SSL certificates for Samba AD (NSDC host)

activedirectory

(Jeroen Visser) #1

Would I be requesting something silly when I would request (the proper way) the renewed certificate from LetsEncrypt on the Nethserver host to add the CN for the AD container to the requested certificate, and copy it over the AD container’s Samba certificate?


NethServer-SavaPage module
Samba AD certificates
(Davide Principi) #2

Yes, I think it would be useful. I’d extend the support to the whole Server certificates page (upload, LE, autogenerated cases).

Let’s listen to other opinions!


(Rob Bosch) #3

Letsencrypt does come with a ‘catch all’ option: you can use wildcards for subdomains. Can this be an option to automagicaly renew the cert for NSDC containter too?
I know I have voiced my concerns about this option, but it might come in handy in this situation.


(Jeroen Visser) #4

It’s not a subdomain, and shouldn’t be. It’s a different host on the same domain. So the Nethserver’s record should only need an extra host (nsdc-[servername].domain.tld) added to it’s certificate, and copy it over the certs in the container for this to be no longer an issue.


(Jeroen Visser) #5

So, basically, all I need for this to work like I already expect it to work, would be for the letsencrypt routine to

a) add the nsdc-hostname.domainname.tld to the list of requested CN’s, or ‘Domains’ as they are called in the Gui
b) Next step is to simply copy the created certificate and key to the expected locations. Defaults are:

cp /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem (could probably be skipped)
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem (could probably be skipped)

Is there a way for me to “extend” that routine, or is this something that is within the range of possibilities to be added to the letsencrypt routine of AD account provider type installs ?

(Reason being: java and other services depend on a valid certificate, self-signed is a no-go. My hack is easy to forget (as @davidep remarked when I voiced my solution :smiley: ) and quite nescessary for proper AD functioning.)


(Markus Neuberger) #6

You may integrate it in /usr/libexec/nethserver/letsencrypt-certs (maybe just add a line to execute your custom script) or you could setup a cronjob (no need for changing internal scripts)


(Davide Principi) #7

Just out of curiosity, what kind of LE challenge did you set up? DNS? HTTP?


(Giacomo Sanchietti) #8

When a certificate is renewed (including LE one) the event certificate-update is called.
You can add a script inside it /etc/e-smith/events/certificate-update


Change favorite certificate CLI
(Jeroen Visser) #9

Just HTTP, it still requires me to open a port in the firewall, but that is very workable.

@giacomo , thanks, that’s what I was looking for :slight_smile:


(Jeroen Visser) #10

@giacomo If I drop the following content in a file in /etc/e-smith/events/certificate-update/ and chmod+x it, would that be enough ?

#!/bin/bash
cp -f /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

…or is there something else I need to be aware of with these events/actions ? (it seems to work, just not sure if this will survive updates and stuff)


Howto install guacamole
(Giacomo Sanchietti) #11

Yes, it’s enough and it will survive updates :wink:
You should also add the file path to the custom backup config configuration!


(Hitmoky Hitter) #12

Perhaps this is a totally different matter but in my eyes it is related to this feature. I am trying to add Nextcloud as an external server to keep traffic more seperated from Nethserver but for that I need working SSL on Samba. I tried this method but I am still getting the Samba autogenerated host and ca certificates if I check on port 636.


(Davide Principi) #13

I’m thinking about how to put this feature in the next nethserver-dc release in a backward-compatible manner.

I came to the following conclusion: the update must not alter existing systems configuration.

  • Already existing DCs must keep on using the old Samba self-signed certificate.
  • Newly provisioned DCs will use the default NethServer system certificate.

I guess we must also push the NSDC host name in the certificate generation routines, both self-signed and LE ones.


(Hitmoky Hitter) #14

Could be very handy yes. Glad you described a possible solution. ^^


(Jeroen Visser) #15

Not sure about the first bullet. I dont see any harm in replacing the old Samba self-signed certificate with default Nethserver system certificate. It would keep people on the depricated system and cause confusion in about half a year or so :stuck_out_tongue:

In cases of self-signed, it is irrelevant which self-signed one is used, and when the LE one gets pushed, that means an improvement. Am I mistaken ?