Topic: How to LetsEncrypt for fun and profit

doncamilo

  • Zen Samurai
  • Posts: 478
  • Karma: +165/-1
Re: How to LetsEncrypt for fun and profit
« Reply #15 on: October 16, 2019, 04:50:48 pm »
 :)

Looking for the configuration file:

Code:
sudo ps aux | grep nginx
root      1595  0.0  0.1  33204  3196 ?        Ss   10:05   0:00 nginx: master process /usr/sbin/nginx -c /var/lib/zentyal/conf/nginx.conf
# ...

The content of the file is:

Code:
...
server {
        listen 8443;

        ssl on;
        ssl_certificate /var/lib/zentyal/conf/ssl/ssl.pem;
        ssl_certificate_key /var/lib/zentyal/conf/ssl/ssl.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
        ssl_prefer_server_ciphers on;

        access_log /var/log/zentyal/access.log;

        root /usr/share/zentyal/www;
...

But remember that you have to make the customizations in the respective stub.

Read this: https://doc.zentyal.org/en/appendix-c.html#stubs

Cheers!

- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi, Don Camillo.
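Added example, not part of doncamilo's post or of Zentyal's own code: a small POSIX shell script that audits a server{} stanza like the one pasted above for the TLS settings a reviewer would flag (SSLv3/TLSv1/TLSv1.1 still offered, the `ssl on;` directive that nginx deprecated in 1.15.0 in favour of `listen ... ssl;`) and prints a hardened copy. The stanza is re-typed here as a constructed sample written to a temporary file; the `listen 8443 ssl;` and `TLSv1.2 TLSv1.3` values in the hardened output are this example's suggestion, not something the post prescribes. As the post says, the generated nginx.conf is rewritten by Zentyal, so any change you adopt belongs in the stub, not in the generated file.

```shell
#!/bin/sh
# Audit and harden the TLS part of an nginx server{} stanza.
# Added example; paths and settings below are assumptions, not Zentyal defaults.

# Constructed sample mirroring the stanza from the forum post.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
server {
        listen 8443;

        ssl on;
        ssl_certificate /var/lib/zentyal/conf/ssl/ssl.pem;
        ssl_certificate_key /var/lib/zentyal/conf/ssl/ssl.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
}
EOF

# audit_nginx_tls FILE: print one WARN:/INFO: line per finding.
audit_nginx_tls() {
    conf="$1"

    # 1. Protocol versions that should no longer be offered.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "WARN: legacy protocol enabled: $p" ;;
        esac
    done

    # 2. 'ssl on;' is deprecated since nginx 1.15.0; put 'ssl' on the listen line.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "WARN: deprecated 'ssl on;' directive (use 'listen <port> ssl;')"
    fi

    # 3. Certificate and key served from one combined PEM: nginx allows it, but
    #    it means the private key lives in a file that is also the public cert.
    cert=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    if [ -n "$cert" ] && [ "$cert" = "$key" ]; then
        echo "INFO: certificate and key read from the same file: $cert"
    fi
}

# count_warnings FILE: number of WARN: findings (0 when the stanza is clean).
count_warnings() {
    audit_nginx_tls "$1" | grep -c '^WARN' || true
}

# harden_nginx_tls FILE: print the stanza with the three fixes applied.
# TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; drop it otherwise.
harden_nginx_tls() {
    sed -e '/^[[:space:]]*ssl[[:space:]][[:space:]]*on[[:space:]]*;/d' \
        -e 's/^\([[:space:]]*listen[[:space:]][[:space:]]*[0-9][0-9]*\)[[:space:]]*;/\1 ssl;/' \
        -e 's/^\([[:space:]]*ssl_protocols\)[[:space:]].*;/\1 TLSv1.2 TLSv1.3;/' "$1"
}

echo "== findings for sample stanza =="
audit_nginx_tls "$SAMPLE_FILE"
echo "== hardened stanza =="
harden_nginx_tls "$SAMPLE_FILE"
```

Run it against the real generated file (`audit_nginx_tls /var/lib/zentyal/conf/nginx.conf` as shown in the ps output above) to see what the running instance offers, carry the changes into the Zentyal stub, and check the regenerated file with `nginx -t -c <path>` before reloading.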

Neustradamus

  • Zen Monk
  • Posts: 92
  • Karma: +0/-5
Re: How to LetsEncrypt for fun and profit
« Reply #16 on: January 18, 2021, 06:04:42 am »
My first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by the Zentyal Team).

I have created a second ticket for Let's Encrypt support, which has been closed by the Zentyal Team too.

I have created a third ticket for Let's Encrypt support; can you like and comment on it?
- https://github.com/zentyal/zentyal/issues/2015

shoppc

  • Zen Apprentice
  • Posts: 9
  • Karma: +2/-0
Re: How to LetsEncrypt for fun and profit
« Reply #17 on: June 19, 2021, 07:50:28 pm »
Thanks for creating the post showing how to set up letsencrypt etc. However, I am a Linux noob and a Zentyal noob, and I think many people would appreciate a little more detail on the instructions provided; at least I would.

My installation is the community edition Zentyal 7.0.4. It's running great, I have a Windows 10 machine joined to the 'domain' and email via SOGo works. However, I cannot get my head around the way certificates are installed/set up in Zentyal.

My background is in IT support, and whilst I don't fully grasp every facet of SSL certificate implementation, I have installed certificates on a variety of platforms (mainly Windows Server, Exchange, IIS etc.), using wildcard certs, and find the process reasonably simple. Linux/Zentyal, however, seems a black art. For every iteration of Linux, and for all the different services running that might want to use a certificate (Apache, nginx etc.), it seems like a never-ending process of config file changes. Enough of the thicko moaning....

The thing is, and I know it's my lack of knowledge, I cannot tell from the (I'm sure excellent) instructions in the forum here and in Zentyal's own documents how to configure services to use a letsencrypt SSL certificate. I can install letsencrypt, add the repo etc., as per the documentation, but for example, the following command from the manual:

> certbot --apache -m abraham@zentyal-domain.com

...clearly the 'abraham@zentyal-domain.com' needs to change; if I want to set up the certificate for the SOGo webmail service, what should this be?

The documentation instructions seem to be completely different from those posted here too (https://forum.zentyal.org/index.php/topic,32351.msg112718.html#msg112718), with the final notes in the official documentation reading:

"When the certificate has been correctly issued and stored on your Zentyal Server, the next step is to configure the services to use this certificate. Below you can find some of the most common paths used to establish the certificate:"

But what are you supposed to do in those paths to establish the certificates? It's a little confusing! I'm used to just opening a GUI control, choosing the installed certificate and confirming its use in that 'service'.

I think I understand that the process pulls down a certificate, stores it in maybe /etc/certs (but I don't really know), and then you are supposed to make numerous config changes to make use of the certificates, but I'm lost!

Also, from the web admin, I really don't understand the process; it doesn't seem to have any options to select 'webmail' as the service and choose the certificate for that service. It kinda looks like you can create certificates signed by the server (so not CA-approved by clients) and assign them, but 'Editing certificate' does not mean 'applying', so I really don't understand what this GUI feature is actually doing (again, me being thick), and the documentation really doesn't explain. It's almost like you need to know what it's doing to understand what the documentation is telling you!

Apologies if this all sounds like a moan. I'm just frustrated, and really I do this for a job (although very much a jack of all, master of none), but Linux/Zentyal just seems so difficult to get my head round. Will there ever be a certmgr-equivalent tool that devs can utilise to simplify the installation and usage of certificates for people like me?

Anyway, I guess I'm asking for someone to produce a video or document with step-by-step instructions, with explanations of what the commands do (simple) and what elements are to be tailored for an individual's setup (back to my question: why does the certbot apache command above require what looks like an email address when you are trying to apply SSL to a host/domain?).

I'm pretty sure I'll be high maintenance with the responses, me being so dim, but if anyone who has the time could respond, maybe we could email/PM to get me on the right track, or perhaps, if you want the fame and er um 'fortune', post a YouTube video of the whole process of applying a free Let's Encrypt cert on Zentyal 7 for the admin console and SOGo webmail etc. That would be awesome, and frankly you would become a legend on these forums (according to me, anyway).

Thank you for making it to the end of this post!