Bug 48204 - Letsencrypt: extra virtualhost entry for external dns name
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-3-errata
Assigned To: Jannik Ahlers
QA Contact: Jürn Brodersen
Depends on:
Blocks:
Reported: 2018-11-26 14:42 CET by Jannik Ahlers
Modified: 2019-02-26 08:50 CET
CC List: 4 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
School Customer affected?: Yes
Description Jannik Ahlers univentionstaff 2018-11-26 14:42:39 CET
create an extra virtualhost entry for external dns name
Comment 1 Jannik Ahlers univentionstaff 2018-11-29 16:12:29 CET
As far as I understand the problem:
If you have set up your UCS using an internal domain, e.g. mydomain.intranet, but have it accessible from the outside by a different domain, you can't generate a Let's Encrypt cert for the internal domain, so you need two certs to have the internal domain encrypted as well. Thus, virtualhost entries are needed for the different domains to deliver different certs.
Comment 2 Michel Smidt 2018-12-07 15:12:14 CET
Still a very important feature for various use cases by customers
Comment 3 Jannik Ahlers univentionstaff 2019-01-08 15:48:28 CET
- I migrated the univention-letsencrypt package to the UCS git repo
- We probably have to make an app update once the package is released to finish the migration

- the app still works the same if the cert is only used for the normal domain
- if the cert is valid for domains that are not the ucs domain, virtual hosts will be created in the apache config file univention-letsencrypt.conf
- the cronjob that checks if the cert is still valid should stop delivery of the cert for all domains it is valid for

- I built the package both for 4.3-3 and 4.4. Please take an extra look at the yamls and how the packages are built, I'm not 100% sure that I did everything correctly.

- I have an AWS machine that you can use for QA, just ask me
----------------
Successful build
Package: univention-letsencrypt
Version: 1.2.2-4A~4.3.0.201901081457
Branch: ucs_4.3-0
Scope: errata4.3-3

Successful build
Package: univention-letsencrypt
Version: 2.0.0-1A~4.4.0.201901081528
Branch: ucs_4.4-0
Scope: 

univention-letsencrypt (2.0.0-1)
6a799e8a87b1 | Bug #48204: 4.4 version bump, copyright 2019

univention-letsencrypt.yaml
2b2192b3b460 | Bug #48204: YAML
8cf27cd56c23 | Bug #48204: YAML

univention-letsencrypt (1.2.2-4)
5caa221523a6 | Bug #48204: let letsencrypt add an apache virtualhost entry instead of replacing the ucsCA cert

univention-letsencrypt (1.2.2-3)
e86514888d62 | Bug #48204: migrate univention-letsencrypt to ucs git
Comment 4 Jürn Brodersen univentionstaff 2019-01-10 12:22:09 CET
As discussed the package will be moved into:
https://git.knut.univention.de/univention/components/letsencrypt
Comment 5 Jannik Ahlers univentionstaff 2019-01-10 16:39:47 CET
As discussed:
- I moved the package to the new repository
- I removed the yamls
- I built the package and uploaded it to the test app center
- Philipp removed the packages from the ucs 4.3 and 4.4 repositories

letsencrypt git:
commit 44a9f2dfc7845ce0ea3c38fc49af93d8d1da3844
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:27:12 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo

Successful build
Package: univention-letsencrypt
Version: 1.2.2-4A~4.3.0.201901101252
Branch: ucs_4.3-0
Scope: letsencrypt

----------------------------------------
4.3-3:
commit b46e5a76a8f333452676cbb60093460fb959736d
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 16:32:01 2019 +0100

    Bug #48204: remove unnecessary yaml

commit 7aad80fb04f31dc3ac2e4505a13ebf9bc08c349a
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:31:21 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo

4.4-0:
commit 3092baf4d2d655dedef5bc359940a3545defe6a3
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 16:30:37 2019 +0100

    Bug #48315, #48204: remove unnecessary yamls

commit 3c3c36b9b646dcff830f7a7012fb2462dda5c11c
Author: Jannik Ahlers <ahlers@univention.de>
Date:   Thu Jan 10 12:32:39 2019 +0100

    Bug #48204: move package unvention-letsencrypt into own repo
Comment 6 Jannik Ahlers univentionstaff 2019-01-16 10:36:36 CET
The default certificate ucr variables for apache, dovecot and postfix will now get reset to their default values if letsencrypt is disabled for the service (except for when they were set to custom values).

Successful build
Package: univention-letsencrypt
Version: 1.2.2-5A~4.3.0.201901161029
Branch: ucs_4.3-0
Scope: letsencrypt

univention-letsencrypt (1.2.2-5)
920f9582f8d1 | Bug #48204: correctly reset ucr values for disabled services
Comment 7 Jürn Brodersen univentionstaff 2019-01-17 10:18:23 CET
Looks good :)

I fixed a small bug (Using ucr keys as variables like "$apache2_ssl_certificate" only works if 'eval "$(ucr shell)"' was called before)
[4.3 c2277c4] Bug #48204: Fix ucr variable

What I tested:
Use letsencrypt for fqdn -> OK
  (As discussed this breaks https for the hostname, e.g. https://myhost/, but I guess that needs to be fixed in our apache config)
Use letsencrypt for a domain different from the fqdn -> OK
Use letsencrypt for multiple domains -> OK
Activate/Deactivate letsencrypt for apache -> OK
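The mechanism from Comment 3 (one Apache virtual host per certificate domain that is not the UCS host's own name, written to univention-letsencrypt.conf), with the `eval "$(ucr shell)"` detail from Comment 7, as an added illustration that is not the univention-letsencrypt package's own code. Certificate paths, the fallback FQDN and the sample domain list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the univention-letsencrypt package.
# Writes one <VirtualHost> stanza per certificate domain that is not the
# UCS host's own FQDN, so external names are served with the Let's Encrypt
# certificate while the UCS FQDN keeps the ucsCA certificate.
# Certificate paths are assumptions, not the package's real locations.
LE_CERT=${LE_CERT:-/etc/univention/letsencrypt/signed_chain.crt}
LE_KEY=${LE_KEY:-/etc/univention/letsencrypt/domain.key}

# ucs_fqdn -> the host's own FQDN. On a UCS system the values come from UCR;
# as noted in Comment 7, $hostname/$domainname only exist in the shell after
# eval "$(ucr shell ...)". Off-UCS a constructed fallback name is used.
ucs_fqdn() {
    if command -v ucr >/dev/null 2>&1; then
        eval "$(ucr shell hostname domainname)"
        printf '%s.%s\n' "$hostname" "$domainname"
    else
        printf '%s\n' "${UCS_FQDN_FALLBACK:-ucs.mydomain.intranet}"
    fi
}

# external_domains FQDN DOMAIN... -> every DOMAIN that differs from FQDN
external_domains() {
    fqdn=$1; shift
    for d in "$@"; do
        [ "$d" = "$fqdn" ] || printf '%s\n' "$d"
    done
}

# vhost_block DOMAIN -> one HTTPS virtual host using the Let's Encrypt cert
vhost_block() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile $LE_CERT
    SSLCertificateKeyFile $LE_KEY
</VirtualHost>
EOF
}

# render_conf FQDN DOMAIN... -> content for univention-letsencrypt.conf
render_conf() {
    fqdn=$1; shift
    external_domains "$fqdn" "$@" | while read -r d; do vhost_block "$d"; done
}

# count_vhosts FQDN DOMAIN... -> number of stanzas render_conf would write
count_vhosts() {
    render_conf "$@" | grep -c '^<VirtualHost ' || true
}
```

Run as `render_conf "$(ucs_fqdn)" $DOMAINS` with the certificate's domain list; a certificate covering only the UCS FQDN yields an empty file, matching the "works the same" case in Comment 3.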
Comment 8 Felix Botner univentionstaff 2019-01-17 14:58:23 CET
released