
letsencrypt-zimbra's Introduction

letsencrypt-zimbra

Files to automate the deploy of letsencrypt certificates to Zimbra.

You will probably find these files useful when you want to replace your self-signed Zimbra certificate with a Let's Encrypt-signed one and automate the renewal of the certificate.

Start with the Setup manual below and the help message of the script (letsencrypt-zimbra.sh -h).

Enjoy open-source and encryption!

Requirements

  • Working installation of Zimbra Collaboration Suite (version ≥ 8.7)
  • certbot utility (version ≥ 1.6)
  • openssl cli tool
  • sudo privilege to run certbot with zimbra user

What the scripts do

The script will perform the following steps:

  1. Check installed Zimbra TLS certificate
    • The script exits if the cert is present and will not expire soon
    • See -d and -f options
  2. Generate new Zimbra private key if it is missing
  3. Generate signing request with given domain names
  4. Stop Zimbra web server
  5. Run certbot (in standalone mode) and use generated request
  6. Start Zimbra web server
  7. Check issued certificate and install it for Zimbra
  8. Restart zimbra services

See the help message of the script (-h), example config file (letsencrypt-zimbra.cfg.example) and the code itself for more details.
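The pre-flight check and CSR generation in steps 1 to 3 can be reproduced with plain openssl. The following is an added example, not code from the letsencrypt-zimbra project: it tests whether an installed certificate expires within a given number of days (the thresholds behind the script's -d and -f options are not shown on this page, so the 11 days used in the demo is an assumed value), creates the private key only when it is missing, and writes a CSR that carries every hostname in the subjectAltName while keeping the CN to a single name of at most 64 characters. The function names, the example.org hostnames and the temporary paths are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of letsencrypt-zimbra): expiry check and CSR
# generation with SANs, mirroring steps 1-3 of the script's workflow.
# All function names, hostnames and paths below are this example's own.
set -u

# Return 0 when the certificate in $1 expires within $2 days, 1 otherwise.
# "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds
# from now, so its result is inverted. A missing file counts as "renew".
cert_expires_within_days() {
    crt=$1
    days=$2
    [ -r "$crt" ] || return 0
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Create an RSA private key at $1 only if it does not already exist
# (step 2: the existing Zimbra key is reused across renewals).
# The subshell keeps the restrictive umask from leaking into the caller.
ensure_private_key() {
    key=$1
    [ -s "$key" ] && return 0
    ( umask 077; openssl genrsa -out "$key" 2048 >/dev/null 2>&1 )
}

# Write a CSR to $2 signed with key $1 for every hostname in $3..$n.
# The first hostname becomes the CN; all hostnames go into the SAN.
# X.509 limits the CN to 64 characters, so longer names are rejected
# here with a clear message instead of failing inside openssl.
make_csr() {
    key=$1
    csr=$2
    shift 2
    [ $# -ge 1 ] || { echo "make_csr: no hostnames given" >&2; return 1; }
    cn=$1
    if [ "${#cn}" -gt 64 ]; then
        echo "make_csr: CN '$cn' exceeds 64 characters" >&2
        return 1
    fi
    ensure_private_key "$key" || return 1
    cnf=$(mktemp)
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cnf"
    openssl req -new -key "$key" -out "$csr" -config "$cnf"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# Demo run against a throwaway five-day self-signed certificate
# (constructed input standing in for the installed Zimbra cert).
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj "/CN=mail.example.org" \
        -keyout "$work/old.key" -out "$work/old.crt" >/dev/null 2>&1
    if cert_expires_within_days "$work/old.crt" 11; then
        echo "certificate expires within 11 days, renewing"
        make_csr "$work/zimbra.key" "$work/request.pem" mail.example.org webmail.example.org
        openssl req -in "$work/request.pem" -noout -text | grep -A1 'Subject Alternative Name'
    else
        echo "certificate still valid, nothing to do"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the file with demo as its first argument to exercise it. The expiry check is kept separate from the CSR step so it can run from a daily cron job without stopping any Zimbra service, and the CN length guard reports an over-long name before anything is stopped rather than surfacing as a cryptic "string too long" from openssl.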

Setup manual

  1. Install the certbot

    • Please follow the official instructions for your distribution

    • For example on Ubuntu bionic:

      1. Install pip3

        apt install python3-pip
        
      2. Install certbot pip package

        pip3 install certbot cryptography~=3.3.0 pyOpenSSL~=19.1.0 zope.interface~=5.4
        
  2. Clone this repository

    git clone https://github.com/VojtechMyslivec/letsencrypt-zimbra.git /opt/letsencrypt-zimbra
    
  3. Create and edit config file

    • Copy the example file

      cp /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg{.example,}
      
    • Configure your e-mail and server common names in /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg

  4. Add sudo privileges to 'zimbra' user to run certbot

    • Copy prepared sudoers config:

      cp configs/sudoers.conf /etc/sudoers.d/zimbra_certbot
      
    • Test the sudo privilege for 'zimbra' user (no password should be needed)

      sudo -Hu zimbra sudo /usr/local/bin/certbot -h
      
  5. Run the script to obtain certificate

    sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -v
    
    • Note: add the -t option to run a test (see below)
  6. Configure the cron job

    cp configs/cron.conf /etc/cron.d/letsencrypt-zimbra
    
    • Review /etc/cron.d/letsencrypt-zimbra to check that it meets your system's requirements

Update the list of domain names

If you need to edit the list of domain names in your already-deployed certificate:

  1. Update the list of domain names in common_name variable in letsencrypt-zimbra.cfg

  2. Run the script interactively with an extra -f (force renew) option:

    sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -vf
    
    • Warning: keep in mind Let's Encrypt rate limits (see below) when force-renewing a certificate

Test the configuration and staging environment

The Let's Encrypt authority enforces rate limits. The best practice is to test the configuration and the script against the staging environment, where the rate limits are much more lenient. Certificates issued by the staging environment are signed by the (STAGING) Pretend Pear X1 CA and so are not trusted by clients.

To use this environment, pass the -t option when running letsencrypt-zimbra.sh. The verbose option -v is also recommended, to see informational messages about what the script is doing.

Once the script has successfully deployed a staging certificate, run it again with -f to force renewal of the certificate with the trusted Let's Encrypt CA.

Some links

letsencrypt-zimbra's People

Contributors

123blin, j0s3f, jogerj, lightonflux, mvhconsult, vojtechmyslivec


letsencrypt-zimbra's Issues

Error when executing script

Hello, I have an error when executing the script, and my Zimbra web does not start automatically.

root@mail:# sudo -Hu zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -v -f
obtain-and-deploy-letsencrypt-cert.sh: info: Running in force mode, certificate will be renewed.
obtain-and-deploy-letsencrypt-cert.sh: info: create csr config '/tmp/tmp.oyKSFUTDX2/openssl.cnf'
obtain-and-deploy-letsencrypt-cert.sh: info: generate csr '/tmp/tmp.oyKSFUTDX2/request.pem'
obtain-and-deploy-letsencrypt-cert.sh: info: stop nginx
/opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh: ligne 347: certbot_extra_args[@] : variable sans liaison

How to fix? Is it a bug?

Thanks

Cron job seems not run

Dear,
I use Zimbra 8.8.15 on CentOS 7. Your software runs very well. However, I have a small issue with cron.
I copied the cron file into /etc/cron.d/letsencrypt-zimbra as in your guide, but it does not run (the cert is not renewed). I think your guide is for Ubuntu and I should change from:

42 0 * * * zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -q

to:

42 0 * * * sudo -Hiu zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -q

Is that right?
Many thanks,
Minh.

zmcontrol restart stucked after renewing certificate

Hi:

First of all, thanks for the project.
We have been using it for renewing Let's Encrypt certificates in Zimbra 8.8.12 with Ubuntu 16.04.6 LTS for some months.

We are experiencing some kind of issue when renewing the certificate (via cron) because, although the cert renewal is done correctly, from that moment on the mail server is not able to send or receive emails (and all messages are deferred in the queue). We simply need to restart the Zimbra services (zmcontrol restart), and everything works like a charm, and the queue starts to work again.

Does it make sense to you? Is this a necessary step after renewing certificates? As far as I read, the script restarts the Zimbra services.

Kind regards.
--C.

zmcertmgr verifycrt fails

It fails with a notification like:
Unable to validate certificate chain: /tmp/tmp.W60adLUX4e/0000_cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1

If you remove the second certificate from this /tmp/.../0000_cert.pem, it will pass. Maybe we could add some fix to the script to remove this ISRG Root X1?

Move all user relevant variables in config file

At the moment you have to change the scripts directly, and you need to write some variables several times ($email). It would be nice if there were a config file from which the scripts get the variables configured by the user.

To allow easy git pulling from origin, it would be a good idea to keep a config.example in git, which the user copies to config and configures.

The script only needs to be changed in two ways: remove all user variables, and add source <filename> to the scripts.

Multiple domains

Sorry, I really caught myself yesterday, maybe the long hours of work.

My question is: how can I configure, for example, two domains in the certificate, for example having xmail.domain.com and mail.domain.com? Is it possible?

How do I put it in the configuration file? In the CN place, separated by comma, or at the end do I put dns.2?

Help Please

How do I renew 2 domains, as I see the script is only for the CN? Such as adding a new domain at the time of renewal?

Too little output.

The script works fine, but in the beginning I have no idea what's happening. So maybe it's better to have verbose messages output, or just remove all the "> /dev/null" code? I found it very informative after removing them.

Logging feature

Something can go wrong during the renewal process and the mail server might not come up, so no e-mails from cron are delivered.

Implement logging options for the script (such as to syslog or to a file). It comes in handy for debugging and for an overview of the renewal process.

Relevant to #62

"Which" is needed in CentOS 7

The file /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh has a "for" loop that requires executing the "which" command to get a path.
This should be considered a dependency. Really easy to fix; maybe it could be specified in the README.md file.
As easy as: $ yum install which # in CentOS 7

Thank you,
Juan

Error Verification of the issued certificate failed.

Hello,
I have a new error when I try to renew using your script:

obtain-and-deploy-letsencrypt-cert.sh: error: Verification of the issued certificate failed.

Full trace of script output:

zimbra@mail:/etc/cron.d$ /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Performing the following challenges:
tls-sni-01 challenge for mail.valentin-deville.eu
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /tmp/tmp.SdLl5N9s5K/0000_cert.pem
Cert chain written to <fdopen>
Cert chain written to <fdopen>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /tmp/tmp.SdLl5N9s5K/0001_chain.pem
   Your cert will expire on 2018-09-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

obtain-and-deploy-letsencrypt-cert.sh: error: Verification of the issued certificate failed.

Do you have an idea how to fix this?
Thanks

string too long

CONFIG:

common_names=( " \
mail.domain1.com domain1.com \
mail.domain2.com webmail.idomain2.com \
mail.domain3.com webmail.domain3.com \
mail.domain4.com webmail.domain4.com\
mail.domain5.com webmail.domain5.com\
mail.domain.com6 webmail.domain6.com\
mail.domain7.com webmail.domain7.com\
mail.domain8.com webmail.domain8.com\
mail.domain.com-N webmail.domain-N.com \
" )

ERROR:

[root@mailserver letsencrypt-zimbra]# sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -vf
letsencrypt-zimbra.sh: info: Running in force mode, certificate will be renewed.
letsencrypt-zimbra.sh: info: create csr config '/tmp/tmp.poRZdvyCL8/openssl.cnf'
letsencrypt-zimbra.sh: info: generate csr '/tmp/tmp.poRZdvyCL8/request.pem'
problems making Certificate Request
140419743651648:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:crypto/asn1/a_mbstr.c:107:maxsize=64
letsencrypt-zimbra.sh: error: Cannot create the certificate signing request.

Snapd volumes at 100% full

I installed Let's Encrypt as the installer suggested; is the following a concern?

/dev/loop0 98M 98M 0 100% /var/lib/snapd/snap/core/10185
/dev/loop1 48M 48M 0 100% /var/lib/snapd/snap/certbot/652
/dev/loop2 61M 61M 0 100% /var/lib/snapd/snap/core20/634


Zimbra 8.7 - Script doesn't work properly

Hello, it appears this script doesn't run properly because 'zmcertmgr' is required to run as the zimbra user and not as root (it complains about this and the script exits), a change implemented with the release of Zimbra 8.7. I believe I was able to work around this problem by inserting 'sudo -u zimbra' at the front of the lines that run 'zmcertmgr'; however, I also learned during this process that since it runs as the zimbra user, you have to change the permissions of the temp directory the script creates to allow the zimbra user to read those files, as well as to read the 'commercial.key' file.

To combat this, I had the script chmod the temp directory and the commercial.key file to allow reads by other users other than the user/group (which is root).

Unfortunately, I hit the letsencrypt certificate request limit which apparently is 5 certs in 7 days so I wasn't able to confirm the script could fully execute with these modifications. :(

If you could resolve this issue, that would be fantastic!

ordering issue of chains

Dude, below you have an ordering issue:

create one CA chain file

cat "$intermediate_CA_file" "$root_CA_file" > "$chain_file"

should be

cat "$root_CA_file" "$intermediate_CA_file"  > "$chain_file"

Then it will work fine ;)

Why not use the official repo of certbot?

I've tested with the official repo of certbot (Ubuntu 16), and after changing the locations of certbot, it all works fine.
Any reason why you want the GitHub repo instead? It seems a little bit more difficult/cumbersome to maintain over the long run.

not working on Zimbra 8.8.12

I ran this script today with no errors, but when I go to Zimbra webmail I still get the message that it is an untrusted certificate. I see that the certificate was created.
How to fix this?

certificate created with wrong permissions

Had this issue.

After installing everything and executing the script the first time, I had problems with my Zimbra that are not connected with this script.

Then I had to rerun the script with the -f option to retry the certificate deployment, and had this issue:

Output:
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /tmp/tmp.66UyCu9zC9/0001_chain.pem

obtain-and-deploy-letsencrypt-cert.sh: error: The issued certificate file '/tmp/tmp.66UyCu9zC9/0000_cert.pem' isn't readable file. Maybe it was created with different name?

And when I go to the specified folder, the PEM files are not accessible to the zimbra user.

[root@zimbraserver tmp.66UyCu9zC9]# ls -laht
totale 28K
drwxrwxrwt. 14 root root 4,0K 8 dic 20:44 ..
drwx------ 2 zimbra zimbra 4,0K 8 dic 20:44 .
-rw-r----- 1 zimbra zimbra 0 8 dic 20:44 chain.pem
-rw-r----- 1 root root 2,2K 8 dic 20:43 0000_cert.pem
-rw-r----- 1 root root 1,7K 8 dic 20:43 0000_chain.pem
-rw-r----- 1 root root 3,8K 8 dic 20:43 0001_chain.pem
-rw-r----- 1 zimbra zimbra 1,2K 8 dic 20:43 request.pem
-rw-r----- 1 zimbra zimbra 273 8 dic 20:43 openssl.cnf

Script Hangs with newest Certbot/Letsencrypt-auto

Hi,

I've been trying to get the script to work, however it keeps hanging. Based on where it's stuck, it looks like letsencrypt-auto is waiting for user input for an email address.

It is also failing to stop Zimbra. I'm curious why you are not using the zmcontrol command to start and stop Zimbra.

A screenshot of HTOP showing the process stuck waiting for input:


Certbot error

On updating to the most recent version of the script, I get this error when running the script manually.

certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

I tried commenting the argument from the script, but then, instead, it returns

certbot: error: unrecognized arguments: 

Thanks for your work on this.
Please let me know what information you need to help find and fix the problem.

Hi I'm trying to run your script but always getting error

Hi I'm trying to run your script but always getting error

Failed authorization procedure.
  mail.expamplesecurities.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesecurities.com/.well-known/acme-challenge/TIfjXFNoekEPpqQ7DtpIGRXN3lPKqLICmNOqQUL0rK8: Connection refused,
  mail.expamplesecurities.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesecurities.co.id/.well-known/acme-challenge/3N484dTxz1JNPpyOeaEdj2hYGK9Q56IhYLpv0RPHqbQ: Connection refused,
  mail.expample.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expample.id/.well-known/acme-challenge/l1N_icAeNlNp0IRRUslv9GTOqq4ukoCe_LmOlUGCv88: Connection refused,
  mail.expamplesekuritas.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesekuritas.com/.well-known/acme-challenge/d3RpFSAF4YnQjKixR4RHLo0Z-pD_PNlpA2ByIq-RsXY: Connection refused,
  mail.expample.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expample.co.id/.well-known/acme-challenge/YZWmwV5XkEZKNDxBQ5e9r5J8HiAGSk1sNuwEEQxX4Yg: Connection refused,
  mail.expamplesekuritas.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesekuritas.co.id/.well-known/acme-challenge/srOkkjxBy4O9qboCOGhH1lqmyA6BgF4cEZZqbGjs6fk: Connection refused

I'm using Zimbra 8.8.12 with Ubuntu 14.04.

Originally posted by @uckons in #58 (comment)

Strange restart problem on Zimbra 8.8.5/Ubuntu16

Hey,

I installed a fresh Zimbra 8.8.5 and this letsencrypt set, using the git versions. Zimbra is working, and restart works fine.
The certificate is created, but the restart of Zimbra does not work/finalise. Strangely enough, doing a manual zmcontrol restart right after the letsencrypt request, the restart is executed fine.

The error I am able to find is in zmwatch.out:

Can't locate Swatchdog/Actions.pm in @inc (you may need to install the Swatchdog::Actions module) (@inc contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at /opt/zimbra/data/tmp/.swatchdog_script.16404 line 29.
BEGIN failed--compilation aborted at /opt/zimbra/data/tmp/.swatchdog_script.16404 line 29.

The first Perl module reported 'missing' (in another error message) was Date::Parse, which I could solve by installing it:

root@mailer3:~# cpan install Date::Parse
Loading internal null logger. Install Log::Log4perl for logging messages
Reading '/root/.cpan/Metadata'

...

Renew when certificate lifetime ends soon, not every month

Instead of running once a month, it makes more sense to run a script every day that checks whether the certificate is still valid in X days and renews it then.
This way, if for example the Let's Encrypt servers are down during renewal, it will automatically be retried the next day(s).

The check using openssl is simple and quite fast.

# 950400 seconds = 11 days; -checkend exits non-zero if the cert expires within that window
openssl x509 -checkend 950400 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt > /dev/null

if [ $? != 0 ]; then
    # certificate will be invalid in 11 days, renew it
    echo "certificate expires within 11 days, renew it"
fi

Renew vs continual obtain-and-deploy

Is there a better way to renew once you're all set up, rather than running the whole process over again every 60 days (30 days prior to expiry)? In a normal LE setup, the renewal just happens quickly, but it appears this will take Zimbra down, obtain a new cert, deploy it, and bring Zimbra back up every 60 days.

chdir(/root) failed: Permission denied

Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /tmp/tmp.lkReGk7950/0000_cert.pem
Cert chain written to 10
Cert chain written to 11

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /tmp/tmp.lkReGk7950/0001_chain.pem
    Your cert will expire on 2018-12-31. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

obtain-and-deploy-letsencrypt-cert.sh: info: start nginx
obtain-and-deploy-letsencrypt-cert.sh: info: assemble cert files
obtain-and-deploy-letsencrypt-cert.sh: info: test and deploy certificates
zmcertmgr: ERROR deploycrt(comm /tmp/tmp.lkReGk7950/0000_cert.pem /tmp/tmp.lkReGk7950/chain.pem) failed:
chdir(/root) failed: Permission denied
obtain-and-deploy-letsencrypt-cert.sh: error: Installation of the issued certificate failed.

port 80 or 443

Hi, Sorry to ask, but what port is used to obtain/verify the cert? Is it 443 or do I need to open port 80?

Issued certificate is not readable

EDIT: original title: tmp *cert.pm isn't readable

Hello,
I get this message at the end, after the Congratulations message.

The issued certificate file '/tmp/tmp.YnBTsmDRQj/0000_cert.pem' isn't readable file. Maybe it was created with different name?

Here's what that temporary directory looks like:

root@mail3:~/letsencrypt-zimbra# ls /tmp/tmp.YnBTsmDRQj/ -lah
total 28K
drwx------  2 zimbra zimbra 4.0K May  1 14:06 .
drwxrwxrwt 40 root   root   4.0K May  1 14:10 ..
-rw-r-----  1 root   root   2.1K May  1 14:05 0000_cert.pem
-rw-r-----  1 root   root   1.7K May  1 14:05 0000_chain.pem
-rw-r-----  1 root   root   3.7K May  1 14:05 0001_chain.pem
-rw-r-----  1 zimbra zimbra    0 May  1 14:06 chain.pem
-rw-r-----  1 zimbra zimbra  430 May  1 14:02 openssl.cnf
-rw-r-----  1 zimbra zimbra  782 May  1 14:02 request.pem

Is there any way to modify those files so they are readable by the zimbra user that the script is running as, or can the script drop its su - zimbra early?

Support Zimbra v8.6

Script does not support Zimbra v8.6

@achilles03anil wrote some tips to run with v8.6 in #35

If there would be some 👍 on this issue, I will focus on it and implement support for v8.6 as well

Only one cert allowed in .conf

Hi,
I've found that I can only deploy 1 cert with a .conf file containing this line:

# common name in the certificate
CN="mail.server.com"

Is there any way to deploy more than one cert with a single .conf?
I couldn't find that info.

Thanks! 👍

expiration of the DST Root CA X3

Hi,
I am using the script on CentOS 7 (certbot version is 1.11.0 and openssl version is 1.0.2k-fips) and the script cannot renew the Zimbra certificate, with the following error:

"obtain-and-deploy-letsencrypt-cert.sh error verification of the issued certification failed"

I presume this is because Let's Encrypt's "DST Root CA X3" expired in September 2021 and the script should be updated.

Thank you very much for your work.

root CA isn't readable file

Hi !

I just downloaded the master branch of your shell scripts and tried to obtain a certificate but I get the following error:
root@mail:~/letsencrypt-zimbra-master# ./obtain-and-deploy-letsencrypt-cert.sh
obtain-and-deploy-letsencrypt-cert.sh[err]: The root CA certificate '/root/letsencrypt-zimbra/DSTRootCAX3.pem' isn't readable file.

When I look at the file permissions it should be readable:

root@mail:~/letsencrypt-zimbra-master# ls -la
total 36
drwxr-xr-x 2 root root 4096 Aug 12 23:26 .
drwx------ 13 root root 4096 Aug 24 09:45 ..
-rw-r--r-- 1 root root 444 Aug 12 23:26 crontab
-rw-r--r-- 1 root root 1220 Aug 12 23:26 DSTRootCAX3.pem
-rwxr-xr-x 1 root root 8159 Aug 12 23:26 obtain-and-deploy-letsencrypt-cert.sh
-rw-r--r-- 1 root root 866 Aug 12 23:26 README.md
-rwxr-xr-x 1 root root 685 Aug 12 23:26 sendmail-notification.sh
-rwxr-xr-x 1 root root 480 Aug 12 23:26 sendmail-notification-successful.sh

Do you know what could be wrong?

nginx .well-known errors on single/multidomains

hi,
I am trying to set up LE on a Zimbra 8.8.6_GA_1906.FOSS with multiple domains, but I have this error after configuring it [using the multi-domain config array like your example]:

Failed authorization procedure.
mx.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mx.domain.com/.well-known/acme-challenge/ObVmkGOBaUT2Og1R8hwdh5uy32MaFVbjeFsl-OdPSxQ: Timeout,
webmail.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.domain.com/.well-known/acme-challenge/BBDfrZRUkSpgJE-mPLqKTII1J5oKPdSb0zCg7dvJPUc: Timeout,
webmail.anotherdomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.anotherdomain.net/.well-known/acme-challenge/kvGtm5-UEE00PvvosIQQhR_exOiFb8DJQcm0HBbzohY: Timeout

And after that a recap of all these errors.
I have an A record in DNS, and configured my Zimbra during installation to serve webmail on https,
so nothing is running on port 80.

Any hints? Am I doing something wrong, or maybe there are incompatibilities due to different versions?

PS: well... I tried with one domain instead of multiple domains and I have the same type of error.

thanks, regards

Certificate is not trusted by Kaspersky antivirus software

Dear,
Today (1-Oct-2021), our users report that Kaspersky antivirus software blocks them from accessing the Zimbra webmail because of "This certificate cannot be verified up to a trusted certification authority".
Our Let's Encrypt cert is issued by ISRG Root X1 / R3 and is valid from 01-Oct-2021 to 30-Dec-2021.

Best regards,
Minh.

Diff. errors with 8.7

OK, I did this:

  1. first I installed https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate on 8.7 with
    ./letsencrypt-auto certonly --standalone -d hostname.domain -d webmail.domain
    and it's working, although I'm not sure this is correct configuration per:
    zmcertmgr viewdeployedcrt

    subject= /CN=hostname.domain
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=hostname.domain, webmail.domain
    

    Here, actual mail addresses used are different from those 2, it's mail1.domain and mail2.domain.

  2. when I tried to use, with 8.7 dev branch:
    ./obtain-and-deploy-letsencrypt-cert.sh hostname.domain webmail.domain
    I got errors:

    Unable to start TLS: hostname verification failed when connecting to ldap master.
    obtain-and-deploy-letsencrypt-cert.sh[err]:  Restarting zimbra failed.
    

    I see it's some frequent error, I guess it's about those domain names.

  3. in order to test, I used --staging in script per #3 but since I have certificates it's of no use without --break-my-certs

  4. with --staging or with --standalone, when I commented --non-interactive --quiet --agree-tos \ to get feedback:

    1. I was again asked for domains, is it OK?

      Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel)
      

      if OK, maybe it should be explained - but I'm afraid those 2 domains are not used, although #12 confirms we can use them and I guess #2 is obsolete now.

    2. I got this, why? And why I wasn't asked for email?

      ./obtain-and-deploy-letsencrypt-cert.sh: line 258: --email: command not found
      

I see there are other issues, and some of this may be duplicates, but it's more appropriate to write it all here than to comment on other issues.

Renamed letsencrypt-zimbra script

Hi, I also installed snap 1.20 and the latest script for getting the certificates, but I had to rename the script from obtain-and-deploy-letsencrypt-cert.sh to letsencrypt-zimbra.sh.
I also symlinked the old name to the new one, but of course it didn't work.

Every night the certbot runs and fails like this:

obtain-and-deploy-letsencrypt-cert.sh: warning: You are using deprecated script name, change it to 'letsencrypt-zimbra.sh'

I have tried to find the cron that runs it, but somehow there is no cron line.
Any ideas?
Thanks!

Originally posted by @dhcmega in #74 (comment)

Make le-zimbra systemd ready

Service Unit:

    [Unit]
    Description=Obtain and deploy Letsencrypt certs for Zimbra
    
    [Service]
    Type=oneshot
    ExecStart=/root/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh 

Timer Unit:

    [Unit]
    Description=Timer for Letzencrypt Zimbra script
    
    [Timer]
    OnCalendar=*-*-1 3:00
    
    [Install]
    WantedBy=basic.target

1: On Ubuntu 16.04, using systemctl or service (which invokes systemctl for compatibility reasons) you will be asked for a password, which does not work with an unattended script. And because Zimbra does not support systemd at the moment, there is no official service file. AFAIK zmcontrol is the "official" method to use when starting and stopping Zimbra.

These are suggestions; I welcome improvements.

Can't force renewal

I have added more domains to my server (virtual hosts). It's a Zimbra email server community version. When I ran the script the other day it made a single cert that was good for both domains.

Example:
zimbra.domain1.com
zimbra.domain2.com

When I added my new domains I tried to run the script:

/usr/bin/certbot renew --pre-hook "/var/ftp/git/zimbra-auto-letsencrypt/certbot_zimbra.sh -p" --renew-hook "/var/ftp/git/zimbra-auto-letsencrypt/certbot_zimbra.sh -r"

...and it gives me this "error":

The following certs are not due for renewal yet:

/etc/letsencrypt/live/zimbra.domain1.com/fullchain.pem expires on 2019-03-02 (skipped)
No renewals were attempted.
No hooks were run.


How can I force it to renew so it will look, as it seemingly does, to include my additional domains, even though it won't expire for another 3 months?

Oh, I also tried putting the "-f" in there but not sure where to put it nor does it seem to work, I get the same feedback about it not being ready for renewal.

Thanks!

Let's Encrypt stops ACME TLS-SNI-01 on February 13th, 2019

Hi
Let's Encrypt stops ACME TLS-SNI-01 on February 13th, 2019.
How to change the ACME challenge from TLS-SNI-01 to HTTP-01 or TLS-ALPN-01?
I tried to add to yours: --standalone \ --preferred-challenges http
and still get: Failed authorization procedure. mail.domain.net (http-01)

Thanks a lot
Best regards
