UCS portal uses self-signed certificate despite letsencrypt

Hi,

regarding letsencrypt, please find my guide for full wildcard support here: Letsencrypt app - wildcards supported?
Note: Your UCS DNS must be responsible for your domain. So you have to set a “glue record” with your domain registrar to register your DNS.

Regarding the firewall, in a nutshell: I have disabled the package rules and set my own rules. You can use them as a guide for your config.

# Local rule file: allow all traffic from the Docker networks
# (see the note below; tighten these source ranges if you can)
cat > /etc/security/packetfilter.d/50_local.sh <<'EOF'
#!/bin/sh
iptables --wait -I INPUT 4 -s 172.16.0.0/16 -j ACCEPT
iptables --wait -I INPUT 4 -s 172.17.0.0/16 -j ACCEPT
EOF
chmod +x /etc/security/packetfilter.d/50_local.sh

# Open the needed ports to all source addresses; the ".../en" keys are only descriptions
ucr set security/packetfilter/tcp/22/all="ACCEPT"
ucr set security/packetfilter/tcp/22/all/en="SSHD"
ucr set security/packetfilter/tcp/22222/all="ACCEPT"
ucr set security/packetfilter/tcp/22222/all/en="GitLab"
ucr set security/packetfilter/tcp/25/all="ACCEPT"
ucr set security/packetfilter/tcp/25/all/en="SMTP"
ucr set security/packetfilter/tcp/53/all="ACCEPT"
ucr set security/packetfilter/tcp/53/all/en="DNS"
ucr set security/packetfilter/udp/53/all="ACCEPT"
ucr set security/packetfilter/udp/53/all/en="DNS"
ucr set security/packetfilter/tcp/80/all="ACCEPT"
ucr set security/packetfilter/tcp/80/all/en="HTTP"
ucr set security/packetfilter/tcp/110/all="ACCEPT"
ucr set security/packetfilter/tcp/110/all/en="POP3"
ucr set security/packetfilter/tcp/123/all="ACCEPT"
ucr set security/packetfilter/tcp/123/all/en="NTP"
ucr set security/packetfilter/tcp/143/all="ACCEPT"
ucr set security/packetfilter/tcp/143/all/en="IMAP"
ucr set security/packetfilter/tcp/443/all="ACCEPT"
ucr set security/packetfilter/tcp/443/all/en="HTTPS"
ucr set security/packetfilter/tcp/465/all="ACCEPT"
ucr set security/packetfilter/tcp/465/all/en="SSMTP"
ucr set security/packetfilter/tcp/587/all="ACCEPT"
ucr set security/packetfilter/tcp/587/all/en="SMTP/submission"
ucr set security/packetfilter/tcp/993/all="ACCEPT"
ucr set security/packetfilter/tcp/993/all/en="IMAPS"
ucr set security/packetfilter/tcp/995/all="ACCEPT"
ucr set security/packetfilter/tcp/995/all/en="POP3S"   # 995 is POP3 over TLS

# Disable the per-package rules and drop everything not explicitly allowed above
ucr set security/packetfilter/use_packages="no"
ucr set security/packetfilter/defaultpolicy="DROP"
service univention-firewall restart

Note: I have added a script to allow all traffic from docker containers, which use the networks 172.16.0.0/16 and 172.17.0.0/16. You might want to be more restrictive here.

Hope it helps. :slight_smile:

Best regards
pate1337

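As an added example (not part of pate1337's post or of UCS itself), a small POSIX shell audit of the packetfilter variables set above: it lists which ports are opened to all sources, flags ACCEPT rules that carry no description, and reports the default policy and package-rule setting. It assumes the `key: value` line format printed by `ucr dump`; the input embedded here is a constructed sample that deliberately contains one undocumented rule (tcp/8080).

```shell
#!/bin/sh
# Audit UCS packetfilter settings from "key: value" lines (format of `ucr dump`).
# SAMPLE_UCR is constructed for this example, not taken from a real system.
SAMPLE_UCR='security/packetfilter/defaultpolicy: DROP
security/packetfilter/use_packages: no
security/packetfilter/tcp/22/all: ACCEPT
security/packetfilter/tcp/22/all/en: SSHD
security/packetfilter/tcp/443/all: ACCEPT
security/packetfilter/tcp/443/all/en: HTTPS
security/packetfilter/tcp/8080/all: ACCEPT
security/packetfilter/udp/53/all: ACCEPT
security/packetfilter/udp/53/all/en: DNS'

# Every proto/port that has an ACCEPT rule for all sources, one per line, sorted.
list_open_ports() {
  awk -F': ' '$1 ~ /^security\/packetfilter\/(tcp|udp)\/[0-9]+\/all$/ && $2 == "ACCEPT" {
    split($1, p, "/"); print p[3] "/" p[4]
  }' | sort
}

# ACCEPT rules that have no matching ".../all/en" description key.
undocumented_rules() {
  awk -F': ' '
    $1 ~ /^security\/packetfilter\/(tcp|udp)\/[0-9]+\/all$/ && $2 == "ACCEPT" { open[$1] = 1 }
    $1 ~ /\/all\/en$/ { k = $1; sub(/\/en$/, "", k); described[k] = 1 }
    END { for (k in open) if (!(k in described)) { split(k, p, "/"); print p[3] "/" p[4] } }
  ' | sort
}

# Value of one UCR key from the dump on stdin (empty if the key is unset).
ucr_value() {
  awk -F': ' -v key="$1" '$1 == key { print $2 }'
}

# Human-readable report; reads the dump from stdin once and reuses it.
audit_packetfilter() {
  dump=$(cat)
  echo "default policy: $(printf '%s\n' "$dump" | ucr_value security/packetfilter/defaultpolicy)"
  echo "package rules:  $(printf '%s\n' "$dump" | ucr_value security/packetfilter/use_packages)"
  echo "open to all:    $(printf '%s\n' "$dump" | list_open_ports | paste -s -d ',' -)"
  echo "undocumented:   $(printf '%s\n' "$dump" | undocumented_rules | paste -s -d ',' -)"
}

printf '%s\n' "$SAMPLE_UCR" | audit_packetfilter
```

On a real UCS host the same report comes from `ucr dump | audit_packetfilter`; an undocumented open port is a good candidate to explain or close.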