Let's Encrypt issues

The bigger question for me is: what is Thunderbird requesting on the domain controller? I was not able to find out so far.

Plus, the request is made for domain, not a specific server, e.g. domain.example (without any servername). I am not even sure it is possible to request such a certificate from letsencrypt.

Hi @riess82,

Yes that seems very strange, I’m still looking for a solution to replace the Domain Controller Certificates.
Just didn’t have a lot of time the past 4 days.

OK, I found a solution.

I set up a separate VM with certbot installed and requested new certificates for my domain.
This assumes that you have a DNS record publicly set up. I use Cloudflare for this.

On a Debian/Ubuntu system use:

sudo apt install certbot

Then request the certificates for your domain (example.com << use your domain here)

sudo certbot --manual --preferred-challenges dns certonly -d example.com

Follow the instructions. Make sure to create a new TXT record in Cloudflare when prompted during the certbot request:

_acme-challenge.example.com

The new certificates can be found under:

/etc/letsencrypt/archive/example.com/cert1.pem
/etc/letsencrypt/archive/example.com/chain1.pem
/etc/letsencrypt/archive/example.com/fullchain1.pem
/etc/letsencrypt/archive/example.com/privkey1.pem

I copied the fullchain1.pem and privkey1.pem to a custom directory I created on my Univention server:

/etc/myssl/fullchain1.pem
/etc/myssl/privkey1.pem

Please note that the certificates will be renewed automatically but not copied to the Univention server. Perhaps a script can automate this process. Should I find a solution then I will update this post. If someone else has a better solution or a script please feel free to post it here :)

With the certificates in place I followed this forum post:

Ensure you change the name of your certificate if needed.

Dovecot

Dovecot is the default IMAP server since UCS 4.0-2 and supersedes Cyrus.

The UCR variables mail/dovecot/ssl/certificate and mail/dovecot/ssl/key must be set for Dovecot:

ucr set mail/dovecot/ssl/certificate="/etc/myssl/fullchain1.pem"
ucr set mail/dovecot/ssl/key="/etc/myssl/privkey1.pem"

Then restart the daemon:
service dovecot restart

Postfix

The UCR variables mail/postfix/ssl/certificate and mail/postfix/ssl/key need to be configured:

ucr set mail/postfix/ssl/certificate="/etc/myssl/fullchain1.pem"
ucr set mail/postfix/ssl/key="/etc/myssl/privkey1.pem"

Then the mail server has to be restarted:
service postfix restart

I want to thank everyone for your help and I hope this guide helps others who are in the same situation where http-01 challenges are not an option.
I hope Univention will add DNS challenges in the future.
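The missing piece in the post above is the renewal step: certbot renews into the next numbered archive files (cert2.pem, privkey2.pem, ...) and only the symlinks under /etc/letsencrypt/live/example.com/ keep pointing at the current files, so a copy of archive/.../fullchain1.pem goes stale after the first renewal. The following script is an added example, not code from the original post or from Univention: a certbot `--deploy-hook` that stages the current files from the live/ directory with a root-only private key, copies them to the Univention server over SSH, sets the same four UCR variables the post uses and restarts Dovecot and Postfix. It assumes key-based root SSH from the certbot VM to the Univention host; the hostname ucs.example.com, the UCS_HOST/UCS_DIR/SSH/SCP variables and all function names are hypothetical. certbot really does export RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the post): certbot deploy hook that pushes a renewed
# Let's Encrypt certificate to a Univention server and reconfigures
# Dovecot/Postfix via UCR. Hypothetical assumptions: root SSH with key auth to
# UCS_HOST, and the UCR variable names used in the post above.
set -eu

UCS_HOST="${UCS_HOST:-ucs.example.com}"   # hypothetical Univention hostname
UCS_DIR="${UCS_DIR:-/etc/myssl}"          # target directory from the post
SSH="${SSH:-ssh}"                         # overridable for dry runs
SCP="${SCP:-scp}"

# certbot keeps the newest files behind stable symlinks in live/<domain>/.
# archive/<domain>/cert1.pem is frozen at first issuance and a renewal writes
# cert2.pem etc., so a copy job must read live/, never archive/.
le_live_dir() {
    printf '%s\n' "/etc/letsencrypt/live/$1"
}

# Copy fullchain/privkey from SRC to DEST. The key stays readable by its
# owner only (root); Dovecot and Postfix both open the key as root before
# dropping privileges, so 0600 is sufficient and nothing else needs access.
stage_cert() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    chmod 700 "$dest"
    cp "$src/fullchain.pem" "$dest/fullchain.pem"
    cp "$src/privkey.pem" "$dest/privkey.pem"
    chmod 644 "$dest/fullchain.pem"
    chmod 600 "$dest/privkey.pem"
}

# Commands to run on the Univention side once the files are in place; these
# are exactly the UCR settings and restarts from the post, parameterised on DIR.
remote_commands() {
    dir="$1"
    cat <<EOF
ucr set mail/dovecot/ssl/certificate="$dir/fullchain.pem"
ucr set mail/dovecot/ssl/key="$dir/privkey.pem"
ucr set mail/postfix/ssl/certificate="$dir/fullchain.pem"
ucr set mail/postfix/ssl/key="$dir/privkey.pem"
service dovecot restart
service postfix restart
EOF
}

# Entry point for: certbot ... --deploy-hook /path/to/this-script
# certbot sets RENEWED_LINEAGE to the live/<domain> directory it just renewed.
deploy() {
    lineage="${RENEWED_LINEAGE:?set by certbot --deploy-hook}"
    tmp="$(mktemp -d)"
    stage_cert "$lineage" "$tmp"
    $SSH "root@$UCS_HOST" "mkdir -p '$UCS_DIR' && chmod 700 '$UCS_DIR'"
    # -p preserves the 0600/0644 modes set by stage_cert on the remote side
    $SCP -p "$tmp/fullchain.pem" "$tmp/privkey.pem" "root@$UCS_HOST:$UCS_DIR/"
    remote_commands "$UCS_DIR" | $SSH "root@$UCS_HOST" sh -s
    rm -rf "$tmp"
}

# Only deploy when invoked by certbot; sourcing the file otherwise just
# defines the functions (useful for dry runs with SSH=echo SCP=true).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

Register it once with `certbot certonly --manual --preferred-challenges dns -d example.com --deploy-hook /usr/local/sbin/push-to-ucs.sh` (hypothetical path) and certbot will run it after every successful renewal; with `--manual` the DNS TXT record still has to be updated by hand or via a `--manual-auth-hook` unless you switch to a DNS plugin. One more check worth doing before relying on the result: the certificate requested in the post covers only example.com, so mail clients must connect to exactly that name; if they use mail.example.com, add it as a further `-d mail.example.com` so it appears in the certificate's SAN list, otherwise TLS verification fails on the client.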
