Page 1 of 2
Results 1 to 10 of 17
  1. #1
    Untangler
    Join Date
    Aug 2019
    Posts
    35

    Let's Encrypt Server Certificate

    This may be of use to people. I created this script and have been running it without any issues, and have updated Untangle as well with no ill effects.

    This uses acme.sh to generate a certificate which replaces the one shown in the certificate section of the UI. It updates on each run: if the certificate is renewed, it replaces the one used by Untangle and restarts Apache; if the certificate isn't renewed, it still checks whether the certificate Untangle is using is the one cached by acme.sh, and replaces it and restarts Apache if necessary.

    The crontab entries allow it to do a certificate check at reboot and also at 4am every morning.

    You'll need to download acme.sh; it requires no extra dependencies over what is supplied in Untangle. You will need to edit the acme.sh configuration file to match how you update the cert.

    https://github.com/Neilpang/acme.sh

    Here are my crontab entries:

    Code:
    @reboot root /root/updatecert >/dev/null
    
    0 4     * * *   root    /root/updatecert >/dev/null
    This is the updatecert script, which needs to be placed in /root with executable permissions.

    Code:
    #!/bin/bash
    
    # DNS name of the Untangle server; the certificate is issued for this name
    domainname="gateway.mydomain.com"
    
    # the bundle written below contains the private key, so create it owner-only
    umask 077
    
    # issue or renew through the Cloudflare DNS-01 plugin; acme.sh exits 0 when a new
    # certificate was written and 2 when the current one is not yet due for renewal
    /root/.acme.sh/acme.sh --issue --dns dns_cf -d "$domainname" > /dev/null
    
    updatestatus=$?
    
    if [ "$updatestatus" -eq 0 ]; then
            # new certificate: bundle certificate then key and install it in both places
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
    
            cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
            cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
            service apache2 restart
    
    elif [ "$updatestatus" -eq 2 ]; then
            # not renewed: rebuild the bundle in the same order as above so that diff only
            # reports a real change, then reinstall and restart if the running copy differs
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
    
            diff /etc/apache2/ssl/apache.pem /tmp/apache.pem > /dev/null
    
            if [ $? -ne 0 ]; then
                    cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
                    cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
                    service apache2 restart
            fi
    fi
    
    # do not leave a copy of the private key behind in /tmp
    rm -f /tmp/apache.pem
    Change the value of domainname to match that of the dns name for your untangle server.
    Last edited by jcoffin; 08-28-2019 at 05:58 AM. Reason: Updated code with latest post
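
    A hardened variant of the install step, added here as an example and not the poster's script: it bundles certificate then key in a fixed order, never creates the bundle world-readable, refuses a bundle whose key does not belong to the certificate, and restarts Apache only when an installed copy actually changed. It assumes the thread's acme.sh layout and the two Untangle apache.pem paths; ACME_HOME, TARGETS and the --apply flag are conventions of this example.

```shell
#!/bin/bash
# Hardened variant of the updatecert flow (added example, not the poster's script).
# Assumes the thread's acme.sh layout ($ACME_HOME/<domain>/<domain>.cer and .key)
# and the two Untangle apache.pem paths it installs to; both are overridable.
umask 077   # the bundle holds the private key: never create it world-readable, even in /tmp

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
TARGETS="${TARGETS:-/etc/apache2/ssl/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem}"

# build_pem DOMAIN OUT: write certificate then key into OUT, always in that order, so a
# later comparison against the installed copy only reports a real change.
build_pem() {
    local dir="$ACME_HOME/$1"
    [ -s "$dir/$1.cer" ] && [ -s "$dir/$1.key" ] || { echo "missing cert or key for $1" >&2; return 1; }
    cat "$dir/$1.cer" "$dir/$1.key" > "$2"
}

# key_matches_cert CER KEY: the public key inside the certificate must equal the one derived
# from the private key; installing a mismatched pair would stop Apache from starting. Needs openssl.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# install_if_changed NEW TARGET...: copy NEW (mode 0600) over each TARGET whose content differs.
# Returns 0 if at least one target was replaced (Apache needs a restart), 1 if nothing changed.
install_if_changed() {
    local new="$1" changed=1 t
    shift
    for t in "$@"; do
        cmp -s "$new" "$t" && continue
        install -m 600 "$new" "$t" || return 2
        changed=0
    done
    return "$changed"
}
main() {
    local domain="gateway.mydomain.com" rc=0 new   # set to your Untangle server's DNS name
    "$ACME_HOME/acme.sh" --issue --dns dns_cf -d "$domain" > /dev/null || rc=$?
    # acme.sh exits 0 when it issued/renewed and 2 when renewal is not due yet; both continue
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || { echo "acme.sh failed ($rc) for $domain" >&2; return 1; }
    new=$(mktemp) || return 1
    if build_pem "$domain" "$new" \
        && key_matches_cert "$ACME_HOME/$domain/$domain.cer" "$ACME_HOME/$domain/$domain.key" \
        && install_if_changed "$new" $TARGETS; then
        service apache2 restart
    fi
    rm -f "$new"
}
if [ "${1:-}" = "--apply" ]; then main; fi   # crontab: /root/updatecert --apply
```

    acme.sh also writes fullchain.cer next to the leaf certificate; if clients complain about an incomplete chain, bundle that file instead of $domain.cer.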

  2. #2
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,186


    Nice, I was just messing with this a couple of weeks ago. I got as far as getting acme.sh downloaded and installed, but I hadn't sorted out the validation method. I tried -apache mode, which is what I use on my email server, but it didn't work on Untangle. Then I installed socat-tools and tried -direct mode (which I use on another server), which also didn't work here, but I think I didn't get the right access rule. Not much fiddling later I got busy with other things and hadn't gotten back to it.

    Thanks for sorting out the rest of it. I'm not sure if I can use -dns mode with network solutions DNS though, I haven't tried it but didn't see it listed in the instructions for -dns mode.

    Even though this is clearly in the Hacks forum it's worth a reminder that doing this is certainly not supported, and may cause your entire install to become unsupported. It may also disappear during upgrades, but obviously it's easy enough to put it back.

  3. #3
    Untangler
    Join Date
    Aug 2019
    Posts
    35


    Quote Originally Posted by johnsonx42:
    Nice, I was just messing with this a couple of weeks ago. I got as far as getting acme.sh downloaded and installed, but I hadn't sorted out the validation method. I tried -apache mode, which is what I use on my email server, but it didn't work on Untangle. Then I installed socat-tools and tried -direct mode (which I use on another server), which also didn't work here, but I think I didn't get the right access rule. Not much fiddling later I got busy with other things and hadn't gotten back to it.

    Thanks for sorting out the rest of it. I'm not sure if I can use -dns mode with network solutions DNS though, I haven't tried it but didn't see it listed in the instructions for -dns mode.

    Even though this is clearly in the Hacks forum it's worth a reminder that doing this is certainly not supported, and may cause your entire install to become unsupported. It may also disappear during upgrades, but obviously it's easy enough to put it back.
    Absolutely! No warranty...blah...blah...at your own risk!

    I'd highly recommend switching DNS providers to Cloudflare if that's an option; it works perfectly with acme.sh.

    I have another script which I run that backs up all my modifications every day, so it's easy to recover should they disappear!

  4. #4
    Untangler
    Join Date
    Aug 2019
    Posts
    35


    Oops, just spotted a typo. I was testing something and left it in; the actual script should be:

    Code:
    #!/bin/bash
    
    domainname="gateway.mydomain.com"
    
    /root/.acme.sh/acme.sh --issue --dns dns_cf -d "$domainname" > /dev/null
    
    updatestatus=$?
    
    if [ $updatestatus -eq 0 ]; then
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
    
            cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
            cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
            service apache2 restart
    
    elif [ $updatestatus -eq 2 ]; then
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
    
            diff /etc/apache2/ssl/apache.pem /tmp/apache.pem > /dev/null
    
            if [ $? -ne 0 ]; then
                    cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
                    cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
                    service apache2 restart
            fi
    fi

  5. #5
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,186


    You should edit your original post and put the corrected script there. Otherwise someone will use the original script and miss the correction.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,755


    This would be far safer if you ran your scripts on another platform. Because honestly, with the way Let's Encrypt works, you need a dedicated platform for managing all of your certificates and deploy from there. Untangle could then be remotely modified via SSH without any customization to the local platform.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangler
    Join Date
    Aug 2019
    Posts
    35


    I can't edit my original post; I did try.

  8. #8
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,186


    Quote Originally Posted by fizzyade:
    I can't edit my original post; I did try.
    Oh, right, I forgot there's a time limit.

  9. #9
    Untangler
    Join Date
    Aug 2019
    Posts
    35


    Spotted another typo when I was messing with formatting.

    Code:
    #!/bin/bash
    
    # DNS name of the Untangle server; the certificate is issued for this name
    domainname="gateway.mydomain.com"
    
    # the bundle written below contains the private key, so create it owner-only
    umask 077
    
    # issue or renew through the Cloudflare DNS-01 plugin; acme.sh exits 0 when a new
    # certificate was written and 2 when the current one is not yet due for renewal
    /root/.acme.sh/acme.sh --issue --dns dns_cf -d "$domainname" > /dev/null
    
    updatestatus=$?
    
    if [ "$updatestatus" -eq 0 ]; then
            # new certificate: bundle certificate then key and install it in both places
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
    
            cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
            cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
            service apache2 restart
    
    elif [ "$updatestatus" -eq 2 ]; then
            # not renewed: rebuild the bundle in the same order as above so that diff only
            # reports a real change, then reinstall and restart if the running copy differs
            cat "/root/.acme.sh/$domainname/$domainname.cer" > /tmp/apache.pem
            cat "/root/.acme.sh/$domainname/$domainname.key" >> /tmp/apache.pem
    
            diff /etc/apache2/ssl/apache.pem /tmp/apache.pem > /dev/null
    
            if [ $? -ne 0 ]; then
                    cp /tmp/apache.pem /etc/apache2/ssl/apache.pem
                    cp /tmp/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem
    
                    service apache2 restart
            fi
    fi
    
    # do not leave a copy of the private key behind in /tmp
    rm -f /tmp/apache.pem
    Wish I'd linked this to a gist instead so that I could update and remove old versions.

  10. #10
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,175


    I'll update the original post with the code above.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

