Hi,
as there are more and more (FOSS as well as proprietary) CA tools with ACME support (e.g. step-ca or EJBCA), it would be really nice to be able to set our own ACME server URL in the TLS configuration.
TLS Config - Let's Encrypt - Add option to set own ACME server
loxe
Do you mean for the automatic le-setup during grommunio-setup?
If so, then I suggest creating a pull request with the changes needed.
I personally just create the certificate either before and choose it or let the self-signed stuff run, as a provided path to a cert/key only gets a cp $source $dest and not an ln -s $source $dest.
Because of that I always run something like this after I finished the initial setup:
rm /etc/grommunio-common/ssl/*
ln -s /etc/ssl/acme/$(dnsdomainname)/fullchain.pem /etc/grommunio-common/ssl/server-bundle.pem
ln -s /etc/ssl/acme/$(dnsdomainname)/key.pem /etc/grommunio-common/ssl/server.key
This particular thing is with certificates which get uploaded from another system via SFTP where the upload-user has write-access for that particular folder... but it shows where to put the links.
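A stricter variant of the relinking step in the post above, added here as an example (not the poster's or grommunio's own code): it checks that the certificate parses, is not about to expire and matches the key before swapping the links, instead of deleting first. The function name `link_cert` and the 24-hour expiry margin are assumptions; the file names are the ones from the post.

```shell
#!/bin/sh
# link_cert SRC_DIR DEST_DIR   (hypothetical helper, added example)
#   SRC_DIR  holds fullchain.pem and key.pem, e.g. /etc/ssl/acme/$(dnsdomainname)
#   DEST_DIR is the directory the services read, e.g. /etc/grommunio-common/ssl
# Use absolute paths so the symlinks resolve from anywhere.
link_cert() {
    src=$1
    dest=$2
    cert=$src/fullchain.pem
    key=$src/key.pem

    # Both files must exist and be non-empty before anything is touched.
    [ -s "$cert" ] && [ -s "$key" ] ||
        { echo "link_cert: missing cert or key in $src" >&2; return 1; }

    # Refuse a certificate that does not parse or expires within 24 hours
    # (margin is an assumption; adjust to the renewal schedule).
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "link_cert: certificate unparsable or about to expire" >&2; return 1; }

    # The private key must belong to the leaf certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "link_cert: key does not match certificate" >&2; return 1; }

    # Create each link under a temporary name and rename it into place, so
    # the services never see a missing file (unlike rm followed by ln -s).
    ln -sf "$cert" "$dest/.server-bundle.pem.new" &&
        mv -f "$dest/.server-bundle.pem.new" "$dest/server-bundle.pem" &&
        ln -sf "$key" "$dest/.server.key.new" &&
        mv -f "$dest/.server.key.new" "$dest/server.key"
}

# Usage, with the paths from the post:
#   link_cert "/etc/ssl/acme/$(dnsdomainname)" /etc/grommunio-common/ssl
```

A non-zero return leaves the existing files in the destination directory as they were, so a failed upload or a half-written certificate does not take the services' TLS down.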
Yes correct, I mean the le-setup during the grommunio-setup of the appliance.
Is it possible to just use the self-signed certificate during setup and afterwards issue the certbot command with a custom ACME server url manually? That would also be a suitable solution but it would be more comfortable to be able to set the URL during the setup guide.
I will try to find some time for the code change.
Do you think it is better to add a 4th option (e.g. "Automatically generate certificate from own ACME server") to the SSL install types or to just extend the already existing Let's Encrypt setup?
loxe Is it possible to just use the self-signed certificate during setup and afterwards issue the certbot command with a custom ACME server url manually? That would also be a suitable solution but it would be more comfortable to be able to set the URL during the setup guide.
Of course: the SSL certificate paths are still the same as mentioned above, which are used by all services.
/me squints at /usr/share/grommunio-setup/common/ssl_setup
letsencrypt()
loxe Do you think it is better to add a 4th option (e.g. "Automatically generate certificate from own ACME server") to the SSL install types or to just extend the already existing Let's Encrypt setup?
No idea how they would like it, if at all; you can discuss that with them in the merge request.