How to copy acme sh issued certitiface to Nethserver

oneitonitram · May 9, 2022, 8:03am

I issued a Letsencrypt SSL certificate to a domain not pointed to nethserver,
using this tutorial: userguide:let_s_encrypt_for_internal_servers [NethServer Wiki]
for the purpose of making use of matrix on domain, not the subdomain, and pointed the srv records.

After issuing the cert, now all the other certs on the server have been removed, does it mean i have to issue including those other certs as well, and will not not make use of the builtin Nethserver ssl tool on the dashboard?

How can i copy the requested/issued certificate to nethserver?
with the error command not found i got below, i am not sure if i did it correctly

oneitonitram · May 9, 2022, 9:58am

is it possible to define the crts differently so that they are handled differently. the one for nethserver still remains to be handled with nethsever, while the one for dns challenge, gets to be handled separately.

Acme Sh was used, because the version of cerbot that comes with Nethserver 7 does not include all the latest DNS providers.

mrmarkuz · May 9, 2022, 11:08am

I think that would be the simplest way.

danb35 · May 9, 2022, 11:28am

How did this happen? Perhaps it would be better to back up and explain exactly what you did. Because nothing that wiki page tells you to do would have affected any other cert on your system.

This will be the case by default. Nethserver will obtain and renew the one, single cert you’ve told it to manage, which will be whatever you last issued through the GUI. You’re on your own to deal with any other certificates.

oneitonitram · May 9, 2022, 11:54am

Initially, Nethserver had org.domainA.tld, wiki.domainA.tld and chat.domainB.tld
both with issued ssl certs
i wanted to obtain ssl for domainB.tld which is not pointed to the server, so after setting up acme sh and config, i ran the command below.

acme.sh --issue --debug --dns dns_cloudns  domainB.tld \
--cert-file /etc/pki/tls/certs/cert.crt \
--ca-file /etc/pki/tls/certs/cert-chain.crt \
--key-file /etc/pki/tls/private/cert.key \
--reloadcmd "/sbin/e-smith/signal-event certificate-update"

After the command above was issued, LE was issued via dns to the domain not pointing to Nethserver, but all other domains on Nethserver which had ssl handled by nethserver were now giving ssl error, even after rebooting server and trying all manner of things.

so to bring back ssl, as i di dnot want to tamper
i issued the command below

acme.sh --issue --debug --force --dns dns_cloudns -d org.domainA.tld -d wiki.domainA.tld  -d chat.domainB.tld -d domainB.tld \
--cert-file /etc/pki/tls/certs/cert.crt \
--ca-file /etc/pki/tls/certs/cert-chain.crt \
--key-file /etc/pki/tls/private/cert.key \
--reloadcmd "/sbin/e-smith/signal-event certificate-update"

Above command was issued on the server to give it cert for alll the domains.

so it got me thinking, why would getting LE via acme sh also remove the previous issued cert on nethsever,

and how can acme sh be used to issue LE certs, without affecting existing Nethserver.

danb35 · May 9, 2022, 12:08pm

So this is what happens when you use a guide for something it wasn’t designed for, without making appropriate adaptations. The guide you used was to obtain a cert for Nethserver itself, so it has you tell Nethserver to look in a particular place for your cert and key files, and then tell acme.sh to put those files in that place. You wanted to obtain a cert not for Nethserver itself, but you still told Nethserver to use that cert.

Because you explicitly told it to.

By not telling it to overwrite the existing default Nethserver cert.

oneitonitram · May 9, 2022, 12:17pm

so, what was the best thing to do in this case scenrio, so that it would not replace the certs fro nethserver itself

danb35 · May 9, 2022, 12:34pm

Specify different paths for the cert/key files, or just leave them in /root/.acme.sh and tell your application to use them from there.