
Is it possible to utilise letsencrypt with SGD?

YTC1
YTC1 Member Posts: 56
edited Oct 18, 2018 3:57AM in Secure Global Desktop

I've started to use letsencrypt for a few services now, https://letsencrypt.org/  , but was wondering about using it with SGD.

SGD validates cert issuers with /opt/tarantella/etc/data/cacerts.txt

Before I start playing with it, and adding letsencrypt info, has anyone already tried it out?

Answers

  • Jan-Oracle
    Jan-Oracle Senior Product Manager USMember Posts: 122 Employee
    edited Oct 16, 2018 2:48PM

    SGD works fine with LetsEncrypt, if your DNS provider allows it in the CAA record. Feel free to check it out at https://sgd.secureaccess.network.

    Letsencrypt uses port 80/443 on your server to generate the certificate. You need to stop your SGD gateway or server while running certbot. After certbot has generated/renewed your certificate you can use it with the SGD gateway as follows

    # export FQDN="<your fully qualified domain name>"
    # export EMAIL="<your email address>"
    # certbot certonly --standalone --agree-tos -n -m "${EMAIL}" -d "${FQDN}"
    # if [ -f "/etc/letsencrypt/live/${FQDN}/cert.pem" ]; then
    >     /opt/SUNWsgdg/bin/gateway sslkey import \
    >         --keyfile "/etc/letsencrypt/live/${FQDN}/privkey.pem" \
    >         --keyalg RSA \
    >         --certfile "/etc/letsencrypt/live/${FQDN}/cert.pem" \
    >         --cacertfile "/etc/letsencrypt/live/${FQDN}/chain.pem" \
    >         --alwaysoverwrite
    > else
    >     echo "/etc/letsencrypt/live/${FQDN}/cert.pem does not exist"
    > fi
    #
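
The procedure in the answer above, as an added example that is not code from the original post, from Oracle or from the SGD product: a POSIX sh script that wraps certbot's pre-hook and post-hook around the gateway stop, the `sslkey import` and the gateway start, replaces the `||`/`&&` one-liner with an explicit check for all three files, and adds a preflight for the CAA point made at the start of the answer. Assumptions, also labelled in the code: the `/opt/SUNWsgdg/bin/gateway` path and the `sslkey import` options are taken from the answer, while the `start`/`stop` subcommands of that CLI are assumed; `dig` is assumed to be installed for the CAA lookup; the host and mailbox names in the usage line are placeholders. The post-hook is used instead of a deploy hook on purpose: it runs after every attempt, so the gateway is always started again even when the ACME exchange failed, and the import is harmless to repeat because of `--alwaysoverwrite`.

```shell
#!/bin/sh
# Added example; not code from the original thread, from Oracle or from SGD.
# Wraps the manual steps in the answer above (stop the gateway, run certbot
# standalone, import cert.pem/privkey.pem/chain.pem, start the gateway) in
# certbot hooks so renewals run unattended, plus the CAA preflight.
# Assumptions (hypothetical, adjust for your install):
#   GATEWAY  SGD Gateway CLI: "sslkey import" and its options are from the
#            thread; "start"/"stop" are assumed subcommands of that CLI
#   LE_ROOT  certbot's config directory (default /etc/letsencrypt)
#   dig      available for the CAA lookup
GATEWAY="${GATEWAY:-/opt/SUNWsgdg/bin/gateway}"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
CA_DOMAIN="letsencrypt.org"

# Directory certbot maintains for one certificate lineage.
lineage_dir() {
    printf '%s/live/%s\n' "$LE_ROOT" "$1"
}

# Status 1 and the name of the first missing file. The one-liner in the
# answer ("[ -f ... ] || echo ... && import") ran the import even when
# cert.pem was missing, because "||" and "&&" bind equally in sh.
check_lineage() {
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -f "$1/$f" ]; then
            echo "$1/$f does not exist" >&2
            return 1
        fi
    done
    return 0
}

# Hand the leaf certificate, its key and the intermediate chain to the
# gateway (the chain goes in via --cacertfile, so fullchain.pem is unused).
import_lineage() {
    check_lineage "$1" || return 1
    "$GATEWAY" sslkey import \
        --keyfile "$1/privkey.pem" \
        --keyalg RSA \
        --certfile "$1/cert.pem" \
        --cacertfile "$1/chain.pem" \
        --alwaysoverwrite
}

# CAA check (RFC 8659, non-wildcard names): read "dig +short CAA" lines on
# stdin and decide whether the CA domain may issue. No "issue" tag means
# unrestricted; "issuewild" is ignored for non-wildcard names; an "issue"
# with empty value (";") forbids every CA; ";param=..." suffixes are dropped.
caa_allows() {
    ca="$1"; restricted=0; allowed=0
    while read -r _flags tag value; do
        [ "$tag" = "issue" ] || continue
        restricted=1
        domain=$(printf '%s\n' "$value" \
            | sed -e 's/^"//' -e 's/"$//' -e 's/;.*$//' -e 's/[[:space:]]*$//')
        [ "$domain" = "$ca" ] && allowed=1
    done
    [ "$restricted" -eq 0 ] || [ "$allowed" -eq 1 ]
}

# The relevant RRset is the first non-empty one walking up towards the root.
caa_rrset() {
    name="$1"
    while [ -n "$name" ]; do
        rr=$(dig +short CAA "$name") && [ -n "$rr" ] && { printf '%s\n' "$rr"; return 0; }
        case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
    done
}

# Initial issuance. Standalone mode needs port 80 itself, so the pre-hook
# stops the gateway and the post-hook (this script) imports and starts it.
# certbot stores both hooks in the renewal config, so "certbot renew"
# replays them. --key-type rsa keeps the key matching "--keyalg RSA" now
# that certbot defaults to ECDSA (drop the flag on releases that lack it).
issue() {
    fqdn="$1"; email="$2"
    self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
    caa_rrset "$fqdn" | caa_allows "$CA_DOMAIN" || {
        echo "CAA for $fqdn does not permit $CA_DOMAIN" >&2; return 1; }
    certbot certonly --standalone --agree-tos -n --key-type rsa \
        -m "$email" -d "$fqdn" \
        --pre-hook "$GATEWAY stop" \
        --post-hook "$self post $fqdn"
}

# Post-hook: runs after every attempt, renewed or not. The import is
# idempotent (--alwaysoverwrite) and the gateway is started regardless, so
# a failed ACME exchange never leaves SGD down; the exit status reports it.
post() {
    rc=0
    import_lineage "$(lineage_dir "$1")" || rc=1
    "$GATEWAY" start
    return "$rc"
}

case "${1:-}" in
    issue) issue "$2" "$3" ;;
    post)  post "$2" ;;
    *)     : ;;  # no arguments: only defines the functions above
esac
```

Install the script under an absolute path on the gateway host and run it once as root, for example `./sgd-le.sh issue gw.example.test hostmaster@example.test` (placeholder names); afterwards a plain `certbot renew` from cron replays the stored pre-hook and post-hook, so the gateway is stopped only for the duration of the HTTP-01 exchange. The CAA walk checks the closest RRset up the tree, as a CA does, so a restriction set on the parent zone is caught before certbot is even started.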

  • YTC1
    YTC1 Member Posts: 56
    edited Oct 17, 2018 3:43AM

    Thanks, I'll give that a try out.

  • YTC1
    YTC1 Member Posts: 56
    edited Oct 17, 2018 10:23AM

    As I am running Solaris 11, I am using the acme.sh script (it was getting way too hard to add all the guff needed for certbot to run).

    I have successfully installed a cert in nextcloud.

    But I am struggling with an error on my SGD zone.

    As I understand it letsencrypt uses port 80 with curl to validate the URL. Normally I don't allow 80 through on my router; for nextcloud I allowed it and directed it to that zone.

    With SGD it is failing, and I presume SGD is picking up the incoming message first.

    When I run with 80 directed to the SGD zone, it fails to verify. (Without a clear clue :-( )

    Is there anything I need to do with SGD to allow the verification ?

  • Jan-Oracle
    Jan-Oracle Senior Product Manager USMember Posts: 122 Employee
    edited Oct 17, 2018 12:29PM

    SGD (or the gateway, which ever component responds on 80/443 to the FQDN) must not be running during the letsencrypt verification.

  • YTC1
    YTC1 Member Posts: 56
    edited Oct 17, 2018 2:55PM

    It was running and working, on both 80 and 443. Ok, I'll have to dig deeper, thanks

  • YTC1
    YTC1 Member Posts: 56
    edited Oct 18, 2018 3:57AM

    Ok, that was my bad. It is a bad idea to be doing SGD with the left hand while installing/upgrading Opscenter with the right. I had mistyped the Docroot :-(

    Now it works fine with the staging server option, but fails with the live one. So I will need to ask questions at letsencrypt now. I can see this will be a long exercise.