Cool Solution - Let's Encrypt

From Univention Wiki

Revision as of 16:12, 7 February 2017 by Denissen (talk | contribs) (Initial creation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Produktlogo UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.
Note: This article is not yet reviewed.

This article explains how to install the small Let's Encrypt client "ACME" using a wrapper package, which UCR variables must be configured and how to obtain the certificates.


After installing the package univention-letsencrypt the client is ready for configuration:

1 univention-install univention-letsencrypt


The package brings a new UCR variable which is read by the wrapper script from univention-letsencrypt:

!UCR Variable Description Example
letsencrypt/domains Public reachable FQDN

Obtaining the certificate

Run the script /usr/share/univention-letsencrypt/setup-letsencrypt to automatically register an account, create the needed files and start the certificate creation and validation for the domain saved in the UCR variable letsencrypt/domains. The script installs a cronjob that periodically checks if the certificate must be renewed. All actions from the script are written into a the log file /var/log/univention/letsencrypt.log.

The certificate is saved in the directory /etc/univention/letsencrypt.

Apache2 configuration

To use the new certificate with the installed Apache server, some apache2/ssl UCR variables must be set:

1 ucr set \
2 apache2/ssl/certificate="/etc/univention/letsencrypt/signed.crt" \
3 apache2/ssl/certificatechain="/etc/univention/letsencrypt/chained.pem" \
4 apache2/ssl/key="/etc/univention/letsencrypt/domain.key"

After the Apache service is restarted the new certificate is used to encrypt the connection.

Known issues

Sometimes it can happen that the account.key and domain.key files, created by setup-letsencrypt, have a wrong ownership. To fix this, run the following command:

1 chown letsencrypt /etc/univention/letsencrypt/{account,domain}.key

This must be done once.

Personal tools