XCP-ng
    trying to enable Let's Encrypt on XO-CE

      Octive

      Hello all, I'm new to Xen Orchestra and XCP-ng. I'm setting up my first lab, attempting to replace VMware. Any pointers on this would be appreciated.

      I've built an Ubuntu XO Community Edition server, and everything seems to be working. However, when attempting to follow the directions found here: https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/mixins/docs/SslCertificate.md?ref=xen-orchestra.com

      I don't seem to get a Let's Encrypt certificate.

      Here are the relevant config file settings:
      redirectToHttps = true
      port = 443
      autoCert = true
      acmeCa = 'zerossl/production'
      acmeDomain = 'xo-ce.mydomain.com'
      acmeEmail = 'myemail@mydomain.com'
      cert = '/etc/ssl/certs/certificate.pem'
      key = '/etc/ssl/private/key.pem'

      Note: do I create empty .pem files in order for this to work?

        Octive

        Happy New Year,

        I was able to figure out the issue: I created two empty .pem files and needed to open port 80 on the UFW firewall per the directions above.

        /etc/ssl/certs/xo.cert.pem
        /etc/ssl/private/xo.key.pem

        After restarting services I was able to receive a Let's Encrypt certificate. However, the certificate appears untrusted. What is the expected outcome? Should this certificate be trusted automatically, or do I need to install a certificate chain on my systems?

        Apologies for the stupid questions; it's my first time working with these technologies.

        [image: letsencryptcert.png]

          Danp (Pro Support Team)

          I would expect a certificate from Let's Encrypt to automatically be trusted, so it sounds like you ended up with a self-signed certificate instead of one from LE.

          P.S. Happy New Year! 🎆

            gskger (Top contributor) @Octive

            @Octive Did you also restart xo-server?

              gskger (Top contributor) @Octive

              @Octive I get Let's Encrypt certificates through the ACME plugin of my pfSense firewall and automatically copy them to XO. I get these cert files when renewing:

              xo.myplaylab.net.all.pem
              xo.myplaylab.net.ca
              xo.myplaylab.net.crt
              xo.myplaylab.net.fullchain
              xo.myplaylab.net.key
              

              and use xo.myplaylab.net.crt (cert) and xo.myplaylab.net.key (key).

                Octive

                Thanks for the input, I'm going to disable this integration and deploy a similar solution.

                  julien-f (Vates, Co-Founder, XO Team) @Octive

                  @Octive Make sure you follow the doc at https://github.com/vatesfr/xen-orchestra/blob/master/%40xen-orchestra/mixins/docs/SslCertificate.md

                  To be able to get a Let's Encrypt certificate, your XOA must be publicly reachable on both HTTP and HTTPS.

                  You do not need to manually create the files, nor do you need to restart xo-server. Also, if your web browser trusts the Let's Encrypt CA (most of them do), your certificate should be recognized automatically.

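Whether XO handed out the self-signed certificate it generates when autoCert is on and no ACME certificate was obtained (Danp's suspicion above) or a CA-issued one that browsers trust (Julien's point) can be settled from any shell, as can the "publicly reachable on HTTP and HTTPS" requirement. The following is an added example, not code from this thread or from Xen Orchestra. It assumes the openssl and curl CLIs are installed, uses placeholder host names, and builds constructed sample certificates locally (a self-signed one standing in for the autoCert fallback, and a leaf signed by a throwaway lab CA standing in for a Let's Encrypt certificate) so the offline part runs without network access.

```shell
#!/usr/bin/env bash
# Added example for this thread; not code from Xen Orchestra or from any poster.
# Tells XO's self-signed autoCert fallback apart from a CA-issued (e.g. Let's Encrypt)
# certificate and probes the two ports ACME needs. Assumes the openssl and curl CLIs.
# Host names are placeholders; the sample certificates below are constructed locally.

# Issuer, subject and validity window of a PEM certificate file.
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -subject -dates
}

# Exit 0 when issuer == subject, the quick sign of a self-signed certificate, which is
# what XO generates itself when autoCert is on and no ACME certificate was obtained.
# (The definitive test is whether the cert verifies against a trust store; see below.)
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Exit 0 when certificate $2 chains to the CA bundle $1: the same decision a browser
# makes with its trust store (Let's Encrypt roots are in nearly all of them).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- live checks (need network; not exercised offline) ---

# Leaf certificate actually served on 443; SNI is set so the right one comes back.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# ACME HTTP-01 needs port 80 reachable from the internet. Any HTTP status, even a
# 404, shows the port is open; curl exit 7 (connection refused) or 28 (timeout) means
# a firewall or NAT rule, like the UFW one in this thread, is still blocking it.
probe_http01_port() {
    curl -sS -o /dev/null -m 10 -w '%{http_code}\n' \
        "http://$1/.well-known/acme-challenge/probe"
}

# --- constructed samples for offline use ---

# $1 = scratch directory. Writes selfsigned.pem (stands in for the autoCert fallback)
# and leaf.pem signed by a throwaway lab CA in ca.pem (stands in for an LE-issued cert).
make_samples() {
    d="$1"
    # minimal req config so the result does not depend on the system openssl.cnf
    cat >"$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=xo-ce.example.test" -keyout "$d/selfsigned.key" \
        -out "$d/selfsigned.pem" >/dev/null 2>&1
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Example Lab CA" -keyout "$d/ca.key" -out "$d/ca.pem" \
        >/dev/null 2>&1
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=xo-ce.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
}

# Walk through the offline samples and print a verdict for each.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in selfsigned.pem leaf.pem; do
        echo "== $f"; cert_summary "$d/$f"
        if is_self_signed "$d/$f"; then echo "verdict: self-signed (autoCert fallback)"
        else echo "verdict: issued by a CA"; fi
        if verify_against_ca "$d/ca.pem" "$d/$f"; then echo "chains to lab CA: yes"
        else echo "chains to lab CA: no"; fi
    done
}
```

Against a real deployment, `fetch_served_cert xo-ce.mydomain.com > served.pem; is_self_signed served.pem && echo fallback` answers the question raised in this thread directly, and `probe_http01_port xo-ce.mydomain.com`, run from outside the LAN, shows whether the firewall change actually exposed port 80 to the ACME server. `demo` prints both verdicts for the constructed samples.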