Univention Bugzilla – Bug 48204
Letsencrypt: extra virtualhost entry for external dns name
Last modified: 2019-02-26 08:50:51 CET
create an extra virtualhost entry for external dns name
As far as I understand the problem: If you have set up your UCS using an internal domain, e.g. mydomain.intranet, but have it accessible from the outside by a different domain, you can't generate a Let's Encrypt cert for the internal domain, so you need two certs to have the internal domain encrypted as well. Thus, virtualhost entries are needed for the different domains to deliver different certs.
Still a very important feature for various use cases by customers
- I migrated the univention-letsencrypt package to the UCS git repo
- We probably have to make an app update once the package is released to finish the migration
- the app still works the same if the cert is only used for the normal domain
- if the cert is valid for domains that are not the ucs domain, virtual hosts will be created in the apache config file univention-letsencrypt.conf
- the cronjob that checks if the cert is still valid should stop delivery of the cert for all domains it is valid for
- I built the package both for 4.3-3 and 4.4. Please take an extra look at the yamls and how the packages are built, I'm not 100% sure that I did everything correctly.
- I have an AWS machine that you can use for QA, just ask me

----------------

Successful build
Package: univention-letsencrypt
Version: 1.2.2-4A~4.3.0.201901081457
Branch: ucs_4.3-0
Scope: errata4.3-3

Successful build
Package: univention-letsencrypt
Version: 2.0.0-1A~4.4.0.201901081528
Branch: ucs_4.4-0
Scope:

univention-letsencrypt (2.0.0-1)
6a799e8a87b1 | Bug #48204: 4.4 version bump, copyright 2019
univention-letsencrypt.yaml
2b2192b3b460 | Bug #48204: YAML
8cf27cd56c23 | Bug #48204: YAML
univention-letsencrypt (1.2.2-4)
5caa221523a6 | Bug #48204: let letsencrypt add an apache virtualhost entry instead of replacing the ucsCA cert
univention-letsencrypt (1.2.2-3)
e86514888d62 | Bug #48204: migrate univention-letsencrypt to ucs git
As discussed the package will be moved into: https://git.knut.univention.de/univention/components/letsencrypt
As discussed:
- I moved the package to the new repository
- I removed the yamls
- I built the package and uploaded it to the test app center
- Philipp removed the packages from the ucs 4.3 and 4.4 repositories

letsencrypt git:
commit 44a9f2dfc7845ce0ea3c38fc49af93d8d1da3844
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:27:12 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo

Successful build
Package: univention-letsencrypt
Version: 1.2.2-4A~4.3.0.201901101252
Branch: ucs_4.3-0
Scope: letsencrypt

----------------------------------------

4.3-3:
commit b46e5a76a8f333452676cbb60093460fb959736d
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 16:32:01 2019 +0100

    Bug #48204: remove unnecessary yaml

commit 7aad80fb04f31dc3ac2e4505a13ebf9bc08c349a
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:31:21 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo

4.4-0:
commit 3092baf4d2d655dedef5bc359940a3545defe6a3
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 16:30:37 2019 +0100

    Bug #48315, #48204: remove unnecessary yamls

commit 3c3c36b9b646dcff830f7a7012fb2462dda5c11c
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:32:39 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo
The default certificate ucr variables for apache, dovecot and postfix will now get reset to their default values if letsencrypt is disabled for the service (except for when they were set to custom values).

Successful build
Package: univention-letsencrypt
Version: 1.2.2-5A~4.3.0.201901161029
Branch: ucs_4.3-0
Scope: letsencrypt

univention-letsencrypt (1.2.2-5)
920f9582f8d1 | Bug #48204: correctly reset ucr values for disabled services
Looks good :)

I fixed a small bug (Using ucr keys as variables like "$apache2_ssl_certificate" only works if 'eval "$(ucr shell)"' was called before)
[4.3 c2277c4] Bug #48204: Fix ucr variable

What I tested:
Use letsencrypt for fqdn -> OK (As discussed this breaks https for the hostname e.g https://myhost/, but I guess that needs to be fixed in our apache config)
Use letsencrypt for a domain different from the fqdn -> OK
Use letsencrypt for multiple domains -> OK
Activate/Deactivate letsencrypt for apache -> OK
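The behaviour described in this thread (one Apache virtualhost per external name covered by the cert, the UCS FQDN left on the default vhost, and UCR variables loaded with 'eval "$(ucr shell)"' before they are read), as an added shell example that is not code from the univention-letsencrypt package; the certificate paths, the apache2_ssl_key name and the output file name are assumptions.

```shell
#!/bin/sh
# Added example, not the package's own code: render one <VirtualHost> per
# external name so only names other than the UCS FQDN get an entry in
# univention-letsencrypt.conf. Paths and UCR variable names are assumptions.

# Render one HTTPS vhost stanza for a single external name.
render_vhost() {
    _domain="$1"; _cert="$2"; _key="$3"
    printf '<VirtualHost *:443>\n'
    printf '    ServerName %s\n' "$_domain"
    printf '    SSLEngine on\n'
    printf '    SSLCertificateFile %s\n' "$_cert"
    printf '    SSLCertificateKeyFile %s\n' "$_key"
    printf '</VirtualHost>\n\n'
}

# Render the whole file for a space-separated list of names. The FQDN is
# skipped because the default vhost already serves it; if every name equals
# the FQDN the output is empty and no extra file needs to be written.
render_conf() {
    _fqdn="$1"; _domains="$2"; _cert="$3"; _key="$4"
    for _d in $_domains; do
        [ "$_d" = "$_fqdn" ] && continue
        render_vhost "$_d" "$_cert" "$_key"
    done
}

# Export UCR values as shell variables before reading them: the bug fixed in
# the thread was that $apache2_ssl_certificate stays empty unless
# 'eval "$(ucr shell)"' ran first. No-op where the ucr tool is absent.
load_ucr() {
    if command -v ucr >/dev/null 2>&1; then
        eval "$(ucr shell)"
    fi
}

# Usage: sh render-le-vhosts.sh <fqdn> "<name1 name2 ...>" [cert] [key]
# The fallback paths below are constructed placeholders, not real defaults.
if [ $# -ge 2 ]; then
    load_ucr
    render_conf "$1" "$2" \
        "${3:-${apache2_ssl_certificate:-/etc/univention/letsencrypt/signed_chain.crt}}" \
        "${4:-${apache2_ssl_key:-/etc/univention/letsencrypt/domain.key}}"
fi
```

Redirect the output to univention-letsencrypt.conf and reload Apache; an empty result means only the FQDN is covered and the default vhost is sufficient.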
released