Browser now 'Refuses to connect'?

Hi All,
After using ClearOS and then trying Zentyal, NethServer, I believe UCS is the right package for us at home.

At this point, I only have my Windows Clients connecting running Win11 and Win10

I am looking to use UCS as AD, OpnSense with ZenArmor (formerly Sensei L2-L7 packet filtering) as firewall-DHCP, and then a Qnap as the fileserver and Additional Domain Controller (for backup).

I have kept coming back to UCS and have used it on and off for a year. A little over a week ago I started seeing ERR_CONNECTION_REFUSED. Neither Edge, Firefox nor Chrome will connect.

I have made sure all Browsers and PC Network settings do not have a proxy, I temporarily disabled PC firewalls, and I can’t seem to get useful information from Browser Dev Tools.

My main box is Win11 using 1GbE and BitDefender (tested off), and unfortunately, I have the same problem on a Win10 laptop; tested with both of its NICs and Wi-Fi.

I can ping the box, I can login via SSH and terminal to it. I can use the VM directly.
I rolled the VM back predating the problem occurring and still the same problem exists. I have checked OpnSense and cannot see anything obvious in the logs.
I would be really grateful for some help to track down this problem.

Thanks ever so much.
Jon

First of all, clear the browser cache.
Is the webserver running on your UCS server?

Morning :slight_smile:

I had checked the browser cache, apologies for missing that in my OP and good call. Apologies for the delay; CLI hasn’t been my bag since DOS 6.22 :wink: so I wanted to look up how to check rather than keep asking questions.

It is Apache2 failing to restart due to letsencrypt not having a certificate filed.

Regrettably, I am certain I caused this problem by choosing the option for ‘testing’, thinking this would remain until manually changed. (I left a comment on the UCS blog for UCS with Let’s Encrypt asking how to run UCS as a true ‘home’ LAN-only system and never got a response.) So I went ahead, tried it in ‘test’, and it worked; at that point.

This server would be for internal LAN only and my thoughts are to only host for us ‘at home’. I still wish for it to send certificates to each machine. I set up Let’s Encrypt, realised the 30-day renewal, and placed it into testing mode, as I do not want to expose ports needlessly; presumably, I could more securely use ACME and Cron in Opnsense later.

I have two networks administrated by Opnsense, IoT and LAN. I own an Internet domain; however, I am not using it. I have a spare computer (awaiting VMs) available on the IoT side of the network for this. I wanted to keep to best practice and keep the LAN side locked down.

I see the below as my options; I would be grateful for any further questions to aid in any advice toward moving down the correct path.

  1. Can I place Let’s Encrypt in a more permanent test mode to get it back up and running, if the effort does not outweigh doing this correctly?
  2. Do I remove Let’s Encrypt for now? If so, could I have some aid, please, as I cannot seem to find any pages on how to do this?
  3. Could I have some aid in doing this correctly via Opnsense to minimise risks, please?
  4. Or, would it be better to set up a VM on the IoT PC and run a UCS read-only server or similar, as perhaps the core of UCS is wholly designed to have internet access, and it would not be easy to run it as a secure and isolated ‘Home’ server?
  • There is no ‘Home’ Category on the forum. Is there any chance one could be created? There are very few options for ‘Home’ Servers, fewer with AD in the Home environment (with at least two struggling), and many HomeLab’ers use PFSense / Opnsense. I would hope it could be helpful to all

My sincere thanks for your reply :smiley:

I finally came across this discussion which provided the command univention-app remove letsencrypt

I have removed Let’s Encrypt, then restarted the Apache2 server with invoke-rc.d apache2 restart.
I now have access again :smiley:

I would be very grateful still to know if you can run UCS as a home only server for email etc. but on the home lan, so it can be used for internal family organising, i.e. shared calendar, emails from parents to kids internally only?

Is it possible to pass certificates from Opnsense to UCS for UCS to distribute?
Or should I use an updating LE list and an updating FQDN list and pass these only through to UCS so that Let’s Encrypt can connect and update every 30 days?

Does UCS need Wan Access in which case

Thanks,
Jon
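
The failure diagnosed in this thread, Apache2 refusing to restart because a certificate file it references is absent, can be checked for before a restart is attempted. The script below is an added example, not part of the original posts or of UCS tooling; the function names are hypothetical, and it assumes absolute paths in the directives and *.conf files in a Debian-style directory such as /etc/apache2/sites-enabled.

```shell
#!/bin/sh
# Added example (not from the thread): report TLS files that Apache's
# configuration references but that are missing or empty on disk.
# Assumptions: absolute paths in the directives; *.conf files under the
# directory passed in (e.g. Debian-style /etc/apache2/sites-enabled).

# Print "Directive path (config file)" for every missing/empty file.
find_missing_tls_files() {
    # -L follows the sites-enabled -> sites-available symlinks.
    find -L "$1" -type f -name '*.conf' | while IFS= read -r conf; do
        # Comment lines never match: their first field starts with "#".
        awk 'tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
                 gsub(/"/, "", $2); print $1, $2 }' "$conf" |
        while read -r directive path; do
            [ -s "$path" ] || printf '%s %s (%s)\n' "$directive" "$path" "$conf"
        done
    done
}

# Return 0 only when every referenced file exists and is non-empty.
tls_files_ok() {
    missing=$(find_missing_tls_files "$1")
    [ -z "$missing" ] && return 0
    printf 'Missing TLS files:\n%s\n' "$missing" >&2
    return 1
}

# Constructed sample: one vhost whose key exists but whose certificate
# was never issued, the situation described in the thread.
make_sample() {
    mkdir -p "$1/sites-enabled" "$1/ssl"
    echo "dummy key" > "$1/ssl/private.key"
    cat > "$1/sites-enabled/default-ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile $1/ssl/old.pem
    SSLCertificateFile "$1/ssl/cert.pem"
    SSLCertificateKeyFile $1/ssl/private.key
</VirtualHost>
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample "$tmp"
    tls_files_ok "$tmp/sites-enabled" || echo "restart would fail"
    rm -rf "$tmp"
fi
```

On the server, `tls_files_ok /etc/apache2/sites-enabled && invoke-rc.d apache2 restart` would only restart Apache once every referenced file is present; `apache2ctl configtest` remains the authoritative check of the whole configuration.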
