Koozali.org: home of the SME Server

let's encrypt question

JRBATM20192021
let's encrypt question
« on: December 23, 2022, 05:48:46 AM »
Hello,

Can't say this question is one hundred percent SME Server related, but the way to do it, I am thinking, is tied to SME, so that is why I am asking.

Is it possible to add a separate URL onto an existing Let's Encrypt certificate for a different URL?

Thanks.

ReetP
Re: let's encrypt question
« Reply #1 on: December 23, 2022, 12:54:15 PM »
You mean domains?

Yes, but then it depends what you really are trying to do.

Explain your problem clearly.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

JRBATM20192021
Re: let's encrypt question
« Reply #2 on: December 24, 2022, 02:38:34 AM »
Yes, that's what I mean. I have a Let's Encrypt license for my domain on an SME Server and wanted to add another domain from a different server to the same Let's Encrypt license. Is that possible?

Thanks.

ReetP
Re: let's encrypt question
« Reply #3 on: December 24, 2022, 03:36:59 PM »
Quote
Yes, that's what I mean. I have a Let's Encrypt license for my domain on an SME Server and wanted to add another domain from a different server to the same Let's Encrypt license. Is that possible?

Have you read the wiki?

As I said above.

Quote
Yes, but then it depends what you really are trying to do.

You need to explain exactly what you are trying to do. That makes a difference on the advice we can give.

mmccarn
Re: let's encrypt question
« Reply #4 on: December 24, 2022, 04:42:27 PM »
Quote
...add another domain from a different server to the same Let's Encrypt license. Is that possible?

This could be done, but requires careful configuration or manual adjustments when updating.

LetsEncrypt verifies each new or renewed certificate using an HTTP connection to the names requested for the cert.

If you're hosting a site on another server, how do you get the SME to respond to the LetsEncrypt challenge? 

If the second host is "behind" the SME, you could get the SME to intercept /.well-known/acme-challenge locally while sending other traffic to the second host, then distribute the cert to the second host after it's updated.

I do this on my home network with an SME in server-only mode, but I have to play with my firewall rules every time I need to renew my certificates.

I have a set of WAF rules in my Sophos firewall that redirect /.well-known/acme-challenge to the system that manages the LetsEncrypt certificates. However, I'm collecting certs on different hosts using the same names, so I still need to turn some rules on and off every 90 days while doing updates...

[pointless extra details]

SME (office.mydomain.tld)
+ autodiscover.mydomain.tld
+ etherpad.mydomain.tld

NethServer (neth.mydomain.tld)
+ collabora.mydomain.tld
+ mattermost.mydomain.tld
+ etherpad.mydomain.tld

Ubuntu (cloud.mydomain.tld)
+ collabora.mydomain.tld
+ etherpad.mydomain.tld
+ passbolt.mydomain.tld
+ wiki.mydomain.tld
+ docker.mydomain.tld
+ office.mydomain.tld
+ router.mydomain.tld

Sophos (router.mydomain.tld)
--> I have a script on cloud.mydomain.tld that will push the letsencrypt cert to the router
--> Once the router has the new cert, I have to manually update the cert settings in the router for affected services

Docker (docker.mydomain.tld)
--> cronjob looks for new cert on cloud.mydomain.tld
--> if there is a new cert, load it and restart the 'onlyoffice' docker container

I could simplify the above, but I keep it as-is in order to teach myself about the various platforms (SME, Neth, Ubuntu, Docker, Sophos)

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: let's encrypt question
« Reply #5 on: December 24, 2022, 11:29:53 PM »
There are a few workarounds and ways to update an SSL cert for a server behind SME.

Could use ProxyPass.
Could use an NFS or sshfs share to the well-known/acme-challenge directory.
Could use a script to deploy the certificate to the local server when renewed.

And more. It depends on how happy you are with one server having access to the other one, or sharing an NFS share, or even having the local server accessible from the internet.

JRBATM20192021
Re: let's encrypt question
« Reply #6 on: December 27, 2022, 12:36:14 PM »
Thanks for the helpful info everyone. Yeah, it would be okay for the servers to share info with each other. What I am doing is I need to get a security certificate for a "different server", but this server is a streaming server, while the one server that I would like to attach to its security certificate is the SME "secure" server. But the more I think about it, and with what you guys have said, it looks like I would be opening up my SME server to security risks by attaching another server on to its security certificate. So I will go another direction with this.

Thanks!

ReetP
Re: let's encrypt question
« Reply #7 on: December 27, 2022, 05:40:05 PM »
You are making this an xyinfo issue.....

https://xyproblem.info/

It depends where your other server lives....

As I said right at the start, explain exactly what you want to achieve including host/domain examples etc.

Host X here, domain X there, SME box here, firewall there, etc etc.

It's fine to deploy a cert elsewhere if you know the servers.

Using hook scripts you can deploy certs. But it depends on what you are trying to achieve, and that bit you still haven't clarified.

So you may "go another direction" which may be completely wrong.

We can't be precise unless you are. If you give us a good description we can give you a sensible answer.

Otherwise you'll be back again stumbling blindly looking for a solution to the wrong problem.
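The "script to deploy the certificate to the local server when renewed" from Reply #5, the hook scripts mentioned in this reply, and the "distribute the cert to the second host after it's updated" step from Reply #4 all amount to the same thing: a dehydrated deploy hook. The script below is an added example, not code from the SME wiki, from dehydrated, or from anyone in this thread. It follows dehydrated's hook calling convention (deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP), pushes the renewed key and chain to the backend over a dedicated SSH key, and only reports success once the backend actually serves the new certificate. BACKEND_HOST, BACKEND_TLS_PORT, BACKEND_DIR, SSH_KEY, the deploy user and RELOAD_CMD are placeholders.

```shell
#!/bin/sh
# Added example, not the SME wiki's or dehydrated's own code.
# dehydrated calls it as: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
set -eu

# Placeholders (assumptions): where the backend lives and how it reloads its TLS service.
BACKEND_HOST="${BACKEND_HOST:-stream.example.internal}"
BACKEND_TLS_PORT="${BACKEND_TLS_PORT:-8443}"
BACKEND_DIR="${BACKEND_DIR:-/etc/ssl/stream}"
SSH_KEY="${SSH_KEY:-/root/.ssh/cert_deploy}"            # dedicated key, restricted on the backend
RELOAD_CMD="${RELOAD_CMD:-/usr/local/sbin/reload-tls}"  # hypothetical reload wrapper on the backend

# SHA-256 fingerprint of the first certificate in a PEM file (the leaf of a fullchain).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a host really serves for a given SNI name.
served_fingerprint() {  # $1 host, $2 port, $3 SNI name
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

deploy_cert() {
    domain="$1"; keyfile="$2"; fullchain="$4"
    # Key material travels over SSH with a dedicated key and a non-root deploy user.
    scp -q -i "$SSH_KEY" "$keyfile" "$fullchain" "deploy@$BACKEND_HOST:$BACKEND_DIR/"
    ssh -i "$SSH_KEY" "deploy@$BACKEND_HOST" "$RELOAD_CMD"
    # Verify the rollout: the backend must now present exactly the certificate we pushed.
    expected=$(file_fingerprint "$fullchain")
    actual=$(served_fingerprint "$BACKEND_HOST" "$BACKEND_TLS_PORT" "$domain") || actual=""
    if [ "$expected" != "$actual" ]; then
        echo "deploy_cert: $BACKEND_HOST still serves '$actual', expected $expected" >&2
        return 1
    fi
    echo "deploy_cert: $domain deployed to $BACKEND_HOST ($expected)"
}

# dehydrated also calls the hook for deploy_challenge, clean_challenge, unchanged_cert,
# exit_hook and others; those must exit 0 even though this hook does nothing for them.
hook_main() {
    case "${1:-}" in
        deploy_cert) shift; deploy_cert "$@" ;;
        *) return 0 ;;
    esac
}

if [ $# -gt 0 ]; then hook_main "$@"; fi
```

A non-zero exit from deploy_cert makes the dehydrated run fail loudly, which is what you want: a renewed certificate that never reached the backend is exactly the silent failure mmccarn's firewall juggling is meant to avoid.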

JRBATM20192021
Re: let's encrypt question
« Reply #8 on: January 12, 2023, 11:19:09 AM »
Yeah, you're right on the X-Y issue. I still don't know what to do on the previous problem. I got a security certificate online but it didn't associate with the Icecast streaming server like I wanted it to, so I doubt tacking it on to the SME Server security certificate would have worked either.....

Different Issue I didn't want to make another Topic post so thought I would post here.

I'm trying to do something similar, but instead of it being a different server I want to add another completely different domain, which will be hosted by the same server as the original domain, to the original domain's Let's Encrypt security certificate. I know that's possible, and this post is more of an "I want to check to make sure I know what to do" before I go messing with the certificate and screw it all up.

So do I need to do a completely new certificate to add the new domain, or can I just use the command below to add it?

sudo letsencrypt --apache -d mydomain.com

Thanks

ReetP
Re: let's encrypt question
« Reply #9 on: January 12, 2023, 12:25:03 PM »
Quote
Yeah, you're right on the X-Y issue. I still don't know what to do on the previous problem. I got a security certificate online but it didn't associate with the Icecast streaming server like I wanted it to, so I doubt tacking it on to the SME Server security certificate would have worked either.....


As we STILL don't know your exact layout we really can't help you.

As I have said repeatedly, describe your situation accurately and we may be able to assist.


ReetP
Re: let's encrypt question
« Reply #10 on: January 12, 2023, 12:25:23 PM »
Quote
Different Issue I didn't want to make another Topic post so thought I would post here.

Well then you should create a new thread and post it in the correct forum which is Contribs. You are just creating work and confusion here, which means you won't get much help.

Quote
I'm trying to do something similar, but instead of it being a different server I want to add another completely different domain, which will be hosted by the same server as the original domain, to the original domain's Let's Encrypt security certificate. I know that's possible, and this post is more of an "I want to check to make sure I know what to do" before I go messing with the certificate and screw it all up.

So do I need to do a completely new certificate to add the new domain, or can I just use the command below to add it?

You need to read the wiki where this is described.

https://wiki.koozali.org/Letsencrypt#Hosts_and_domains_for_the_certificate

Quote
sudo letsencrypt --apache -d mydomain.com

Where does it tell you to do that in the wiki?

When did Koozali SME use sudo? Please, stop reading pages that relate to different server and letsencrypt installation types and start reading the documentation for Koozali SME.

You are going to make a complete mess of your server otherwise.

Jean-Philippe Pialasse
Re: let's encrypt question
« Reply #11 on: January 12, 2023, 12:53:28 PM »
If you have an externally provided certificate you can associate it to an httpd virtualhost (domain db), as the httpd template can now use SNI.

The template will use this certificate for this domain, and will keep using the LE cert for others where nothing is defined.

SME does not support separate per-domain LE/dehydrated certificates because of the limitation it would impose on services other than httpd that use the same certificate (including email).
Currently you can use any domain to connect to those services; if we separated the domains into unique certificates, only httpd would handle them all using SNI and the others would only use the primary domain.

EDIT 2: revert original post
« Last Edit: January 12, 2023, 05:29:14 PM by Jean-Philippe Pialasse »

Stefano
Re: let's encrypt question
« Reply #12 on: January 12, 2023, 05:18:45 PM »
Quote
If you have an externally provided certificate you can associate it to an httpd virtualhost (domain db), as the httpd template can now use SNI.

The template will use this certificate for this domain, and will keep using the LE cert for others where nothing is defined.

Interesting, I missed it..
Could you please give me a link in the wiki?
Thank you mate

Damn.. I edited your post, not quoted, my bad :-(
EDIT: moved comment from previous message

« Last Edit: January 12, 2023, 05:26:51 PM by Jean-Philippe Pialasse »

Jean-Philippe Pialasse
Re: let's encrypt question
« Reply #13 on: January 12, 2023, 05:31:27 PM »
Quote
Interesting, I missed it..
Could you please give me a link in the wiki?
Thank you mate

Probably needs documenting in the wiki.

This is part of the NFRs of SME10. I could point to some fragments in httpd/ virtualhost.

JRBATM20192021
Re: let's encrypt question
« Reply #14 on: January 12, 2023, 09:19:48 PM »
Okay, first problem layout:

Internet - Server one (SME Server) - Server two (Icecast streaming server). They're both on the same network, you would call it, but they have different IP addresses.

Second problem:
Okay, I didn't have access to the wiki earlier; it gave me a really weird error..... Now it works. So if I start at Step by Step Configuration and go all the way up to test mode, but not including test mode, it should work and I shouldn't mess up my original certificate?

Thanks