Integrate/distribute certificates from another ACME instance

Hi@all,

I have a question about the SSL certificates within a UCS domain. After a standard installation you will find a local CA that provides self-signed certificates. This can be found on the master under /etc/univention/ssl:

lrwxrwxrwx 1 root            nogroup             18 Feb 15  2022  ap01 -> ap01.lan.example.de
drwxr-x--- 2 root            DC Backup Hosts   4096 Feb 15  2022  ap01.lan.example.de
lrwxrwxrwx 1 root            nogroup             21 Feb 16  2022  cloud01 -> cloud01.lan.example.de
drwxr-x--- 2 cloud01$        DC Backup Hosts   4096 Feb 16  2022  cloud01.lan.example.de
...
lrwxrwxrwx 1 root            nogroup             18 Feb 24 16:18  gw02 -> gw02.lan.example.de
drwxr-x--- 2 gw02$           DC Backup Hosts   4096 Feb 24 16:18  gw02.lan.example.de
...
-rw-rw---- 1 root            DC Backup Hosts   2842 Feb 15  2022  openssl.cnf
lrwxrwxrwx 1 root            nogroup             28 Apr 24 16:20  ox-co-60562282 -> ox-co-60562282.lan.example.de
drwxr-x--- 2 ox-co-60562282$ DC Backup Hosts   4096 Apr 24 16:20  ox-co-60562282.lan.example.de
lrwxrwxrwx 1 root            nogroup             28 Apr 22 18:01  ox-co-92600436 -> ox-co-92600436.lan.example.de
drwxr-x--- 2 ox-co-92600436$ DC Backup Hosts   4096 Apr 22 18:01  ox-co-92600436.lan.example.de
lrwxrwxrwx 1 root            DC Backup Hosts     19 Feb 15  2022  srv01 -> srv01.lan.example.de
drwxr-x--- 2 srv01$          DC Backup Hosts   4096 Mai 22 21:39  srv01.lan.example.de
drwxrwxr-x 6 root            DC Backup Hosts   4096 Apr 25 14:55  ucsCA
drwxr-x--- 2 root            DC Backup Hosts   4096 Feb 15  2022  ucs-sso.lan.example.de
drwxr-x--- 2 root            DC Backup Hosts   4096 Nov 17  2022  ucs-sso-ng.lan.example.de

There is a directory with the following files for each host of the domain:

/etc/univention/ssl/gw02.lan.example.de:
-rw-r----- 1 gw02$ DC Backup Hosts 5521 Feb 24 16:18 cert.pem
-rw-r----- 1 gw02$ DC Backup Hosts 2785 Feb 24 16:18 openssl.cnf
-rw-r----- 1 gw02$ DC Backup Hosts 1679 Feb 24 16:18 private.key
-rw-r----- 1 gw02$ DC Backup Hosts 1285 Feb 24 16:18 req.pem

I understand that these certificates are distributed by the UCS systems within the UCS domain. Is that right?

Take the UCS host ‘gw02.lan.example.de’ as an example. There you will find /etc/univention/ssl:

drwxr-x--- 2 root DC Backup Hosts 4096 Mai 24 07:36 gw02
drwxr-x--- 2 root DC Backup Hosts 4096 Mai 24 07:36 gw02.lan.example.de
drwxrwxr-x 2 root DC Backup Hosts 4096 Mai 24 07:36 ucsCA

and in the directory ‘gw02.lan.example.de’ the same files as on the master within the same directory:

-rw-r----- 1 root DC Backup Hosts 5521 Mai 24 07:36 cert.pem
-rw-r----- 1 root DC Backup Hosts 2785 Mai 24 07:36 openssl.cnf
-rw-r----- 1 root DC Backup Hosts 1679 Mai 24 07:36 private.key
-rw-r----- 1 root DC Backup Hosts 1285 Mai 24 07:36 req.pem

I run ACME on another host (pfSense) which takes care of the certificates and also needs them for the HA proxy. So I can’t run Letsencrypt on the UCS host.

At the pfSense, when the certificates are renewed, I can automatically copy them to another host via scp. With this I want to distribute the certificates in the UCS domain. Now a few questions arise for me here.

Where do I have the pfSense copy the certificates to? To the master in the appropriate directory? Or to the respective host?

Is there a way to have these certificates copied to the master for all UCS hosts? Are they then automatically distributed to the other UCS systems?

Using the example of ‘gw02.lan.example.de’, the files on the pfSense are:

-rw-r--r--  1 root  wheel  5351 May 23 01:04 gw02.lan.example.de.all.pem
-rw-r--r--  1 root  wheel  1826 May 23 01:04 gw02.lan.example.de.ca
-rw-r--r--  1 root  wheel  1850 May 23 01:04 gw02.lan.example.de.crt
-rw-r--r--  1 root  wheel  3676 May 23 01:04 gw02.lan.example.de.fullchain
-rw-r--r--  1 root  wheel  1675 May 23 01:04 gw02.lan.example.de.key

The certificates are integrated in Apache on the UCS host (/etc/apache2/sites-available/default-ssl.conf):

SSLCertificateFile /etc/univention/ssl/gw02.lan.example.de/cert.pem
SSLCertificateKeyFile /etc/univention/ssl/gw02.lan.example.de/private.key
SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

Do I leave the file name of the certificates as they were created by ACME or do I overwrite the files under the same file name as they were called under the ucsCA?

I guess that I don’t overwrite the files but leave the filenames as ACME creates them. I manage the configuration of default-ssl.conf by adapting the template accordingly.

with best
sven

This post answers a part of my question:

The adjustments are not made in the default ssl or its template, but in the corresponding UCR variable of the respective service.

I assume that automatic distribution by UCS doesn’t work that directly. Or am I wrong?

So I have the files copied to the respective host and set the UCR variables on the UCS systems accordingly.

Hi Pixel

I’m using Opnsense and would like to do the same. Do you have a little howto on how I can use my Opnsense certificates in UCS? Hope you have a hint for me.

Greetings Ben

Hello,

on the pfSense the certificates are located at: /conf/acme/. First I copied the SSH key from the pfSense to the corresponding hosts (ssh-copy-id -i ...).

On the UCS’s I created the directory /etc/univention/letsencrypt. On the pfSense you can enter a CLI command in the ACME module for each certificate which will be executed when the certificate is renewed. Here I have entered the corresponding SCP command. Example:

scp -i /root/.ssh/id_rsa /conf/acme/srv01.lan.example.de.crt /conf/acme/srv01.lan.example.de.key /conf/acme/srv01.lan.example.de.fullchain root@srv01.lan.example.de:/etc/univention/letsencrypt/

This has to be done for each combination certificate <-> host. On the UCS, I then set the appropriate UCR variables for the corresponding services:

++ Apache2 ++
ucr set apache2/ssl/certificate                 ->      [Host].lan.example.de.crt
ucr set apache2/ssl/certificatechain            ->      [Host].lan.example.de.fullchain
ucr set apache2/ssl/key                         ->      [Host].lan.example.de.key


++ Postfix ++
mail/postfix/ssl/certificate            ->      [Host].lan.example.de.fullchain
mail/postfix/ssl/key                    ->      [Host].lan.example.de.key

++ Dovecot ++
mail/dovecot/ssl/certificate            ->      [Host].lan.example.de.fullchain
mail/dovecot/ssl/key                    ->      [Host].lan.example.de.key

Whether this is the best way I do not know. Maybe someone else can comment on it.

with best
sven
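The procedure sven describes (copy the ACME-issued .crt/.key/.fullchain into /etc/univention/letsencrypt, then point the UCR variables at them) has a gap: `ucr set` is executed blindly after the scp, so a truncated copy, a key that does not belong to the renewed certificate, or a key file that kept its world-readable 0644 mode from pfSense would go live unnoticed. Below is an added example (not from the thread, not part of UCS or pfSense) of a small POSIX shell helper that verifies the three files with openssl before running the same `ucr set` commands listed above. It assumes the file naming from sven's scp command, the absolute path /etc/univention/letsencrypt, and the UCR variable names from the thread; the host name and the constructed test certificate are placeholders.

```shell
#!/bin/sh
# Added example: verify ACME files copied to a UCS host before switching UCR to them.
# Assumed layout (from the thread's scp command): DIR/HOST.crt, DIR/HOST.key, DIR/HOST.fullchain

LE_DIR="${LE_DIR:-/etc/univention/letsencrypt}"   # assumed target directory

# check_cert_set HOST [DIR]
# Returns 0 only if all three files are readable, the private key matches the
# certificate, the certificate is still valid for 24h, and the fullchain starts
# with that certificate. Prints a warning (but does not fail) if the key is
# world-readable, which is how the files are listed on the pfSense side.
check_cert_set() {
    host="$1"; dir="${2:-$LE_DIR}"
    crt="$dir/$host.crt"; key="$dir/$host.key"; chain="$dir/$host.fullchain"
    for f in "$crt" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Same public key in certificate and private key? Compare SPKI hashes.
    pk_cert=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    pk_key=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$pk_cert" ] || [ "$pk_cert" != "$pk_key" ]; then
        echo "private key does not match certificate: $host" >&2; return 1
    fi
    # Certificate must not expire within the next 24 hours.
    if ! openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "certificate expired or about to expire: $host" >&2; return 1
    fi
    # The first certificate in the fullchain must be the leaf certificate.
    fp_cert=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 2>/dev/null)
    fp_chain=$(openssl x509 -in "$chain" -noout -fingerprint -sha256 2>/dev/null)
    if [ -z "$fp_cert" ] || [ "$fp_cert" != "$fp_chain" ]; then
        echo "fullchain does not start with the certificate: $host" >&2; return 1
    fi
    # Keys copied with scp keep the source mode; 0644 on pfSense means world-readable here.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable, consider chmod 640" >&2
    fi
    return 0
}

# ucr_settings HOST [DIR]
# Emits the key=value pairs from the thread, one per line (absolute paths assumed).
ucr_settings() {
    host="$1"; dir="${2:-$LE_DIR}"
    printf '%s\n' \
        "apache2/ssl/certificate=$dir/$host.crt" \
        "apache2/ssl/certificatechain=$dir/$host.fullchain" \
        "apache2/ssl/key=$dir/$host.key" \
        "mail/postfix/ssl/certificate=$dir/$host.fullchain" \
        "mail/postfix/ssl/key=$dir/$host.key" \
        "mail/dovecot/ssl/certificate=$dir/$host.fullchain" \
        "mail/dovecot/ssl/key=$dir/$host.key"
}

# apply_cert_set HOST [DIR]
# Runs the checks, then `ucr set`. With DRY_RUN set, or when `ucr` is not
# installed (e.g. when trying this outside UCS), the command is only printed.
apply_cert_set() {
    host="$1"; dir="${2:-$LE_DIR}"
    check_cert_set "$host" "$dir" || return 1
    settings=$(ucr_settings "$host" "$dir" | tr '\n' ' ')
    if [ -n "$DRY_RUN" ] || ! command -v ucr >/dev/null 2>&1; then
        echo "would run: ucr set $settings"
        return 0
    fi
    # shellcheck disable=SC2086  # paths contain no whitespace by construction
    ucr set $settings
}

# Usage on a UCS host after the scp from pfSense has run:
#   apply_cert_set gw02.lan.example.de
```

Hook it in right after the scp, or run it from the UCS side (e.g. a cron job on the target host), so that a failed check leaves the previously configured certificate in place instead of handing Apache, Postfix and Dovecot a broken pair.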
