Univention + letsencrypt

Any tutorial on how to implement it?

I see that there is a post about that in the German forum, but I can’t understand it… thanks

There’s an implementation available as Cool Solution: http://wiki.univention.de/index.php?title=Cool_Solutions_-_Let’s_Encrypt
It will also be available for UCS 4.2 soon-ish.

IIRC some people use the dehydrated client with UCS as an alternative: https://github.com/lukas2511/dehydrated
For dehydrated, you probably also need http://sdb.univention.de/1243

Best regards,
Michael Grandjean

Yes, same here. I have installed Letsencrypt, all seems ok with the install.
When running setup-letsencrypt I keep getting an error on line 20. This means the key doesn’t get created.

Been looking for a solution, I’m sure it’s a simple setting I’m overlooking somewhere.

My logs:

root@ucs:/etc/apache2/sites-enabled# /usr/share/univention-letsencrypt/setup-letsencrypt
WARNING: UCR variable letsencrypt/domains does not match domains in CSR.
Delete and recreate /etc/univention/letsencrypt/domain.csr? [yn] y
Removing domain.csr…
Creating domain.csr…
Multi domain mode
run-parts: executing /etc/univention/letsencrypt/setup.d//apache2
Setting apache2/ssl/certificatechain
Setting apache2/ssl/certificate
Setting apache2/ssl/key
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
Module: kopano-cfg
Multifile: /etc/apache2/sites-available/default-ssl
run-parts: executing /etc/univention/letsencrypt/setup.d//dovecot
run-parts: executing /etc/univention/letsencrypt/setup.d//postfix
Setting apache2/force_https
File: /etc/apache2/mods-available/ssl.conf
Module: kopano-cfg
Syntax error on line 20 of /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile: file ‘/etc/univention/letsencrypt/signed.crt’ does not exist or is empty
Action ‘configtest’ failed.
The Apache error log may have more information.
failed!
invoke-rc.d: initscript apache2, action “restart” failed.
Setting apache2/force_https
File: /etc/apache2/mods-available/ssl.conf
Module: kopano-cfg
Syntax error on line 20 of /etc/apache2/sites-enabled/default-ssl:
SSLCertificateFile: file ‘/etc/univention/letsencrypt/signed.crt’ does not exist or is empty
Action ‘configtest’ failed.
The Apache error log may have more information.
failed!
invoke-rc.d: initscript apache2, action “restart” failed.

Hello @stevenr

the given information is a bit vague, but I can see that you are using UCS 4.1 with letsencrypt multiple domains activated, at least for Apache. Please correct me, if I am wrong.

It seems that you ran setup-letsencrypt multiple times. That is okay! But the real error message should be displayed in your previous run(s).

I could reproduce the “error on line 20” if I enter some invalid domains and set apache2/force_https=yes. The problem is that the certificate creation fails, but the certificate is already referenced in the Apache configuration.

To solve this:

  • please double-check the values in letsencrypt/domains, which should be separated by spaces, or even better: first start with one domain only. The domains must be reachable from external for the letsencrypt acme-challenge request.
  • temporarily run ucr unset apache2/force_https
  • re-run /usr/share/univention-letsencrypt/setup-letsencrypt
  • if all went fine, check your configuration with apache2ctl configtest and set apache2/force_https=yes if you want. Then, if “Syntax OK” was displayed, restart Apache with service apache2 restart

If this still does not work, and Apache fails to start, you could reset the UCR variables to the UCS defaults:
ucr unset apache2/ssl/certificate apache2/ssl/certificatechain apache2/ssl/key
and retry the steps from above :)
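The recovery order from the answer above, written out as a shell script. This is an added example and not part of univention-letsencrypt or the Cool Solution; the paths and commands (ucr, /usr/share/univention-letsencrypt/setup-letsencrypt, apache2ctl, /etc/univention/letsencrypt/signed.crt) are taken from the thread as assumptions. The point of the script is the ordering: force_https is only re-enabled after the certificate file Apache will be told to load actually exists, which is the condition the "does not exist or is empty" configtest error complains about. The domain-list check goes a little beyond the post by rejecting the formats that commonly sneak into letsencrypt/domains (commas, URL schemes, unqualified names).

```shell
#!/bin/sh
# Added example, not part of univention-letsencrypt: pre-flight checks around
# the recovery steps from the post above. Paths and commands (ucr,
# setup-letsencrypt, apache2ctl, signed.crt) are assumed from the thread.
set -f   # an entry such as *.example.com must not expand as a shell glob

# Return 0 if $1 looks like the space-separated hostname list that
# letsencrypt/domains expects; print the first bad entry and return 1 otherwise.
# Commas, URL schemes, wildcards and unqualified names are rejected: each of
# them makes the certificate request fail, leaving Apache pointing at a
# signed.crt that was never written.
valid_domain_list() {
  [ -n "$1" ] || { echo "letsencrypt/domains is empty" >&2; return 1; }
  for d in $1; do
    case "$d" in
      *[!A-Za-z0-9.-]*|*..*|.*|*.|-*|*-)
        echo "bad entry in letsencrypt/domains: $d" >&2; return 1 ;;
    esac
    case "$d" in
      *.*) ;;
      *) echo "not a fully qualified name: $d" >&2; return 1 ;;
    esac
  done
  return 0
}

# The configtest error in the thread ("does not exist or is empty") is exactly
# this test: the file Apache is told to load must exist and be non-empty.
cert_file_usable() {
  [ -s "$1" ]
}

# Run the steps in the order the post recommends, stopping at the first
# failure so that force_https is never re-enabled while the certificate is
# missing. The ucr reset line is the fallback from the post.
recover_letsencrypt() {
  domains=$(ucr get letsencrypt/domains)
  valid_domain_list "$domains" || return 1
  ucr unset apache2/force_https
  /usr/share/univention-letsencrypt/setup-letsencrypt || return 1
  if ! cert_file_usable /etc/univention/letsencrypt/signed.crt; then
    echo "signed.crt still missing; read the setup-letsencrypt output, or reset with:" >&2
    echo "  ucr unset apache2/ssl/certificate apache2/ssl/certificatechain apache2/ssl/key" >&2
    return 1
  fi
  apache2ctl configtest || return 1      # must print "Syntax OK"
  ucr set apache2/force_https=yes
  service apache2 restart
}

# Only act when explicitly asked, so the file can also be sourced for its checks.
if [ "${1:-}" = "--run" ]; then
  recover_letsencrypt
fi
```

Run it as `sh recover-letsencrypt.sh --run` on the UCS host; without `--run` it only defines the functions, which is handy for testing a candidate letsencrypt/domains value with `valid_domain_list "a.example.com b.example.com"` before setting it.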

Hi,

I am very sorry for my late reply. But I’ve got it working.

  1. Upgraded to the latest version of UCS (4.2.x)
  2. Then I followed this (in the meantime) updated guide: http://wiki.univention.de/index.php?title=Cool_Solutions_-_Let's_Encrypt (now also for 4.2!)

And it worked!

Hi all,

I’m testing the platform and I like it a lot, but I have a problem:

I have to manage several mail domains. When I generate the certificates with letsencrypt and restart the server, the last generated certificate always appears fine in the webmail interface, but the others are shown as not secure. Can you please indicate whether it is possible for the generated certificates to be shown for each of the domains?

Thank you.

Hi,

I’m using UCS and letsencrypt as well for several domains. For my setup only one letsencrypt certificate is covering all of my domains. In order to achieve this you need to add all the relevant domains into the letsencrypt configuration, e.g.:

letsencrypt
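The reason the "last generated" certificate is the only one the webmail shows as trusted is that each run of setup-letsencrypt replaces the single signed.crt, and a browser accepts a certificate for a name only if that name appears in its subjectAltName. The following is an added shell example, not Univention's code, to verify that the one certificate really carries every name in letsencrypt/domains and belongs to the key the services are configured with. /etc/univention/letsencrypt/signed.crt is the path from the thread; the key path /etc/univention/letsencrypt/domain.key is an assumption, as is the `ucr get` call used to fetch the domain list.

```shell
#!/bin/sh
# Added example, not part of univention-letsencrypt: check that one certificate
# carries every name in letsencrypt/domains as a subjectAltName, and that it
# belongs to the private key Apache, Postfix and Dovecot are handed.
# signed.crt is the path from the thread; domain.key is an assumed name.

# Print the DNS names from a subjectAltName value such as
# "DNS:mail.example.test, DNS:webmail.example.test, IP Address:10.0.0.1",
# one per line, ignoring non-DNS entries.
san_names_from_text() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Print the DNS SANs of the PEM certificate $1 (the SAN value is the line
# following the "Subject Alternative Name" header in openssl's text dump).
cert_san_names() {
  san_names_from_text "$(openssl x509 -noout -text -in "$1" \
      | grep -A1 'Subject Alternative Name' | tail -n 1)"
}

# Return 0 if every name in the space-separated list $2 is a SAN of
# certificate $1; list the missing names on stderr and return 1 otherwise.
# A browser validates the host it connected to against the SANs, so a name
# missing here is exactly what shows up as "not secure" for that domain.
cert_covers_domains() {
  sans=$(cert_san_names "$1")
  missing=0
  for d in $2; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$d"; then
      echo "not in certificate: $d" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 if the public key inside certificate $1 equals the public key
# derived from private key $2 (works for RSA and EC keys alike).
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# On a UCS host (assumed paths):
#   check_ucs_letsencrypt "$(ucr get letsencrypt/domains)"
check_ucs_letsencrypt() {
  cert=/etc/univention/letsencrypt/signed.crt
  key=/etc/univention/letsencrypt/domain.key
  cert_covers_domains "$cert" "$1" && cert_matches_key "$cert" "$key"
}
```

If `cert_covers_domains` reports a missing name, the fix is the one tpfann describes: put every domain into letsencrypt/domains (space-separated) and re-run setup-letsencrypt once, rather than running it once per domain.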

Hi tpfann,

Thank you very much for your answer. That way it works for me.

Best regards,
