Add second vHost leading to the UCS portal
Question
It might be required to have the portal or UCS system running under a different domain name, which causes issues in the Diagnostics checks (Found invalid certificate '/opt/certs/ucs01.my-great-external-domain.de.fullchain.pem'). In general it's highly recommended to still have your own server name reachable by HTTPS and not simply to change the SSL certificate in the Apache configuration or similar.
$ apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ucs-5680.univention.intranet (/etc/apache2/sites-enabled/default-ssl.conf)
→ the main server certificate has to be for ucs-5680.univention.intranet, not ucs01.my-great-external-domain.de or similar.
How can this be achieved?
Answer
This consists of multiple steps, which I'd like to cover here.
First of all it's important to keep the infrastructure in mind. If your infrastructure is operating as a reverse proxy doing TLS termination and not passthrough / NAT / direct routing, it might make sense to simply let the proxy handle all the work, changing the domain name and thus the certificate. This should be achievable for almost all proxy solutions.
If this is not possible and the configuration on the system is required, first of all make sure you have a valid certificate. If you have your own way of deploying certificates, now is the time to ensure it is present; if not, you can also use the univention-ca to create a certificate:
$ univention-certificate new -name ucs01.my-great-external-domain.de
Next we want to duplicate the /etc/apache2/sites-available/default-ssl.conf the univention way. In this example we will cover the base configuration; further settings can be replicated following the same pattern. The default configuration might look as follows:
<VirtualHost *:443>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/ssl/ucs-5680.univention.intranet/cert.pem
SSLCertificateKeyFile /etc/univention/ssl/ucs-5680.univention.intranet/private.key
SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
[…]
</VirtualHost>
This can be replicated (with an adjusted domain name) as follows:
ucr set apache2/vhosts/ucs01.my-great-external-domain.de/443/enabled=true
ucr set apache2/vhosts/ucs01.my-great-external-domain.de/443/ssl/certificate=/etc/univention/ssl/ucs01.my-great-external-domain.de/cert.pem
ucr set apache2/vhosts/ucs01.my-great-external-domain.de/443/ssl/key=/etc/univention/ssl/ucs01.my-great-external-domain.de/private.key
ucr set apache2/vhosts/ucs01.my-great-external-domain.de/443/files="/etc/apache2/ucs-sites.conf.d/*.conf"
This will generate the following univention-vhost:
<VirtualHost *:443>
ServerName ucs01.my-great-external-domain.de
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.con[f]
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/ssl/ucs01.my-great-external-domain.de/cert.pem
SSLCertificateKeyFile /etc/univention/ssl/ucs01.my-great-external-domain.de/private.key
</VirtualHost>
After restarting Apache, you should be able to reach UCS using both domains (provided they both point to UCS), which makes sure that existing configurations or internal connections still work.
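The two things that go wrong most often with the procedure above are a certificate that does not belong to the key you point the ucr variables at (Apache then refuses to start the vHost) and a certificate whose subjectAltName does not list the external name (browsers ignore the CN, so the warning stays). The following script is an added example, not part of the original answer or of UCS itself: it checks both conditions with the OpenSSL CLI before emitting the ucr commands from the answer, and offers an SNI check to run after the restart. The function names, the script name vhost-preflight.sh and the restart command are assumptions of this example; the ucr variable names and paths are those used in the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer or of UCS: pre-flight checks
# for the second vHost plus a post-restart SNI check.
# Assumptions: the OpenSSL CLI is installed; the function names used here
# (cert_matches_key, cert_covers_name, preflight, ...) are this example's own.

# Return 0 if the public key inside CERT is the one belonging to KEY.
# A cert/key mismatch makes Apache refuse to start the vHost.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Return 0 if NAME is listed as a DNS subjectAltName in CERT.
# Browsers ignore the CN, so only SAN entries count here; wildcard entries
# are deliberately not evaluated (conservative: they fail the check).
cert_covers_name() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
          | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    printf '%s\n' "$san" | grep -Fqx "$2"
}

# Print the four ucr commands from the answer for NAME, CERT and KEY.
vhost_ucr_commands() {
    name=$1; cert=$2; key=$3
    printf 'ucr set apache2/vhosts/%s/443/enabled=true\n' "$name"
    printf 'ucr set apache2/vhosts/%s/443/ssl/certificate=%s\n' "$name" "$cert"
    printf 'ucr set apache2/vhosts/%s/443/ssl/key=%s\n' "$name" "$key"
    printf 'ucr set apache2/vhosts/%s/443/files="/etc/apache2/ucs-sites.conf.d/*.conf"\n' "$name"
}

# Validate the certificate for NAME and, only if it passes, print the ucr
# commands that enable the vHost. On any failure it returns 1 and prints
# nothing to stdout, so its output can safely be piped into sh.
preflight() {
    name=$1; cert=$2; key=$3
    [ -r "$cert" ] || { echo "missing certificate $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing key $key" >&2; return 1; }
    cert_matches_key "$cert" "$key" \
        || { echo "$cert does not belong to $key" >&2; return 1; }
    cert_covers_name "$cert" "$name" \
        || { echo "$cert has no SAN entry for $name" >&2; return 1; }
    vhost_ucr_commands "$name" "$cert" "$key"
}

# After the restart (assumed: systemctl restart apache2): connect to HOST:443
# with SNI NAME and print the subject of the certificate actually served.
# The internal name and the external name should each return their own cert.
served_cert_subject() {
    host=$1; name=$2
    openssl s_client -connect "$host:443" -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage when run directly (arguments are assumptions, adjust to your system):
#   sh vhost-preflight.sh ucs01.my-great-external-domain.de \
#       /etc/univention/ssl/ucs01.my-great-external-domain.de/cert.pem \
#       /etc/univention/ssl/ucs01.my-great-external-domain.de/private.key
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

After the restart, run served_cert_subject once with the internal name and once with the external name; each call should print the subject of the matching certificate. Repeating apache2ctl -t -D DUMP_VHOSTS at that point should still list the internal name as the default server, with the external name as an additional *:443 name-based vHost.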