I have one UCS-VM which I installed only for “additional” Apps.
I installed “Open Project” and “Zammad” from the App Center.
When I access “Open Project”, I get the right SSL certificate, which is generated by the Let’s Encrypt app.
When I access “Zammad” on the standard port (10412 for SSL), it serves the self-generated SSL certificate, not the Let’s Encrypt one.
The idea is not to connect to the ports of Docker apps directly, but instead connect to the regular Apache running on the regular 443 which will act as a reverse proxy for all the Docker apps. That Apache will then use the LE certificate (or you can configure it to do so).
Caveat: I haven’t tried Zammad on UCS myself yet. The above is general advice for how apps usually work on UCS.
Solution:
nano /etc/apache2/sites-available/zammad.conf
Listen 0.0.0.0:10412
<VirtualHost *:10412>
    ServerName subdomain.domain.tld
    ServerAlias *.domain.tld
    <Proxy 127.0.0.1:40002>
        Require local
    </Proxy>
    # Enable SSL towards clients, using the Let's Encrypt certificate
    SSLEngine on
    # The SSLProxy* directives only apply to https:// or wss:// backends;
    # the backend below is plain HTTP/WS on loopback.
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
    SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    # ProxyPass parameters are separate key=value words ("acquire", not "acque")
    ProxyPass /ws ws://127.0.0.1:40002/ws retry=1 acquire=3000 timeout=600 keepalive=On
    ProxyPass / http://127.0.0.1:40002/ retry=1 acquire=3000 timeout=600 keepalive=On
</VirtualHost>
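A small check for a reverse-proxy vhost like the one above, as an added example that is not part of the original posts or of the Univention or Zammad code. The function name `lint_vhost`, the parameter subset and the sample text are assumptions made for illustration; it flags disabled backend certificate checks and malformed `ProxyPass` parameters.

```python
import re
import shlex

# Subset of the key=value parameters that mod_proxy documents for ProxyPass.
KNOWN_PARAMS = {"min", "max", "smax", "acquire", "connectiontimeout", "disablereuse",
                "keepalive", "ping", "retry", "timeout", "ttl"}
PEER_CHECKS = {"sslproxycheckpeercn", "sslproxycheckpeername", "sslproxycheckpeerexpire"}

def lint_vhost(text):
    """Return (line_number, message) findings, assuming 'ProxyPass path url [params]' form."""
    findings = []
    lines = text.splitlines()
    # TLS to the backend only happens for https:// or wss:// ProxyPass targets.
    tls_backend = any(re.match(r"\s*ProxyPass\s+\S+\s+(https|wss)://", l, re.I) for l in lines)
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue  # skip blanks, comments and section tags
        words = shlex.split(line)
        name = words[0].lower()
        if name in PEER_CHECKS and words[-1].lower() == "off":
            effect = ("disables" if tls_backend
                      else "has no effect on a plain-HTTP backend but would disable")
            findings.append((no, f"{words[0]} off {effect} backend certificate checking"))
        if name == "proxypass":
            for arg in words[3:]:
                if " " in arg:
                    findings.append((no, "ProxyPass parameters are quoted into one "
                                         "argument; write them as separate key=value words"))
                for pair in arg.split():
                    key = pair.split("=", 1)[0].lower()
                    if key not in KNOWN_PARAMS:
                        findings.append((no, f"unknown ProxyPass parameter '{key}'"))
    return findings

# Constructed sample modelled on the vhost in the post above.
SAMPLE = """\
<VirtualHost *:10412>
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerName off
SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
ProxyPass /ws ws://127.0.0.1:40002/ws "retry=1 acque=3000 timeout=600 keepalive=On"
ProxyPass / http://127.0.0.1:40002/ retry=1 acquire=3000 timeout=600 keepalive=On
</VirtualHost>
"""

if __name__ == "__main__":
    for no, msg in lint_vhost(SAMPLE):
        print(f"line {no}: {msg}")
```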
Maybe the Zammad developers will want to check how these scenarios are handled in other apps. The code for this in the Mattermost app is located at https://stash.z-hub.io/projects/K4U/repos/mattermost/browse/configure_host#48-94