LetsEncrypt setup

I had some free time, and an upcoming expiring cert on my GMS server so I decided to give LE a shot on GMS.
I thought I would share how I set it up, in case anyone was curious. Seems to be working OK with Android and iOS. I have no Windows phone to test it on, but I wouldn't expect any issues.

I am running on SLES11 SP4, and using acme.sh for my LE client.

here is the basic setup:

install acme.sh using wget
'acme.sh github' (https://github.com/Neilpang/acme.sh)


#wget -O - https://get.acme.sh|sh


issue certs using acme.sh, adding autodiscover as a SAN
with mobile.domain.com being your GMS server fqdn


#acme.sh --issue -d mobile.domain.com --standalone -d autodiscover.domain.com


If you receive an error (I did) about missing netcat (nc), even though netcat is installed, install netcat-openbsd through YAST and try again.

This will create a cron entry that will run every night, but only generate new certs every 60 days.
Certs will be downloaded to ~/.acme.sh/mobile.domain.com/

to create the cert that GMS can use:

#cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem;


I added this bit to see if the file has changed from last time, and if it has, copy to where GMS can see it and restart GMS.

ck1=`md5sum ~/.acme.sh/mobile.domain.com/server.pem|awk -F" " '{print $1}'`;
ck2=`md5sum /var/lib/datasync/device/mobility.pem|awk -F" " '{print $1}'`;

# both sides quoted so the test still parses if either md5sum produced no output
if [ "$ck1" != "$ck2" ]
then
/bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem;
/bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem;
/usr/sbin/rcgms restart;
fi;
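A hardened version of the change-check-and-restart step above, added here as an example and not part of the original post: it writes the combined PEM with mode 0600 (the file holds the private key), quotes every path, compares file contents with cmp instead of md5sum, installs atomically, and only restarts when something actually changed. The function names, the --deploy flag and the argument layout are my own; the paths and the rcgms restart command come from the post.

```shell
#!/bin/sh
# build_pem KEY FULLCHAIN OUT
# Concatenate private key + full chain into the single PEM that GMS expects.
# Written under umask 077 so the key is never world-readable, then moved into
# place so a half-written file is never picked up. Returns 2 on any error.
build_pem() {
    key=$1; chain=$2; out=$3
    [ -s "$key" ] && [ -s "$chain" ] || return 2
    ( umask 077; cat "$key" "$chain" > "$out.tmp" ) || return 2
    mv -f "$out.tmp" "$out"
}

# deploy_if_changed SRC RESTART_CMD DEST...
# Copy SRC to every DEST whose content differs, then run RESTART_CMD once.
# Returns 0 if something was installed, 1 if all DESTs were already current
# (nothing done, no restart), 2 on error (e.g. SRC missing or empty, which
# the original md5sum comparison would have turned into a shell error).
deploy_if_changed() {
    src=$1; restart=$2; shift 2
    [ -s "$src" ] || return 2
    changed=0
    for dest in "$@"; do
        if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
            continue
        fi
        ( umask 077; cp -f "$src" "$dest.tmp" ) && mv -f "$dest.tmp" "$dest" || return 2
        changed=1
    done
    [ "$changed" -eq 1 ] || return 1
    sh -c "$restart"
}

# Usage from the nightly cron job, with the post's paths (my --deploy flag):
#   sh deploy-gms-cert.sh --deploy
if [ "${1:-}" = "--deploy" ]; then
    A=$HOME/.acme.sh/mobile.domain.com
    build_pem "$A/mobile.domain.com.key" "$A/fullchain.cer" "$A/server.pem" \
      && deploy_if_changed "$A/server.pem" "/usr/sbin/rcgms restart" \
           /var/lib/datasync/webadmin/server.pem \
           /var/lib/datasync/device/mobility.pem
fi
```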

  • Cool, just tried this on one of my test servers here and it worked like champ.. I had never heard of LE before.



    Thanks,



    Morris




    >>> reverendjb<reverendjb@no-mx.forums.microfocus.com> 2/7/2017 3:06 PM >>>
    --

    reverendjb

    ------------------------------------------------------------------------
    reverendjb's Profile: https://forums.novell.com/member.php?userid=7391


    View this thread: https://forums.novell.com/showthread.php?t=502375

  • After a little research, I've found that the certs are only valid for a 3 month time span, so you would have to renew a lot more often than with most public CAs. Also found this, so use at your own risk:



    http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html




    --Morris



    >>> Morris Blackham<MBlackham@no-mx.forums.microfocus.com> 2/8/2017 12:05 PM >>>
  • I will think about a coolsolutions article, but maybe wait for a little feedback first.

    @mblackham -
    yes LE certs are only valid for 90 days, which is why the cron job created will replace the cert every 60 days.

    Without going in to how much I disagree with that article, none of the 'bad' applies to a GMS implementation.
  • In article <reverendjb.7tm5ao@no-mx.forums.microfocus.com>, Reverendjb
    wrote:
    > Without going in to how much I disagree with that article, none of the
    > 'bad' applies to a GMS implementation.


    I think much of the initial shock we are seeing is that TLS protected
    sites used to be for 'special folks/sites', a certain sense of class
    elitism. Let's Encrypt just finished the job of bringing cert cost down
    to no currency needed that was already going on. Let's Encrypt appears
    to be doing more validation than some of the Certificate Authorities out
    there, so it really hasn't made it that much of a difference for the
    scammers out there. What it really highlights to me is that anti-
    phishing training just needs to step up some to include "don't blindly
    trust that lock on the browser, check a few other things" if they don't
    already have it. There are anti-phishing training options out there,
    with Phishme. A nice write-up on the topic at
    https://textslashplain.com/2017/01/16/certified-malice/
    The Cat is out of the bag, no getting it back in.

    I would at least flesh out your Cool Solutions profile
    https://www.novell.com/communities/coolsolutions/author/reverendjb/ (and
    perhaps your Forum one as well while you are at it) while fleshing out
    some more introductory wording at the beginning of your article.

    I think this would be a great article and am looking forward to it. You
    have a group here that'll help you with it if you want.


    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!
    GMS troubleshooting tips at http://www.konecnyad.ca/andyk/gwmobility.htm

