  1. #1
    Untanglit
    Join Date
    Sep 2009
    Posts
    15

    Let's Encrypt with Untangle!

    Hi guys!

    I've written a how-to for getting Untangle to use a valid SSL certificate with Let's Encrypt... especially since it seemed like there wasn't anyone who knew how to make this work. So I went through the process and made it work!

    See here: https://heimkoma.com/install-lets-encrypt-on-untangle/ and enjoy Let's Encrypt support!

    If you have issues, naturally, feel free to ask and I'll help you out here.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,725

    It's installed... until it isn't...

    I've learned the hard way that you cannot simply replace apache.pem and have it stick. Though, if the agent is updating the certificate regularly enough, it won't be down long.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untanglit
    Join Date
    Sep 2009
    Posts
    15

    Quote: Originally posted by sky-knight
    It's installed... until it isn't...

    I've learned the hard way that you cannot simply replace apache.pem and have it stick. Though, if the agent is updating the certificate regularly enough, it won't be down long.
    Damn, I forgot about that step. I'll update my post to reflect that.

    Edit: Actually, it looks like acme.sh updates apache.pem rather than installing a completely different .pem file...
    Last edited by Keiro; 09-28-2016 at 03:41 PM.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,725

    If you want it to work with Untangle it must replace that file. The problem is there are certain conditions during upgrades wherein Untangle will replace that file.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untanglit
    Join Date
    Sep 2009
    Posts
    15

    Quote: Originally posted by sky-knight
    If you want it to work with Untangle it must replace that file. The problem is there are certain conditions during upgrades wherein Untangle will replace that file.
    Ah. Actually, I recently went through an upgrade and it didn't do that for me. I even double and triple-checked by hard-refreshing and bouncing the apache2 server. Still the same cert from LE. It also installs a cron-job that checks for the expiry time of the certs and renews them for you.

    Mine's due to be renewed next month on the 30th, so I'll post back the results of the automated renewal and whether or not I'd have to renew the SSL cert manually.

    But I'll add that as a note, just in case to my post.

    Edit: Post has been updated to reflect the notes. Thank you for your feedback!
    Last edited by Keiro; 09-28-2016 at 03:58 PM.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,725

    Like I said, if the agent is working properly the worst case would be a broken .pem for a short time before the agent replaces it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untanglit
    Join Date
    Sep 2009
    Posts
    15

    Quote: Originally posted by sky-knight
    Like I said, if the agent is working properly the worst case would be a broken .pem for a short time before the agent replaces it.
    I hear ya. Still, better to ensure that people know about it if one wishes to use this method of getting LE certs installed... I most certainly was unaware of the possible risks of apache.pem breaking during Untangle upgrades.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,725

    I'm hoping that we get official support soonish. In the meantime I have a box that's doing something similar, except I didn't install the agent on Untangle. I use scp to deliver the file via script from another system and tell apache to restart.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Untangler
    Join Date
    Aug 2016
    Posts
    70

    Well, crap... I missed this when I posted last night :facepalm:
    That said, my set up is slightly different in that I have a dedicated host renewing my certificates in an attempt to reduce overall attack vector, and then I scp the cert from said host to Untangle.

    @sky-knight
    Given the chance of an update overwriting apache.pem, should renewal cron jobs be changed to check for an updated cert hourly?

  10. #10
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,725

    I don't think it needs to be that crazy, the only time I've seen the .pem file get replaced is during an upgrade.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
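
The setup discussed in posts #8 to #10 (a separate host renews the certificate, copies it over with scp and restarts Apache) can detect an upgrade that replaced apache.pem by comparing digests before pushing. This is an added example, not code from the thread or the linked how-to; the host name, both file paths and the restart command are assumptions to set for your own system.

```shell
#!/bin/sh
# Added example (not from the thread). Every path, the host name and the
# restart command below are placeholders/assumptions.
RENEWED_PEM="${RENEWED_PEM:-/path/to/renewed/apache.pem}"    # on the renewal host
UNTANGLE_HOST="${UNTANGLE_HOST:-untangle.example.internal}"  # hypothetical name
REMOTE_PEM="${REMOTE_PEM:-/path/to/apache.pem}"              # path not given in thread
RESTART_CMD="${RESTART_CMD:-service apache2 restart}"        # assumed restart command

# Print the SHA-256 of a file, or "missing" if it is absent, unreadable or empty.
pem_digest() {
    if [ -s "$1" ] && [ -r "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# Compare the renewed file with the digest of what is deployed.
# Prints: in-sync | drift | no-source
# "no-source" means the renewed file is unusable, so a failed renewal is
# never pushed over a working certificate.
drift_status() {  # $1 = renewed file, $2 = digest of deployed file
    want=$(pem_digest "$1")
    if [ "$want" = missing ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo no-source
    elif [ "$want" = "$2" ]; then
        echo in-sync
    else
        echo drift
    fi
}

# Redeploy only on drift: copy beside the target, then rename, so Apache
# never reads a half-written file.
sync_cert() {
    deployed=$(ssh "$UNTANGLE_HOST" "sha256sum '$REMOTE_PEM' 2>/dev/null" | cut -d' ' -f1)
    status=$(drift_status "$RENEWED_PEM" "${deployed:-missing}")
    echo "apache.pem status: $status"
    [ "$status" = drift ] || return 0
    scp -p "$RENEWED_PEM" "$UNTANGLE_HOST:$REMOTE_PEM.new" &&
        ssh "$UNTANGLE_HOST" "mv '$REMOTE_PEM.new' '$REMOTE_PEM' && $RESTART_CMD"
}

if [ "${1:-}" = "--run" ]; then sync_cert; fi
```

Scheduled from cron on the renewal host with `--run`, each pass does nothing unless the deployed file differs, so the interval only bounds how long a replaced file stays in place.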
