Difference between revisions of "Cool Solution - Let's Encrypt"

From Univention Wiki

(Initial creation)
 
(move to App Center)
 
(16 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Version|UCS=4.1}}
+
{{#seo:
{{Cool Solutions Disclaimer|Repository=yes}}
+
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}}
{{Review-Status}}
+
<!--|description=-->
This article explains how to install the small Let's Encrypt client "ACME" using a wrapper package, which UCR variables must be configured and how to obtain the certificates.
+
}}
  
__TOC__
+
Let's Encrypt has been moved to the Univention App Center and can be reached under https://www.univention.com/products/univention-app-center/app-catalog/letsencrypt/.
 
 
== Installation ==
 
After installing the package <code>univention-letsencrypt</code> the client is ready for configuration:
 
<syntaxhighlight lang="bash" line="1">
 
univention-install univention-letsencrypt
 
</syntaxhighlight>
 
 
 
== Prerequisite ==
 
The package brings a new UCR variable which is read by the wrapper script from <code>univention-letsencrypt</code>:
 
{| class=wikitable"
 
|-
 
|!UCR Variable || Description || Example
 
|-
 
|letsencrypt/domains || Public reachable FQDN || server.example.com
 
|}
 
 
 
== Obtaining the certificate ==
 
Run the script <code>'''/usr/share/univention-letsencrypt/setup-letsencrypt'''</code> to automatically register an account, create the needed files and start the certificate creation and validation for the domain saved in the UCR variable '''letsencrypt/domains'''. The script installs a cronjob that periodically checks if the certificate must be renewed. All actions from the script are written into a the log file <code>/var/log/univention/letsencrypt.log</code>.
 
 
 
The certificate is saved in the directory <code>/etc/univention/letsencrypt</code>.
 
 
 
== Apache2 configuration ==
 
To use the new certificate with the installed Apache server, some '''apache2/ssl''' UCR variables must be set:
 
<syntaxhighlight lang="bash" line="1">
 
ucr set \
 
apache2/ssl/certificate="/etc/univention/letsencrypt/signed.crt" \
 
apache2/ssl/certificatechain="/etc/univention/letsencrypt/chained.pem" \
 
apache2/ssl/key="/etc/univention/letsencrypt/domain.key"
 
</syntaxhighlight>
 
 
 
After the Apache service is restarted the new certificate is used to encrypt the connection.
 
 
 
== Known issues ==
 
Sometimes it can happen that the <code>account.key</code> and <code>domain.key</code> files, created by <code>'''setup-letsencrypt'''</code>, have a wrong ownership. To fix this, run the following command:
 
<syntaxhighlight lang="bash" line="1">
 
chown letsencrypt /etc/univention/letsencrypt/{account,domain}.key
 
</syntaxhighlight>
 
This must be done once.
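
Review bot: the replacement body is a single sentence pointing at the App Center, so the removed "Known issues" step (chown letsencrypt on account.key and domain.key under /etc/univention/letsencrypt) and the apache2/ssl UCR settings disappear with no note for hosts that still run the univention-letsencrypt package. Consider keeping a short line under the redirect for existing installs, or marking the old instructions as archived instead of deleting them. In the new {{#seo: block, each #replace in the title maps a character to itself as shown here ('|', &|&, "|"); if the intent is to escape those characters, spell the target entities out, and either fill in or drop the commented-out description line.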
 

Latest revision as of 09:44, 11 October 2018

Let's Encrypt has been moved to the Univention App Center and can be reached under https://www.univention.com/products/univention-app-center/app-catalog/letsencrypt/.
