Set Untangle certificate to an auto renewing LetsEncrypt certificate

This uses acme.sh to generate a certificate which replaces the one shown in the certificate section of the Untangle UI.

It runs on every invocation; if the certificate is renewed, it replaces the one used by Untangle and restarts Apache.

If the certificate isn't renewed, it still checks whether the certificate Untangle is using is the one cached by acme.sh, and replaces it and restarts Apache if necessary.

The crontab entries run the certificate check at reboot and at 4 am every morning.

You'll need to download acme.sh; it requires no dependencies beyond what Untangle already supplies. You will need to edit the acme.sh configuration to match how you update the cert.

(This sample script uses the Cloudflare DNS acme.sh plugin; you will need to adapt it to your specific needs.)

/etc/crontab (add these lines to this file)

@reboot root /root/updatecert >/dev/null

0 4     * * *   root    /root/updatecert >/dev/null

/root/updatecert (create this file and ensure it has execute permissions: chmod +x /root/updatecert)

#!/bin/bash

domainname="gateway.mydomain.com"
certdir="/root/.acme.sh/$domainname"

# Both locations Untangle reads the bundle from.
targets="/etc/apache2/ssl/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem"

# The bundle contains the private key, so never leave it world-readable in /tmp.
umask 077
tmpfile=$(mktemp /tmp/apache.pem.XXXXXX) || exit 1
trap 'rm -f "$tmpfile"' EXIT

# acme.sh exits 0 when a certificate was issued/renewed and 2 when renewal was skipped because it is not yet due.
/root/.acme.sh/acme.sh --issue --dns dns_cf -d "$domainname" > /dev/null
updatestatus=$?

# Build the bundle in the same order in both cases; otherwise the comparison below always
# differs after a renewal and Apache is restarted on every run.
cat "$certdir/$domainname.cer" "$certdir/$domainname.key" > "$tmpfile"

installcert() {
    for target in $targets; do
        cp "$tmpfile" "$target"
    done
    service apache2 restart
}

if [ "$updatestatus" -eq 0 ]; then
    installcert
elif [ "$updatestatus" -eq 2 ]; then
    # Not renewed: still make sure the bundle Untangle uses is the one acme.sh has cached.
    if ! cmp -s /etc/apache2/ssl/apache.pem "$tmpfile"; then
        installcert
    fi
fi

Change the value of domainname to match the DNS name of your Untangle server.
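As an added example (not part of the original gist), here is a small POSIX shell check that compares the CERTIFICATE block in each installed apache.pem with the .cer acme.sh has cached, ignoring the order of key and certificate inside the bundle, and confirms a private key is present. It assumes the same acme.sh and Untangle paths as the script above; the function names are mine.

```shell
#!/bin/sh
# Added example: verify that the apache.pem bundles Untangle reads carry the certificate
# acme.sh has cached. Only the PEM blocks are compared, so key/cert order does not matter.

# Print the first PEM block whose BEGIN/END label matches the extended regex in $1 from file $2.
pem_block() {  # usage: pem_block 'CERTIFICATE' FILE   or   pem_block '(RSA |EC )?PRIVATE KEY' FILE
    awk -v t="$1" '
        $0 ~ ("^-----BEGIN " t "-----$") { p = 1 }
        p { print }
        $0 ~ ("^-----END " t "-----$")   { exit }
    ' "$2"
}

# True when BUNDLE contains a certificate block identical to the one in CACHED_CER.
bundle_matches_cache() {  # usage: bundle_matches_cache BUNDLE CACHED_CER
    cert=$(pem_block 'CERTIFICATE' "$1")
    [ -n "$cert" ] && [ "$cert" = "$(pem_block 'CERTIFICATE' "$2")" ]
}

# True when BUNDLE also carries a private key (RSA or EC, as written by acme.sh).
bundle_has_key() {  # usage: bundle_has_key BUNDLE
    [ -n "$(pem_block '(RSA |EC )?PRIVATE KEY' "$1")" ]
}

# Check both copies the updatecert script installs; returns non-zero if any copy is stale.
check_untangle_cert() {  # usage: check_untangle_cert DOMAIN
    cache="/root/.acme.sh/$1/$1.cer"
    rc=0
    for f in /etc/apache2/ssl/apache.pem /usr/share/untangle/settings/untangle-certificates/apache.pem; do
        if bundle_matches_cache "$f" "$cache" && bundle_has_key "$f"; then
            echo "OK       $f matches $cache"
        else
            echo "MISMATCH $f differs from $cache (or lacks a private key)"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_untangle_cert gateway.mydomain.com` after the cron job; a MISMATCH on a copy tells you which path Untangle is still serving the old certificate from.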

@otherjoel

Typo near the end:

if [ $? -ne 0 ]; then
        cp /tmp/apache.pem /etc/apache2/ssl/apache.pen

The apache.pen should be apache.pem

@fizzyade (Author)

Typo near the end:

if [ $? -ne 0 ]; then
        cp /tmp/apache.pem /etc/apache2/ssl/apache.pen

The apache.pen should be apache.pem

Cheers! Fixed.

@scornieller

This works, but it is not actually switching to the new certificate (based on the UI checkboxes), any ideas?

@fizzyade (Author)

It worked with no problem for me; unfortunately I no longer use Untangle, so I can't really provide any info.

You did select this certificate as the one used in the GUI rather than the self-signed one?

@scornieller

No, I just did your CLI commands. The cert is updated and works, but the GUI still shows the old cert as the one being active.

@fizzyade (Author)

All I can suggest is checking that the certificate path shown in Untangle is the same path that the script uses; if they're different, change one or the other until they match.

I haven't used Untangle for nearly 2 years now, I think, so I can't remember exactly what things look like.
