Zentyal Forum, Linux Small Business Server

Zentyal Server => Contributions / Tips&Tricks / Features Requests => Topic started by: efarayenkay on September 14, 2018, 08:09:41 am

Title: How to LetsEncrypt for fun and profit
Post by: efarayenkay on September 14, 2018, 08:09:41 am
UPDATE 2018-11-12 - remove requirement to restart Apache - doesn't work in that form and isn't needed anyway

Hi there

Not sure if there's a post about this already, but I've come up with a method to automate the creation and installation of Let's Encrypt certificates which I would like to share with you.

Step 1: Install the letsencrypt package, and its prerequisites:

Code:
admin@zentyla:~$ sudo apt-get install letsencrypt
Step 2: Find where the certificates currently live:

Code:
admin@zentyla:~$ grep "^\s*SSLCertificate" /etc/apache2/sites-enabled/default-ssl.conf
Step 3: Assuming the default location, create the script (note the quoted 'EOF': without the quotes the shell expands $LIVECERT and friends to empty strings while writing the file, and the test and copies below end up with no arguments):

Code:
admin@zentyla:~$ cat > update_certs.sh <<'EOF'
#!/bin/sh
# Runs as root from cron. Requests/renews the Let's Encrypt certificate and,
# when a newer one has arrived, copies it over the snakeoil cert/key that
# default-ssl.conf points at.
set -eu

LIVECERT=/etc/letsencrypt/live/first.domain.com/fullchain.pem
SSLCERT=/etc/ssl/certs/ssl-cert-snakeoil.pem
LIVEKEY=/etc/letsencrypt/live/first.domain.com/privkey.pem
SSLKEY=/etc/ssl/private/ssl-cert-snakeoil.key

# --webroot: answer the HTTP-01 challenge from /var/www/html on port 80
# --keep:    reuse the existing certificate unless it is close to expiry
letsencrypt certonly --webroot -w /var/www/html/ -d first.domain.com -d second.domain.com -d third.domain.com --keep
if [ "$LIVECERT" -nt "$SSLCERT" ]
then
        cp "$LIVECERT" "$SSLCERT"
        cp "$LIVEKEY" "$SSLKEY"
        # This is both unnecessary and doesn't work anyway
        #service apache2 restart
fi

EOF
admin@zentyla:~$ chmod +x update_certs.sh

Step 4: Open root's crontab - if this is your first time it will ask you for a choice of editor.  Nano is the simplest.

Code:
admin@zentyla:~$ sudo crontab -e
Step 5: Add the following line to the open editor - replace admin with your admin username - this will set it to run on the 12th of each month at midnight (change the 12 to any number between 1 and 28 to change the day it runs - don't choose 29 to 31 since they don't always occur):

Code:
0 0 12 * * /home/admin/update_certs.sh
Step 6: Ensure port 80 on your Zentyal server can be reached from the outside (I'll leave that as an exercise for the reader) and run the script manually:

Code:
admin@zentyla:~$ sudo ./update_certs.sh
And, so long as you got a successful outcome of the letsencrypt program, you should be set.
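Step 6 says to make sure port 80 is reachable from outside and leaves the how to the reader. The following is an added example, not code from the post, from Zentyal or from certbot, that performs the check the webroot plugin depends on: it drops a random token into <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP at the name being certified, and names the usual failure (port not forwarded, wrong -w path, an HTTP-to-HTTPS rewrite that also catches the challenge path) before certbot spends one of its rate-limited validation attempts. The webroot, the base URL and the local-server helper (which exists only so the script can be dry-run offline) are assumptions. Let's Encrypt validates from its own vantage point, so run this from outside your network, or at least against the public name rather than 127.0.0.1, since a NAT router may not hairpin.

```python
#!/usr/bin/env python3
"""Pre-flight for `letsencrypt certonly --webroot -w <webroot> -d <name>`.
HTTP-01 fetches http://<name>/.well-known/acme-challenge/<token> on port 80;
this writes a token under the webroot and fetches it the same way."""
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx instead of following it (HTTPS rewrites hide the real answer)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def write_token(webroot):
    """Create <webroot>/.well-known/acme-challenge/<token> with a random body,
    world-readable so the web server worker can serve it."""
    token, body = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    chal_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)
    return token, body, path


def fetch(url, timeout=10):
    """GET without following redirects: (status, body); status None = no answer."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def preflight_webroot(webroot, base_url, timeout=10):
    """(ok, detail): ok only if the token written under webroot comes back
    unchanged from base_url/.well-known/acme-challenge/<token>."""
    token, body, path = write_token(webroot)
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_PATH, token)
    try:
        status, text = fetch(url, timeout)
        if status is None:
            return False, "no HTTP answer from %s (port 80 closed or not forwarded?)" % url
        if 300 <= status < 400:
            return False, "HTTP %d redirect at %s (rewrite rule catches the challenge path)" % (status, url)
        if status != 200:
            return False, "HTTP %d for %s (wrong -w webroot for this name?)" % (status, url)
        if text.strip() != body:
            return False, "%s answers, but not from %s (another vhost serves this name)" % (url, path)
        return True, "OK: %s served from %s" % (url, path)
    finally:
        os.unlink(path)  # never leave stray files in the challenge directory


def start_local_server(directory):
    """Serve a directory on 127.0.0.1 (random port) for an offline dry run.
    Returns (server, base_url); call server.shutdown() afterwards."""
    class Quiet(http.server.SimpleHTTPRequestHandler):
        def log_message(self, *args):
            pass
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(Quiet, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def self_test():
    """Offline dry run: the served directory passes, a different directory
    fails with 404 (the wrong -w case). Returns both (ok, detail) pairs."""
    good, bad = tempfile.mkdtemp(), tempfile.mkdtemp()
    server, base = start_local_server(good)
    try:
        return preflight_webroot(good, base), preflight_webroot(bad, base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. preflight.py /var/www/html http://first.domain.com
        ok, detail = preflight_webroot(sys.argv[1], sys.argv[2])
        print(detail)
        sys.exit(0 if ok else 1)
    for ok, detail in self_test():
        print("PASS" if ok else "FAIL", detail)
```

Run it as `python3 preflight.py /var/www/html http://first.domain.com` for each -d name; exit status 0 means the challenge path is reachable the way certbot will use it. With no arguments it runs the offline dry run against a throwaway local server.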
Title: Re: How to LetsEncrypt for fun and profit
Post by: Neustradamus on November 07, 2018, 11:10:07 pm
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836
Title: Re: How to LetsEncrypt for fun and profit
Post by: efarayenkay on November 12, 2018, 12:10:54 am
I have created a ticket for Let's Encrypt support:
-> https://github.com/zentyal/zentyal/issues/1836

If I could work out how to do that, I would write a module for this.  Annoyingly, the development documentation is extremely fragmented and out of date.
Title: Re: How to LetsEncrypt for fun and profit
Post by: Neustradamus on November 15, 2018, 01:26:23 am
It would be nice to have a module adapted from "Zentyal CA".
And that all modules use /etc/letsencrypt/live/... directly (not a copy like here).
The last folder must have software user rights on it.

Look topics:
- https://forum.zentyal.org/index.php/topic,31228.msg109126.html#msg109126
- https://forum.zentyal.org/index.php/topic,28251.msg109125.html#msg109125
- https://forum.zentyal.org/index.php/topic,31231.msg109124.html#msg109124
- https://forum.zentyal.org/index.php/topic,30948.msg109123.html#msg109123
- https://forum.zentyal.org/index.php/topic,30675.msg109122.html#msg109122
- https://forum.zentyal.org/index.php/topic,31781.msg109121.html#msg109121
- https://forum.zentyal.org/index.php/topic,31782.msg109119.html#msg109119
- https://forum.zentyal.org/index.php/topic,31085.msg109113.html#msg109113
- https://forum.zentyal.org/index.php/topic,32374.msg109110.html#msg109110
Title: Re: How to LetsEncrypt for fun and profit
Post by: demol on February 14, 2019, 08:48:03 pm
Hello all,

I understand the changes that have to be made when it is a single domain, but when I have several domains it does not work for me. Can you please explain it to me?

Thank you!

Best regards,
Demol
Title: Re: How to LetsEncrypt for fun and profit
Post by: davidjm on May 17, 2019, 04:18:21 pm
Ran straight into an issue with this as in my install (4.2.12), when I run sudo apt-get install letsencrypt I get E: Unable to locate package letsencrypt

I have tried enabling universe (sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe" or sudo add-apt-repository universe) and both return sudo: add-apt-repository: command not found

My install reports being completely up to date.

Assuming I can get past this, I tried opening /etc/apache2/sites-enabled/default-ssl.conf. I do have a default.conf but nothing about SSL.

I do however have an SSL directory in /etc:

/etc/ssl$ ls
certs  openssl.cnf  private

Surely there must be a decent resource on getting letsencrypt working with Zentyal?

Thanks, David
Title: Re: How to LetsEncrypt for fun and profit
Post by: royceb on May 18, 2019, 06:47:49 pm
There is - stop using it.  Zen is a joke when it comes to actually updating/responding to these things.  If you don't have an active support agreement SOL is pretty much where you are at.  Nethserver has this feature built in with a 1 click setup.
Title: Re: How to LetsEncrypt for fun and profit
Post by: davidjm on May 24, 2019, 09:20:02 am
Thanks Royceb, is there an easy migration path?
Title: Re: How to LetsEncrypt for fun and profit
Post by: davidb on October 07, 2019, 05:09:41 pm
So I used the instructions provided and my webadmin instance is still using the CA provided cert not the LE cert.

What or where is the conf file that specifies the SSL information for the webadmin interface?
Title: Re: How to LetsEncrypt for fun and profit
Post by: doncamilo on October 08, 2019, 02:30:04 pm
 
So I used the instructions provided and my webadmin instance is still using the CA provided cert not the LE cert.

What or where is the conf file that specifies the SSL information for the webadmin interface?

:)

First, do you own a domain? Your Zentyal server is connected to the Internet through a router/firewall?

This could be useful: https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/

Cheers!
Title: Re: How to LetsEncrypt for fun and profit
Post by: davidb on October 10, 2019, 04:37:33 pm
Hi,
Yes, I own my domain and it's resolving successfully. Let's Encrypt is working, as the co-hosted CMS and rocketchat are able to negotiate and update their SSL cert.

It's when I try to use the webadmin interface to test the email server that the incorrect SSL cert is being used.

Title: Re: How to LetsEncrypt for fun and profit
Post by: doncamilo on October 10, 2019, 05:17:21 pm
:)

Zentyal webadmin uses nginx instead of apache2. Did you configure it in order to use Let's Encrypt?

Cheers!
Title: Re: How to LetsEncrypt for fun and profit
Post by: davidb on October 11, 2019, 02:24:58 pm
I followed the instructions from the OP.

Are there additional steps required?
Title: Re: How to LetsEncrypt for fun and profit
Post by: doncamilo on October 14, 2019, 10:34:46 am
The OP explains how he installed Let's Encrypt in apache2. Nginx requires a similar process. I would like to do a tutorial about this topic. It could be pasted here this week if I have the time.

Cheers!


Title: Re: How to LetsEncrypt for fun and profit
Post by: davidb on October 14, 2019, 11:11:24 pm
The OP explains how he installed Let's Encrypt in apache2. Nginx requires a similar process. I would like to do a tutorial about this topic. It could be pasted here this week if I have the time.

Cheers!

I think we're talking past each other here; I followed the instructions posted above but my mail server and webadmin server are still pointing to the local CA cert not the LE cert.

As I understood the OP and instructions, the steps I took should have copied over the LE certs and replaced the snake-oil certs.

In my posting I actually specifically asked "where is the conf file that specifies the SSL information for the webadmin interface?" as I'm not seeing where those configurations are made.

Title: Re: How to LetsEncrypt for fun and profit
Post by: doncamilo on October 16, 2019, 04:50:48 pm
:)

Looking for the file of configuration:

Code:
sudo ps aux | grep nginx
root      1595  0.0  0.1  33204  3196 ?        Ss   10:05   0:00 nginx: master process /usr/sbin/nginx -c /var/lib/zentyal/conf/nginx.conf
# ...

The content of the file is:

Code:
...
server {
        listen 8443;

        ssl on;
        ssl_certificate /var/lib/zentyal/conf/ssl/ssl.pem;
        ssl_certificate_key /var/lib/zentyal/conf/ssl/ssl.pem;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";
        ssl_prefer_server_ciphers on;

        access_log /var/log/zentyal/access.log;

        root /usr/share/zentyal/www;
...

But remember you have to do the customizations in the respective stub.

Read this: https://doc.zentyal.org/en/appendix-c.html#stubs

Cheers!

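The nginx.conf excerpt above points both ssl_certificate and ssl_certificate_key at the single file /var/lib/zentyal/conf/ssl/ssl.pem, which is why copying fullchain.pem and privkey.pem over the Apache snakeoil files (the OP's script) never touches the webadmin certificate: the webadmin needs one file holding both key and chain. The following is an added example, not code from the thread or from Zentyal, that installs certbot's output into both places at once: separate cert and key for Apache, and a combined key-then-chain file for nginx, with the copy done through a same-directory temp file and rename so no reader ever sees a half-written key, the key files set to 0600 before they appear, and a structural PEM check that refuses swapped or mixed-up inputs. The key-then-chain layout of ssl.pem and the file names under /etc/letsencrypt/live/ are assumptions; whether Zentyal rewrites ssl.pem from its own templates is not covered by the thread, so do as doncamilo says and check the stub before relying on a direct write. The PEM sample in the block is constructed text, not real key material, and reloading the services afterwards is left to the caller.

```python
#!/usr/bin/env python3
"""Install Let's Encrypt files for Apache (separate cert/key) and for the
combined ssl.pem that Zentyal's webadmin nginx reads key and chain from.
Only PEM structure (block labels and order) is checked, not signatures."""
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample input (not a real key or certificates), in the shape of
# certbot's fullchain.pem (leaf + intermediate) and privkey.pem.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFxxxxCONSTRUCTEDxxxx\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATExxxxCONSTRUCTEDxxxx\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEYxxxxCONSTRUCTEDxxxx\n-----END PRIVATE KEY-----\n"


def pem_blocks(text):
    """All (label, block_text) pairs in a PEM file, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_pair(fullchain, privkey):
    """Refuse to overwrite anything unless the inputs look like a chain file
    and a key file. Returns (chain_blocks, key_block) or raises ValueError."""
    chain, keys = pem_blocks(fullchain), pem_blocks(privkey)
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("fullchain must contain only CERTIFICATE blocks")
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        raise ValueError("privkey must contain exactly one private key block")
    return chain, keys[0]


def combined_pem(fullchain, privkey):
    """One-file form: key, then leaf, then intermediates (assumed ssl.pem layout)."""
    chain, key = check_pair(fullchain, privkey)
    return "\n".join([key[1]] + [block for _, block in chain]) + "\n"


def atomic_write(path, data, mode):
    """Write to a temp file in the target directory, chmod it, then rename it
    over the target, so the new file is never visible half-written or too open."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".new-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def install(live_dir, apache_cert, apache_key, zentyal_pem=None):
    """Copy when <live_dir>/fullchain.pem is newer than the installed cert (the
    OP's -nt test). Returns True if files were written. Keys get 0600; relax
    to 0640 only if a service reads its key as an unprivileged user."""
    src_cert = os.path.join(live_dir, "fullchain.pem")
    src_key = os.path.join(live_dir, "privkey.pem")
    if os.path.exists(apache_cert) and os.path.getmtime(src_cert) <= os.path.getmtime(apache_cert):
        return False
    with open(src_cert) as fh:
        fullchain = fh.read()
    with open(src_key) as fh:
        privkey = fh.read()
    combined = combined_pem(fullchain, privkey)  # validates both inputs first
    atomic_write(apache_cert, fullchain, 0o644)
    atomic_write(apache_key, privkey, 0o600)
    if zentyal_pem:
        atomic_write(zentyal_pem, combined, 0o600)
    return True


def demo():
    """Offline run against the constructed sample in a scratch directory;
    returns what happened so the behaviour can be checked without root."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live")
    os.makedirs(live)
    with open(os.path.join(live, "fullchain.pem"), "w") as fh:
        fh.write(SAMPLE_CHAIN)
    with open(os.path.join(live, "privkey.pem"), "w") as fh:
        fh.write(SAMPLE_KEY)
    cert, key, pem = (os.path.join(root, n) for n in ("snakeoil.pem", "snakeoil.key", "ssl.pem"))
    first = install(live, cert, key, pem)
    second = install(live, cert, key, pem)  # nothing newer: must be a no-op
    try:
        check_pair(SAMPLE_KEY, SAMPLE_CHAIN)  # swapped arguments must be refused
        swapped_refused = False
    except ValueError:
        swapped_refused = True
    with open(pem) as fh:
        combined = fh.read()
    return {"first": first, "second": second, "swapped_refused": swapped_refused,
            "combined": combined, "key_mode": oct(os.stat(key).st_mode & 0o777)}


if __name__ == "__main__":
    print(demo())
```

On a real box the call would be install("/etc/letsencrypt/live/first.domain.com", "/etc/ssl/certs/ssl-cert-snakeoil.pem", "/etc/ssl/private/ssl-cert-snakeoil.key", "/var/lib/zentyal/conf/ssl/ssl.pem") run as root from the same cron entry as the OP's script, followed by whatever reload the services need.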
Title: Re: How to LetsEncrypt for fun and profit
Post by: Neustradamus on January 18, 2021, 06:04:42 am
My first ticket for Let's Encrypt support, https://github.com/zentyal/zentyal/issues/1836, has been closed by the Zentyal Team.

I have created a second ticket for Let's Encrypt support which has been closed by Zentyal Team too.

I have created a third ticket for Let's Encrypt support; can you like or comment on it?
- https://github.com/zentyal/zentyal/issues/2015
Title: Re: How to LetsEncrypt for fun and profit
Post by: shoppc on June 19, 2021, 07:50:28 pm
Thanks for creating the post showing how to setup letsencrypt etc.  However, I am a linux noob, and a zentyal noob and I think many people would appreciate a little more detail on the instructions provided, at least I would.

My installation is the community edition Zentyal 7.0.4 - It's running great, I have a Windows 10 machine joined to the 'domain' and email via SOGo works.  However I cannot get my head around the way certificates are installed/setup in Zentyal.

My background is in IT support, and whilst I don't fully grasp every facet of SSL certificate implementation, I have installed certificates on a variety of platforms (mainly Windows Server, Exchange, IIS etc.), using wildcard certs, and find the process reasonably simple.  Linux/Zentyal however seems a black art.  For every iteration of Linux, and for all the different services running that might want to use a certificate (Apache, nginx etc.) it seems like a never ending process of config file changes.  Enough of the thicko moaning....

The thing is, and I know it's my lack of knowledge, I cannot tell from the (I'm sure excellent) instructions in the forum here and in Zentyal's own documents how to configure services to use a Let's Encrypt SSL certificate.  I can install letsencrypt, add the repo etc., as per the documentation, but for example, the following command from the manual:

> certbot --apache -m abraham@zentyal-domain.com

...clearly the 'abraham@zentyal-domain.com' needs to change; if I want to set up the certificate for the SOGo webmail service, what should this be?

The documentation instruction seems to be completely different than those posted here too...(https://forum.zentyal.org/index.php/topic,32351.msg112718.html#msg112718), with the final notes in the official documentation reading:

"When the certificate has been correctly issued and stored on your Zentyal Server, the next step is to configure the services to use this certificate. Below you can find some of the most common paths used to establish the certificate:"

But what are you supposed to do in those paths to establish the certificates?  It's a little confusing!  I'm used to just opening a GUI control, choosing the installed certificate and confirming it's use in that 'service'.

I think I understand that the process pulls down a certificate, stores it in maybe /etc/certs (but I don't really know), and then you are supposed to make numerous config changes to make use of the certificates - but I'm lost!

Also, from the web admin, I really don't understand the process, it doesn't seem to have any options to say select 'webmail' as the service, and choose the certificate for that service.  It kinda looks like you can create certificates signed by the server (so not CA approved by clients), and assign them - but 'Editing certificate' does not mean 'applying' so I really don't understand what this GUI feature is actually doing (again me being thick), and the documentation really doesn't explain - it's almost like you need to know what it's doing to understand what the documentation is telling you!

Apologies if this all sounds like a moan - I'm just frustrated, and really I do this for a job (although very much a jack of all, master of none), but Linux/Zentyal just seems so difficult to get my head round - will there ever be a certmgr equivalent tool that devs can utilise to simplify install and usage of certificates for people like me?

Anyway, I guess I'm asking for someone to produce a video or document with step by step instructions with explanations of what the commands do (simple), and what elements are to be tailored for an individual's setup (back to my question, why does the certbot apache command above require what looks like an email address when you are trying to apply SSL to a host/domain).

I'm pretty sure I'll be high maintenance with the responses, and me being so dim - but if anyone who has the time could respond, maybe we could email/PM to get me on the right track, or perhaps if you want the fame and er um 'fortune' post a YouTube video of the whole process of applying a free Let's Encrypt cert on Zentyal 7 for the admin console and SOGo webmail etc. - that would be awesome and frankly you would become a legend on these forums (according to me anyway).

Thank you for making it to the end of this post!