WebProxy -> UCS -> Letsencrypt

Jan · February 19, 2019, 1:44pm

Hallo,

vor unserem UCS Server steht ein web Proxy, welcher ab sofort auch die LE Zertifikate verwaltet und eine entsprechende Weiterleitung macht.
Nun stellt sich mir die Frage, wie man dieses korrekt abbildet, damit USC / Postfix / Kopano auch die passenden LE Zertifikate hat.
Sollten diese vom Proxy kopiert werden oder kann der UCS LE Client eigene holen?

Jan

jolentes · February 19, 2019, 3:51pm

Hallo Jan,
Englisch wird hier im Forum bevorzugt.
Daher:

If your reverse proxy already does SSL offloading you don’t need LE certificates on UCS.
I still prefer to communicate via SSL between proxy and UCS but use self-signed certs here.

I don’t know if LE behind a proxy works at all.

BR,
Jörn

Jan · February 20, 2019, 5:57am

Hi Jörn.

very well… but UCS needs to have the certs for encrypted smtp, imap and pop.
So how can i do this?

Jan

fbartels · February 20, 2019, 8:56am

Unless you are doing dns validation it likely won’t (unless you also proxy through the http validation, but that also means that the system behind the proxy will obtain the cert, and not the proxy).

You will then need to find a way to deploy the certificates from the front facing system to any other depending systems (or just buy a certificate which has a longer validity). At home I am using https://github.com/lukas2511/dehydrated, which has hooks (https://github.com/lukas2511/dehydrated/blob/master/docs/examples/hook.sh) that can be triggered after renewing a certificate. I am using these hooks to the scp the certificate to other systems and then issue a restart of depending services through ssh.

matias · July 31, 2020, 11:36am

Can You please more information how you “deploy the certificates from the front facing system to any other depending systems”?

fbartels · July 31, 2020, 11:58am

Hi @matias,

I had already linked to their example hook file which sets up the basic structure. You’d have to add your customisation to the deploy_cert function.

For me it looks like the following:

deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

    case $1 in
    domain.synology.com|domain.new-synology.com)
	CERT_DIR=$(ssh -y -i /data/id_rsa $DOMAIN "cat /usr/syno/etc/certificate/_archive/DEFAULT")
        scp -i /data/id_rsa /etc/dehydrated/certs/${DOMAIN}/{cert.pem,fullchain.pem,privkey.pem} $DOMAIN:/usr/syno/etc/certificate/_archive/${CERT_DIR}/
        scp -i /data/id_rsa /etc/dehydrated/certs/${DOMAIN}/{cert.pem,fullchain.pem,privkey.pem} $DOMAIN:/usr/syno/etc/certificate/system/default/
        ssh -y -i /data/id_rsa $DOMAIN /usr/syno/sbin/synoservicectl --restart nginx 2>&1
        ;;
    [...]
    esac
}

Although I must say that I am for a while already toying with the idea to replace the direct connection (through ssh/scp) with a middle step to upload the obtained certs into Hasicorp Vault and then let the other system fetch it from there.

matias · August 1, 2020, 8:36am

@fbartels Thank you!
I am going to try it in the coming days.
Can I keep the second line?
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"

fbartels · August 1, 2020, 10:49am

Yes, of course you can keep the line. It’s also in the linked example.