UCS + Kopano - How do I change the certificates?

Hi,

I have created my own server certificate from an external CA and I would like to swap the certificates on my UCS kopano server for all the services (webapp, imap, active sync, etc.…)

From searching the forum I found some files in /etc/kopano/ssl

  • private.key (looks like a private key)
  • cert.pem (looks like a cert)
  • server.pem (looks like cert+key)

So I copied my own files to that folder:

  • mail.domain.local.key (my private key)
  • mail.domain.local.crt (my cert file)
  • mail.domain.local.pem (my cert+key file)

Then I changed all the kopano ssl settings in the ucs registry that I could find:

kopano/cfg/gateway/ssl_certificate_file = /etc/kopano/ssl/mail.domain.local.crt
kopano/cfg/gateway/ssl_private_key_file = /etc/kopano/ssl/mail.domain.local.key
kopano/cfg/ical/ssl_certificate_file = /etc/kopano/ssl/mail.domain.local.crt
kopano/cfg/ical/ssl_private_key_file = /etc/kopano/ssl/mail.domain.local.key
kopano/cfg/server/server_ssl_key_file = /etc/kopano/ssl/mail.domain.local.pem

I changed the ownership to kopano chown kopano:kopano ……

But: Nothing happens. Even after a reboot all the services still use the old certificates. Not even an error message :no_mouth:
Is there somewhere a guide that says what file is used for what service and what registry value does what?
Is there even a better way to change the certificates? Somewhere in the UI?

Cheers
Michael

Hi @michael-hennemann,

the approach you have taken sounds valid to me. Setting a certificate through a ucr variable normally updates the config file and then on the next restart of the given service the new certificate should be used.

The first thing I would check is if the config files are properly updated.

Further debugging hints can be found at https://kb.kopano.io/display/K4U/Debugging+Kopano+on+Univention.


Hi fbartels

thanks for your reply!
In the meantime I gave it another shot and I think I got it working:

I put key and cert in only one file (mail.domain.pem) and removed the single key/cert files as I figured I don’t need them.

I put one copy of the file into each of

  • /etc/kopano/ssl
  • /etc/univention/ssl//

For the one I put in the kopano folder I changed permissions
“chown kopano:kopano mail.domain.local.pem”

For the web services (UCS Web-UI, Webapp, ActiveSync) I changed the following registry settings:

apache2/ssl/certificate = /etc/univention/ssl//mail.domain.local.pem
apache2/ssl/key = /etc/univention/ssl//mail.domain.local.pem

For IMAP I changed the following two registry settings:

kopano/cfg/gateway/ssl_certificate_file = /etc/kopano/ssl/mail.domain.local.pem
kopano/cfg/gateway/ssl_private_key_file = /etc/kopano/ssl/mail.domain.local.pem

It seems to work so far…

Did I miss something? Ideas for Improvement? :slight_smile:
Is there a chance that changing the certificate for the website interferes with another service on UCS?

cheers
Michael


Technically speaking everything that is web-based on ucs is served by the same apache webserver. As long as the cert chain can be validated there should be no problems however.

Hello @michael-hennemann,

Your approach is correct. Yes, kopano/cfg/gateway/ssl_certificate_file and kopano/cfg/ical/ssl_certificate_file indeed need a chained certificate file. There is not much to improve in your approach, all good.

Not an improvement, more a matter of personal preference: Personally I prefer not to mix system certificate paths and external certificates, as the later update of the external certs is greatly simplified. So instead of using paths such as /etc/kopano/ssl/..., /etc/univention/ssl/ and …, personally I would create a directory /etc/external_certificates/, including something like this:

/etc/external_certificates/sub_domain_de.key
/etc/external_certificates/sub_domain_de.crt
/etc/external_certificates/sub_domain_de_bundle.crt
/etc/external_certificates/intermediate.crt
/etc/external_certificates/root-ca.crt

After adapting the rights setfacl -m u:kopano:r "/etc/external_certificates/..." you could set all relevant registry settings pointing to the same cert. However, this is a personal preference only.

And of course make sure to monitor certificate expiry… but I guess this is common sense.

Regards Lutz

Thanks for your reply!
So one improvement would be to find a good place to store the files, sounds like a good idea!
You mention the root ca and intermediate certs in your list, so I guess it might also be a good idea to put them on the UCS server as well?
At what places in the UCS registry would I have to add them?

:upside_down_face: At work, I often deal with private (non public) CAs :upside_down_face:

I got into the habit to always store the complete chain, which also includes the root-ca. This enables me to manually check validity with ease, any time. That is why - without giving it a second thought - I wrote down /etc/external_certificates/root-ca.crt as well. So this is only a personal preference, because I am used to it.

Absolutely not needed if you work with a public CA, as the root-ca is already stored within the system certificate trust store. So ignore it - not needed in your case. (But it does not hurt either)

For your specific use-case (cert exchange only for the Kopano services), the intermediate is also not needed as a single file (as it is already part of the sub_domain_de_bundle.crt file). However, you may want to consider storing this file in case you plan to use this certificate for other services hosted on the same domain. A possible use-case could be the postfix service:

mail/postfix/ssl/cafile: /etc/external_certificates/intermediate.crt
mail/postfix/ssl/certificate: /etc/external_certificates/sub_domain_de.crt
mail/postfix/ssl/key: /etc/external_certificates/sub_domain_de.key

Another use-case I can think of is the Apache service:

apache2/ssl/certificate: /etc/external_certificates/sub_domain_de.crt
apache2/ssl/certificatechain: /etc/external_certificates/intermediate.crt
apache2/ssl/key: /etc/external_certificates/sub_domain_de.key