Author Topic: Letsencrypt and 3rd party certificates  (Read 1607 times)

kzchico

Letsencrypt and 3rd party certificates
« on: June 26, 2017, 12:44:06 pm »
When are you going to enable integration of Letsencrypt and 3rd party certificates without us tinkering around with the config files?

markus.neubauer

[Solved] Re: Letsencrypt and 3rd party certificates
« Reply #1 on: March 08, 2018, 06:11:30 pm »
In the meantime there is a simple script solution for Zentyal 5 at https://www.std-soft.com/hm-service/code/28-zentyal-mit-zertifikat-von-letsencrypt-fit-machen
The script is meant for /usr/local/sbin/ and should do what is necessary for the official services; just make it executable and run it once interactively.
« Last Edit: October 30, 2018, 10:53:56 am by markus.neubauer »

corky

Re: Letsencrypt and 3rd party certificates
« Reply #2 on: May 13, 2018, 08:41:16 am »
The script was exactly what I was looking for, but could you modify it for nginx and not apache, please?

half_life

Re: Letsencrypt and 3rd party certificates
« Reply #3 on: May 28, 2018, 08:10:29 am »
If you mean the web admin page then you could edit /usr/share/zentyal/stubs/core/nginx.conf.mas.

Edit the ssl certificate lines to read:
Code:
        ssl_certificate      /etc/letsencrypt/live/<my_Domain_Name>/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/<my_Domain_Name>/privkey.pem;

A more permanent way to do this is to use hooks; see http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/comment-page-1/
If you are using nginx in other ways, edit /etc/nginx/snippets/snakeoil.conf similarly.

markus.neubauer

Re: Letsencrypt and 3rd party certificates
« Reply #4 on: October 30, 2018, 11:11:46 am »
The script has changed to also reload nginx.

@half_life: Sorry, but I disagree with "A more permanent way to do this is to use hooks see"

After some years of Zentyal experience I noticed that mas files and configs can change. The way I'm using/suggesting is not bound to a release but does the system part independently. If you are focused on the "right way" and can keep an eye on it every time an update occurs, then you are right  ;)

Neustradamus

Re: Letsencrypt and 3rd party certificates
« Reply #5 on: November 06, 2018, 05:32:49 pm »
There are problems with the script.

root@server:/home/xxxxxxxxxx# nano /usr/local/sbin/check-letsencrypt
root@server:/home/xxxxxxxxxx# chmod 750 /usr/local/sbin/check-letsencrypt

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Update script installed at /etc/cron.daily/letsencrypt-check

No installation of letsencrypt and if I install manually:

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
/usr/bin/letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)


There are:
- webadmin (nginx)
- sogo (apache2)
- postfix
- dovecot
- vsftpd
- ejabberd
- freeradius
- virt
« Last Edit: November 07, 2018, 11:01:01 pm by Neustradamus »

Neustradamus

Re: Letsencrypt and 3rd party certificates
« Reply #6 on: November 07, 2018, 11:01:51 pm »
I have created a ticket for the Let's Encrypt support.
-> https://github.com/zentyal/zentyal/issues/1836

markus.neubauer

Re: Letsencrypt and 3rd party certificates
« Reply #7 on: November 27, 2018, 06:02:13 pm »
Quote
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory

Usually this means there are no certificates generated - check your content in directory /etc/letsencrypt/live/
Due to the nature of letsencrypt, this can have many reasons:
  • is your http reachable from the internet on port 80? (maybe a forward from your router if you are NATed)
  • does directory /var/www/html/.well-known exist?
  • check with letsencrypt manually

Suggestions for the script are welcome - or maybe your request finds its way into the product.  ;)
« Last Edit: November 27, 2018, 06:04:12 pm by markus.neubauer »
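
The output quoted in this thread shows services being reloaded even though fullchain.pem and privkey.pem did not exist. A preflight check run before any copy or reload avoids that; the following is an added example, not part of the thread or of the script linked above, and its function names, return codes and 7-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not the std-soft.com script). Function names and return
# codes are chosen for this illustration.
# le_preflight DIR [MIN_SECONDS]
#   0 = usable, 1 = file missing/empty, 2 = key/cert mismatch, 3 = expires soon
le_preflight() {
    live_dir=$1
    min_valid=${2:-604800}            # require 7 days of validity by default
    cert="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    for f in "$cert" "$key"; do
        if [ ! -r "$f" ] || [ ! -s "$f" ]; then
            echo "preflight: missing or empty: $f" >&2
            return 1
        fi
    done

    # The public key embedded in the (first) certificate must equal the one
    # derived from the private key; a mismatched pair is unusable for TLS.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: $key does not match $cert" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null; then
        echo "preflight: $cert expires within $min_valid seconds" >&2
        return 3
    fi
    return 0
}

# le_guarded_reload DIR COMMAND...: run COMMAND only if DIR passes the check.
le_guarded_reload() {
    dir=$1
    shift
    le_preflight "$dir" || return $?
    "$@"
}

# Stand-alone use: <this script> /etc/letsencrypt/live/<my_Domain_Name> <reload command>
if [ "$#" -ge 2 ]; then
    le_guarded_reload "$@"
fi
```

A non-zero return leaves the running services on their current certificate instead of reloading them against missing or mismatched files.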

Neustradamus

Re: Letsencrypt and 3rd party certificates
« Reply #8 on: November 28, 2018, 03:36:17 am »
I think we need to create group/user with rights for it.
And modify old cert links by the new letsencrypt links.