Zentyal Forum, Linux Small Business Server
Zentyal Server => Email and Groupware => Topic started by: kzchico on June 26, 2017, 12:44:06 pm
-
When are you going to enable integration of Letsencrypt and 3rd party certificates without us tinkering around with the config files?
-
In the meantime there is a simple script solution for zentyal 5 at https://www.std-soft.com/hm-service/code/28-zentyal-mit-zertifikat-von-letsencrypt-fit-machen
The script is meant for /usr/local/sbin/ and should do what is necessary for the official services; just make it executable and run it once interactively.
-
The script was exactly what I was looking for, but could you modify it for nginx and not apache, please?
-
If you mean the web admin page then you could edit /usr/share/zentyal/stubs/core/nginx.conf.mas.
Edit the ssl certificate lines to read:
ssl_certificate /etc/letsencrypt/live/<my_Domain_Name>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<my_Domain_Name>/privkey.pem;
A more permanent way to do this is to use hooks; see http://blogs.zentyal.org/jacalvo/2011/01/04/how-to-customize-the-configuration-files-generated-by-zentyal/comment-page-1/
If you are using nginx in other ways edit /etc/nginx/snippets/snakeoil.conf similarly.
-
The script has changed to also reload nginx.
@half_life: Sorry, but I disagree with "A more permanent way to do this is to use hooks".
After some years of Zentyal experience I noticed that mas files and configs can change. The way I'm using/suggesting is not bound to a release but does the system part independently. If you are focused on the "right way" and can keep an eye on it every time an update occurs, then you are right ;)
-
There are problems with the script.
root@server:/home/xxxxxxxxxx# nano /usr/local/sbin/check-letsencrypt
root@server:/home/xxxxxxxxxx# chmod 750 /usr/local/sbin/check-letsencrypt
root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
Update script installed at /etc/cron.daily/letsencrypt-check
No installation of letsencrypt, and if I install it manually:
root@server:/home/xxxxxxxxxx# /usr/local/sbin/check-letsencrypt
/usr/bin/letsencrypt
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
Dovecot reloaded ...
Checking postfix cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cat: /etc/letsencrypt/live/xxx.xxxx.xxx/privkey.pem: No such file or directory
postfix/postfix-script: refreshing the Postfix mail system
Postfix reloaded ...
Checking apache cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
cp: target '"s#/certs/#/private/#".key' is not a directory
Apache reloaded ...
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)
There are:
- webadmin (nginx)
- sogo (apache2)
- postfix
- dovecot
- vsftpd
- ejabberd
- freeradius
- virt
-
I have created a ticket for the Let's Encrypt support.
-> https://github.com/zentyal/zentyal/issues/1836
-
Checking dovecot cert status - cp: cannot stat '/etc/letsencrypt/live/xxx.xxxx.xxx/fullchain.pem': No such file or directory
Usually this means there are no certificates generated - check the contents of the directory /etc/letsencrypt/live/
Due to the nature of letsencrypt, this can have many reasons:
- is your http reachable from the internet on port 80? (maybe a forward from your router if you are NATed)
- does directory /var/www/html/.well-known exist?
- check with letsencrypt manually
Suggestions for the script are welcome - or maybe your request finds its way into the product. ;)
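The checks listed in this post, written up as an added example that is not the std-soft script from the thread: it verifies that the Let's Encrypt live files and the .well-known webroot exist before anything is copied or reloaded, and derives the target key path inside a command substitution, which is the shape the posted cp error ('"s#/certs/#/private/#".key' used as a literal target) suggests was missing. The LE_ROOT default, the example.test domain and the /certs/ to /private/ layout are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not the std-soft script discussed in the thread.
# Assumptions: Let's Encrypt lives under LE_ROOT (default /etc/letsencrypt),
# and a service's private key sits beside its cert with /certs/ -> /private/.

: "${LE_ROOT:=/etc/letsencrypt}"

# Paths certbot/letsencrypt writes for a renewed certificate.
le_fullchain() { printf '%s/live/%s/fullchain.pem\n' "$LE_ROOT" "$1"; }
le_privkey()   { printf '%s/live/%s/privkey.pem\n'   "$LE_ROOT" "$1"; }

# Map /path/certs/name.pem -> /path/private/name.key.
# The sed runs inside $(...), so callers get a real path, not the expression.
derive_key_path() {
  printf '%s\n' "$1" | sed -e 's#/certs/#/private/#' -e 's#\.pem$#.key#'
}

# Return 0 only when both live files exist and are non-empty; name what is missing.
check_le_files() {
  domain=$1
  rc=0
  for f in "$(le_fullchain "$domain")" "$(le_privkey "$domain")"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# The webroot check from the troubleshooting list: the HTTP-01 challenge
# directory must exist under the document root that answers on port 80.
check_webroot() { [ -d "$1/.well-known" ]; }

# Copy cert and key into a service's store only after the checks pass, so the
# service is never reloaded with a missing certificate as in the posted output.
# The private key is installed with mode 0600 (assumed policy, not the thread's).
install_cert() {
  domain=$1; target_cert=$2
  check_le_files "$domain" || return 1
  target_key=$(derive_key_path "$target_cert")
  install -m 0644 "$(le_fullchain "$domain")" "$target_cert" || return 1
  install -m 0600 "$(le_privkey "$domain")" "$target_key" || return 1
}
```

Run check_le_files and check_webroot first; only when both succeed does it make sense to call install_cert and then reload dovecot, postfix, apache or nginx, so a renewal that silently failed does not leave a service restarted with no certificate.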
-
I think we need to create a group/user with rights for it,
and replace the old cert links with the new letsencrypt links.
-
Hello Markus,
Thank you very much for the script!
I am new to zentyal and I need to manage the emails of two small domains. Please clarify some doubts:
1. Does the script work for more than 1 domain?
2. After executing the script, if all goes well, will the customer's email services recognize the certificate correctly?
Thank you.
Best regards,
Demol
-
Sorry for late reply!
1. Does the script work for more than 1 domain?
2. After executing the script, if all goes well, will the customer's email services recognize the certificate correctly?
1. As you're using letsencrypt, it will work with more domains/hosts (alternate names), and as long as the http(!) request reaches your letsencrypt setup (.well-known...), you are free to combine host/domain names.
2. All services are using the certificate and shall/will be restarted upon renewal (should be done within the script).
So far the script is active on several systems with no problems or dropouts.
-
Does the script function OK on Zentyal 4?
-
Hello Markus,
The script you have put forward, does it work on Zentyal 6.01? I would not like to break anything on our Zentyal 6.01 mail server, but our staff are not happy about the certificate showing the CN as mail01.zentyal-domain.lan and therefore showing the "Not secure" message in the browser when using SOGo. Now I understand that because the certificate is self-assigned it creates the CN as hostname.zentyal-domain.lan. I notice too that the certificate DNS shows the same. When the certificate is generated through the Zentyal UI the correct common name is entered but not created as expected.
I would really be glad if there was the capability to set up, say, Let's Encrypt via the Zentyal UI. Can someone help, as I am certain many have had similar issues?
-
Since my first ticket for Let's Encrypt support: https://github.com/zentyal/zentyal/issues/1836 (it has been closed by the Zentyal Team).
I have created a second ticket for Let's Encrypt support, which has been closed by the Zentyal Team too.
I have created a third ticket for Let's Encrypt support; can you like or comment on it?
- https://github.com/zentyal/zentyal/issues/2015