
LetsEncrypt setup

I had some free time, and an upcoming expiring cert on my GMS server, so I decided to give LE a shot on GMS.
I thought I would share how I set it up, in case anyone was curious. Seems to be working OK with Android and iOS. I have no Windows phone to test it on, but I wouldn't expect any issues.

I am running on SLES11 SP4, and using acme.sh for my LE client.

Here is the basic setup:

Install acme.sh using wget (acme.sh github):

#wget -O - https://get.acme.sh|sh


Issue certs using acme.sh, adding autodiscover as a SAN, with mobile.domain.com being your GMS server FQDN:

#acme.sh --issue -d mobile.domain.com --standalone -d autodiscover.domain.com


If you receive an error (I did) about missing netcat (nc), even though netcat is installed, install netcat-openbsd through YaST and try again.

This will create a cron entry that will run every night, but only generate new certs every 60 days.
Certs will be downloaded to ~/.acme.sh/mobile.domain.com/

To create the cert that GMS can use:

#cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem


I added this bit to see if the file has changed from last time, and if it has, copy to where GMS can see it and restart GMS.

# checksum of the freshly built PEM and of the one GMS is currently using
ck1=$(md5sum ~/.acme.sh/mobile.domain.com/server.pem | awk '{print $1}')
ck2=$(md5sum /var/lib/datasync/device/mobility.pem | awk '{print $1}')

# quoted, so the test does not break if a checksum is empty (e.g. file missing)
if [ "$ck1" != "$ck2" ]
then
    /bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem
    /bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem
    /usr/sbin/rcgms restart
fi
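The same "build server.pem, install it only if it changed, restart GMS" step, written as an added example (this is not the original poster's script and not part of GMS or acme.sh). It keeps the private-key-bearing combined file at mode 0600 by writing through a temp file and renaming, quotes the checksum comparison so a missing destination counts as "changed" instead of producing a shell error, and checks that the key actually belongs to the certificate before GMS is restarted, since a restart with a mismatched pair takes the service down. All paths (the ~/.acme.sh directory, /var/lib/datasync/..., /usr/sbin/rcgms) are assumptions taken from this thread; openssl is assumed to be installed for the key check.

```sh
#!/bin/sh
# Added example, not code from the original post. Paths are assumptions
# taken from the thread above; adjust them to your install.

set -u

# sha256 digest of a file, or empty string when the file does not exist yet.
file_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        printf ''
    fi
}

# Write key + fullchain into one PEM. The subshell umask keeps the temp file
# 0600 from the moment it is created; the rename makes the swap atomic, so a
# reader never sees a half-written or world-readable private key.
build_combined_pem() {
    key="$1"; chain="$2"; out="$3"
    ( umask 077; cat "$key" "$chain" > "$out.tmp.$$" )
    mv -f "$out.tmp.$$" "$out"
}

# Copy src to dst only when the contents differ.
# Returns 0 if dst was (re)written, 1 if it was already current.
install_if_changed() {
    src="$1"; dst="$2"
    if [ "$(file_digest "$src")" = "$(file_digest "$dst")" ]; then
        return 1
    fi
    ( umask 077; cp -f "$src" "$dst.tmp.$$" )
    mv -f "$dst.tmp.$$" "$dst"
    return 0
}

# True if the private key's public half matches the certificate's public key.
# Works for RSA and EC keys; reads the first (leaf) cert of a fullchain file.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

# Full flow with the thread's (assumed) paths. GMS is restarted only when the
# installed file actually changed, so running this nightly from cron is safe.
deploy_gms_cert() {
    acme_dir="${1:-$HOME/.acme.sh/mobile.domain.com}"
    key="$acme_dir/mobile.domain.com.key"
    chain="$acme_dir/fullchain.cer"
    pem="$acme_dir/server.pem"

    key_matches_cert "$key" "$chain" || {
        echo "private key does not match certificate, not deploying" >&2
        return 2
    }
    build_combined_pem "$key" "$chain" "$pem"
    if install_if_changed "$pem" /var/lib/datasync/webadmin/server.pem; then
        install_if_changed "$pem" /var/lib/datasync/device/mobility.pem || true
        /usr/sbin/rcgms restart
    fi
}
```

Source the file and call `deploy_gms_cert` from the nightly cron job after acme.sh has run, or hand it to acme.sh as the reload command of `--install-cert` (the approach a later reply in this thread uses for nginx); either way the restart is skipped on the nights when nothing was renewed.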

Hi: @Rimser,

Working on the NGINX reverse proxy fronting GW Web. Certbot provides the following:

`privkey.pem`: the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`: used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`: will break many server configurations, and should not be used without reading further documentation (see link below).

GroupWise Web requests the following for SSL:

NOTE: /opt/novell/gw/certs should contain the server.key and server.crt files.
You can add --restart always after run -d in the command to have the image restart
automatically after rebooting the docker server.

To satisfy the GroupWise Web requirement, shall I rename fullchain.pem and privkey.pem to server.crt and server.key respectively?


As a test, renaming them is pretty easy. Please let us know if it works.

Hi,

Seems like renaming fullchain.pem worked like a charm.

Thanks


Let me try to post my notes tomorrow. I have an example setting it up for Mobility and Filr.


Useful links:
https://www.cyberciti.biz/faq/how-to-install-nginx-on-suse-linux-enterprise-server-12/
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-for-apache
https://www.snel.com/support/securing-your-nginx-site-with-lets-encrypt-acme-sh/

Installed on SLES 12 SP2

Add nginx repo
ngnix:~ # sudo zypper addrepo -G -t yum -c 'http://nginx.org/packages/sles/12' nginx

Get signing key
ngnix:~ # wget http://nginx.org/keys/nginx_signing.key

Import it:

ngnix:~ # sudo rpm --import nginx_signing.key

Install nginx
ngnix:~ # sudo zypper install nginx

Install acme.sh
curl https://get.acme.sh | sh

edit conf file default.conf:
location /.well-known/acme-challenge/ {
alias /var/www/search.pedago.fi/.well-known/acme-challenge/;
}

sudo systemctl restart nginx
cd .acme.sh
./acme.sh --issue -d homer.acme.com -d lisa.acme.com -w /var/www/homer.acme.com

mkdir -p /etc/nginx/certs
cp /root/.acme.sh/homer.acme.com/* /etc/nginx/certs

server {
listen 443 ssl;
ssl_certificate /etc/nginx/certs/homer.acme.com.cer;
ssl_certificate_key /etc/nginx/certs/homer.acme.com.key;
}

acme.sh --issue -d homer.acme.com.fi -d lisa.acme.com -w /var/www/homer.acme.com

add to cron:
/root/.acme.sh/acme.sh --install-cert -d homer.acme.com --cert-file /etc/nginx/certs/homer.acme.com.cer --key-file /etc/nginx/certs/homer.acme.com.key --fullchain-file /etc/nginx/certs/fullchain.cer --reloadcmd "systemctl restart nginx"



I posted my brief writeup in the public thread