Zentyal Forum, Linux Small Business Server

Zentyal Server => Email and Groupware => Topic started by: kzchico on June 26, 2017, 12:44:06 pm

Title: Letsencrypt and 3rd party certificates
Post by: kzchico on June 26, 2017, 12:44:06 pm
When are you going to enable integration of Letsencrypt and 3rd party certificates without us tinkering around with the config files?
Title: [Solved] Re: Letsencrypt and 3rd party certificates
Post by: markus.neubauer on March 08, 2018, 06:11:30 pm
In the meantime there is a simple script solution for zentyal 5 at https://www.std-soft.com/hm-service/code/28-zentyal-mit-zertifikat-von-letsencrypt-fit-machen
The script is meant for /usr/local/sbin/ and should do what is necessary for the official services; just make it executable and run it once interactively.
Title: Re: Letsencrypt and 3rd party certificates
Post by: corky on May 13, 2018, 08:41:16 am
The script was exactly what I was looking for, but could you modify it for nginx and not apache, please?
Title: Re: Letsencrypt and 3rd party certificates
Post by: half_life on May 28, 2018, 08:10:29 am
If you mean the web admin page then you could edit /usr/share/zentyal/stubs/core/nginx.conf.mas.

Edit the ssl certificate lines to read:
        ssl_certificate      /etc/letsencrypt/live/<my_Domain_Name>/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/<my_Domain_Name>/privkey.pem;


A more permanent way to do this is to use hooks see http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/comment-page-1/
If you are using nginx in other ways, edit /etc/nginx/snippets/snakeoil.conf similarly.
Title: Re: Letsencrypt and 3rd party certificates
Post by: markus.neubauer on October 30, 2018, 11:11:46 am
The script has changed to also reload nginx.

@half_life: Sorry, but I disagree with "A more permanent way to do this is to use hooks see".

After some years of Zentyal experience I noticed that mas files and configs can change. The way I'm using/suggesting is not bound to a release but does the system part independently. If you are focused on the "right way" and can keep an eye on it every time an update occurs, then you are right ;)
Title: Re: Letsencrypt and 3rd party certificates
Post by: Neustradamus on November 06, 2018, 05:32:49 pm
There are problems with the script.

root@server:/home/xxxxxxxxxx# nano /usr/local/sbin/check-letsencrypt
root@server:/home/xxxxxxxxxx# chmod 750 /usr/local/sbin/check-letsencrypt

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Update script installed at /etc/cron.daily/letsencrypt-check

No installation of letsencrypt and if I install manually:

root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
/usr/bin/letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)


There are:
- webadmin (nginx)
- sogo (apache2)
- postfix
- dovecot
- vsftpd
- ejabberd
- freeradius
- virt
Title: Re: Letsencrypt and 3rd party certificates
Post by: Neustradamus on November 07, 2018, 11:01:51 pm
I have created a ticket for the Let's Encrypt support.
-> https://github.com/zentyal/zentyal/issues/1836
Title: Re: Letsencrypt and 3rd party certificates
Post by: markus.neubauer on November 27, 2018, 06:02:13 pm
Quote from Neustradamus: "Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory"

Usually this means there are no certificates generated - check the content of the directory /etc/letsencrypt/live/
Due to the nature of letsencrypt, this can have many reasons:

Suggestions for the script are welcome - or maybe your request finds its way into the product.  ;)
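A guard for exactly the failure shown above (the live directory is empty, yet the script copies nothing and still reloads every service), written here as an added example and not part of the std-soft script: it refuses to touch a service until both Let's Encrypt files exist and the private key actually belongs to the certificate. The destination paths and the reload command are parameters you pass in; the example assumes only the standard /etc/letsencrypt/live/<host>/ layout, not Zentyal's own certificate locations.

```shell
#!/bin/sh
# Added example: fail closed when Let's Encrypt files are missing.
# Assumed layout: <live_dir>/fullchain.pem and <live_dir>/privkey.pem,
# i.e. /etc/letsencrypt/live/<host>/ as certbot creates it.

# Return 0 only if both files exist and are non-empty; report what is missing.
le_cert_present() {
    live_dir="$1"
    rc=0
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the private key matches the certificate (works for RSA and EC
# keys by comparing the PEM public key derived from each file).
le_key_matches_cert() {
    live_dir="$1"
    cert_pub=$(openssl x509 -pubkey -noout -in "$live_dir/fullchain.pem" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$live_dir/privkey.pem" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Deploy for one service: check first, copy with tight permissions, reload
# only on success. dest_cert, dest_key and reload_cmd are caller-supplied
# (hypothetical values, not Zentyal's real paths).
le_deploy() {
    live_dir="$1"; dest_cert="$2"; dest_key="$3"; reload_cmd="$4"
    le_cert_present "$live_dir" || return 1
    if ! le_key_matches_cert "$live_dir"; then
        echo "key does not match certificate in $live_dir, not deploying" >&2
        return 1
    fi
    install -m 0644 "$live_dir/fullchain.pem" "$dest_cert" || return 1
    install -m 0600 "$live_dir/privkey.pem" "$dest_key" || return 1
    sh -c "$reload_cmd"
}
```

Called as, for instance, `le_deploy /etc/letsencrypt/live/mail.example.org /path/to/service.crt /path/to/service.key "systemctl reload dovecot"` (placeholder paths), a missing or mismatched file aborts before any copy or reload, so the "Dovecot reloaded ..." lines above would never appear with a broken setup.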
Title: Re: Letsencrypt and 3rd party certificates
Post by: Neustradamus on November 28, 2018, 03:36:17 am
I think we need to create a group/user with rights for it,
and modify the old cert links to the new letsencrypt links.
Title: Re: Letsencrypt and 3rd party certificates
Post by: demol on February 13, 2019, 04:00:18 am
Hello Markus,

Thank you very much for the script!

I am new to zentyal and I need to manage the emails of two small domains. Please clarify some doubts:

1. Does the script work for more than 1 domain?
2. After executing the script, if all goes well, will the customer's email services recognize the certificate correctly?

Thank you.

Best regards,
Demol
Title: Re: Letsencrypt and 3rd party certificates
Post by: markus.neubauer on February 27, 2019, 01:18:06 pm
Sorry for late reply!

1. Does the script work for more than 1 domain?
2. After executing the script, if all goes well, will the customer's email services recognize the certificate correctly?

1. As you're using letsencrypt, it will work with more domains/hosts (alternate names), and as long as the http(!) request reaches your letsencrypt setup (.well-known...), you are free to combine host/domain names.
2. All services are using the certificate and shall/will be restarted upon renewal (should be done within the script).

So far the script is active on several systems with no problems or dropouts.
Title: Re: Letsencrypt and 3rd party certificates
Post by: davidjm on May 24, 2019, 09:41:49 am
Does the script function OK on Zentyal 4?
Title: Re: Letsencrypt and 3rd party certificates
Post by: compuit on August 24, 2019, 01:30:10 pm
Hello Markus,
The script you have put forward, does it work on Zentyal 6.01? I would not like to break anything on our Zentyal 6.01 mail server, but our staff are not happy about the certificate showing the CN as mail01.zentyal-domain.lan, which therefore shows the "Not secure" message in the browser when using SoGo. Now I understand that because the certificate is self assigned it creates the CN as hostname.zentyal-domain.lan; I notice too that the certificate DNS shows the same. When the certificate is generated through the Zentyal UI, the correct common name is inputted but not created as expected.
I would really be glad if there was the capability to set up, say, Let's Encrypt via the Zentyal UI. Can someone help, as I am certain many have had similar issues?
Title: Re: Letsencrypt and 3rd party certificates
Post by: Neustradamus on January 18, 2021, 06:05:18 am
Since my first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by Zentyal Team).

I have created a second ticket for Let's Encrypt support which has been closed by Zentyal Team too.

I have created a third ticket for Let's Encrypt support; can you like or comment on it?
- https://github.com/zentyal/zentyal/issues/2015