SSL Certificates for UCS with Let's Encrypt

Welcome to the sixth edition of our UCS App Series! Today, it’s all about Let’s Encrypt, the top provider of free SSL/TLS certificates. With the Let’s Encrypt app in the Univention App Center, you can easily and automatically secure your UCS services like Apache, Postfix, and Dovecot.

Before we dive into how the app can help you effortlessly secure UCS services like Apache, Postfix, and Dovecot, let’s cover some basics. Why are HTTP and other plain-text protocols so risky? What exactly is SSL/TLS, and why is a Certificate Authority (CA) a good idea? No tech jargon, no headaches—just simple explanations and a few clicks to keep your digital communications safe from prying eyes.

Why Are HTTP, IMAP, and POP3 Insecure?

Imagine you’re sending a postcard from your vacation in Sweden. Anyone who gets their hands on it along the way can read the message. That’s exactly how it works with plain-text protocols like HTTP (Hypertext Transfer Protocol), SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), and POP3 (Post Office Protocol). Data sent over these protocols is not particularly secure. An intruder could, just like a curious postman, intercept and read your data as it travels.

It gets even worse: Not only can attackers eavesdrop, but they could also alter the message before it reaches the recipient. Instead of a friendly greeting from Gothenburg, your plant-sitting neighbor might receive a rude message—and neither of you would be any the wiser. The result? Friendship in ruins.

This is where encrypted communication comes to the rescue. By using HTTPS (Hypertext Transfer Protocol Secure) and other secure protocols like SMTPS (Simple Mail Transfer Protocol Secure), IMAPS (IMAP over SSL), or POP3S (SSL/TLS extension for POP3), you can protect your data from prying eyes and tampering. Only the intended services with the right decryption key can read the messages, keeping your digital correspondence safe and sound.

What Makes SSL/TLS Encryption Different?

SSL/TLS is like a sealed envelope for your digital messages. When communication passes through this encrypted transport layer, an “s” is added to the protocol name: HTTP becomes HTTPS, SMTP turns into SMTPS, and so on. You can also secure other protocols with SSL, such as FTPS (File Transfer Protocol Secure) and LDAPS (Lightweight Directory Access Protocol Secure). This encryption ensures that the data exchanged remains secure and private. Even if someone intercepts the message along the way, they wouldn’t be able to read it.

But SSL/TLS doesn’t stop there. The protocol also verifies that you’re actually communicating with the intended website or email sender—much like an official seal on an envelope confirms the sender’s authenticity. This is done using SSL/TLS certificates, which act like digital IDs, ensuring that a website or communication partner is genuine and trustworthy. This way, you can be confident that your data is not only encrypted but also sent to the right recipient.

SSL vs. TLS: What’s the Difference?

SSL (Secure Sockets Layer), developed in the early 1990s, was the dominant encryption protocol for secure communications on the Internet for many years. However, it was eventually replaced by TLS (Transport Layer Security), which addressed several vulnerabilities found in SSL. Today, TLS is the standard for secure Internet connections. Introduced in 1999 as the direct successor to SSL 3.0, TLS is not only more secure but also more flexible and efficient. TLS 1.3, released in 2018, is currently the most widely used version for encrypting data streams between clients and servers.

Interestingly, despite TLS being the modern standard, the term “SSL” remains more commonly recognized and frequently used. As a result, many applications still refer to SSL or use the combined term SSL/TLS, though they typically mean the latest version of TLS, specifically TLS 1.3.

What Are SSL Certificates?

SSL certificates function much like a seal that verifies the authenticity and integrity of a letter. Originally designed to secure the transmission of sensitive data, such as credit card numbers or passwords, these digital documents confirm the identity of a website or mail server. Beyond just confirming identity, SSL certificates ensure that data is transmitted in an encrypted form, safeguarding it from unauthorized access.

Each SSL certificate contains several key pieces of information:

  • Public Key: This key is used to encrypt data before it is sent.
  • CA Information: This specifies which Certificate Authority (CA) issued the certificate.
  • Details About the Website or Mail Server: This includes the domain name, the issuing organization, and the certificate’s validity period.

The corresponding private key remains on the server (whether it’s a web server, mail server, etc.) and is used to decrypt the data once it has been received.

Why Do You Need a CA?

With the right tools, anyone can generate SSL certificates; for example, on Linux and macOS, the OpenSSL toolkit is often used for this purpose. However, these self-signed certificates are not officially recognized. To mark these certificates as secure for public use on websites and applications, a Certificate Authority (CA) is required. Much like a trusted agency that verifies the authenticity and trustworthiness of seals on letters, a CA guarantees the authenticity of the information stored within an SSL certificate.

The primary responsibilities of a CA include:

  • Identity Verification: Before issuing an SSL certificate, the CA verifies the identity of the applicant.
  • Issuing Certificates: After successful verification, the CA issues the certificate and digitally signs it, making it recognizable as trustworthy by others.
  • Management and Revocation: The CA manages the issued certificates and can revoke them if necessary, such as when a certificate has been compromised or is no longer trustworthy.

Not all certificate authorities are created equal: there are countless CAs on the Internet, organized in a hierarchical structure that forms a trust chain. At the top of this hierarchy is the Root CA, which acts as the trust anchor. Certificates from all subordinate CAs are signed by the Root CA, meaning the Root CA has verified the identity and trustworthiness of the subordinate CAs.

For example, when you open a website in your browser, the browser checks the website’s certificate and traces it back through the chain of certificates up to the Root CA. The Root CA is considered trustworthy, and most operating systems and browsers recognize it as such. The browser follows this chain of trust from the end certificate through all subordinate CAs to the Root CA. The entire chain must be intact for the certificate to be considered trustworthy.

Most web browsers display a warning message for self-signed certificates and allow users to add exceptions. For websites that are publicly accessible from the Internet, this isn’t just bad for reputation—it’s a significant security risk.

SSL Certificates for UCS

Univention Corporate Server (UCS) also uses certificates to secure and encrypt network communication—both between UCS systems and between UCS servers and client devices. All services provided by UCS that support SSL/TLS can use these certificates to ensure secure communication, including the directory service, mail server, notifier/listener services, web server, and more.

Each UCS Primary Node is automatically set up as a CA (Certificate Authority) for the domain. If additional UCS systems are added to the domain, the CA automatically issues new certificates for them. This setup is typically sufficient for internal communication. However, if services need to be accessible from the outside, it’s recommended to replace the self-signed certificate with one issued by a public certificate authority.

What Makes Let’s Encrypt Special?

Enter Let’s Encrypt, a nonprofit certificate authority that provides free SSL/TLS certificates with the goal of making the entire Internet safer by promoting widespread and accessible web encryption.

What sets Let’s Encrypt apart is its emphasis on automation and ease of use. Utilizing the ACME protocol (Automatic Certificate Management Environment), which is based on JSON and HTTPS, Let’s Encrypt enables certificates to be automatically created, validated, installed, and renewed. Administrators don’t have to worry about expiring SSL certificates—Let’s Encrypt handles everything behind the scenes.

Let’s Encrypt App in the Univention App Center

The Let’s Encrypt app available in the Univention App Center seamlessly integrates the Let’s Encrypt client into UCS, providing free SSL certificates for securing services like the Apache web server, Postfix (SMTP) mail server, and Dovecot (IMAP) mail server. The installation process is straightforward and involves just a few steps:

    1. Search for the Let’s Encrypt app in the Univention App Center and install it on your UCS system.
    2. In the app settings, enter the domains for which you need certificates.
    3. Select the services you want to secure: Apache, Dovecot, and Postfix.

A convenient feature of the app is that it sets up a cron job to automatically renew the certificates every 30 days, ensuring that a valid certificate is always in place without any manual intervention required.

Installing and Configuring Let’s Encrypt

After clicking on Install, select a computer from your domain where you want to install Let’s Encrypt. Keep in mind that the machine on which the Let’s Encrypt app is installed must be accessible via HTTP from the Internet to ensure that the certificates can be successfully issued and renewed.

Screenshot Let's Encrypt Installation

Clicking on Continue installs the univention-letsencrypt package. After that, the App Center will display a brief help page with setup tips. Once you’ve confirmed that your UCS system is accessible from the Internet via the desired domain, open the app settings to proceed with the configuration.

Screenshot Let's Encrypt Configuration

Configure the desired domain(s), separating multiple entries with commas. Click the checkboxes to enable the services you wish to secure, then click Apply Changes. After about 10 seconds, the configuration dialog will display the status, indicating whether the certificate was successfully configured.

Using the Staging Environment

Enable the Use Let’s Encrypt staging environment checkbox to test certificate retrieval and domain verification without altering the configuration of your services. After clicking Apply Changes, the app will contact Let’s Encrypt’s staging endpoint.

If successful, you will see a message indicating that the retrieved certificate is invalid for production use. Important: Do not activate any additional services that are not explicitly configured for use with Let’s Encrypt. Enabling unsupported services may cause them to fail to start or function incorrectly. This limitation is in place to protect system stability and ensure proper implementation of Let’s Encrypt certificates. Once testing is complete, you can disable the test option and click Apply Changes again to switch to the production endpoint and obtain a valid certificate.

Restarting UCS Services and Updating the CA

During the initial setup (not for later certificate renewals), you will need to restart the relevant services. To do this, open the System services module in the Univention Management Console and search for apache2, postfix, and dovecot. Check the box next to each service name and click on RESTART.

Screenshot Let's Encrypt System Services

To ensure that all programs installed in the UCS environment recognize the new certificate as valid, you need to run a command in the terminal once. Open a terminal and, as the root user, enter the following command:

update-ca-certificates

Adjusting Apache Configuration

You can configure the web server to redirect all incoming HTTP connections to secure HTTPS connections. To do this, open the System module in the Univention Management Console (UMC) and navigate to the Univention Configuration Registry. Set the variable apache2/force_https to yes. Do not modify any UCR variables that begin with apache2/force_https/exclude*. These exclusions define conditions under which secure connections are not enforced for the local machine and the portal. Also, ensure that port 80 remains open so that Let’s Encrypt can renew the certificate regularly.

For your reference, the Let’s Encrypt log file can be found at /var/log/univention/letsencrypt.log, where the app records all actions.
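Once the services have been restarted, it is worth confirming two things rather than trusting the status line: that each service now presents a certificate issued by the public CA instead of the UCS domain CA, and that the renewal cron job keeps it from expiring. The following is an added example, not part of the post or of the app: the certificates it generates are constructed test data, the host names and ports are placeholders, and the path to the certificate the app installed is not given on the page, so point the checks at the PEM file you find on your system or at the live service.

```shell
#!/bin/sh
# Added example: post-setup checks for a Let's Encrypt deployment. The
# certificates created here are constructed; host names/ports are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issuer field of a PEM certificate, e.g. to tell the public CA's certificate
# apart from one signed by the UCS domain CA.
issuer_of() {  # issuer_of <cert.pem>
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Exit 0 if the issuer contains <substring>, 1 otherwise.
issuer_matches() {  # issuer_matches <cert.pem> <substring>
  case "$(issuer_of "$1")" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Exit 0 if the certificate expires within <days> days, i.e. renewal is due
# or the 30-day cron renewal has failed silently; 1 if it is fine.
expires_within() {  # expires_within <cert.pem> <days>
  # openssl -checkend exits 0 only when the cert is still valid after the window.
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# Fetch the certificate a running service actually presents (needs network).
# Apache on 443 speaks TLS directly; Postfix submission (587) and Dovecot IMAP
# (143) are usually STARTTLS ports, so pass "smtp" or "imap" as third argument.
fetch_live_cert() {  # fetch_live_cert <host> <port> [smtp|imap]  > cert.pem
  if [ $# -ge 3 ]; then
    openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" \
      </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
  fi | openssl x509
}

# Constructed test data: a self-signed cert with <days> of validity whose
# issuer (= subject, since self-signed) is <issuer-CN>.
make_cert() {  # make_cert <name> <issuer-CN> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_cert short "Demo Issuer CA" 20   # renewal overdue: expires in 20 days
make_cert long  "Demo Domain CA" 90   # freshly issued, 90 days left

for c in short long; do
  printf '%s: issuer "%s", ' "$c" "$(issuer_of "$WORK/$c.crt")"
  if expires_within "$WORK/$c.crt" 30; then
    echo "expires within 30 days, renewal due"
  else
    echo "valid for more than 30 days"
  fi
done
```

Against a live UCS host the same functions are used as, for instance, `fetch_live_cert mail.example.test 143 imap > live.pem && expires_within live.pem 30`; a non-zero exit from expires_within is the healthy case, and an issuer that still names your UCS domain CA means the service is not yet using the Let’s Encrypt certificate, which usually points at the missing restart from the previous section.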

Letter Privacy 2.0: Modern-Day Confidentiality with Let’s Encrypt and UCS

The importance of encryption on the Internet can’t be emphasized enough. Protecting your data—and that of others—from prying eyes and tampering is crucial! With the Let’s Encrypt app in the Univention App Center, this process is incredibly straightforward. The installation and setup are user-friendly, allowing administrators to ensure that services like Apache, Postfix, and Dovecot are always protected with valid SSL certificates in no time.


Do you have any questions or comments? Leave us a message and share your experiences and ideas—right here on the blog or in the Forum Univention Help!

Image source: Icon created by nangicon from flaticon.com
