Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: nontrivial on August 31, 2016, 10:33:00 pm
-
So there are many posts on these forums for getting trusted certificates to work on Zentyal, and I have written a couple of them. I have been able to get Let's Encrypt certificates to work on Zentyal 4.2 for postfix, dovecot, and the webadmin, but not the webmail (sogo). The sogo certificate (/etc/ocsmanager/blah.org.pem) gets replaced, but then it gets clobbered again. If I replace the certificate and restart apache it seems to work just fine. I am still going to keep working on this, but any help or suggestions would be greatly appreciated.
First make sure all service certificates are enabled in the webadmin, then create the executable file "/etc/zentyal/hooks/ca.postsetconf":
#!/bin/sh
# Zentyal hook: runs after the CA module has written its configuration.
# Rebuild the per-service bundles (private key + certificate + chain) from
# the Let's Encrypt files so Zentyal's self-signed ones do not win.
umask 077   # the temporary copy of the private key must not be readable by others
cat /etc/letsencrypt/live/blah.org/privkey.pem /etc/letsencrypt/live/blah.org/cert.pem /etc/letsencrypt/live/blah.org/fullchain.pem > /tmp/temp.pem
# install the bundle where each service expects it
cp -f /tmp/temp.pem /etc/dovecot/private/dovecot.pem
cp -f /tmp/temp.pem /etc/postfix/sasl/postfix.pem
cp -f /tmp/temp.pem /etc/ocsmanager/blah.org.pem
cp -f /tmp/temp.pem /var/lib/zentyal/conf/ssl/ssl.pem
rm -f /tmp/temp.pem
# restore the permissions each service expects on its bundle
chmod 600 /etc/dovecot/private/dovecot.pem
chmod 400 /etc/postfix/sasl/postfix.pem
chmod 644 /etc/ocsmanager/blah.org.pem
chmod 600 /var/lib/zentyal/conf/ssl/ssl.pem
exit 0
Shockingly, Zentyal does serve up arbitrary web pages under /var/www/html, so in order to have a better looking URL to access webmail you can change /var/www/html/index.html to look like this:
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="refresh" content="0; URL='https://mysrv.blog.org/sogo'" />
<title>Please Wait</title>
</head>
<body>Please Wait...</body>
</html>
That way the URL https://mail.blah.org will get you to your webmail.
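As an added example, not code from the thread or from Zentyal, here is a hardened version of the bundle step the hook above performs, in POSIX sh. It builds each service bundle in a private temporary file beside the destination and renames it into place (so no world-readable copy of the private key ever passes through /tmp), leaves out cert.pem because certbot's fullchain.pem already contains the leaf certificate, and refuses to install a bundle whose PEM blocks are not a private key followed by certificates. The function names, the placeholder PEM blocks and the scratch directory are assumptions; a real hook would pass the /etc/letsencrypt/live/<domain>/ files and the service paths from the post.

```shell
#!/bin/sh
# Added example (not the thread author's hook): safer assembly of the
# key+chain bundles Zentyal services expect, for use from a
# /etc/zentyal/hooks/*.postsetconf script. Function names are assumptions.

# List the PEM block types in a file, one per line, in file order.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# A service bundle must start with a private key and then hold only
# certificates (leaf first, then the chain). Returns 1 otherwise.
pem_layout_ok() {
    types=$(pem_block_types "$1")
    first=$(printf '%s\n' "$types" | sed -n '1p')
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "$1: first PEM block is '$first', expected a private key" >&2; return 1 ;;
    esac
    rest=$(printf '%s\n' "$types" | sed '1d')
    ncert=$(printf '%s\n' "$rest" | grep -c '^CERTIFICATE$' || true)
    nblocks=$(printf '%s\n' "$rest" | grep -c '.' || true)
    if [ "$ncert" -lt 1 ] || [ "$nblocks" -ne "$ncert" ]; then
        echo "$1: expected only CERTIFICATE blocks after the key, got: $rest" >&2
        return 1
    fi
}

# Optional extra check (needs the openssl CLI): the private key and the leaf
# certificate (first block of fullchain.pem) must carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# bundle_pem KEY FULLCHAIN DEST MODE: write DEST atomically with mode MODE.
# The temp file is created 0600 by mktemp in DEST's directory, so the rename
# is atomic and no other user can read the key while it is being assembled.
bundle_pem() {
    key=$1; chain=$2; dest=$3; mode=$4
    for f in "$key" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX") || return 1
    if cat "$key" "$chain" > "$tmp" && pem_layout_ok "$tmp" && chmod "$mode" "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo on constructed placeholder PEM blocks in a scratch directory. A real
# hook would call e.g.
#   bundle_pem /etc/letsencrypt/live/blah.org/privkey.pem \
#              /etc/letsencrypt/live/blah.org/fullchain.pem \
#              /etc/dovecot/private/dovecot.pem 600
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    bundle_pem "$d/privkey.pem" "$d/fullchain.pem" "$d/dovecot.pem" 600 \
        && echo "installed bundle: $(pem_block_types "$d/dovecot.pem" | tr '\n' ' ')"
    bundle_pem "$d/fullchain.pem" "$d/privkey.pem" "$d/wrong.pem" 600 \
        || echo "refused bundle with key in the wrong place; no partial file left behind"
    rm -rf "$d"
}
demo
```

The placeholder blocks let the layout check run without real key material; on a live host, call key_matches_cert on privkey.pem and fullchain.pem before bundle_pem to catch a renewal that rotated the key but left a stale certificate behind.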
-
Also, creating an openchange.postsetconf file is the best I can come up with:
#!/bin/sh
# Zentyal hook: runs after the OpenChange module has written its configuration,
# which is when the sogo/ocsmanager certificate gets clobbered again.
umask 077   # the temporary copy of the private key must not be readable by others
cat /etc/letsencrypt/live/blah.org/privkey.pem /etc/letsencrypt/live/blah.org/cert.pem /etc/letsencrypt/live/blah.org/fullchain.pem > /tmp/temp.pem
cp -f /tmp/temp.pem /etc/ocsmanager/nontrivial.org.pem
rm -f /tmp/temp.pem
chmod 400 /etc/postfix/sasl/postfix.pem
# apache fronts sogo, so it has to pick up the new bundle
service apache2 restart
exit 0
It seems to work like a champ, but for all I know I'm messing up the exchange/outlook stuff. I really don't care at this point; if that works as well, I will consider that a bonus.
-
It's probably also a good idea to edit /etc/apache2/mods-available/ssl.conf and change "SSLProtocol all" to "SSLProtocol all -SSLv3". Stupid poodles.
-
Hello,
Did you find a solution?
-
Thanks for posting this! Your directions were basically perfect and I can confirm it doesn't clobber exchange emulation.
-
The directions do work, and I have the scripts set to run on server startup. Might be a bit overkill, but for me I have found that when Apache restarts the certs get clobbered, and just the cert for webmail/sogo. Going to look and see if I can get the script to run whenever the command to restart Apache is used.
-
SOGO is being handled by an Apache Reverse Proxy. If you have your Apache (or nginx) SSL setup right, it *should* work fine.
If you look, there is a /etc/apache2/conf-available entry for sogo.
Heh, I discovered this recently when I switched my main system out from Apache to nginx and suddenly sogo wasn't working. Found the reverse proxy config information on the web, got that into sogo, and it's good to go.
-
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836
Can you help?
-
Since my first ticket for Let's Encrypt support (https://github.com/zentyal/zentyal/issues/1836) was closed by the Zentyal team, I have created a second ticket for Let's Encrypt support, which has been closed by the Zentyal team too.
I have created a third ticket for Let's Encrypt support; can you, like, comment on it?
- https://github.com/zentyal/zentyal/issues/2015