Difference between revisions of "Cool Solution - Let's Encrypt"

From Univention Wiki

(Initial creation)
 
(Page update)
Line 2: Line 2:
 
{{Cool Solutions Disclaimer|Repository=yes}}
 
{{Cool Solutions Disclaimer|Repository=yes}}
 
{{Review-Status}}
 
{{Review-Status}}
This article explains how to install the small Let's Encrypt client "ACME" using a wrapper package, which UCR variables must be configured and how to obtain the certificates.
+
This article explains how to install a small Let's Encrypt client using the "ACME" protocoll by running a wrapper script, which UCR variables must be configured and how to obtain the certificates.
  
 
__TOC__
 
__TOC__
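Review bot: the rewritten intro line (the `+` line) introduces a spelling error, "protocoll" should be "protocol". The new wording is otherwise an improvement over the old one, since it names ACME as the protocol rather than as the client, so keep it and only fix the spelling: `This article explains how to install a small Let's Encrypt client using the "ACME" protocol by running a wrapper script, which UCR variables must be configured and how to obtain the certificates.`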
Line 14: Line 14:
 
== Prerequisite ==
 
== Prerequisite ==
 
The package brings a new UCR variable which is read by the wrapper script from <code>univention-letsencrypt</code>:
 
The package brings a new UCR variable which is read by the wrapper script from <code>univention-letsencrypt</code>:
{| class=wikitable"
+
{| class="wikitable"
 
|-
 
|-
|!UCR Variable || Description || Example
+
!UCR Variable                             || Description                                                                                             || Example
 
|-
 
|-
|letsencrypt/domains || Public reachable FQDN || server.example.com
+
|<code>letsencrypt/services/apache2</code> || Whether the Apache2 webserver should be configured automatically or not, valid values are "Yes" or "No" ||
 +
|-
 +
|<code>letsencrypt/services/postfix</code> || Whether the postfix service should be configured automatically or not, valid values are "Yes" or "No"  ||
 +
|-
 +
|<code>letsencrypt/services/dovecot</code> || Whether the dovecot service should be configured automatically or not, valid values are "Yes" or "No"  ||
 +
|-
 +
|<code>letsencrypt/domains</code>          || Public reachable FQDN                                                                                   || server.example.com
 
|}
 
|}
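Review bot: the table now lists four variables, but the unchanged sentence above it still says "brings a new UCR variable" (singular); it should read "brings new UCR variables which are read by the wrapper script". The three added `letsencrypt/services/*` rows leave the Example column empty although the description states the valid values, so putting `Yes` or `No` there would make the table self-explanatory. In the `letsencrypt/domains` row, "Public reachable FQDN" should read "Publicly reachable FQDN". The corrections to `class="wikitable"` and to the header row (`!` instead of `|!`) are right; without them the table did not render.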
  
Line 26: Line 32:
 
The certificate is saved in the directory <code>/etc/univention/letsencrypt</code>.
 
The certificate is saved in the directory <code>/etc/univention/letsencrypt</code>.
  
== Apache2 configuration ==
+
At the end, <code>'''setup-letsencrypt'''</code> checks the three service UCR variables and, if one is found set to "Yes", runs the needed scripts from the <code>setup.d</code> and <code>post-refresh.d</code> directories to configure the Apache2 webserver, postfix, or dovecot. Additional services can be configured by placing appropriate configuration scripts into these directories.
To use the new certificate with the installed Apache server, some '''apache2/ssl''' UCR variables must be set:
 
<syntaxhighlight lang="bash" line="1">
 
ucr set \
 
apache2/ssl/certificate="/etc/univention/letsencrypt/signed.crt" \
 
apache2/ssl/certificatechain="/etc/univention/letsencrypt/chained.pem" \
 
apache2/ssl/key="/etc/univention/letsencrypt/domain.key"
 
</syntaxhighlight>
 
 
 
After the Apache service is restarted the new certificate is used to encrypt the connection.
 
 
 
== Known issues ==
 
Sometimes it can happen that the <code>account.key</code> and <code>domain.key</code> files, created by <code>'''setup-letsencrypt'''</code>, have a wrong ownership. To fix this, run the following command:
 
<syntaxhighlight lang="bash" line="1">
 
chown letsencrypt /etc/univention/letsencrypt/{account,domain}.key
 
</syntaxhighlight>
 
This must be done once.
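Review bot: replacing the "Apache2 configuration" section with the new paragraph on automatic service setup silently drops two pieces of information: the explicit `apache2/ssl/certificate`, `apache2/ssl/certificatechain` and `apache2/ssl/key` settings, and the "Known issues" note about the ownership of `account.key` and `domain.key`. Administrators who keep `letsencrypt/services/apache2` at "No", or who run into the ownership problem, lose that guidance; consider keeping the settings as a "Manual Apache2 configuration" subsection (or stating in the new paragraph that the `setup.d` scripts perform them) and keeping the "Known issues" section. The new paragraph also names `setup.d` and `post-refresh.d` without their location; giving the full path would tell readers where their own configuration scripts have to be placed.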
 

Revision as of 11:45, 8 February 2017

[Product logo: UCS Version 4.1]

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the shown steps.

Also note the legal information under Terms of Service.
Note: This article is not yet reviewed.

This article explains how to install a small Let's Encrypt client using the "ACME" protocol by running a wrapper script, which UCR variables must be configured and how to obtain the certificates.

Installation

Install the package univention-letsencrypt; afterwards the client is ready for configuration:

univention-install univention-letsencrypt

Prerequisite

The package brings new UCR variables which are read by the wrapper script from univention-letsencrypt:

UCR Variable                   Description                                                                                              Example
letsencrypt/services/apache2   Whether the Apache2 webserver should be configured automatically or not; valid values are "Yes" or "No"
letsencrypt/services/postfix   Whether the postfix service should be configured automatically or not; valid values are "Yes" or "No"
letsencrypt/services/dovecot   Whether the dovecot service should be configured automatically or not; valid values are "Yes" or "No"
letsencrypt/domains            Publicly reachable FQDN                                                                                  server.example.com

Obtaining the certificate

Run the script /usr/share/univention-letsencrypt/setup-letsencrypt to automatically register an account, create the needed files and start the certificate creation and validation for the domain saved in the UCR variable letsencrypt/domains. The script installs a cronjob that periodically checks whether the certificate must be renewed. All actions of the script are written to the log file /var/log/univention/letsencrypt.log.

The certificate is saved in the directory /etc/univention/letsencrypt.

At the end, setup-letsencrypt checks the three service UCR variables and, if one is found set to "Yes", runs the needed scripts from the setup.d and post-refresh.d directories to configure the Apache2 webserver, postfix, or dovecot. Additional services can be configured by placing appropriate configuration scripts into these directories.
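Before Apache2, postfix or dovecot are switched over to the new certificate, it pays to verify that the run of setup-letsencrypt produced a consistent set of files: the certificate must belong to the private key, must name the configured domain, must not be about to expire (otherwise the renewal cronjob is not doing its job), and the key must not be world-readable or owned by the wrong user. The script below is an added example written for this article; it is not part of the univention-letsencrypt package. It assumes the file names signed.crt, chained.pem and domain.key in /etc/univention/letsencrypt and the key owner "letsencrypt", both taken from the earlier revision of this article, and it falls back to `ucr get letsencrypt/domains` when no domain is passed on the command line; everything else is plain openssl.

```shell
#!/bin/sh
# Added example (not part of univention-letsencrypt): sanity-check the files
# that setup-letsencrypt writes into /etc/univention/letsencrypt.
# Assumptions: file names signed.crt, chained.pem, domain.key and the key
# owner "letsencrypt" as mentioned in this article; plain openssl otherwise.

CERT_DIR_DEFAULT=/etc/univention/letsencrypt
KEY_OWNER_DEFAULT=letsencrypt
RENEW_WARN_DAYS=30   # the renewal cronjob should have acted well before this

# 0 when all three files exist and are non-empty.
check_files_present() {
    dir=$1
    for f in signed.crt chained.pem domain.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    return 0
}

# 0 when domain.key belongs to the expected user (name or numeric uid) and
# is not readable by group or others.
check_key_ownership() {
    dir=$1; owner=${2:-$KEY_OWNER_DEFAULT}
    case $owner in
        *[!0-9]*) want_uid=$(id -u "$owner" 2>/dev/null) ||
                      { echo "user $owner does not exist" >&2; return 1; } ;;
        *) want_uid=$owner ;;
    esac
    set -- $(ls -ldn "$dir/domain.key")      # fields: mode links uid gid ...
    [ "$3" = "$want_uid" ] ||
        { echo "domain.key owned by uid $3, expected $want_uid" >&2; return 1; }
    case $1 in
        ????------*) return 0 ;;             # group and other have no rights
        *) echo "domain.key mode $1 is too permissive" >&2; return 1 ;;
    esac
}

# 0 when the public key inside signed.crt is the one from domain.key.
check_cert_matches_key() {
    dir=$1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/signed.crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$dir/domain.key" 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    echo "signed.crt does not match domain.key" >&2
    return 1
}

# 0 when signed.crt names the domain, either as a SAN entry or as its CN.
cert_covers_domain() {
    dir=$1; pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -noout -text -in "$dir/signed.crt" |
        grep -qE "DNS:$pat"'([, ]|$)' && return 0
    openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/signed.crt" |
        grep -qE "CN=$pat"'(,|$)'
}

# 0 when signed.crt stays valid for at least $2 (default RENEW_WARN_DAYS) days.
check_cert_expiry() {
    dir=$1; days=${2:-$RENEW_WARN_DAYS}
    openssl x509 -noout -checkend $((days * 86400)) -in "$dir/signed.crt" >/dev/null && return 0
    echo "signed.crt expires within $days days; check the cronjob and /var/log/univention/letsencrypt.log" >&2
    return 1
}

# Run every check. Usage: letsencrypt-check.sh [cert_dir] [domain] [key_owner]
main() {
    dir=${1:-$CERT_DIR_DEFAULT}
    domain=${2:-$(ucr get letsencrypt/domains 2>/dev/null)}
    owner=${3:-$KEY_OWNER_DEFAULT}
    status=0
    check_files_present "$dir" || return 1   # nothing else can be checked
    check_key_ownership "$dir" "$owner" || status=1
    check_cert_matches_key "$dir" || status=1
    cert_covers_domain "$dir" "$domain" ||
        { echo "signed.crt does not cover '$domain'" >&2; status=1; }
    check_cert_expiry "$dir" || status=1
    [ "$status" -eq 0 ] && echo "OK: $dir holds a consistent certificate for $domain"
    return "$status"
}

# Only run when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

On a UCS system the call is `sh letsencrypt-check.sh /etc/univention/letsencrypt`, which takes the domain from the UCR variable; a non-zero exit status with a message on stderr means the files should not be handed to the services yet. The expiry check deliberately uses a 30-day window rather than "still valid today": Let's Encrypt certificates are short-lived, so a certificate that is valid but has not been renewed recently is the first sign that the cronjob or the log file needs attention.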
