Bug 55365 - documentation for letsencrypt based setups
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
Version: UCS 5.0
Hardware: Other
OS: Windows NT
Priority: P5
Severity: normal
Assigned To: UCS maintainers
Reported: 2022-10-31 08:52 CET by Thorsten
Modified: 2023-11-14 18:46 CET (History)

What kind of report is it?: Feature Request
Description Thorsten univentionstaff 2022-10-31 08:52:05 CET
A partner reported that it is not straightforward to configure the Keycloak App in a Let's Encrypt-based setup. We should support the ucs-sso-ng subdomain out of the box for these scenarios, or at least add some documentation for the potential users.
Comment 2 Ingo Steuwer univentionstaff 2022-11-02 13:08:01 CET
(In reply to Thorsten from comment #0)
> A partner reported that it is not straightforward to configure the Keycloak
> App in a Let's Encrypt-based setup. We should support the ucs-sso-ng subdomain
> out of the box for these scenarios, or at least add some documentation for
> the potential users.

The Let's Encrypt app supports a list of domains it retrieves the certificates for and includes them in the Apache configuration. This also works for the ucs-sso-ng subdomain.

I don't see an easy way to have a default setup for this, as (as is typical for Let's Encrypt) it depends on the data center infrastructure (public DNS, reverse proxies, etc.). All I see is to have documentation for this.
Comment 3 Thorsten univentionstaff 2022-11-02 16:27:26 CET
(In reply to Ingo Steuwer from comment #2)
> The Let's Encrypt app supports a list of domains it retrieves the
> certificates for and includes them in the Apache configuration. This also
> works for the ucs-sso-ng subdomain.
Yes, this is what the partner also discovered and documented. It would be great if that process were already documented as part of the product.

> I don't see an easy way to have a default setup for this, as (as is typical
> for Let's Encrypt) it depends on the data center infrastructure (public DNS,
> reverse proxies, etc.). All I see is to have documentation for this.
Is there really a significant difference between the support for the main hostname and for ucs-sso-ng, at least for the standard use case where a customer wants to set up UCS and try out the Keycloak app while there is just one UCS instance, which also hosts the Keycloak app? This will probably cover the common scenario, and for "everything" else the customer should find some advice in the documentation.
Comment 4 Ingo Jürgensmann univentionstaff 2023-02-01 11:29:02 CET
Wouldn't it be possible to have a config option in the Let's Encrypt app similar to "use certificate in apache/postfix/dovecot" when the Keycloak app is also installed on that server?

If the user then sets the checkbox and the config is saved, the following would need to happen (amongst other checks):
1) renew the SSL cert
2) if successful, set the UCR variables: "ucr set keycloak/apache2/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt keycloak/apache2/ssl/key=/etc/univention/letsencrypt/domain.key"
3) restart the services to load the new certs

But I agree: this (setting the UCR variables) should also be added to the documentation. I'll create a documentation bug for that...
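A scripted version of the procedure discussed in comment 2 (putting the ucs-sso-ng name into the Let's Encrypt app's domain list) and comment 4 (steps 2 and 3: pointing the Keycloak vhost at the renewed certificate and restarting), added here as an example. It is not code from the bug report, the Let's Encrypt app or the Keycloak app. The UCR variables keycloak/apache2/ssl/certificate and keycloak/apache2/ssl/key and the paths under /etc/univention/letsencrypt/ are the ones quoted in comment 4; the variable name letsencrypt/domains, the ucs-sso-ng.<domainname> naming and "systemctl restart apache2" as the service restart are assumptions. What the example adds beyond the comment is the check a practitioner wants before touching the configuration: the key file must actually belong to the certificate, otherwise a failed or half-finished renewal leaves Apache with a mismatched pair.

```shell
#!/bin/sh
# Added example, not part of the bug report and not code from the Let's Encrypt
# or Keycloak apps.
# Assumptions (labelled): letsencrypt/domains as the UCR variable holding the
# space-separated domain list, ucs-sso-ng.<domainname> as the SSO name, and
# "systemctl restart apache2" as the restart. The keycloak/apache2/ssl/* UCR
# variables and the file paths below are taken from comment 4.
# DRY_RUN=1 prints the privileged commands instead of executing them.

: "${DRY_RUN:=0}"
LE_CERT=/etc/univention/letsencrypt/signed_chain.crt
LE_KEY=/etc/univention/letsencrypt/domain.key

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# domains_with_sso CURRENT_LIST DOMAINNAME
# Prints CURRENT_LIST with ucs-sso-ng.DOMAINNAME appended exactly once, so the
# Let's Encrypt app includes the SSO name in the next certificate it requests.
domains_with_sso() {
    sso="ucs-sso-ng.$2"
    for d in $1; do
        [ "$d" = "$sso" ] && { printf '%s\n' "$1"; return 0; }
    done
    printf '%s\n' "${1:+$1 }$sso"
}

# key_matches_cert CERT KEY
# Compares the public key embedded in CERT with the one derived from KEY.
# Exit 0 on match, 1 on mismatch or unreadable PEM, 2 when openssl is missing.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    return 1
}

# keycloak_use_letsencrypt [CERT] [KEY]
# Steps 2 and 3 from comment 4, guarded: refuse to reconfigure unless both
# files are readable and (when checkable) form a matching pair.
keycloak_use_letsencrypt() {
    cert=${1:-$LE_CERT}
    key=${2:-$LE_KEY}
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    key_matches_cert "$cert" "$key" && rc=0 || rc=$?
    case $rc in
        1) echo "key does not match certificate, not touching UCR" >&2; return 1 ;;
        2) echo "warning: openssl not found, skipping key/cert match check" >&2 ;;
    esac
    run ucr set "keycloak/apache2/ssl/certificate=$cert" "keycloak/apache2/ssl/key=$key"
    run systemctl restart apache2   # assumed restart target
}

# Typical use on the UCS host (step 1, the renewal itself, is left to the
# Let's Encrypt app after the domain list has been extended):
#   ucr set "letsencrypt/domains=$(domains_with_sso "$(ucr get letsencrypt/domains)" "$(ucr get domainname)")"
#   keycloak_use_letsencrypt
```

Run it with DRY_RUN=1 first to see the exact ucr and restart commands it would execute; the match check is deliberately done before any UCR write so that a mismatch leaves the existing, working configuration untouched.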