OK, I found a solution.
I set up a separate VM with certbot installed and requested new certificates for my domain.
This assumes that you have a DNS record publicly set up. I use Cloudflare for this.
On a Debian/Ubuntu system use:
sudo apt install certbot
Then request the certificates for your domain (example.com << use your domain here):
sudo certbot --manual --preferred-challenges dns certonly -d example.com
Follow the instructions. Make sure to create a new TXT record in Cloudflare when prompted during the certbot request:
_acme-challenge.example.com
The new certificates can be found in the
/etc/letsencrypt/archive/example.com/cert1.pem
/etc/letsencrypt/archive/example.com/chain1.pem
/etc/letsencrypt/archive/example.com/fullchain1.pem
/etc/letsencrypt/archive/example.com/privkey1.pem
I copied the fullchain1.pem and privkey1.pem to a custom directory I created on my Univention server:
/etc/myssl/fullchain1.pem
/etc/myssl/privkey1.pem
Please note that the certificates will be renewed automatically but not copied to the Univention server. Perhaps a script can automate this process. Should I find a solution, I will update this post. If someone else has a better solution or a script, please feel free to post it here.
With the certificates in place I followed this forum post:
Ensure you change the name of your certificate if needed.
Dovecot
Dovecot is the default IMAP server since UCS 4.0-2 and supersedes Cyrus.
The UCR variables mail/dovecot/ssl/certificate
and mail/dovecot/ssl/key
must be set for Dovecot:
ucr set mail/dovecot/ssl/certificate="/etc/myssl/fullchain1.pem"
ucr set mail/dovecot/ssl/key="/etc/myssl/privkey1.pem"
Then restart the daemon:
service dovecot restart
Postfix:
The UCR variables mail/postfix/ssl/certificate
and mail/postfix/ssl/key
need to be configured:
ucr set mail/postfix/ssl/certificate="/etc/myssl/fullchain1.pem"
ucr set mail/postfix/ssl/key="/etc/myssl/privkey1.pem"
Then the mail server has to be restarted:
service postfix restart
I want to thank everyone for your help, and I hope this guide helps others who are in the same situation where http-01 challenges are not an option.
I hope Univention will add DNS challenges in the future.
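
One way to automate the copy step the post leaves open, as an added example that is not part of the original post or Univention's own tooling: a certbot deploy hook for the certbot VM that checks the renewed files, stages them with a private key mode of 0600, pushes them to /etc/myssl and restarts Dovecot and Postfix. UCS_HOST is a hypothetical SSH target; RENEWED_LINEAGE is the variable certbot exports to deploy hooks and points at the live directory, whose fullchain.pem and privkey.pem always refer to the newest files in archive.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the certbot VM.
# UCS_HOST is a hypothetical SSH target; /etc/myssl and the *1.pem names are from the post.
UCS_HOST="${UCS_HOST:-root@ucs.example.com}"
DEST_DIR=/etc/myssl

# install_pair SRC_DIR OUT_DIR
# Sanity-check the renewed PEM files, then write them to OUT_DIR under the
# file names the UCR variables point at. The key is never group/world readable.
install_pair() {
    src=$1
    out=$2
    # Refuse to deploy empty or mislabelled files.
    [ -s "$src/fullchain.pem" ] && [ -s "$src/privkey.pem" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$src/fullchain.pem" || return 1
    grep -q 'PRIVATE KEY' "$src/privkey.pem" || return 1
    (
        umask 077   # files are created private, then the cert is relaxed
        mkdir -p "$out" &&
        cp "$src/privkey.pem" "$out/privkey1.pem.new" &&
        cp "$src/fullchain.pem" "$out/fullchain1.pem.new" &&
        chmod 600 "$out/privkey1.pem.new" &&
        chmod 644 "$out/fullchain1.pem.new" &&
        # Rename last so a reader never sees a half-written file.
        mv "$out/privkey1.pem.new" "$out/privkey1.pem" &&
        mv "$out/fullchain1.pem.new" "$out/fullchain1.pem"
    )
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to deploy hooks; without it the script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT
    install_pair "$RENEWED_LINEAGE" "$stage" || exit 1
    # -p keeps the 0600/0644 modes set above.
    scp -p "$stage/fullchain1.pem" "$stage/privkey1.pem" "$UCS_HOST:$DEST_DIR/" || exit 1
    ssh "$UCS_HOST" 'service dovecot restart && service postfix restart'
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/ on the certbot VM, it runs after each successful renewal; it needs key-based SSH access to the Univention server.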