I'm currently using LE for WebAdmin and UserPortal. Just curious if anyone else is using LE for anything else besides WebAdmin and User Portal? What other configurations can we use Let's Encrypt?
Thanks
I'm using it for
----------
Sophos user, admin and reseller.
Private Setup:
scorpionking said:
- internal webservers (bash script that fetches the LE certificate from UTM via the built-in API)
Hey Scorpionking,
would you share your bash script? This would solve the problem I'm having.
Yeah, but that's a quick and dirty one suitable for my home lab. Use at your own risk!
Source (German): www.matthiaskind.de/.../41-let-s-encrypt-zertifkat-einer-sophos-utm-automatisiert-weiterverarbeiten-bash-script.html
#!/bin/bash
# Fetch Let's Encrypt cert from UTM and check if different to local.
# If yes, overwrite and reload affected services.
# Needs curl, jq and mailutils installed.
log="/usr/bin/logger -i -p local0.info -t getcert_utm.sh"
log_dbg="/usr/bin/logger -i -p local0.debug -t getcert_utm.sh"
log_err="/usr/bin/logger -i -p local0.warning -t getcert_utm.sh"
#debug=true
$log "Starting getcert_utm.sh"

utmapiurl="https://<myutm.mydomain.de>:4444/api/objects/ca/host_key_cert/<REF-ID of LE-cert>"
utmapikey="<your API key here>"

# The API response contains the private key, so the temporary files must not be
# world-readable or predictable: create them in a fresh directory with a restrictive
# umask and remove the directory when the script exits.
umask 077
tmpdir=$(mktemp -d) || { $log_err "Could not create temporary directory."; exit 1; }
trap 'rm -rf "$tmpdir"' EXIT
curloutfile="$tmpdir/utm-le-cert_all"
tmpkeyfile="$tmpdir/utm-le-cert.key"
tmpcertfile="$tmpdir/utm-le-cert.pem"
tmpmailtext="$tmpdir/mailtext.txt"
curllog="$tmpdir/getcert_utm_curl"

# must match the path and certificate name in your apache, dovecot, etc. config
dstkeyfile="/etc/ssl/private/mydomain.de_SAN_LE.key"
dstcertfile="/etc/ssl/mydomain.de_SAN_LE.pem"
# false (if the certificate can be used separately) or path to the intermediate.
# Let's Encrypt rotates its intermediates; a stale file here produces an incomplete chain.
intermediateca="/etc/ssl/lets-encrypt-x3-cross-signed.pem"
mailsubject="LE-Cert-Fetcher on $(hostname): "
mailto="<your email address>"
mailresult="Nothing changed"
restartservices=false
# services to reload after a certificate change
services="dovecot.service postfix.service nginx.service"
errtext=""
errdetected=false

# The mail body is collected here; header and footer are added when sending,
# so that they describe the certificate that is installed after this run.
: > "$tmpmailtext"

$log "Downloading cert from UTM API."
# -f makes curl exit non-zero on HTTP errors (401, 404, ...), otherwise a wrong
# API key or REF-ID would be treated as success. -k skips verification of the
# UTM's WebAdmin certificate; drop it once WebAdmin presents a trusted (e.g. LE) cert.
if curl -sS -f -k -X GET --header "Accept: application/json" \
        --header "Authorization: Basic ${utmapikey}" "${utmapiurl}" \
        -o "$curloutfile" > "$curllog" 2>&1; then
    $log "Extracting key and certificate from output."
    # -e makes jq fail when the field is missing (null) instead of writing "null" to the file
    jq -er '.key' "$curloutfile" > "$tmpkeyfile"
    res1=$?
    jq -er '.certificate' "$curloutfile" > "$tmpcertfile"
    res2=$?
    if [ $res1 -eq 0 ] && [ $res2 -eq 0 ]; then
        $log "Comparing new and old files."
        if cmp -s "$tmpkeyfile" "$dstkeyfile"; then
            $log "Key has not changed."
            echo "Key has not changed." >> "$tmpmailtext"
        else
            $log "Key has changed. Copying new key."
            # install the private key readable by root only
            if install -m 600 "$tmpkeyfile" "$dstkeyfile"; then
                restartservices=true
                mailresult="Key changed"
                echo "Key has been exchanged by a newer version." >> "$tmpmailtext"
            else
                errdetected=true
                errtext="${errtext}Error copying key to destination. "
                mailresult="Error"
                echo "ERROR copying key to destination" >> "$tmpmailtext"
            fi
        fi
        if [ "$intermediateca" != false ]; then
            $log "Appending intermediate ca to certificate."
            cat "$intermediateca" >> "$tmpcertfile"
        fi
        if cmp -s "$tmpcertfile" "$dstcertfile"; then
            $log "Certificate has not changed."
            echo "Certificate has not changed." >> "$tmpmailtext"
        else
            $log "Certificate has changed. Copying new certificate."
            if install -m 644 "$tmpcertfile" "$dstcertfile"; then
                restartservices=true
                mailresult="Certificate changed"
                echo "Certificate has been exchanged by a newer version." >> "$tmpmailtext"
            else
                errdetected=true
                errtext="${errtext}Error copying certificate to destination. "
                mailresult="Error"
                echo "ERROR copying certificate to destination" >> "$tmpmailtext"
            fi
        fi
        if [ "$errdetected" = true ]; then
            mailresult="Error"
            $log_err "Failure in setting certs: $errtext"
        fi
    else
        mailresult="Error extracting cert"
        msg="Could not extract cert or key from output. Check format of output, should be JSON containing .key and .certificate section."
        echo "$msg" >> "$tmpmailtext"
        $log_err "$msg"
    fi
else
    mailresult="Error getting cert"
    msg="Could not connect to $utmapiurl or error in authentication. Check connection and URL settings."
    echo "$msg" >> "$tmpmailtext"
    $log_err "$msg"
fi

# Describe the certificate that is installed now (after a possible update)
if [ -r "$dstcertfile" ]; then
    certsubject=$(/usr/bin/openssl x509 -text -noout -in "$dstcertfile" | grep -oP '(?<=Subject: )[^,]+')
    certvalidity=$(/usr/bin/openssl x509 -text -noout -in "$dstcertfile" | grep -oP '(?<=Not After : )[^,]+')
    certdetails=$(/usr/bin/openssl x509 -text -noout -in "$dstcertfile")
else
    certsubject="(no certificate installed)"
    certvalidity="unknown"
    certdetails="(no certificate installed)"
fi
{
    echo -e "Hello!\n"
    echo -e "This is to inform you about recent changes in our Let's Encrypt certificate with $certsubject:\nValid until: $certvalidity\n"
    cat "$tmpmailtext"
    echo -e "\nBest regards,\nroot\n\n----------\n\nCertificate details:\n\n$certdetails"
} | mail -s "${mailsubject}${mailresult}" "$mailto"

if [ "$restartservices" = true ]; then
    $log "Reloading \"$services\" as some data has changed"
    systemctl reload $services || $log_err "Reloading \"$services\" failed"
fi
$log "Finished."
#Finished
Well, thank you so much!
I will give it a try also in my home lab. If you call this a quick and dirty one, then I wouldn't know what to say when you would be doing it "right"!?
Looks amazing at a first glance! Keep it rolling, thanks again!