
Joop
Resolved
0 votes
Hello all,

My question is about securing the FTP connection and the webconfig of my ClearOS server 7.7.2.

When setting up a connection from the internet to my FTPS server, the calling party gets the message of an unknown certificate. And when I enter the dashboard of the server (using a local IP address) I get the warning of a wrong certificate (SSL_ERROR_BAD_CERT_DOMAIN).

The Let's Encrypt app is installed and is being used for several websites that are hosted on my server. But those websites have a name and a DNS record somewhere.

The webconfig and FTP can only be reached via an IP address, so in my opinion it is not possible to attach a certificate to them. At least, I tried to get a certificate and that failed. Also I tried to get a certificate on the name of my server, but because there is no DNS record, this was also not possible.

I scanned all the articles in the community, but I'm afraid that my knowledge on this subject is not sufficient to understand them.

So, what do I want to know?
1: how can I successfully add a certificate for my server?
2: how can I force the webconfig page to use HTTPS?
3: how can I let FTP use that certificate?

I hope that one of you could point me in the right direction.

Best regards,
Joop
Friday, May 15 2020, 03:05 PM
Responses (9)
  • Accepted Answer

    Thursday, March 17 2022, 03:40 PM - #Permalink
    0 votes
    I can't change the clients! Also it would preclude you from using IP addresses. Web sites work that way. In general mail apps just require a certificate - any certificate - so they can encrypt the data. Often mail apps don't care about the FQDN or validity, but some, such as Outlook and, to an extent, Thunderbird, do. I can't speak for FTP apps or other apps.
  • Accepted Answer

    Thursday, March 17 2022, 02:54 PM - #Permalink
    0 votes
    Nick, OK, I thought you were afraid of the system getting compromised due to this change.
    But you are afraid of other parts stopping working because these certificates are renewed frequently and shared by other services.
    - Then these services of course need to be included in the update scripts as well.

    But ... using system.lan.... at all ... Systems and clients should avoid and block non-matching CNs --- just my 10c
  • Accepted Answer

    Thursday, March 17 2022, 02:17 PM - #Permalink
    0 votes
    The problem is that, if another program snapshots the bootstrap key on installation (I think postfix does, as an example), it will grab a copy of the LE cert which will expire very soon and will not get updated.
  • Accepted Answer

    Thursday, March 17 2022, 01:47 PM - #Permalink
    0 votes
    Nick,
    What exactly are you afraid of?
    This change does not make any of the (key)files more accessible from the client side.
    /Claus
  • Accepted Answer

    Thursday, March 17 2022, 11:41 AM - #Permalink
    0 votes
    Just to say this is a bit dangerous as the bootstrap certificate can be copied and used in other apps on their installation, but you may get away with it. There does not seem to be a safe way of achieving what you want. The conf file is generated by /usr/clearos/apps/flexshare/libraries/Flexshare.php, but any update to the Flexshare app will override anything you change in this file.
  • Accepted Answer

    Monday, February 07 2022, 02:37 PM - #Permalink
    0 votes
    I did a little further work on this:
    Not fully tested but seems to work.
    All at your own risk.

    I strongly recommend reading ALL this.
    https://documentation.clearos.com/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail

    /Claus

    If I missed something, tell me :)

    ClearOS FTPS and LetsEncrypt Certificates

    This is NOT fully tested but seems to work.
    All at your OWN RISK
    Like me, someone in the community asked for FTP certificates.
    https://www.clearos.com/clearfoundation/social/community/lets-encrypt-on-ftp-s-and-webconfig

    As an answer to the question, Nick Howitt gives a lot of useful information.
    I did some further reverse engineering and found that
    What did I do?

    I had completed the mail setup described here:
    https://documentation.clearos.com/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail
    You need to do at least the following from the last document linked above:
    • Background
    • Requirements and
    • Configuration and Common Let’s encrypt setup

    Somehow I figured out that two files used by FTP are located here. Run this:
    [root@home lets_encrypt]# ls -al /etc/proftpd.d
    total 20
    drwxr-xr-x 2 root root 47 Feb 7 12:08 .
    drwxr-xr-x. 112 root root 8192 Feb 7 11:37 ..
    -rw-r--r-- 1 root root 2184 Feb 7 12:08 flex-21.conf
    -rw-r--r-- 1 root root 2200 Feb 7 12:08 flex-990.conf
    [root@home lets_encrypt]#

    The flex-990 file has an area:
    <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/tls.log
    TLSOptions NoCertRequest UseImplicitSSL
    TLSRequired off
    TLSRSACertificateFile /etc/pki/CA/bootstrap.crt
    TLSRSACertificateKeyFile /etc/pki/CA/bootstrap.key
    TLSVerifyClient off
    </IfModule>

    It looks like these bootstrap files are created during installation.

    I did a readout of the bootstrap certificates using:
    https://www.sslshopper.com/certificate-decoder.html

    Certificate Information:
    Common Name: system.lan
    Organization: ClearOS
    Organization Unit: ClearOS
    Locality: Toronto
    Country: CA
    Valid From: February 5, 2022
    Valid To: April 24, 2030
    Issuer: system.lan, ClearOS
    Serial Number: 1644072441 (0x61fe8df9)

    Make a backup of these files:
    Run: cd /etc/pki/CA

    [root@home CA]# pwd
    /etc/pki/CA

    cp /etc/pki/CA/bootstrap.crt /etc/pki/CA/bootstrap.crt-Backup
    cp /etc/pki/CA/bootstrap.key /etc/pki/CA/bootstrap.key-Backup

    Your certificates are found here:

    [root@home CA]# ls /etc/letsencrypt/live/
    README Your_Domain_Name

    Your certificate files are here:
    [root@home CA]# ls -al /etc/letsencrypt/live/Your_Domain_Name/
    total 4
    drwxr-xr-x 2 root root 93 Feb 6 16:22 .
    drwxr-x--- 4 root ssl-cert 61 Feb 6 16:22 ..
    lrwxrwxrwx 1 root root 34 Feb 6 16:22 cert.pem -> ../../archive/Your_Domain_Name/cert1.pem
    lrwxrwxrwx 1 root root 35 Feb 6 16:22 chain.pem -> ../../archive/Your_Domain_Name/chain1.pem
    lrwxrwxrwx 1 root root 39 Feb 6 16:22 fullchain.pem -> ../../archive/Your_Domain_Name/fullchain1.pem
    lrwxrwxrwx 1 root root 37 Feb 6 16:22 privkey.pem -> ../../archive/Your_Domain_Name/privkey1.pem
    -rw-r--r-- 1 root root 692 Feb 6 16:22 README
    [root@home CA]#

    Find the FTP user

    [root@home CA]# cat /etc/passwd | grep ftp
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    [root@home CA]#

    Add the ftp user to the ssl-cert group:

    usermod -a -G ssl-cert ftp


    Now copy and overwrite the bootstrap certificates with yours.
    … DID YOU make the copy above?
    \cp /etc/letsencrypt/live/Your_Domain_Name/cert.pem /etc/pki/CA/bootstrap.crt
    \cp /etc/letsencrypt/live/Your_Domain_Name/privkey.pem /etc/pki/CA/bootstrap.key

    Check with ls -al
    And restart the service:
    systemctl restart proftpd
    You should now be able to test FTPS on port 990 using the new certificates.

    But - when the certificate updates ...
    You need some automation.

    cd /var/clearos/events/lets_encrypt/
    [root@home lets_encrypt]#

    Create a file here:
    Run:
    nano proftp
    And enter:
    #!/bin/sh
    # Run by ClearOS after a Let's Encrypt renewal; RENEWED_LINEAGE is the live directory of the renewed certificate
    if [ "$(basename "$RENEWED_LINEAGE")" = "Your_Domain_Name" ]; then
        sleep 10
        # overwrite the bootstrap certificate and key with the renewed Let's Encrypt ones, then reload proftpd
        \cp /etc/letsencrypt/live/Your_Domain_Name/cert.pem /etc/pki/CA/bootstrap.crt
        \cp /etc/letsencrypt/live/Your_Domain_Name/privkey.pem /etc/pki/CA/bootstrap.key
        systemctl restart proftpd
    fi

    Save and exit.

    Make the file executable:
    [root@home lets_encrypt]# chmod 0755 proftp
    CHECK !!
    [root@home lets_encrypt]# ls -al
    total 20
    drwxr-xr-x 2 root root 74 Feb 7 13:54 .
    drwxr-xr-x. 21 root root 4096 Feb 5 19:11 ..
    -rwxr-xr-x 1 root root 126 Feb 6 18:53 cyrus-imapd
    -rwxr-xr-x 1 root root 111 Nov 16 15:17 lets_encrypt
    -rwxr-xr-x 1 root root 122 Feb 6 18:49 postfix
    -rwxr-xr-x 1 root root 49 Feb 7 13:54 proftp
    [root@home lets_encrypt]#

    Restart the service:
    systemctl restart proftpd

    and check!

    Do a final reboot?
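A hardened variant of the renewal hook from the post above, written here as an added example (it is not Claus's script and not ClearOS code): it keeps a timestamped backup of the bootstrap files, refuses to deploy a cert.pem/privkey.pem pair whose public keys do not match, installs the key without world-read permission, and restarts proftpd only if it is running. It assumes, as the post does, that ClearOS runs every executable in /var/clearos/events/lets_encrypt/ with RENEWED_LINEAGE set to the renewed live directory; the file modes and the Your_Domain_Name placeholder are assumptions.

```shell
#!/bin/sh
# Added example: hardened Let's Encrypt deploy hook for the ClearOS FTPS bootstrap
# certificate. Not the post's script; the paths follow the post, the file modes
# and the Your_Domain_Name placeholder are assumptions.
set -e

DOMAIN="${DOMAIN:-Your_Domain_Name}"
DEST_CRT="${DEST_CRT:-/etc/pki/CA/bootstrap.crt}"
DEST_KEY="${DEST_KEY:-/etc/pki/CA/bootstrap.key}"

# True only when the renewed lineage directory is the one deployed for FTPS.
lineage_matches() {
    [ "$(basename "$1")" = "$2" ]
}

# Refuse a cert.pem/privkey.pem pair whose public keys differ: deploying it would
# leave proftpd unable to complete TLS handshakes after the restart.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Keep a timestamped copy of the files currently in place, then install the new
# ones with explicit modes so the private key is never world-readable.
install_pair() {
    src_crt=$1; src_key=$2; dst_crt=$3; dst_key=$4
    stamp=$(date +%Y%m%d%H%M%S)
    [ -f "$dst_crt" ] && cp -p "$dst_crt" "$dst_crt.$stamp.bak"
    [ -f "$dst_key" ] && cp -p "$dst_key" "$dst_key.$stamp.bak"
    install -m 0644 "$src_crt" "$dst_crt"
    install -m 0640 "$src_key" "$dst_key"
}

main() {
    lineage=$1
    lineage_matches "$lineage" "$DOMAIN" || exit 0      # another site's cert: nothing to do
    cert_key_match "$lineage/cert.pem" "$lineage/privkey.pem" || {
        echo "proftpd hook: cert/key mismatch in $lineage, not deploying" >&2
        exit 1
    }
    install_pair "$lineage/cert.pem" "$lineage/privkey.pem" "$DEST_CRT" "$DEST_KEY"
    systemctl try-restart proftpd    # restart only if proftpd is actually running
}

# RENEWED_LINEAGE is only set when the Let's Encrypt app invokes this hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main "$RENEWED_LINEAGE"; fi
```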
  • Accepted Answer

    Friday, May 15 2020, 05:23 PM - #Permalink
    0 votes
    Site certificates only work with FQDNs (DNS), not IP addresses. You need to access your webconfig by an FQDN covered by the certificate. If you need to, put the FQDN into your DNS server and map it to the ClearOS LAN IP.
  • Accepted Answer

    Joop
    Friday, May 15 2020, 04:36 PM - #Permalink
    0 votes
    Hello Nick,

    Thanks for your quick reply. I already have a static IP address, so do I also need to install the Dynamic DNS? And Let's Encrypt looks for a public DNS record when requesting a certificate, I think, so what's the need for adding a local DNS record?

    In the settings I used an existing certificate of a locally hosted website. But still I get the error message of a wrong SSL certificate, because I connect to my server using a local address. Would that be the reason? Or does the entry of a local address to the DNS solve this problem?

    Joop
  • Accepted Answer

    Friday, May 15 2020, 03:59 PM - #Permalink
    0 votes
    You have a ????.poweredbyclear.com DNS record if you activate the ClearOS DDNS (it is free). You can change the ???? to something more meaningful than the default if you can pick an available name. For the webconfig, you'd probably want then to add this record to your DNS server for your LAN IP as well. You can get a Let's Encrypt certificate for this FQDN. You then assign it through System > Settings > General Settings.

    It seems like you have Let's Encrypt certificates for your websites. You could use one of them, but similarly would have to add the website to your DNS for it to work on your LAN.

    FTP is more problematic and I'd say virtually impossible. Certificates seem to be in /etc/proftpd.d/flex-990.conf and /etc/proftpd.d/flex-21.conf but these files are created on-the-fly when the flexshare app is updated so changes there will get overwritten. You could patch the underlying code but it would be specifically for you and may also get overwritten if there is an app update.