Univention Bugzilla – Bug 55365
documentation for letsencrypt based setups
Last modified: 2023-11-14 18:46:40 CET
A partner reported that it is not straightforward to configure the Keycloak App in a letsencrypt based setup. We should support the ucs-sso-ng subdomain out of the box for these scenarios or at least add some documentation for the potential users.
(In reply to Thorsten from comment #0)
> A partner reported that it is not straightforward to configure the Keycloak
> App in a letsencrypt based setup. We should support the ucs-sso-ng subdomain
> out of the box for these scenarios or at least add some documentation for
> the potential users.

The Let's Encrypt App supports a list of domains it retrieves the certificates for and includes them in the Apache configuration. This also works for the ucs-sso-ng subdomain.

I don't see an easy way to have a default setup for this, as (typical for Let's Encrypt) it depends on the datacenter infrastructure (public DNS, reverse proxies etc.). All I see is to have documentation for this.
(In reply to Ingo Steuwer from comment #2)
> The Let's Encrypt App supports a list of domains it retrieves the
> certificates for and includes them in the Apache configuration. This also
> works for the ucs-sso-ng subdomain.

Yes, this is what the partner also discovered and documented. It would be great if that process were already documented as part of the product.

> I don't see an easy way to have a default setup for this, as (typical for
> Let's Encrypt) it depends on the datacenter infrastructure (public DNS,
> reverse proxies etc.). All I see is to have documentation for this.

Is there really a significant difference between the support for the main hostname and ucs-sso-ng, at least for the standard use case where a customer wants to set up UCS and try out the Keycloak app while there is just one UCS instance, which also hosts the Keycloak app? This will probably cover the common scenario, and for "everything" else the customer should find some advice in the documentation.
Wouldn't it be possible to have a config option in the LetsEncrypt app similar to "use certificate in apache/postfix/dovecot" when the Keycloak app is installed as well on that server?

If the checkmark is then set by the user & the config is being saved, the following would need to happen (amongst other checks):

1) renew the SSL cert
2) if successful, set the UCRV: "ucr set keycloak/apache2/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt keycloak/apache2/ssl/key=/etc/univention/letsencrypt/domain.key"
3) restart the services to load the new certs

But I agree: this (setting of UCRV) should also be added to the documentation. I'll create a docu bug for that...
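A guard for step 2 of the procedure above, as an added example that is not part of this bug thread or of the Univention Let's Encrypt or Keycloak apps: before the UCR variables are pointed at the Let's Encrypt chain, it checks that the certificate's subjectAltName actually lists the SSO host, so Keycloak is not switched to a certificate that browsers will reject for ucs-sso-ng. The file paths are the ones named in the comment; the hostname ucs-sso-ng.example.com and the openssl-based SAN lookup are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Univention apps.
# Paths are the ones quoted in comment 7; the SSO hostname is an assumption.
LE_CERT=/etc/univention/letsencrypt/signed_chain.crt
LE_KEY=/etc/univention/letsencrypt/domain.key

# san_covers HOST: reads a subjectAltName listing ("DNS:a, DNS:b", as printed
# by openssl) on stdin; returns 0 if HOST is listed literally or matched by a
# single-label wildcard, 1 otherwise.
san_covers() {
    host=$1
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | sed 's/[[:space:]]*$//' |
    ( while IFS= read -r name; do
          case "$name" in
              "$host") exit 0 ;;
              '*.'*)
                  # a wildcard covers exactly one label below its suffix
                  suffix=${name#\*.}
                  rest=${host%".$suffix"}
                  if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                      exit 0
                  fi ;;
          esac
      done
      exit 1 )
}

# cert_covers CERT HOST: asks openssl (1.1.1 or newer, for -ext) for the SAN list.
cert_covers() {
    openssl x509 -in "$1" -noout -ext subjectAltName | san_covers "$2"
}

# Step 2 of comment 7, guarded by the SAN check. Steps 1 and 3 (renewing the
# certificate and restarting the services) stay with the Let's Encrypt App.
configure_keycloak_cert() {
    sso_host=$1
    if [ ! -r "$LE_CERT" ] || [ ! -r "$LE_KEY" ]; then
        echo "Let's Encrypt certificate or key not readable" >&2
        return 1
    fi
    if ! cert_covers "$LE_CERT" "$sso_host"; then
        echo "$LE_CERT does not cover $sso_host; add it to the Let's Encrypt domain list and renew first" >&2
        return 1
    fi
    ucr set "keycloak/apache2/ssl/certificate=$LE_CERT" "keycloak/apache2/ssl/key=$LE_KEY"
}

# usage (hostname assumed): configure_keycloak_cert ucs-sso-ng.example.com
```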