Trying to connect TrueNAS-Scale to NS8-AD, Letsencrypt fails to obtain certificate

Here are my steps to use a letsencrypt cert for samba but there’s room for improvement and it’s just a first draft, so please test it before using it in production environments.

Some ideas for the future:

  • Use letsencrypt DNS verification instead of HTTP to avoid the port forward to the DC that’s needed for renewal
  • Automate the process

Check current Samba certificate:

openssl s_client -connect localhost:636

You should get an answer like that, use CTRL-C to exit the command.
Check the CN to get the FQDN of the DC, in my case it is dc1.ad.mrmarkuz.com

CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = DC1.ad.mrmarkuz.com

Get a letsencrypt certificate for the samba DC. In my case it worked by just port forwarding port 80 from my NethSecurity to the NS8. No additional DNS entries were needed.

Backup the current certificate:

My samba user/instance name is samba1, please adapt all following commands to use your right samba instance/user…

mv /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem.bkp
mv /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem.bkp

I used traefik-certs-dumper tool to extract the certs from traefik, see also Path to the certs? - #4 by mrmarkuz

Download and extract the tool:

wget https://github.com/ldez/traefik-certs-dumper/releases/download/v2.8.3/traefik-certs-dumper_v2.8.3_linux_386.tar.gz
tar -xzvf traefik-certs-dumper_v2.8.3_linux_386.tar.gz

Get the certificates out of traefik using the tool:

./traefik-certs-dumper file --source /home/traefik1/.local/share/containers/storage/volumes/traefik-acme/_data/acme.json --domain-subdir --crt-ext=.pem --key-ext=.pem --version v2

The cert files that we will use for samba should be located in dump/<yourdcname>/ (in my case dump/dc1.ad.mrmarkuz.com), so please adapt the following commands accordingly.

Copy the certificates to the samba volume:

cp dump/dc1.ad.mrmarkuz.com/certificate.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/cert.pem
cp dump/dc1.ad.mrmarkuz.com/privatekey.pem /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/key.pem

Set right owner:

chown samba1:samba1 /home/samba1/.local/share/containers/storage/volumes/data/_data/private/tls/*.pem

We got no CA file, so we need to add the following samba config to /home/samba1/.local/share/containers/storage/volumes/config/_data/include.conf, else the service won’t start:

tls cafile =

If you created the file, please check the file owner; it should be samba1:samba1.

Restart the samba dc service:

runagent -m samba1 systemctl --user restart samba-dc

Check the samba cert again:

root@home:~# openssl s_client -connect localhost:636
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = dc1.ad.mrmarkuz.com
verify return:1

I didn’t test a samba client yet but as the cert is there it should work…
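Toward the "automate the process" idea above, here is an added example (not code from the original post or from the traefik-certs-dumper project) that reads the certificate and key for the DC straight out of traefik's acme.json. It assumes the traefik v2 acme.json layout (resolver name at the top level, a "Certificates" list whose entries hold base64-encoded PEM under "certificate" and "key") and uses a constructed sample file with placeholder PEM bodies; the FQDN match is case-insensitive because the DC's CN can be upper-case, as in the s_client output above.

```python
import base64
import json

# Constructed sample in the traefik v2 acme.json layout (assumption, see lead-in).
# The PEM bodies are placeholders, not real key material.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {
        "Account": {"Email": "admin@example.com"},
        "Certificates": [{
            "domain": {"main": "dc1.ad.example.com", "sans": None},
            "certificate": base64.b64encode(SAMPLE_CERT_PEM.encode()).decode(),
            "key": base64.b64encode(SAMPLE_KEY_PEM.encode()).decode(),
            "Store": "default",
        }],
    }
})


def extract_pem_pair(acme_json_text, fqdn):
    """Return (cert_pem, key_pem) for the entry whose main domain or SAN list
    matches fqdn (case-insensitive). Raises KeyError if no resolver has one."""
    data = json.loads(acme_json_text)
    for resolver in data.values():
        for entry in resolver.get("Certificates") or []:
            names = [entry["domain"].get("main", "")] + (entry["domain"].get("sans") or [])
            if fqdn.lower() in (n.lower() for n in names):
                cert = base64.b64decode(entry["certificate"]).decode()
                key = base64.b64decode(entry["key"]).decode()
                # Refuse to hand back a truncated or non-PEM blob: samba-dc would
                # fail to start and the backup copy would have to be restored.
                if not cert.startswith("-----BEGIN CERTIFICATE-----") or "PRIVATE KEY-----" not in key:
                    raise ValueError("entry for %s does not decode to PEM" % fqdn)
                return cert, key
    raise KeyError("no certificate for %s in acme.json" % fqdn)


if __name__ == "__main__":
    # Usage: python3 extract.py /path/to/acme.json dc1.ad.example.com /output/dir
    # Write cert.pem and key.pem (key with mode 0600) into the given directory.
    import os
    import sys
    src, fqdn, outdir = sys.argv[1:4]
    with open(src) as fh:
        cert, key = extract_pem_pair(fh.read(), fqdn)
    os.makedirs(outdir, exist_ok=True)
    with open(os.path.join(outdir, "cert.pem"), "w") as fh:
        fh.write(cert)
    fd = os.open(os.path.join(outdir, "key.pem"), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
```

The output directory can then be copied into the samba volume's private/tls/ path and chowned exactly as in the manual steps above; the chown step is still needed because the script does not know the samba instance user.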