Author Topic: Let's Encrypt SSL Certificates

nontrivial

  • Zen Warrior
  • ***
  • Posts: 181
  • Karma: +16/-0
Let's Encrypt SSL Certificates
« on: August 31, 2016, 10:33:00 pm »
So there are many posts on these forums for getting trusted certificates to work on Zentyal, and I have written a couple of them. I have been able to get Let's Encrypt certificates to work on Zentyal 4.2 for Postfix, Dovecot, and the webadmin, but not the webmail (SOGo). The SOGo certificate (/etc/ocsmanager/blah.org.pem) gets replaced, but then it gets clobbered again. If I replace the certificate and restart Apache it seems to work just fine. I am still going to keep working on this, but any help or suggestions would be greatly appreciated.

First make sure all service certificates are enabled in the webadmin, then create the executable file "/etc/zentyal/hooks/ca.postsetconf":

  #!/bin/sh
  # Zentyal CA hook: runs after the CA module rewrites its configuration.
  # Rebuild the key+chain bundle from Let's Encrypt and copy it over the
  # service certificates Zentyal would otherwise regenerate.
  set -e
  LE=/etc/letsencrypt/live/blah.org

  # Private umask plus mktemp so the private key is never world-readable
  # in /tmp, even briefly. fullchain.pem already begins with cert.pem, so
  # concatenating both would put the leaf certificate in the bundle twice.
  umask 077
  TMP=$(mktemp)
  cat "$LE/privkey.pem" "$LE/fullchain.pem" > "$TMP"

  cp -f "$TMP" /etc/dovecot/private/dovecot.pem
  cp -f "$TMP" /etc/postfix/sasl/postfix.pem
  cp -f "$TMP" /etc/ocsmanager/blah.org.pem
  cp -f "$TMP" /var/lib/zentyal/conf/ssl/ssl.pem

  rm -f "$TMP"

  # Every copy carries the private key. 644 on the ocsmanager bundle makes
  # that key readable by every local user; if ocsmanager runs as its own
  # user, chown the file to that user and use 600 instead.
  chmod 600 /etc/dovecot/private/dovecot.pem
  chmod 400 /etc/postfix/sasl/postfix.pem
  chmod 644 /etc/ocsmanager/blah.org.pem
  chmod 600 /var/lib/zentyal/conf/ssl/ssl.pem

  exit 0

Shockingly, Zentyal does serve up arbitrary web pages under /var/www/html, so in order to have a better looking URL to access webmail you can change /var/www/html/index.html to look like this:

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="refresh" content="0; URL='https://mysrv.blog.org/sogo'" />
    <title>Please Wait</title>
  </head>
  <body>Please Wait...</body>
</html>

That way the URL https://mail.blah.org will get you to your webmail.
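The hook above overwrites four service bundles that each carry the private key, so it is worth being able to check what actually landed on disk. The following is an added example, not code from the post or from Zentyal: it parses a PEM bundle, flags the leaf certificate appearing twice (which is what `cat privkey.pem cert.pem fullchain.pem` produces, because fullchain.pem already contains cert.pem), requires exactly one private key block, and flags a file mode that lets group or others read the key. The PEM bodies in the sample bundles are constructed placeholders, not real key material; `check_bundle_file` is the only part that touches the filesystem.

```python
import hashlib
import re
import stat

# One PEM block: group 1 is the label (CERTIFICATE, PRIVATE KEY, ...),
# group 2 the base64 body. The backreference makes BEGIN and END labels agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def parse_pem(text):
    """Return [(label, body)] for every PEM block, in file order."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2)))
            for m in _PEM_BLOCK.finditer(text)]


def check_bundle_text(text):
    """Structural checks on a key+chain bundle. Returns a list of problems."""
    blocks = parse_pem(text)
    problems = []
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    # privkey.pem + cert.pem + fullchain.pem repeats the leaf, because
    # fullchain.pem already starts with cert.pem.
    seen = set()
    for body in certs:
        digest = hashlib.sha256(body.encode()).hexdigest()[:16]
        if digest in seen:
            problems.append(f"certificate {digest} appears more than once")
        seen.add(digest)
    return problems


def check_mode(st_mode):
    """A bundle that carries the private key must not be group/world readable."""
    perms = stat.S_IMODE(st_mode)
    if perms & 0o077:
        return [f"mode {perms:04o} lets group or others read the private key"]
    return []


def check_bundle_file(path):
    """Run both checks against a file on disk, e.g. /etc/dovecot/private/dovecot.pem."""
    import os
    with open(path) as fh:
        text = fh.read()
    return check_bundle_text(text) + check_mode(os.stat(path).st_mode)


def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholders: the bodies are not real key or certificate material.
_KEY = _pem("PRIVATE KEY", "S0VZS0VZS0VZ")
_LEAF = _pem("CERTIFICATE", "TEVBRkxFQUY=")
_INTERMEDIATE = _pem("CERTIFICATE", "SU5URVJNRURJQVRF")

# What `cat privkey.pem cert.pem fullchain.pem` produces: the leaf twice.
BUNDLE_AS_POSTED = _KEY + _LEAF + (_LEAF + _INTERMEDIATE)
# What `cat privkey.pem fullchain.pem` produces: each certificate once.
BUNDLE_TIDY = _KEY + _LEAF + _INTERMEDIATE

if __name__ == "__main__":
    for name, bundle in (("as posted", BUNDLE_AS_POSTED), ("tidy", BUNDLE_TIDY)):
        print(name, check_bundle_text(bundle) or "ok")
    print("mode 644:", check_mode(0o644))
```

On a live box, `check_bundle_file("/etc/ocsmanager/blah.org.pem")` after the hook has run reports the 644 mode from the script above as a problem; whether that is acceptable depends on which user ocsmanager runs as. The structural checks say nothing about whether the key matches the certificate; `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus` covers that.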

nontrivial

  • Zen Warrior
  • ***
  • Posts: 181
  • Karma: +16/-0
Re: Let's Encrypt SSL Certificates
« Reply #1 on: August 31, 2016, 10:41:37 pm »
Also creating an openchange.postsetconf file is the best I can come up with:

#!/bin/sh
# Zentyal OpenChange hook: runs after the OpenChange module rewrites its
# configuration, and puts the Let's Encrypt bundle back for SOGo/ocsmanager.
set -e
LE=/etc/letsencrypt/live/blah.org

# Private umask plus mktemp so the key is never world-readable in /tmp.
# fullchain.pem already includes cert.pem, so the leaf is not repeated.
umask 077
TMP=$(mktemp)
cat "$LE/privkey.pem" "$LE/fullchain.pem" > "$TMP"

cp -f "$TMP" /etc/ocsmanager/nontrivial.org.pem

rm -f "$TMP"

# Set the mode of the file this hook actually replaced, matching what the
# ca.postsetconf hook uses for the ocsmanager bundle.
chmod 644 /etc/ocsmanager/nontrivial.org.pem

service apache2 restart

exit 0


It seems to work like a champ, but for all I know I'm messing up the Exchange/Outlook stuff. I really don't care at this point; if that works as well I will consider that a bonus.

nontrivial

  • Zen Warrior
  • ***
  • Posts: 181
  • Karma: +16/-0
Re: Let's Encrypt SSL Certificates
« Reply #2 on: August 31, 2016, 10:53:01 pm »
It's probably also a good idea to edit /etc/apache2/mods-available/ssl.conf and change "SSLProtocol all" to "SSLProtocol all -SSLv3". Stupid poodles.
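The `+`/`-` syntax of `SSLProtocol` has a trap that the one-line fix above sidesteps but that is easy to hit when editing further: a protocol name with no prefix does not add to the list, it replaces everything set so far. The following is an added example, not code from the post or from Apache: it evaluates an `SSLProtocol` directive with mod_ssl's rules (`+name` adds, `-name` removes, a bare name replaces and mod_ssl logs a warning when that discards earlier settings) and reports whether SSLv3 survives. It assumes, as a labelled assumption, that `all` expands to SSLv3 through TLSv1.2, which is the behaviour of an OpenSSL 1.0.x-era build not compiled with `no-ssl3`; on newer builds `all` no longer includes SSLv3, and TLSv1.3 appears. The ssl.conf fragments are constructed to resemble the file, not copied from it, and the function only looks at one directive at a time (a `<VirtualHost>` can override the global one).

```python
# Protocol names mod_ssl accepts in SSLProtocol, keyed by lower-case spelling.
_PROTOCOLS = {p.lower(): p for p in
              ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
# Assumption: what "all" expands to on an OpenSSL 1.0.x-era build that was not
# compiled with no-ssl3. SSLv2 is never part of "all"; newer builds drop SSLv3 too.
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


def evaluate_sslprotocol(directive):
    """Evaluate one SSLProtocol line with mod_ssl's rules:
    '+name' adds, '-name' removes, and a bare name REPLACES whatever was
    accumulated so far (mod_ssl warns when that discards earlier settings).
    Returns (enabled_protocols, warnings)."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled, warnings = set(), []
    for tok in tokens[1:]:
        action = ""
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        if tok.lower() == "all":
            this = set(ALL_PROTOCOLS)
        elif tok.lower() in _PROTOCOLS:
            this = {_PROTOCOLS[tok.lower()]}
        else:
            raise ValueError("unknown protocol %r" % tok)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            if enabled:
                warnings.append(
                    f"'{tok}' overrides already set protocols; is a +/- prefix missing?")
            enabled = this
    return frozenset(enabled), warnings


def sslv3_allowed(directive):
    """True if the directive still leaves SSLv3 negotiable (POODLE exposure)."""
    return "SSLv3" in evaluate_sslprotocol(directive)[0]


def find_sslprotocol_lines(conf_text):
    """Return the SSLProtocol directives in a config, skipping comment lines."""
    found = []
    for line in conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.split()[0].lower() == "sslprotocol":
            found.append(s)
    return found


# Constructed fragments in the shape of /etc/apache2/mods-available/ssl.conf
# before and after the change suggested above (not copies of the real file).
SSL_CONF_BEFORE = """\
<IfModule mod_ssl.c>
    SSLCipherSuite HIGH:!aNULL
    # SSLProtocol all -SSLv3
    SSLProtocol all
</IfModule>
"""
SSL_CONF_AFTER = SSL_CONF_BEFORE.replace(
    "\n    SSLProtocol all\n", "\n    SSLProtocol all -SSLv3\n")

if __name__ == "__main__":
    for conf in (SSL_CONF_BEFORE, SSL_CONF_AFTER):
        for line in find_sslprotocol_lines(conf):
            enabled, warnings = evaluate_sslprotocol(line)
            state = "ENABLED" if "SSLv3" in enabled else "disabled"
            print(f"{line!r}: SSLv3 {state}, protocols={sorted(enabled)}, "
                  f"warnings={warnings}")
```

The case worth remembering is `SSLProtocol TLSv1.1 TLSv1.2`: the second bare token replaces the first, so only TLSv1.2 remains and mod_ssl logs a warning about the missing prefix. `SSLProtocol -all +TLSv1.2` or `SSLProtocol all -SSLv3 -TLSv1` say what they mean. Whatever the directive evaluates to, confirm it against the running server, for example with `openssl s_client -connect host:443 -ssl3`, which should fail to handshake once SSLv3 is off.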

prodh971

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +0/-0
Re: Let's Encrypt SSL Certificates
« Reply #3 on: November 01, 2016, 07:12:24 pm »
Hello,
You found a solution?

Jormungandr

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +0/-0
Re: Let's Encrypt SSL Certificates
« Reply #4 on: January 31, 2017, 04:48:29 pm »
Thanks for posting this! Your directions were basically perfect and I can confirm it doesn't clobber exchange emulation.

theb2b

  • Zen Monk
  • **
  • Posts: 59
  • Karma: +2/-0
Re: Let's Encrypt SSL Certificates
« Reply #5 on: February 01, 2017, 06:39:42 pm »
The directions do work, and I have the scripts set to run on server startup. It might be a bit overkill, but I have found that when Apache restarts the certs get clobbered, and just the cert for webmail/SOGo. Going to look and see if I can get the script to run whenever the command to restart Apache is used.

jclaggett

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: Let's Encrypt SSL Certificates
« Reply #6 on: March 28, 2017, 01:56:00 am »
SOGo is being handled by an Apache reverse proxy. If you have your Apache (or nginx) SSL setup right, it *should* work fine.

If you look, there is a file under /etc/apache2/conf-available for SOGo.

Heh, I discovered this recently when I switched my main system out from Apache to nginx and suddenly SOGo wasn't working. Found the reverse proxy config information on the web, got that into SOGo, and it's good to go.
« Last Edit: March 28, 2017, 01:58:48 am by jclaggett »

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
Re: Let's Encrypt SSL Certificates
« Reply #7 on: November 07, 2018, 11:26:55 pm »
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

Can you help?

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
Re: Let's Encrypt SSL Certificates
« Reply #8 on: January 18, 2021, 06:17:43 am »
Since my first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by the Zentyal team).

I have created a second ticket for Let's Encrypt support, which has been closed by the Zentyal team too.

I have created a third ticket for Let's Encrypt support; can you like and comment on it?
- https://github.com/zentyal/zentyal/issues/2015