Many sites use the letsencrypt certificate authority. Adding automatic renewal of certificates would make management of the filr server much easier.
The acme.sh letsencrypt shell client could be the way, as it has no additional package dependencies.
Crontab runs an update script that has multiple hooks for what to do before and after an update.
A custom script converts the certificate and updates the vaserver.* files in the /vastorage/conf/certs directory.
Making the certificate active in the admin interface is the only thing I need to do, as there is no info about what it actually does.
by: Tomáš T. | over a year ago | Administration
Comments
Simply overwrite the 3 certificate files and reload/reboot filr.
I use scp with public/private-key auth, copy these 3 files and reboot filr. No interaction is required.
/bin/cp -f /root/.acme.sh/www.domain.com/fullchain.cer /vastorage/conf/certs/vachain.crt
/bin/cp -f /root/.acme.sh/www.domain.com/www.domain.com.key /vastorage/conf/certs/vaserver.key
/bin/cp -f /root/.acme.sh/www.domain.com/www.domain.com.cer /vastorage/conf/certs/vaserver.crt
Heiko
May work, but I prefer an officially supported solution for my customers.
Same here! We need an official and automated solution!
same for Content Editor.
@Heiko: does this work for Content Manager?
If this idea gets migrated to the new community and this site doesn't automatically redirect to the migrated idea, could someone post a link to the community site where this idea gets moved to?
@edwin r.
Which product do you mean? I don't know "Content Manager".
You can use these certificates for every http service on Microfocus or other products. These certificates are not product specific. I use this with a small script for Filr, Vibe, Groupwise Mobile Server and Groupwise Webmail.
Maybe Microfocus will include this in its own products in some years, if it is stable. I think so. Currently there is no stable mechanism/script for renewing certificates. I think a company like Microfocus cannot maintain a foreign script.
Simply build your own certificate-update "appliance" and deploy all certificates in your company: Microfocus, Microsoft and Linux products.
@Heiko Agree on the need for workarounds while waiting for MF to finish official solutions. Have used something like this on other MF products, but am puzzled on how to apply to Vibe. Any hints on what you did?
You need 2 steps to create a new keystore file for tomcat.
# copy the new certs from LE to /home/certs/* on the VIBE-box
#---------------------------------------------------
# then do this on the VIBE-box
## ! make a valid Backup of the keystore-file before: /opt/novell/teaming/apache-tomcat/conf/.keystore !
cd /home/certs
openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name tomcat -CAfile ca.cer -caname root -passout pass:myPassword
[ -e server.keystore ] && rm server.keystore
/opt/novell/teaming/jre/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass myPassword -alias tomcat
cp server.keystore /opt/novell/teaming/apache-tomcat/conf/.keystore
/etc/init.d/teaming restart
# End ---------------------------------------------------
That's it.
Heiko
Heiko, this is genius. We're still using a cert per host instead of a wildcard, so in order to get acme.sh to work on the vibe server, I had to dismantle the iptables port redirection described in Ch 11 of the install manual, but with that your solution worked beautifully. I think that if we use the SUSEfirewall2 port redirection described in that same chapter, it can be scripted to autorenew. Thank you again! And may MF build this into the products.
Peter, you can use multiple domains in one request from only one server and copy the same certificate to more than one box. It's easier to NAT only one box for port 80. Letsencrypt and the acme.sh script support Subject Alternative Name (SAN) in certificates.
NOW=$(date)
dom1="filr.domain.com"
dom2="smtp.domain.com"
dom3="imap.domain.com"
log=/var/log/letsencrypt.log
cmd=/tmp/cmd
## script runs every day and checks the expiration
if openssl x509 -checkend 259200 -noout -in /root/.acme.sh/$dom1/$dom1.cer
then
echo "$NOW Certificate is good for longer than 3 days, exit script." >>$log
exit 0
fi
# one request with all three names as SANs; the first name is the directory acme.sh stores the files in
/root/.acme.sh/acme.sh --issue --force -d $dom1 -d $dom2 -d $dom3 --standalone
# use scp to copy certificates to all boxes
# .........
# restart FILR (and other boxes) remotely
IP=1.2.3.4
echo "/etc/init.d/filr restart" > $cmd
ssh $IP 'bash -s' < $cmd
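The daily check and the copy into /vastorage/conf/certs from the posts above, as an added example that is not code from the thread or from the Filr project: the expiry test and the deployment are functions, and the deployment refuses to overwrite Filr's files when the key and certificate do not belong together. It assumes the acme.sh default layout ($ACME_HOME/<domain>/<domain>.key, <domain>.cer, fullchain.cer), the Filr file names from the thread, and a constructed placeholder domain filr.example.com.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes acme.sh's default per-domain layout
# and Filr reading vaserver.key / vaserver.crt / vachain.crt from CERT_DIR.
set -eu
ACME_HOME=${ACME_HOME:-/root/.acme.sh}
CERT_DIR=${CERT_DIR:-/vastorage/conf/certs}
DOMAIN=${DOMAIN:-filr.example.com}   # constructed placeholder, not a real host

# 0 if the certificate in $1 stays valid for more than $2 seconds, 1 if it expires sooner
# (the same openssl -checkend test as Heiko's script; 259200 s = 3 days).
cert_valid_for() {
    openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# Copy acme.sh output for domain $1 (acme home $2) into Filr's cert directory $3.
# Refuses if a file is missing/empty or the key's public key differs from the
# certificate's, which would leave Filr with a dead TLS listener after restart.
deploy_filr_cert() {
    dom=$1; src=$2/$1; dst=$3
    for f in "$src/$dom.key" "$src/$dom.cer" "$src/fullchain.cer"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    key_pub=$(openssl pkey -in "$src/$dom.key" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$src/$dom.cer" -pubkey -noout)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "key/cert mismatch for $dom, not deploying" >&2; return 1; }
    cp "$src/$dom.key" "$dst/vaserver.key" && chmod 600 "$dst/vaserver.key"
    cp "$src/$dom.cer" "$dst/vaserver.crt" && chmod 644 "$dst/vaserver.crt"
    cp "$src/fullchain.cer" "$dst/vachain.crt" && chmod 644 "$dst/vachain.crt"
}

# Daily cron entry point: renew only inside the 3-day window, then deploy and restart.
renew_and_deploy() {
    if cert_valid_for "$ACME_HOME/$DOMAIN/$DOMAIN.cer" 259200; then
        echo "$(date) certificate good for more than 3 days, nothing to do"
        return 0
    fi
    "$ACME_HOME/acme.sh" --issue --force -d "$DOMAIN" --standalone
    deploy_filr_cert "$DOMAIN" "$ACME_HOME" "$CERT_DIR"
    /etc/init.d/filr restart
}

# Act only when invoked as `sh renew-filr.sh --run`; otherwise just define the functions.
if [ "${1:-}" = "--run" ]; then
    renew_and_deploy
fi
```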