Letencrypt certs from other host into UCS

Jan · July 1, 2019, 6:59am

Hi,

because of a web Proxy in front of UCS, i need to copy the letsencrypt generated certs to UCS host.
What files of webproxy:/etc/letsencrypt/[domain]/live/* will bee needed in which format in ucs:/etc/univention/letsencrypt/

Additiona Info: Letsencrypt was installed on UCS and running before the WebProxy was installed. Therefore everything is in the right place and all daemons use (the old) letsencrypt generated certs.

In other words: what files of the webproxy

cert.pem  chain.pem  fullchain.pem  privkey.pem

are corrosponding on ucs to

account.key
chained.pem
domain.csr
domain.key
intermediate.pem
signed.crt

Jan

Jan · July 2, 2019, 6:37am

Is nobody out there, who knows about the letsencrypt keys?
I need the new keys on the UCS Server, because they are out of time.

Jan

Jan · July 5, 2019, 8:07am

Hi Forum,

it’s a pity, that nobody knows about that problem.

Jan

fbartels · July 5, 2019, 9:58am

controversial question: what is keeping you from opening the files and comparing them?

Jan · July 5, 2019, 10:13am

Hi Fynn,

easy answer: I absoltly dont know, what to compare with.
Of course i have looked into all that files, but i dont know, which files to be merged to what.
Also i had read somewhere, that some files must be converted through gpg, to get the right format !?

Jan

fbartels · July 5, 2019, 11:24am

No, no kind of conversion required. The only case where I could imagine that this is the case is when you are working with windows systems pr .net. There you would need to convert your key from openssl into the binary key format of microsoft (for the lack of a better name).

I mean: you now have fewer files on your webproxy and when you look into the acutal apache configuration you will notice that not even all the files in etc/univention/letsencrpy are even using by Apache.

The document that is important for you is Using your own SSL certificates. cert.pem is named the same in the example as it is named on your proxy. private.key is likely you privkey.pem and if you want to include the chain then you should probably use fullchain.pem for that.

Jan · July 10, 2019, 12:30pm

Hi FB,

Sounds easy, but it isn’t.
ucs/Apache use this files:

	SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
	SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
	SSLCertificateChainFile /etc/univention/letsencrypt/intermediate.pem

certbot generated files on the proxy are:

	cert.pem  
	chain.pem  
	fullchain.pem  
	privkey.pem

I’m sorry, but I can’t identify, which files are corresponding togehther.
The structure/content looks different to me.

Jan

Moritz_Bunkus · July 11, 2019, 1:35pm

cert.pem contains the server’s certificate, to be used with SSLCertificateFile. The corresponding key to the certificate is in privkey.pem, to be used with SSLCertificateKeyFile.

The chain.pem is the so-called intermediate certificate: the certificate used for signing the server certificate cert.pem. If one exists, Apache makes use of it with SSLCertificateChainFile.

fullchain.pem contains both the intermediate certificate as well as the server certificate in a single file. This can be used with server software that requires both to be present in the same file (or to put it differently: for software that doesn’t have a separate configuration setting for the intermediate file). You don’t need to use that file with Apache. Other software might need it.

The fourth Apache configuration directive, SSLCACertificateFile, is only used when Apache itself connects to other servers via HTTPS, e.g. when you use this Apache as a reverse proxy for other internal hosts. In that case this Apache will verify that the server certificate used by the other internal host was really signed by the certificate authority (CA) given with SSLCACertificateFile. Normally this setting has nothing to with Let’s Encrypt.