LetsEncrypt setup

I had some free time, and an upcoming expiring cert on my GMS server so I decided to give LE a shot on GMS.
I thought I would share how I set it up, in case anyone was curious. Seems to be working OK with Android and iOS. I have no Windows phone to test it on, but I wouldn't expect any issues.

I am running on SLES11 SP4, and using acme.sh for my LE client.

Here is the basic setup.

Install acme.sh using wget (acme.sh on GitHub):

#wget -O - https://get.acme.sh|sh

Issue certs using acme.sh, adding autodiscover as a SAN, with mobile.domain.com being your GMS server FQDN:

#acme.sh --issue -d mobile.domain.com --standalone -d autodiscover.domain.com


If you receive an error (I did) about missing netcat (nc), even though netcat is installed, install netcat-openbsd through YaST and try again.

This will create a cron entry that will run every night, but only generate new certs every 60 days.
Certs will be downloaded to ~/.acme.sh/mobile.domain.com/

To create the cert that GMS can use:

#cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem;


I added this bit to see if the file has changed from last time, and if it has, copy to where GMS can see it and restart GMS.

ck1=`md5sum ~/.acme.sh/mobile.domain.com/server.pem | awk -F" " '{print $1}'`
ck2=`md5sum /var/lib/datasync/device/mobility.pem 2>/dev/null | awk -F" " '{print $1}'`

# Variables are quoted so the test still works when mobility.pem does not exist yet (first run)
if [ "$ck1" != "$ck2" ]
then
    /bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem
    /bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem
    /usr/sbin/rcgms restart
fi
  • wow, that was EASY!  Thanks!

    I've been renewing and installing my GMS cert by hand every 90 days for years, thinking "one of these days I'll figure out how to automate it", but I kept thinking it was going to be a major ordeal that I just didn't have time for.

    Notes for anyone doing it now:

    1) you need socat tools:

    #zypper in socat

    2) you do need port 80 access from the internet to the GMS server.  I didn't have it, since nothing used port 80 before.  Don't worry about exposing anything though, nothing is listening on port 80 - it's only live for a second or two every 60 days when the domain is validated.

    3) create a script to do the additional steps needed for GMS:

    /root/sslinstall.sh:

    #!/bin/sh
    cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem
    ck1=`md5sum ~/.acme.sh/mobile.domain.com/server.pem | awk -F" " '{print $1}'`
    ck2=`md5sum /var/lib/datasync/device/mobility.pem | awk -F" " '{print $1}'`
    # a ";" (or newline) is required before "then"; the one-liner was missing it
    if [ "$ck1" != "$ck2" ]; then
        /bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem
        /bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem
        /usr/sbin/rcgms restart
    fi


    then add a cron entry (/var/spool/cron/tabs/root):

    20 0 * * *  "/root/sslinstall.sh"

    (that just runs 5 minutes after the acme.sh script that was installed automatically; it does nothing unless the certificate has changed)

     
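A reworked sslinstall.sh, added here as an example and not code from the thread, acme.sh or GMS: it quotes its variables, treats a missing mobility.pem on the first run as "changed" instead of tripping a `[` syntax error, creates the combined PEM mode 0600 because it carries the private key, compares files with cmp rather than md5sum, and restarts GMS only when a copy actually changed. It assumes the acme.sh output directory, the two GMS paths and the rcgms command named in the thread; run it as root.

```shell
#!/bin/sh
# Reworked sslinstall.sh for GMS (added example, not code from the thread).
# Assumed: the acme.sh and GMS paths named in the thread, and /usr/sbin/rcgms.
set -eu

ACME_DIR="${ACME_DIR:-${HOME:-/root}/.acme.sh/mobile.domain.com}"
GMS_WEBADMIN="${GMS_WEBADMIN:-/var/lib/datasync/webadmin/server.pem}"
GMS_DEVICE="${GMS_DEVICE:-/var/lib/datasync/device/mobility.pem}"
RESTART_CMD="${RESTART_CMD:-/usr/sbin/rcgms restart}"

# build_pem KEY FULLCHAIN OUT: concatenate key + chain as GMS expects.
# The result contains the private key, so create it mode 0600 rather
# than with the umask default that a plain "cat >" would leave.
build_pem() {
    umask 077
    cat "$1" "$2" > "$3"
    chmod 600 "$3"
}

# install_if_changed SRC DST: copy SRC over DST only when they differ.
# Returns 0 if DST was written, 1 if it was already identical.
# A missing DST (first run) counts as changed; the unquoted md5sum
# comparison in the thread would instead fail with a [ syntax error.
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp -f "$1" "$2"
    chmod 600 "$2"
}

# main: rebuild server.pem, deploy to both GMS locations, and restart
# GMS only when at least one copy actually changed.
main() {
    pem="$ACME_DIR/server.pem"
    build_pem "$ACME_DIR/mobile.domain.com.key" "$ACME_DIR/fullchain.cer" "$pem"
    changed=0
    install_if_changed "$pem" "$GMS_WEBADMIN" && changed=1
    install_if_changed "$pem" "$GMS_DEVICE" && changed=1
    [ "$changed" -eq 1 ] && $RESTART_CMD
    return 0
}

# Run main only when invoked as a script, not when sourced for testing.
case "$0" in *sslinstall.sh) main ;; esac
```

Drop it in as /root/sslinstall.sh with the same cron entry as above; ACME_DIR, GMS_WEBADMIN, GMS_DEVICE and RESTART_CMD can be overridden from the environment for another hostname or install layout.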

  • After my success with acme.sh on my GMS server running SLES12SP3, I started trying to install it on another server running SLES11SP4/OES2015SP1.  Couldn't even get the acme.sh script due to SSL errors.  Spent a while tearing my hair out until I figured out I needed a wget that can use TLSv1.2/SSLv3:

    Long version: https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html

    Short version (this assumes you otherwise are patched up to date):

    find out which repo is the security repo: #zypper repos | grep Security

    enable the repo: #zypper modifyrepo -e 8 <--- whichever repo number you got from the first command

    install the alternate wget: #zypper in wget-openssl1

    activate it: #update-alternatives --set wget /usr/bin/wget.openssl1

    now proceed with the acme.sh install: #wget -O - https://get.acme.sh|sh

     

  • I'd like to follow up on this issue and request comment from anyone else using acme/letsencrypt certificates.

    I noticed that whenever we change certificate some devices require removal of the account from the device and re-add to allow mail to flow.

    Blackberry Key Two and Google Pixel devices accept new acme certificates. No removal required.

    Samsung and iPhone devices require removal of exchange accounts and re-add.

    Has anyone else seen this behavior?


  • I.e. I have a different approach. I run a proxy in front of many services - sles12 with nginx. This proxy is also responsible to get all the certificates via LetsEncrypt. I think more than 10 certs for each server. But a server can run more than one service (GroupWise and Messenger i.e.). So my proxy will host all the certificates - what's happening in the background is unimportant.

    My proxy will re-direct all access request and forward (hopefully) to the right server. Sometimes some certs and services are a little bit tricky (Filr;  offered a solution for this).
    I never had to remove and reestablish my GroupWise account for my Android using GMS in the background.

  • Devices can now sync but cannot send mail from devices.

    Was wondering if you've seen this and how it was resolved.


  • Are you familiar with dsapp?

    Dsapp can place the certs at the right locations. However dsapp can generate LetsEncrypt certs directly but I had to replace this feature because acme code was outdated.

    So let's generate your certs with your acme code. Afterwards use dsapp to place your certs in the right way. Dsapp will check if key and crt (or pem) fit together.

    Coming back to your question - no, I do not see any problems in sending mails from devices to the world. Do you see any delays in receiving mails on your device?

  • Thanks for responding.

    I think I figured it out.

    The Gmail app (exchange) causes havoc on my system. Mail gets stuck in the outbox and when syncing, causes high load where memory and disk utilization red lines the system. Not sure what the app is doing.

    Samsung mail app and blackberry hub work fine. I need to ban users from using the Gmail App.

     

  • Current Situation:

    when 1 user adds second device using Gmail App.

     

  • ok,  

    which build do you use? If you check your server, what is causing high load (top)?

  • Hi

     

    18.2.0 Build 527. I will try to reproduce the error during off hours. FYI, this behavior also occurred on the field patch 18.2.1 that I downgraded from.

  • Downgraded? I think the official version is 544 ! I use 547.

  • Correct.

    The shipping version of GMS is 18.2.0 build 544. I went up to 18.2.1 build 547, where the server hosed, before moving back to 18.2.0 build 544 to diagnose this issue.

