reverendjb

LetsEncrypt setup

I had some free time, and an upcoming expiring cert on my GMS server so I decided to give LE a shot on GMS.
I thought I would share how I set it up, in case anyone was curious. Seems to be working OK with Android and iOS. I have no Windows phone to test it on, but I wouldn't expect any issues.

I am running on SLES11 SP4, and using acme.sh for my LE client.

here is the basic setup:

install acme.sh using wget
acme.sh github: https://github.com/Neilpang/acme.sh


#wget -O - https://get.acme.sh|sh


issue certs using acme.sh, adding autodiscover as a SAN
with mobile.domain.com being your GMS server fqdn


#acme.sh --issue -d mobile.domain.com --standalone -d autodiscover.domain.com


If you receive an error (I did) about missing netcat (nc), even though netcat is installed, install netcat-openbsd through YaST and try again.

This will create a cron entry that will run every night, but only generate new certs every 60 days.
Certs will be downloaded to ~/.acme.sh/mobile.domain.com/

to create the cert that GMS can use:

#cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem;


I added this bit to see if the file has changed from last time, and if it has, copy to where GMS can see it and restart GMS.

# md5 of the freshly built bundle and of the one GMS is currently using
# (ck2 is empty on the first run, when mobility.pem does not exist yet)
ck1=$(md5sum ~/.acme.sh/mobile.domain.com/server.pem | awk '{print $1}')
ck2=$(md5sum /var/lib/datasync/device/mobility.pem 2>/dev/null | awk '{print $1}')

# both sides quoted: with an empty $ck2 the unquoted test [ $ck1 != $ck2 ]
# is a syntax error and the copy never happens
if [ "$ck1" != "$ck2" ]
then
  # server.pem contains the private key; check the mode it ends up with
  # under /var/lib/datasync matches what GMS's own cert files had
  /bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem
  /bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem
  /usr/sbin/rcgms restart
fi
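An added example, not code from this thread or from the acme.sh project: the same build/compare/copy/restart step as a POSIX sh script that also refuses to install a bundle whose key and certificate do not match, whose SAN lacks the GMS hostname, or which is already about to expire, and that creates the combined PEM (which contains the private key) with mode 0600 and swaps it into place atomically rather than with a plain cp. The ~/.acme.sh/<fqdn>/ layout, the two GMS PEM paths and `rcgms restart` are taken from the post above; the function names, the `openssl` checks and the 0600 mode are this example's own assumptions. It needs `openssl` 1.0.0 or later for `openssl pkey` (on the 0.9.8 shipped with SLES 11, substitute `openssl rsa -pubout` for that one call).

```shell
#!/bin/sh
# Added example, not code from the thread: a checked version of the
# "build server.pem, copy if changed, restart GMS" step.
# Paths (~/.acme.sh/<fqdn>/, the two GMS PEM locations, rcgms) come from
# the post; the function names, the openssl checks and the 0600 mode are
# this example's own assumptions.
set -u

# build_bundle KEY FULLCHAIN OUT
# Write key + full chain into one PEM created with mode 0600: a plain
# `cat ... > server.pem` inherits whatever umask cron happens to run with,
# and an existing world-readable OUT would keep its old mode, hence rm -f.
build_bundle() {
    [ -s "$1" ] && [ -s "$2" ] || return 1
    (umask 077 && rm -f "$3" && cat "$1" "$2" > "$3")
}

# key_matches_cert BUNDLE
# The public key derived from the private key must equal the one in the
# leaf certificate; otherwise the bundle is half-written or mismatched.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san BUNDLE NAME
# Parse the SAN extension out of `-text` output (works on old OpenSSL too)
# and require NAME as an exact DNS entry, so a renewal that silently lost
# the autodiscover name is caught before GMS is restarted on it.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# cert_valid_for_days BUNDLE DAYS  -> 0 if the cert does not expire within DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# bundle_changed NEW CURRENT  -> 0 if they differ or CURRENT does not exist
bundle_changed() {
    ! cmp -s "$1" "$2"
}

# install_bundle SRC DEST
# Stage next to DEST, then rename: a reader never sees a half-written PEM,
# and the file is 0600 from the moment it exists in DEST's directory.
install_bundle() {
    tmp="$2.tmp.$$"
    (umask 077 && rm -f "$tmp" && cp "$1" "$tmp" && chmod 600 "$tmp") \
        && mv -f "$tmp" "$2"
}

# deploy_if_changed FQDN [ACME_DIR] [WEBADMIN_PEM] [DEVICE_PEM] [RESTART_CMD]
# 0: new bundle installed and GMS restarted; 3: unchanged, nothing done;
# 1: build/copy failed; 2: bundle failed verification (nothing installed).
deploy_if_changed() {
    fqdn=$1
    acme_dir=${2:-$HOME/.acme.sh/$fqdn}
    webadmin_pem=${3:-/var/lib/datasync/webadmin/server.pem}
    device_pem=${4:-/var/lib/datasync/device/mobility.pem}
    restart_cmd=${5:-/usr/sbin/rcgms restart}
    new=$acme_dir/server.pem

    build_bundle "$acme_dir/$fqdn.key" "$acme_dir/fullchain.cer" "$new" || return 1
    key_matches_cert "$new"      || { echo "$new: key does not match cert" >&2; return 2; }
    cert_has_san "$new" "$fqdn"  || { echo "$new: $fqdn not in SAN" >&2; return 2; }
    cert_valid_for_days "$new" 1 || { echo "$new: cert expires within a day" >&2; return 2; }
    bundle_changed "$new" "$device_pem" || return 3

    install_bundle "$new" "$webadmin_pem" || return 1
    install_bundle "$new" "$device_pem"   || return 1
    $restart_cmd
}

# Run from cron a few minutes after acme.sh's own --cron entry, e.g.
#   /root/deploy-gms-cert.sh mobile.domain.com
if [ $# -gt 0 ]; then
    deploy_if_changed "$@"
fi
```

The optional arguments exist so the script can be exercised against a scratch directory holding a self-signed key and cert (and a harmless "restart" command) before it is pointed at /var/lib/datasync; a return code of 3 from cron simply means the nightly acme.sh run did not renew anything.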
8 Replies
snielson1

Re: LetsEncrypt setup

Very nice. You should write this up as a cool solution! 🙂

Shane Nielson Kind of alright at doing stuff with the computer thing
Micro Focus Expert

Re: LetsEncrypt setup

Reverendjb,

> I had some free time, and an upcoming expiring cert on my GMS server so
> I decided to give LE a shot on GMS.
> I thought I would share how I set it up, in case anyone was curious.
> Seems to be working OK with Android and IOS. I have no Windows phone to
> test it on, but I wouldn't expect any issues.
>
> I am running on SLES11 SP4, and using acme.sh for my LE client.


This would be great information to put into a CoolSolutions document 🙂

https://www.novell.com/communities/coolsolutions/about-us/how-to-create-and-submit-content/

Pam

mblackham

Re: LetsEncrypt setup


Cool, just tried this on one of my test servers here and it worked like champ.. I had never heard of LE before.



Thanks,



Morris

>>> reverendjb<reverendjb@no-mx.forums.microfocus.com> 2/7/2017 3:06 PM >>>
mblackham

Re: LetsEncrypt setup


After a little research, I've found that the certs are only valid for a 3 month time span, so you would have to renew a lot more often than with most public CAs. Also found this, so use at your own risk:



http://www.datamation.com/security/lets-encrypt-the-good-and-the-bad.html




--Morris

>>> Morris Blackham<MBlackham@no-mx.forums.microfocus.com> 2/8/2017 12:05 PM >>>
reverendjb

Re: LetsEncrypt setup

I will think about a coolsolutions article, but maybe wait for a little feedback first.

@mblackham -
yes LE certs are only valid for 90 days, which is why the cron job created will replace the cert every 60 days.

Without going in to how much I disagree with that article, none of the 'bad' applies to a GMS implementation.
Knowledge Partner

Re: LetsEncrypt setup

In article <reverendjb.7tm5ao@no-mx.forums.microfocus.com>, Reverendjb
wrote:
> Without going in to how much I disagree with that article, none of the
> 'bad' applies to a GMS implementation.


I think much of the initial shock we are seeing is that TLS protected sites used to be for 'special folks/sites', a certain sense of class elitism. Let's Encrypt just finished the job of bringing cert cost down to no currency needed that was already going on. Let's Encrypt appears to be doing more validation than some of the Certificate Authorities out there, so it really hasn't made that much of a difference for the scammers out there. What it really highlights to me is that anti-phishing training just needs to step up some to include "don't blindly trust that lock on the browser, check a few other things" if they don't already have it. There are anti-phishing training options out there, such as PhishMe. A nice write-up on the topic is at
https://textslashplain.com/2017/01/16/certified-malice/
The cat is out of the bag, no getting it back in.

I would at least flesh out your Cool Solutions profile
https://www.novell.com/communities/coolsolutions/author/reverendjb/ (and perhaps your Forum one as well while you are at it) while fleshing out some more introductory wording at the beginning of your article.

I think this would be a great article and am looking forward to it. You
have a group here that'll help you with it if you want.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!
GMS troubleshooting tips at http://www.konecnyad.ca/andyk/gwmobility.htm
davemrm

Re: LetsEncrypt setup

wow, that was EASY!  Thanks!

I've been renewing and installing my GMS cert by hand every 90 days for years, thinking "one of these days I'll figure out how to automate it", but I kept thinking it was going to be a major ordeal that I just didn't have time for.

Notes for anyone doing it now:

1) you need socat tools:

#zypper in socat

2) you do need port 80 access from the internet to the GMS server.  I didn't have it, since nothing used port 80 before.  Don't worry about exposing anything though, nothing is listening on port 80 - it's only live for a second or two every 60 days when the domain is validated

3) create a script to do the additional steps needed for GMS:

/root/sslinstall.sh:

#!/bin/sh
# build the bundle GMS expects: private key first, then the full chain
cat ~/.acme.sh/mobile.domain.com/mobile.domain.com.key ~/.acme.sh/mobile.domain.com/fullchain.cer > ~/.acme.sh/mobile.domain.com/server.pem

# md5 of the new bundle vs. the one GMS is using (empty if none installed yet)
ck1=$(md5sum ~/.acme.sh/mobile.domain.com/server.pem | awk '{print $1}')
ck2=$(md5sum /var/lib/datasync/device/mobility.pem 2>/dev/null | awk '{print $1}')

# both sides quoted: with an empty $ck2 the unquoted [ $ck1 != $ck2 ] is a syntax error
if [ "$ck1" != "$ck2" ]
then
  /bin/cp -f ~/.acme.sh/mobile.domain.com/server.pem /var/lib/datasync/webadmin/server.pem
  /bin/cp -f /var/lib/datasync/webadmin/server.pem /var/lib/datasync/device/mobility.pem
  /usr/sbin/rcgms restart
fi

then add a cron entry (/var/spool/cron/tabs/root):

20 0 * * *  "/root/sslinstall.sh"

(that just runs 5 minutes after the acme.sh script that was installed automatically; it does nothing unless the certificate has changed)
davemrm

Re: LetsEncrypt setup

After my success with acme.sh on my GMS server running SLES12 SP3, I started trying to install it on another server running SLES11 SP4/OES2015 SP1.  Couldn't even get the acme.sh script due to SSL errors.  Spent a while tearing my hair out until I figured out I needed a wget that can use TLSv1.2/SSLv3:

Long version: https://www.suse.com/documentation/suse-best-practices/singlehtml/securitymodule/securitymodule.html

Short version (this assumes you otherwise are patched up to date):

find out which repo is the security repo: #zypper repos | grep Security

enable the repo: #zypper modifyrepo -e 8 <--- whichever repo number you got from the first command

install the alternate wget: #zypper in wget-openssl1

activate it: #update-alternatives --set wget /usr/bin/wget.openssl1

now proceed with the acme.sh install: #wget -O - https://get.acme.sh|sh