Cool Solution - Let's Encrypt
From Univention Wiki
This article explains how to install a small Let's Encrypt client that uses the ACME protocol and is run through a wrapper script, which UCR variables must be configured, and how to obtain the certificates.
After installing the package univention-letsencrypt, the client is ready for configuration:
univention-install univention-letsencrypt
The package brings new UCR variables which are read by the wrapper script from univention-letsencrypt. By default, letsencrypt/domains is empty and letsencrypt/services/* are set to 'no'.
||Whether the Apache2 webserver should be configured automatically or not, valid values are "Yes" or "No"|
||Whether the postfix service should be configured automatically or not, valid values are "Yes" or "No"|
||Whether the dovecot service should be configured automatically or not, valid values are "Yes" or "No"|
||A list of DNS names on which the server is reachable, separated by spaces||service1.example.com service2.example.com|
Obtaining the certificate
Run the script /usr/share/univention-letsencrypt/setup-letsencrypt to automatically register an account, create the needed files, and start certificate creation and validation for the domains saved in the UCR variable letsencrypt/domains. The script installs a cron job that periodically checks whether the certificates must be renewed. All actions from the script are written into the log file
The certificate is saved in the directory
At the end, setup-letsencrypt checks the three service UCR variables and, if one is found set to "Yes", runs the needed scripts from the post-refresh.d directories to configure the Apache2 webserver, postfix, or dovecot. Additional services can be configured by placing appropriate configuration scripts into these directories.
When the list of domains in letsencrypt/domains changes and setup-letsencrypt is run again, a prompt asks whether to delete the current CSR file, which is then recreated from the new content of the UCR variable.
The lifetime of the certificates issued by Let's Encrypt is limited to 90 days. By default, a cron job of univention-letsencrypt will update the certificate on the first day of every month at 3:30 am. Services (like postfix, dovecot, apache) that have been set up via univention-letsencrypt will be restarted automatically during this process.
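As an added example (not part of univention-letsencrypt or the original article), the following script checks that a certificate covers every name in letsencrypt/domains and stays valid for 31 days, the longest gap between two monthly renewal runs. The certificate path is passed as an argument because this page does not state it; the function names are illustrative.

```shell
#!/bin/sh
# Added example: verify that a certificate matches letsencrypt/domains and
# will survive until the next monthly renewal run.
# Usage (assumed script name): check-le-cert.sh /path/to/cert.pem

# Print every DNS name from the space-separated list $2 that is missing
# from the subjectAltName entries of certificate file $1 (exact match).
cert_missing_domains() {
    cert=$1
    sans=$(openssl x509 -in "$cert" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    for name in $2; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Succeed if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Compare the certificate against the UCR variable and the renewal interval.
check_cert() {
    cert=$1
    domains=$(ucr get letsencrypt/domains)
    missing=$(cert_missing_domains "$cert" "$domains")
    status=0
    if [ -n "$missing" ]; then
        # Happens when the domain list changed but the CSR was not recreated.
        echo "not covered by $cert:" $missing >&2
        status=1
    fi
    # The cron job runs once a month, so at least 31 days must remain.
    if ! cert_valid_for_days "$cert" 31; then
        echo "$cert expires before the next monthly renewal run" >&2
        status=1
    fi
    return "$status"
}

if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

A non-zero exit status means that setup-letsencrypt should be run again or that the renewal cron job is not succeeding.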