UCS portal uses self-signed certificate despite letsencrypt

Hi,

I’m currently working on the following setup:
UCS 4.4 running on a KVM root server, acting as:

  • public DNS
  • public NTP
  • dovecot+postfix with SPF, DKIM, DMARC configured
  • nextcloud
  • firewall
  • SSHD with certificate access
  • maybe additional services like JITSI, etc.

Once finished, I’d love to write a (blog) post about my setup, since it might be useful for others.

During my initial setup, I have activated letsencrypt for mydomain.tld, but now decided to change it to hostname.mydomain.tld. Unfortunately, the UCS portal is still serving hostname.mydomain.tld with the domain’s self-signed certificate.

So far I’ve checked the following:

UCS variables

apache2/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt
apache2/ssl/key=/etc/univention/letsencrypt/domain.key

Certificates

openssl x509 -in signed_chain.crt --text

Apache2 Config
/etc/apache2/sites-enabled/default-ssl.conf
shows

<IfModule mod_ssl.c>

<VirtualHost *:443>
        IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
        SSLEngine on
        SSLProxyEngine on
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
        SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
        SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

        #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        ### To enable special log format for HTTPS-access
        # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
        # CustomLog /var/log/apache2/access.log combinedssl     ## with port number

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"
        </IfModule>

        ProxyPass /nextcloud http://127.0.0.1:40000/nextcloud retry=0
        ProxyPassReverse /nextcloud http://127.0.0.1:40000/nextcloud

</VirtualHost>
</IfModule>

So the certificate seems to be ok and also the apache2 config… I have no idea what else might be wrong. :frowning:
I’d highly appreciate your help.

Best regards
pate

I could figure it out by myself… I feel so ashamed! :smiley:
Obviously, Firefox utilizes a certificate cache, which still had the self-signed certificate in it! Consequently, not an issue with UCS!

Hello,
I’m working on almost the same configuration, but I decided to use acme.sh to get certs instead of certbot.
Also, may I ask how you solved the problem with the firewall (too many ports open to the internet)?

Hi,

regarding letsencrypt, please find my guide for full wildcard support here: Letsencrypt app - wildcards supported?
Note: Your UCS DNS must be responsible for your domain. So you have to set a “glue record” with your domain registrar to register your DNS.

Regarding the firewall, in a nutshell: I have disabled the package rules and set my own rules. You can use them as a guide for your config.

echo -e '#!/bin/sh
iptables --wait -I INPUT 4 -s 172.16.0.0/16 -j ACCEPT
iptables --wait -I INPUT 4 -s 172.17.0.0/16 -j ACCEPT' \
> /etc/security/packetfilter.d/50_local.sh
chmod +x /etc/security/packetfilter.d/50_local.sh
ucr set security/packetfilter/tcp/22/all="ACCEPT"
ucr set security/packetfilter/tcp/22/all/en="SSHD"
ucr set security/packetfilter/tcp/22222/all="ACCEPT"
ucr set security/packetfilter/tcp/22222/all/en="GitLab"
ucr set security/packetfilter/tcp/25/all="ACCEPT"
ucr set security/packetfilter/tcp/25/all/en="SMTP"
ucr set security/packetfilter/tcp/53/all="ACCEPT"
ucr set security/packetfilter/tcp/53/all/en="DNS"
ucr set security/packetfilter/udp/53/all="ACCEPT"
ucr set security/packetfilter/udp/53/all/en="DNS"
ucr set security/packetfilter/tcp/80/all="ACCEPT"
ucr set security/packetfilter/tcp/80/all/en="HTTP"
ucr set security/packetfilter/tcp/110/all="ACCEPT"
ucr set security/packetfilter/tcp/110/all/en="POP3"
ucr set security/packetfilter/udp/123/all="ACCEPT"
ucr set security/packetfilter/udp/123/all/en="NTP"
ucr set security/packetfilter/tcp/143/all="ACCEPT"
ucr set security/packetfilter/tcp/143/all/en="IMAP"
ucr set security/packetfilter/tcp/443/all="ACCEPT"
ucr set security/packetfilter/tcp/443/all/en="HTTPS"
ucr set security/packetfilter/tcp/465/all="ACCEPT"
ucr set security/packetfilter/tcp/465/all/en="SSMTP"
ucr set security/packetfilter/tcp/587/all="ACCEPT"
ucr set security/packetfilter/tcp/587/all/en="SMTP/submission"
ucr set security/packetfilter/tcp/993/all="ACCEPT"
ucr set security/packetfilter/tcp/993/all/en="IMAPS"
ucr set security/packetfilter/tcp/995/all="ACCEPT"
ucr set security/packetfilter/tcp/995/all/en="POP3S"
ucr set security/packetfilter/use_packages="no"
ucr set security/packetfilter/defaultpolicy="DROP"
service univention-firewall restart

Note: I have added a script to allow all traffic from docker containers, which use the networks 172.16.0.0/16 and 172.17.0.0/16. You might want to be more restrictive here.

Hope it helps. :slight_smile:

Best regards
pate1337
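As an added example (not from the thread), a small shell audit helper that lists which ports a packetfilter configuration like the one above actually exposes to everyone; it assumes the `key: value` line format of `ucr search --brief security/packetfilter` and runs here on a constructed sample.

```shell
#!/bin/sh
# Added audit helper, not part of the forum post. Summarises which ports the UCS
# packetfilter opens to everyone, given the "key: value" lines produced by
#   ucr search --brief security/packetfilter
# on stdin. Prints the default policy, whether package rules are in use, and one
# "proto/port description" line per ACCEPT rule (sorted, so output is stable).

audit_packetfilter() {
    awk -F': ' '
        $1 == "security/packetfilter/defaultpolicy" { policy = $2 }
        $1 == "security/packetfilter/use_packages"  { pkg = $2 }
        # security/packetfilter/<proto>/<port>/all: ACCEPT|DROP|REJECT
        $1 ~ /^security\/packetfilter\/(tcp|udp)\/[0-9]+\/all$/ {
            split($1, f, "/"); action[f[3] "/" f[4]] = $2
        }
        # security/packetfilter/<proto>/<port>/all/en: human-readable label
        $1 ~ /^security\/packetfilter\/(tcp|udp)\/[0-9]+\/all\/en$/ {
            split($1, f, "/"); desc[f[3] "/" f[4]] = $2
        }
        END {
            if (policy != "DROP")
                printf "WARNING: default policy is %s, not DROP\n", policy
            printf "default policy: %s, package rules: %s\n", policy, pkg
            for (k in action)
                if (action[k] == "ACCEPT") printf "%s %s\n", k, desc[k]
        }' | sort
}

# Constructed sample of ucr output (not taken from a real system).
SAMPLE_UCR='security/packetfilter/defaultpolicy: DROP
security/packetfilter/use_packages: no
security/packetfilter/tcp/22/all: ACCEPT
security/packetfilter/tcp/22/all/en: SSHD
security/packetfilter/udp/53/all: ACCEPT
security/packetfilter/udp/53/all/en: DNS
security/packetfilter/tcp/3306/all: DROP
security/packetfilter/tcp/3306/all/en: MySQL'

printf '%s\n' "$SAMPLE_UCR" | audit_packetfilter
```

On a real system run `ucr search --brief security/packetfilter | audit_packetfilter` and compare the list against `iptables -L INPUT -n` to confirm the rules were actually applied after the restart.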


Thank you for your answer.
I did the same, but with iptables rules only in /etc/security/packetfilter.d/50_local.sh, having flushed the INPUT chain before.
