Help with Let's Encrypt Issue - Not Applying Cert to Services

Hi All

New to the forum and after some help. We installed the UCS VM some time ago (around 12 - 18 months ago) and it has been working great internally for us. We are looking to expand this out to allow file transfer with external companies and so have looked into using the Let's Encrypt module. Initially we had some issues with our firewall, which we resolved, and we finally got a certificate. Unfortunately the certificate does not seem to apply to the web services, and this is where we need the assistance.

I have to add that we have virtually no Linux experience, so we would need some detailed help to walk us through any processes, but any help at this point would be hugely appreciated.

Thanks
John

I haven’t had any issues like that with Let’s Encrypt. Maybe if you could detail what you’re seeing on the Let’s Encrypt settings page, the Apache logs, and what is happening in the browser, we could offer some kind of help. Anything I offer based on what you’ve posted so far would be a guess in the dark.

Hi Kevo

Thanks for the reply. When I check the Let's Encrypt status it shows the below…

Current status of the App

Certificate refreshed at Fri 9 Oct 10:41:27 BST 2020

I tried to re-apply the settings this morning hence the recent date.

In the browser the cert is showing as the original self-signed Univention SSL cert I set up during the initial setup. Can you link me to an article or advise the best way to pull out the relevant logs? I have very limited Linux knowledge but have SSH access to the virtual appliance.

Thanks
John

Are you logging into the site with a name that matches the Let’s Encrypt cert? What names show up in the settings page of Let’s Encrypt? Is your DNS set up with all the names you use? How do you know your cert is working in the email services?

We have internal and external DNS set up and working for cloud.domain.co.uk; this is also the name I entered into the Let's Encrypt settings. We are not using the mail feature, only the ownCloud solution, which is what I want the cert for really.

We access the site with https://cloud.domain.co.uk and ownCloud is working internally and externally, although at present we have to tell the client to trust the self-signed SSL cert.

We are only forwarding TCP 443 on the firewall for this service, so we know ownCloud is fully working over SSL.

We don’t have or require any other names / domains. Obviously for ownCloud that is simply tagged to the end of the URL, but it is not a subdomain, so I didn’t think it would be needed.

https cloud dot domain dot co dot uk/Owncloud (new user so limited to how many domains I can reference)

As I mentioned, we do not use the mail as we have Exchange on-prem, but I know the Univention cert created in the Univention certificate services is active by checking the cert in the browser or the ownCloud client.

Apologies for the limited info, but as mentioned, Linux is not a strong point for me.

Thanks
John

I’m not sure how you could get the certificate if you are not allowing port 80 through. In that case I would expect an error, though, rather than the "certificate refreshed" message. It seems like there is something else going on, but without the domain info there’s no way for me to investigate from here.

Have you tried restarting the Apache service, or the server itself?

From what you’ve said, it seems like it must still be providing the self-signed cert to the clients.

Is your domain name listed in the Let’s Encrypt settings and the box for Apache checked?

Port 80 must be opened for Let's Encrypt as well as port 443.

You will find the error results in /var/log/univention/letsencrypt.log
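An added check for the situation discussed above (not part of the thread or of Univention's own tooling): it fetches the certificate Apache actually presents on port 443, prints its issuer, and compares its SHA-256 fingerprint with the local Let's Encrypt chain file, so you can tell "certificate was issued" apart from "Apache is serving it". It assumes `openssl` is installed; the `LE_CERT` path is an assumed location for the file written by the UCS Let's Encrypt app, and `cloud.domain.co.uk` stands for your own hostname.

```sh
#!/bin/sh
# Added diagnostic for this thread, not Univention's own tooling: shows whether the
# certificate Apache presents on 443 is the Let's Encrypt one or still the UCS host
# certificate. Assumes openssl is installed. LE_CERT is an assumed location of the
# Let's Encrypt chain file written by the UCS app; adjust it for your installation.
LE_CERT=${LE_CERT:-/etc/univention/letsencrypt/signed_chain.crt}

# SHA-256 fingerprint of a PEM certificate file as 64 lower-case hex characters.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Issuer DN of a PEM certificate file, with the leading "issuer=" removed.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Returns 0 when the issuer names Let's Encrypt, 1 otherwise (UCS CA, self-signed, ...).
issued_by_letsencrypt() {
    case "$(cert_issuer "$1")" in
        *"Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Leaf certificate a TLS server actually presents, as PEM (this one needs the network).
presented_cert() {  # presented_cert host [port]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Compare the presented certificate with the local Let's Encrypt file.
check_host() {  # check_host cloud.domain.co.uk [443]
    tmp=$(mktemp)
    presented_cert "$1" "${2:-443}" >"$tmp" || { rm -f "$tmp"; return 2; }
    echo "presented issuer: $(cert_issuer "$tmp")"
    echo "presented sha256: $(cert_fp "$tmp")"
    echo "LE file sha256:   $(cert_fp "$LE_CERT")"
    if [ "$(cert_fp "$tmp")" = "$(cert_fp "$LE_CERT")" ]; then
        echo "OK: Apache serves the Let's Encrypt certificate"; rc=0
    else
        echo "MISMATCH: Apache serves a different certificate;" \
             "check SSLCertificateFile in the Apache SSL vhost and restart apache2"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Run it on the UCS host as `check_host cloud.domain.co.uk`; a MISMATCH together with a "Certificate refreshed" status means issuance worked but the Apache vhost was not switched to the new file.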

Hi Kevo

Sorry for the delay in responding. The outbound rule allows all traffic from the Univention server; inbound is 443 only, so I will adjust this today to allow 443 & 80.

Hi Monsgrans

Thanks for the info. I will review the logs and drop them in here if I find anything; I am also planning to adjust the firewall to allow 80 and retest.

Thanks both
John

This may be an old topic, but it is still a problem.
UCS 5.0-5 errata813, downloaded the ISO image, running as a VM on Proxmox. Static IP, all ports open (firewall disabled completely, because it is only a test environment).
Installation of Let's Encrypt (no errors), activating the domain, checking all services (postfix, dovecot, apache), no error.
Using the command “update-ca-certificates” as mentioned, no error.
Rebooting the UCS.
Opening the domain, result: unsafe connection (the self-created root certificate from the UCS is still active).

UCS looks soooo easy but seems to be soooo buggy when installations as easy as Let's Encrypt don't work.
