[solved] Enable certificate renewal-hook in nethserver

I have placed a script in /etc/letsencrypt/renewal-hooks/post/ as I want the letsencrypt certificate to be pushed to my router upon renewal. The script works fine, as it is executed when issuing: certbot renew --dry-run, and the certificate appears on my router.

Is it possible that this is not the case with normal renewal within the nethserver renewal routine? I am asking, as issuing /usr/libexec/nethserver/letsencrypt-certs -f does not make the certificate appear on my router.

By the way I found this to push my certificate to opnsense. Lacking knowledge, may I ask a question here. If I try to re-run the script and the certificate is already there, it does not overwrite it. So my question is, what is likely to happen when the letsencrypt certificate is nearly expiring and thus being renewed. Will the script copy it as it's a renewed one? If not, may someone of you help me with a modification, let's say a force option to be able to overwrite the existing and soon expiring one?

Thanks in advance for sharing your knowledge with me :slight_smile:


Yes, it should do the job: the certificate changes only when renewed.

You can obtain the same behavior by adding a script inside the certificate-update event, which is fired every time the certificate changes.
Example: /etc/e-smith/events/certificate-update/S80push2router

#!/bin/bash
# Runs on every certificate-update event: copy the current Let's Encrypt chain and key
# to the router (replace <fqdn> and <your_file> with your own values).
scp /etc/letsencrypt/live/<fqdn>/{fullchain.pem,privkey.pem} root@router:/etc/<your_file>/
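A variant of the event script above, as an added example that is not from this thread or from NethServer: it records the digest of the last chain it pushed and copies the files only when the certificate has really changed, with a --force option to overwrite regardless. CERT_DIR, ROUTER, REMOTE_DIR and STATE_FILE are assumed placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: a certificate-update event script that pushes
# the Let's Encrypt chain and key to the router only when the certificate has actually
# changed (a renewed cert always has a new digest), with --force to overwrite anyway.
# Assumed values: CERT_DIR, ROUTER, REMOTE_DIR and STATE_FILE are placeholders.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/<fqdn>}"
ROUTER="${ROUTER:-root@router}"
REMOTE_DIR="${REMOTE_DIR:-/etc/<your_file>}"
STATE_FILE="${STATE_FILE:-/var/lib/push2router.sha256}"   # digest of the last pushed chain

# SHA-256 of a PEM file; fails (non-zero) if the file is unreadable.
cert_digest() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when a push is needed: no digest recorded yet, or the current
# chain differs from the one recorded at the last successful push.
needs_push() {
    local cert="$1" state="$2" current previous
    current=$(cert_digest "$cert") || return 1
    [ -f "$state" ] || return 0
    previous=$(cat "$state")
    [ "$current" != "$previous" ]
}

# Copy chain and key to the router; record the digest only after scp succeeded,
# so a failed push is retried at the next event.
push_cert() {
    scp "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "$ROUTER:$REMOTE_DIR/" \
        && cert_digest "$CERT_DIR/fullchain.pem" > "$STATE_FILE"
}

main() {
    if [ "${1:-}" = "--force" ] || needs_push "$CERT_DIR/fullchain.pem" "$STATE_FILE"; then
        push_cert
    else
        echo "certificate unchanged, nothing pushed"
    fi
}

# Run only when installed under its event-script name, e.g.
# /etc/e-smith/events/certificate-update/S80push2router; sourced elsewhere, the
# functions above are available without triggering a push.
case "$0" in *S80push2router*) main "$@" ;; esac
```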

Thanks Giacomo, it works after creating the file in the mentioned path and making it executable :slight_smile:

I also tried by adding a subdomain in my letsencrypt certificate, and it copied the new certificate over. The old certificate stays in place though, that's certainly just a minor inconvenience. A cool option on the php script would be to add an option to overwrite the existing certificate. Would that be easy to implement?

In any case I want to thank you for the quick and very valuable support. I feel happy and welcome here, in this very supportive and competent community. Keep up the great work :ok_hand:


Hi @giacomo ,

I have a follow-up question. I have now set up the domain in-house without a letsencrypt certificate. Then on a hosted environment I have the “external” nethserver which has the email server and nextcloud installed, and this one does get letsencrypt certificates. It is attached to the internal network via vpn and is a member of the domain created on the internal nethserver. I created a ldapquery user, and configured it on the external nethserver. So far so good. Now for enabling the router to do ldap queries, what needs to be configured? From the point of view of the router, who is the ldap server (hostname), the external nethserver, the internal one, or the container? The router can only ping / reach the external nethserver, so I guess it has to be that one.

But what does this mean? What name do I configure on the router? And which certificate is relevant for these ldap queries? I need a bit of help understanding ldap queries on the attached nethserver.

I didn’t really get the question :frowning:

But I can say that the LDAP server uses the certificate marked as default in the Server Manager.
If you need to do queries on it, you can always use this dn: dc=directory,dc=nh
No matter what the server name is.

Good morning Giacomo and thanks for your reply.

On the first try I had the router querying successfully directly on the nsdc container. For that, I had to ensure that the certificate with the hostname of the domain controller used for the ldap query is present on the router, and that the hostname ad.ourdomain.com was resolvable on the router (I added a dns entry for that).

Then I used the following settings to successfully query ldap:
Transport: SSL
Port: 636
Protocol Version: 3
Hostname: ad.ourdomain.com
User DN: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Bind Credentials: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Base-DN: dc=ad,dc=ourdomain,dc=com

Now I want to configure the router to query the other server, which is attached to the primary domain controller. For that I created a user on the domain (ldapquery) and configured it in the User settings of the remote nethserver. And what certificate will need to be installed on the router, as it only accepts encrypted queries: the self-signed certificate on the nsdc container or the letsencrypt one which is the default certificate on the remote attached nethserver?

So from the router's point of view, instead of contacting ad.ourdomain.com (the nsdc container on the pdc), it now will query against the hostname of the second nethserver?

That means the certificate for this domain query must contain ad.ourdomain.com (as the hostname of the nsdc container) or bdc.ourdomain.com (as the remote nethserver attached to this domain on which the query will be answered), or both? And on Bind Credentials, Base-DN and User-DN: will it be cn=ldapservice,ou=User,dc=ad or bdc,dc=ourdomain,dc=com?

I am not sure how these ldap queries are answered from the remote nethserver. Is there a way to easily test this with queries on the command line to get an idea?

This is quite complex; the fast, but insecure, fix is to disable certificate verification, see this.
Otherwise you need a way to correctly distribute certs among all machines.

Unfortunately this is not an option as the router refuses to do unencrypted ldap queries. I think I just need to copy the correct certificate to the router so it can make encrypted queries against the remote attached nethserver. The question is, which certificate is necessary then - the letsencrypt one on the remote neth or the self-signed one used in the nsdc container? And whichever it is, the second question: from the point of view of the router, does it need to query against the hostname bdc.ourdomain.com or against ad.ourdomain.com? Because this hostname must be in the certificate.

If I could know which Bind Credentials, Base-DN and User-DN (cn=ldapservice,ou=User,dc=ad or bdc,dc=ourdomain,dc=com) will be used for queries against the remote nethserver, I might be able to test with ldap queries from the console, and then test both certificates to see where it gets?

I mean, how does, let's say, nextcloud query ldap on the remote attached nethserver?

For using SSL you need the letsencrypt one, as it needs to be a valid cert in most cases.
You may disable strong auth on the remote Nethserver to use it without SSL, see the wiki.

You can get a letsencrypt cert for both bdc.ourdomain.com and ad.ourdomain.com.
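For the command-line test asked about earlier and for checking which hostname a certificate actually covers before pointing the router at it, here is an added example (not from this thread or from NethServer). The hostnames and DNs are the ones quoted in the thread; CA_FILE and the sample certificate are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: check from the command line that the certificate
# behind an LDAPS endpoint covers the hostname the router will connect to, and run a
# verified ldapsearch with the thread's settings instead of disabling verification.
# Assumed placeholders: the hostnames, DNs and CA_FILE below are taken from the thread
# or invented for illustration.
LDAP_HOST="${LDAP_HOST:-ad.ourdomain.com}"
LDAP_PORT="${LDAP_PORT:-636}"
BIND_DN="${BIND_DN:-cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com}"
BASE_DN="${BASE_DN:-dc=ad,dc=ourdomain,dc=com}"
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}"   # or the nsdc self-signed cert

# Save the leaf certificate the server actually presents on port 636 to a file.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Exit 0 only if the certificate's CN/SAN covers the hostname; this is the same
# check the router performs, so it tells you which name to put in the router config.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Verified LDAPS search: LDAPTLS_REQCERT=demand makes ldapsearch fail closed on an
# untrusted or mismatching certificate (prompts for the bind password).
ldaps_search() {
    LDAPTLS_CACERT="$CA_FILE" LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$LDAP_HOST:$LDAP_PORT" -x -D "$BIND_DN" -W \
                   -b "$BASE_DN" '(objectClass=user)' sAMAccountName
}

# Constructed sample input: a throwaway self-signed cert with the two SANs discussed
# in the thread, so cert_covers_host can be exercised without a live server.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" -out "$1" \
        -subj "/CN=ad.ourdomain.com" \
        -addext "subjectAltName=DNS:ad.ourdomain.com,DNS:bdc.ourdomain.com" >/dev/null 2>&1
}
```

Against a real server, run fetch_server_cert first and pass the saved file to cert_covers_host with each candidate hostname; only the name that matches (and is trusted via CA_FILE) will work in the router's LDAP settings.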

Yes, that's true, I can add them in the letsencrypt cert. What about the query to the backup domain controller? So you think that the needed certificate will be the one which is installed on the bdc, as the query will be against bdc this time?

As for the query directly on ad.domain.com I had successfully configured the following:

Hostname: ad.ourdomain.com
User DN: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Bind Credentials: cn=ldapservice,ou=User,dc=ad,dc=ourdomain,dc=com
Base-DN: dc=ad,dc=ourdomain,dc=com

Now needing to configure the query to the remote neth bdc, what do you think I have to change for doing the same query but this time to bdc.ourdomain.com? Just the hostname and the user? Or will the dc also have to change?

How did you realize this?

Yes, I think you need to point to the other DC, it’s not enough to point to the domain.

With backup domain controller I mean that I have set up a remote nethserver and joined it to the domain of the initial one holding the nsdc container. The router cannot reach the nsdc container, thus it has to do queries on the bdc. For bdc I created a user ldapquery in ad and configured it in its user settings. Now I have to change the router so that it queries ldap against bdc.ourdomain.com and no longer directly against the nsdc container.

So that means I would have to:

Hostname: bdc.ourdomain.com
User DN: cn=ldapquery,ou=User,dc=ad,dc=ourdomain,dc=com
Bind Credentials: cn=ldapservice,ou=User,dc=ad or bdc,dc=ourdomain,dc=com
Base-DN: dc=ad,dc=ourdomain,dc=com ?

Where I am not sure are the dc, but I think they stay the same, right?

Sorry, that’s not possible this way.
For having another DC answering queries see the wiki.

Just tried. opnsense: LDAP bind error: Can’t contact LDAP server :frowning:

I thought that this server would answer queries, but it does not? For what did I have to create the ldapquery user? I thought I read in the documentation that it is used for example for nextcloud, which is installed on bdc and works fine with ad users btw. Well, I’ll read the wiki then and see if there is a solution. Or I will have to set static routes, so that the query can go to the nsdc through the ipsec site2site vpn.

Mhm, as it is an experimental thing described on the wiki, and we will soon go into production, I guess it is a no-go. As you explained to me, bdc will not answer dns queries, so my only way is to establish the correct routes so that the router will be able to reach the nsdc container to query? And that also means that I will need the self-signed certificate that nsdc runs on the router, right?

bdc is kind of a misleading term.
With Nethserver you have a DC providing the container answering LDAP queries. The remote NethServer (the one joined to the AD) may need credentials to connect to specific apps. Nextcloud works as it uses the local or remote join to get the users.

The device doing the join (remote Nethserver) needs to reach the nsdc container.

No, you need either valid certs like letsencrypt or disable strong auth.

The remote nethserver does reach the nsdc container, that's no problem, but the router which shall be able to query for users does not yet. That's what I meant: I will have to establish connectivity for the router too, so it will be able to reach nsdc.

The router refuses to do anything other than strong auth. But if I install the self-signed certificate from nsdc on the router, would that not be enough? I really hope that can work, as otherwise I will have other trouble, because only the remote nethserver which serves nextcloud and the mailserver has a letsencrypt certificate. That would add complexity, as I would have to distribute certs from the remote neth to the local one and nsdc…

So if the remote neth is not really a bdc (as I had planned), may I ask - do you know if there are plans developing that a second nethserver can officially act as backup domain controller with replication and everything? I am asking, as I don't want that one day we cannot access our network anymore because the pdc role nethserver could have gone down. DC is such a crucial service that I would like to have a backup domain controller. I initially thought that a second joined nethserver would be able to act as a read-only dc, but apparently this is not the case?

I think the router idea is not good as it’s not really a backup. The router is just joined to the Neth AD so if the Neth AD fails the router is no real backup.

You may use Hotsync to get a slave AD server.

As regards planning, for Neth 8 the discussion is open.

I remember that the second DC approach worked recently but I can’t find the thread… :upside_down_face:

Right, it’s not the case as the remote Nethserver is no DC.

No, no. The router does need to query for something else. It will act as VPN server with 2fa. So it will need to query users against AD, as I don't want to manage users twice.

Thanks for the links and explanations which I’ll study carefully. I also will have a look @hotsync as intermediate solution, still hoping that one day there will be the possibility to create a real backup domain controller. :slight_smile:

Last question on the certificate I asked above. If I copy the self-signed certificate used by nsdc on to the router, why should that not work? Are you sure that it will need to be a letsencrypt one?

It needs to be a valid one. And letsencrypt is an easy way to get one. Maybe you can allow the Neth cert on your router but easiest way is to get letsencrypt and copy it to the NSDC.
Another way may be to create a CA on the router, and create a cert for Neth.

Did you try this?

What is valid? If it contains the domain, hostname and so on, and it's installed on the router, isn't it valid then? I will think about the three possibilities; as you mentioned, the router's CA is there, so I could go this way. But you are probably right about letsencrypt, I admit that. I will just have to find out how to copy it to nsdc, but that should be possible, as I already have found a way to copy it automatically to the opnsense router once it is renewed.

But before all that I will have to fix my routing issues so that the router can reach nsdc and then I’ll decide what certificate I will use. Thanks to you and also to giacomo for your replies, which helped me understand the situation. :smiley: