Import and assigne Letsencrypt certificates to UCS

imap
postfix
letsencrypt

#1

Hi all,

I have a little luxury problem and maybe some one can suggest me a solution for that.
I run the UCS in a VM on a Synology DiskStation 15717+ which works perfect.
The DiskStation (DS) handles also the Letsencrypt Certificates in case it’s easier to forward whit NGINX the SSL Port to the Kopano Webapp and z-push whit sub domains and also in case that several Services also running on the DS whit SSL support
To do it in the other direction was not successful in case the Folder on the DS where not reachable from the UCS and to update the certs was running in the well known error.

Anyway, know I have a user whit a poor SmartPhone, this SmartPhone is not supporting active sync (z-push) and I have to reach IMAP, POP3, Caldav and SMTP etc… through Kopano and UCS.
Is there a way, to import the cert.pem, chain.pem and privkey.pem in to the UCS and assign this to IMAP (can be this connection be encrypted to or is port 143 already encrypted?), POP3, Caldav and SMTP etc…?
Where should it be placed.

Will be great to find a solution, to update the every 3 Month manually is not a great thing.

Best Carmen


#2

any ideas? I looking for a solution but can’t find anything by my self…


#3

Hey,

most services can be configured to use other certificates than the default UCS ones. This is usually done via UCR variables, e.g.

  • for Apache: apache2/ssl/certificate (point to LE’s cert.pem), apache2/ssl/certificatechain (point that to chain.pem) and apache2/ssl/key (privkey.pem)
  • for Postfix: mail/postfix/ssl/certificate (point to fullchain.pem) and mail/postfix/ssl/key (privkey.pem)
  • for mail servers it depends on which mail server solution you’re using (e.g. Dovecot, Kopano…):
    • Dovecot (via univention-mail-dovecot): mail/dovecot/ssl/certificate (fullchain.pem), mail/dovecot/ssl/key (privkey.pem)
    • Kopano: for the IMAP/POP3 gateway they’re kopano/cfg/gateway/ssl_certificate_file (fullchain.pem) and kopano/cfg/gateway/ssl_private_key_file (privkey.pem); there are similar variables for the server process (needed if you use Outlook clients) and the CalDAV gateway

Where you put the files in the file system doesn’t matter all that much as long as the variables point to the right places. You may also have to pay attention to file permissions. Some of the aforementioned servers read the certificates as user root before dropping privileges to some other user (e.g. www-data for Apache). Others, however, may (re-)read the certificates while they’re running as unprivileged users. Kopano, for example, seems to re-read its certificates when it rotates log files, too, and at that point it’s running as kopano:kopano. Therefore the file and directory permissions must allow read access to that user/group.

Kind regards,
mosu