Apache servername, plus install new SSL cert via Certbot

justinz 2024-01-18 15:40:39 UTC #1

Hi All,
I apologize if this is a newbie mistake…

I think either I have an expired SSL cert, or ServerName isn’t setup in Apache reverse proxy, or both. Symptom: Firefox error: SEC_ERROR_UNKNOWN_ISSUER".

I’m running what I think is a typical docker deployment, installed ~1-2 years ago, on Fedora. I just updated to latest via ‘docker-compose pull; docker-compose up -d’ … egroupware-docker (23.1.20231220) hardy; urgency=low. All is fine there.

So if indeed this is stale SSL, then it seems the favorite way to update is via certbot… (more in my follow-up).

Thank you.

StefanU 2024-01-18 21:04:07 UTC #2

Nginx ist actual the standard (installation).
In the article you can find a hint to the old documentation with apache. Try it… but with backup of the system.

However, if you already have a Lets Encrypt certificate, you just need to renew it.
This normally happens automatically. Perhaps this no longer works for you for some reason.

But this is nothing specific to EGroupware. You should find a lot of documentation on SSL for reverse proxy in the www.

Stefan

justinz 2024-01-19 01:36:16 UTC #3

Stefan, Thank you.

Yes, it’s as you say – nothing to do with eGroupware. Rather, it turns out to be that I had been relying on the cert originally installed by Fedora when the OS was installed/upgraded. And that expired.

By the way, I hoped that ‘certbot --apache’ would have updated, but on my network port 80 isn’t accessible to letsencrypt, and I found I’d have to tear down some of apache’s reverse-proxy config, disable forcing http–>https, etc, to temporarily allow certbox to install new certs. And even then new certs would only be good for 90-days! I know there are some tricks to get around the port 80 restriction, but I just obtained a 2-year cert and manually installed it. Success!

Thank you again for confirming this wasn’t related to eGroupware itself.

Cheers–