Author Topic: Letsencrypt and 3rd party certificates  (Read 8943 times)

kzchico

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +3/-0
    • View Profile
Letsencrypt and 3rd party certificates
« on: June 26, 2017, 12:44:06 pm »
When are you going to enable integration of Letsencrypt and 3rd party certificates without us tinkering around with the config files?

markus.neubauer

  • Zen Monk
  • **
  • Posts: 59
  • Karma: +8/-0
    • View Profile
[Solved] Re: Letsencrypt and 3rd party certificates
« Reply #1 on: March 08, 2018, 06:11:30 pm »
In the meantime there is a simple script solution for zentyal 5 at https://www.std-soft.com/hm-service/code/28-zentyal-mit-zertifikat-von-letsencrypt-fit-machen
The script is meant for /usr/local/sbin/ and should do what is necessary for the official services, just make it executable an run once interactive.
« Last Edit: October 30, 2018, 10:53:56 am by markus.neubauer »

corky

  • Zen Apprentice
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #2 on: May 13, 2018, 08:41:16 am »
The script was exactly what I was looking for but could you modify it for nginx and not apache please

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #3 on: May 28, 2018, 08:10:29 am »
If you mean the web admin page then you could edit /usr/share/zentyal/stubs/core/nginx.conf.mas.

Edit the ssl certificate lines to read :
Code: [Select]
        ssl_certificate      /etc/letsencrypt/live/<my_Domain_Name>/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/<my_Domain_Name>/privkey.pem;


A more permanent way to do this is to use hooks see http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/comment-page-1/
If you are using nginx in other ways edit  /etc/nginx/snippets/snakeoil.conf  similarly.

markus.neubauer

  • Zen Monk
  • **
  • Posts: 59
  • Karma: +8/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #4 on: October 30, 2018, 11:11:46 am »
The script has changed to also reload nginx.

@half_life: Sorry, but i disagree in "A more permanent way to do this is to use hooks see"

After some years of Zentyal expirience I noticed that mas files and configs can change. The way I'm using/suggesting is not bound to a release but does the system part independently. If you are focused on the "right way" and can keep an eye on it every time an update occurs, then you are right  ;)

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #5 on: November 06, 2018, 05:32:49 pm »
There are problems with the script.

root@server:/home/xxxxxxxxxx# nano /usr/local/sbin/check-letsencrypt
root@server:/home/xxxxxxxxxx# chmod 750 /usr/local/sbin/check-letsencrypt

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Update script installed at /etc/cron.daily/letsencrypt-check

No installation of letsencrypt and if I install manually:

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
/usr/bin/letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)


There are:
- webadmin (nginx)
- sogo (apache2)
- postfix
- dovecot
- vsftpd
- ejabberd
- freeradius
- virt
« Last Edit: November 07, 2018, 11:01:01 pm by Neustradamus »

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #6 on: November 07, 2018, 11:01:51 pm »
I have created a ticket for the Let's Encrypt support.
-> https://github.com/zentyal/zentyal/issues/1836

markus.neubauer

  • Zen Monk
  • **
  • Posts: 59
  • Karma: +8/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #7 on: November 27, 2018, 06:02:13 pm »
Quote
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory

Usually this means there are no certificates generated - check your content in directory /etc/letsencrypt/live/
Due to the nature of letsencrypt, this can have many reasons:
  • is your http reachable from internet on port 80? (maybe a forward from your router if you are NATed)
  • does directory /var/www/html/.well-known exist?
  • check with letsencrypt manually

Suggestions for the script are welcome - or maybe your request finds its way into the product.  ;)
« Last Edit: November 27, 2018, 06:04:12 pm by markus.neubauer »

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #8 on: November 28, 2018, 03:36:17 am »
I think we need to create group/user with rights for it.
And modify old cert links by the new letsencrypt links

demol

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #9 on: February 13, 2019, 04:00:18 am »
Hello Markus,

Thank you very much for the script!

I am new to zentyal and I need to manage the emails of two small domains. Please clarify some doubts:

1. Does the script work for more than 1 domain?
2. After executing the script. If all goes well, will the customer's email services recognize the certificate correctly?

Thank you.

Best regards,
Demol

markus.neubauer

  • Zen Monk
  • **
  • Posts: 59
  • Karma: +8/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #10 on: February 27, 2019, 01:18:06 pm »
Sorry for late reply!

1. Does the script work for more than 1 domain?
2. After executing the script. If all goes well, will the customer's email services recognize the certificate correctly?

1. As you're using letsencrypt, it will work with more domains/hosts (alternate names) and as long as the http(!) request reaches your letsencrypt setup (.well-known...) you are free to combine host/domain names.
2. All services are using the certificate and shall/will be restarted upon renewal (should be done within the script).

So far the script is active on several systems with no problems or dropouts.

davidjm

  • Zen Apprentice
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #11 on: May 24, 2019, 09:41:49 am »
Does the script function OK on Zentyal 4?

compuit

  • Zen Apprentice
  • *
  • Posts: 8
  • Karma: +0/-0
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #12 on: August 24, 2019, 01:30:10 pm »
Hello Markus,
The script you have put forward does it work on Zentyal 6.01? I would not like to break anything on our Zentyal 6.01 Mail server but our staff are not happy about the certificate showing the CN as mail01.zentyal-domain.lan and therefore shows the "Not secure message" in the Browser when using SoGo. Now I understand that because the certificate is self assigned it creates the CN as  hostname.zentyal-domain.lan I notice too the certificate DNS shows the same. When the certificate is generated through the Zentyal UI the correct common name is inputted but not created as expected.
I would really be glad if there was the capability to setup say lets Encrypt via the Zentyal UI. Can someone help as I am certain many have had similar issues?

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
    • View Profile
Re: Letsencrypt and 3rd party certificates
« Reply #13 on: January 18, 2021, 06:05:18 am »
Since my first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by Zentyal Team).

I have created a second ticket for Let's Encrypt support which has been closed by Zentyal Team too.

I have created a third ticket for Let's Encrypt support, can you like, comment on it?
- https://github.com/zentyal/zentyal/issues/2015