Zammad doesn't use Let's Encrypt Certificate

zammad

#1

I have one UCS-VM which I installed only for “additional” Apps.
I installed “Open Project” and “Zammad” from App-Center.

When I access “Open Project” I get the right SSL certificate, which is generated by the Let’s Encrypt app.
When I access “Zammad” on its standard port (10412 for SSL), it serves the self-generated SSL certificate, not the Let’s Encrypt one.


#2

The idea is not to connect to the ports of Docker apps directly, but instead connect to the regular Apache running on the regular 443 which will act as a reverse proxy for all the Docker apps. That Apache will then use the LE certificate (or you can configure it to do so).

Caveat: I haven’t tried Zammad on UCS myself yet. The above is general advice for how apps usually work on UCS.


#3

Solution:

nano /etc/apache2/sites-available/zammad.conf

Listen 0.0.0.0:10412

<VirtualHost *:10412>
    ServerName subdomain.domain.tld
    ServerAlias *.domain.tld

    <Proxy 127.0.0.1:40002>
        Require local
    </Proxy>

    # Enable SSL
    SSLEngine on
    SSLProxyEngine on
    # Backend certificate checks are switched off; the backend below is plain HTTP/WS on loopback
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Certificate chain and key from the Let's Encrypt app, served on this port
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
    SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    # Connection pool parameters are passed as separate key=value arguments
    ProxyPass /ws ws://127.0.0.1:40002/ws retry=1 acquire=3000 timeout=600 keepalive=On
    ProxyPass / http://127.0.0.1:40002/ retry=1 acquire=3000 timeout=600 keepalive=On
</VirtualHost>
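
An added example, not part of the original posts: a small Python check that reads Apache vhost configuration and reports, per `<VirtualHost>`, whether it serves the Let's Encrypt chain named in the configuration above and whether `SSLProxyCheckPeer*` is switched off for a backend that is actually reached over TLS. The sample configuration, the self-signed certificate path, the backend host name and the function name `audit_vhosts` are constructed for illustration.

```python
import re

LE_CHAIN = "/etc/univention/letsencrypt/signed_chain.crt"  # path from the configuration above

# Constructed sample input (not taken from a real host).
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
    SSLProxyCheckPeerName off
    ProxyPass / http://127.0.0.1:40002/
</VirtualHost>
<VirtualHost *:10412>
    SSLCertificateFile /etc/ssl/constructed/self-signed.crt
    SSLProxyEngine on
    SSLProxyCheckPeerName off
    ProxyPass / https://backend.example:8443/
</VirtualHost>
"""

def audit_vhosts(conf_text, expected_cert=LE_CHAIN):
    """Return {vhost address: [issues]} for every <VirtualHost> block."""
    report, vhost = {}, None
    for line in (l.strip() for l in conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = {"addr": opened.group(1).strip(), "cert": None, "tls_backend": False, "checks_off": []}
        elif vhost and re.match(r"</VirtualHost>", line, re.I):
            issues = []
            if vhost["cert"] != expected_cert:
                issues.append(f"serves {vhost['cert']} instead of the Let's Encrypt chain")
            # SSLProxyCheckPeer* only matters when the backend is reached over TLS.
            if vhost["tls_backend"] and vhost["checks_off"]:
                issues.append("TLS backend with " + ", ".join(vhost["checks_off"]) + " off")
            report[vhost["addr"]] = issues
            vhost = None
        elif vhost and line and not line.startswith("#"):
            words = line.split()
            name = words[0].lower()
            if name == "sslcertificatefile" and len(words) > 1:
                vhost["cert"] = words[1]
            elif name == "proxypass" and len(words) > 2:
                vhost["tls_backend"] |= words[2].lower().startswith(("https://", "wss://"))
            elif name.startswith("sslproxycheckpeer") and words[-1].lower() == "off":
                vhost["checks_off"].append(words[0])
    return report

if __name__ == "__main__":
    for addr, issues in audit_vhosts(SAMPLE_CONF).items():
        print(addr, "OK" if not issues else "; ".join(issues))
```

To run it against a real host, pass the text of the files under `/etc/apache2/sites-available/` to `audit_vhosts` instead of the sample.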

#4

Maybe the Zammad developers will want to check how these scenarios are handled in other apps. The code for this in the Mattermost app is located at https://stash.z-hub.io/projects/K4U/repos/mattermost/browse/configure_host#48-94