Hello, i have error when executing script, and my zimbra web do not start automactilly

root@mail:# sudo -Hu zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -v -f
obtain-and-deploy-letsencrypt-cert.sh: info: Running in force mode, certificate will be renewed.
obtain-and-deploy-letsencrypt-cert.sh: info: create csr config '/tmp/tmp.oyKSFUTDX2/openssl.cnf'
obtain-and-deploy-letsencrypt-cert.sh: info: generate csr '/tmp/tmp.oyKSFUTDX2/request.pem'
obtain-and-deploy-letsencrypt-cert.sh: info: stop nginx
/opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh: ligne 347: certbot_extra_args[@] : variable sans liaison

How to fix ? It's bug ?

Thanks

Dear,
I use Zimbra 8.8.15 on centos 7. Your software runs very well. However, I have a small issue with cron.
I copy cron file into /etc/cron.d/letsencrypt-zimbra as your guide but it does not run (cert is not renewed). I think you guide is for Ubuntu and I should change from:

42 0 * * * zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -q

to:

42 0 * * * sudo -Hiu zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -q

is that right?
Many thanks,
Minh.

Hi:

First of all, thanks for the project.
We are using it for renewal Let's Encript certificates in Zimbra 8.8.12 with Ubuntu 16.04.6 LTS, since some months ago.

We are experiencing some kind of issue when renewing certificate (via cron) because, although cert renewal is done correctly, from that moment the mail server is not able to send or receive emails (and all messages are deferred in queue). We simply need to restart the zimbra services (zmcontrol restart), and everything works like a charm, and so the queue starts to work again.

Does it have sense to you ? Is this a necessary condition after renewing certificates ? As far I read, the script restarts the zimbra service.

Kind regards.
--C.

It fails with notification like:
Unable to validate certificate chain: /tmp/tmp.W60adLUX4e/0000_cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1

If you remove the second certificate from this /tmp/.../0000_cert.pem, it will pass. Maybe we could add some fix into the script to remove this ISRG Root X1?

At the moment you have to change the scripts directly and you need to write some variables several times ($email). It would be nice if there was a config file from which the scripts get the variables configured by the user.

To allow easy git pulling from origin it would be a good idea to use a config.example in git which the user copies and configures in config.

The script only need to be changed in two ways. Remove all user variables. Add source <filename> to scripts.

Sorry, I really caught myself yesterday, maybe the long hours of work.

My question is, how can I configure for example two domains in the certificate, for example having xmail.domain.com and mail.domain.com, is it possible?

How do I put it in the configuration file? in the CN place separated by comma or in the end I put dns.2?

As I do to renew 2 domain as I see the script is only for CN , such as adding a new domain at the time of renewal?

The script works fine but in the beginning I have no idea what's happening. So maybe it's better to have verbose message out, or just remove all the ">dev null" code? I found it very informative after removing them.

obtain-and-deploy-letsencrypt-cert.sh[err]: Letsencrypt tool '/root/letsencrypt/letsencrypt-auto' isn't executable file.

I don't even have this file..

Something can go wrong during renewal process and mail server could not to be up so no e-mails from cron is delivered.

Implement logging options for the script (such as to syslog or to a file). It comes handy for debugging and overview of a renew process.

Relevant to #62

The file /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh has a "for" that requires executing "which" command to get a path.
This should be considered as a dependency. Really easy to fix, maybe it could be specified in README.md file
As easy as: $ yum install which # in CentOS 7

Thank you,
Juan

Hello,
I have a new error when i try to renew using your script

obtain-and-deploy-letsencrypt-cert.sh: error: Verification of the issued certificate failed.

Full trace of script output:

zimbra@mail:/etc/cron.d$ /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Performing the following challenges:
tls-sni-01 challenge for mail.valentin-deville.eu
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /tmp/tmp.SdLl5N9s5K/0000_cert.pem
Cert chain written to <fdopen>
Cert chain written to <fdopen>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /tmp/tmp.SdLl5N9s5K/0001_chain.pem
   Your cert will expire on 2018-09-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

obtain-and-deploy-letsencrypt-cert.sh: error: Verification of the issued certificate failed.

Have you idea how to fix this ?
Thanks

CONFIG:

common_names=( " \
mail.domain1.com domain1.com \
mail.domain2.com webmail.idomain2.com \
mail.domain3.com webmail.domain3.com \
mail.domain4.com webmail.domain4.com\
mail.domain5.com webmail.domain5.com\
mail.domain.com6 webmail.domain6.com\
mail.domain7.com webmail.domain7.com\
mail.domain8.com webmail.domain8.com\
mail.domain.com-N webmail.domain-N.com \
" )

ERROR:

[root@mailserver letsencrypt-zimbra]# sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -vf
letsencrypt-zimbra.sh: info: Running in force mode, certificate will be renewed.
letsencrypt-zimbra.sh: info: create csr config '/tmp/tmp.poRZdvyCL8/openssl.cnf'
letsencrypt-zimbra.sh: info: generate csr '/tmp/tmp.poRZdvyCL8/request.pem'
problems making Certificate Request
140419743651648:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:crypto/asn1/a_mbstr.c:107:maxsize=64
letsencrypt-zimbra.sh: error: Cannot create the certificate signing request.

I installed lets encrypt as directed by the installer suggested is the following a concern ?

/dev/loop0 98M 98M 0 100% /var/lib/snapd/snap/core/10185
/dev/loop1 48M 48M 0 100% /var/lib/snapd/snap/certbot/652
/dev/loop2 61M 61M 0 100% /var/lib/snapd/snap/core20/634

Hello, it appears this script doesn't run properly due to 'zmcertmgr' being required to run as the zimbra user and not as root (it complains about this and the script exits), a change implemented with the release of Zimbra 8.7. I believe I was able to work around this problem by inserting 'sudo -u zimbra' at the front of the lines that run 'zmcertmgr' however I also learned during this process that since it runs as the zimbra user, you have to change the permissions for the temp directory the script creates to allow the zimbra user to read those files as well as read the 'commercial.key' file.

To combat this, I had the script chmod the temp directory and the commercial.key file to allow reads by other users other than the user/group (which is root).

Unfortunately, I hit the letsencrypt certificate request limit which apparently is 5 certs in 7 days so I wasn't able to confirm the script could fully execute with these modifications. :(

If you could resolve this issue, that would be fantastic!

Dude below you have an ordering issue

create one CA chain file

cat "$intermediate_CA_file" "$root_CA_file" > "$chain_file"

should be

cat "$root_CA_file" "$intermediate_CA_file"  > "$chain_file"

Then it will work fine ;)

I've tested with the official repo of certbot (Ubuntu16), and after changing the locations of the certbot, it all works fine.
Any reason why you want the github repo instead? Seems a little bit more difficult/cumbersome to maintain over the long run.

I have run this script today and no errors but when I go to zimbra webmail I still get message it is untrusted certificate. I see that certificate was created
How to fix this?

Where do i put other subdomains i want to get from letsencrypt within the same cert? Like www.zimbra.example.tld?

Had this issue.

after installing everything and executing the script the first time, I had problems with my zimbra that are not connected with this script

then I had to rerun the script with the -f option to retry the certificate deploying and had this issue:

Output:
IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /tmp/tmp.66UyCu9zC9/0001_chain.pem

obtain-and-deploy-letsencrypt-cert.sh: error: The issued certificate file '/tmp/tmp.66UyCu9zC9/0000_cert.pem' isn't readable file. Maybe it was created with different name?

And when I go to the specified folder, the PEM files are not accessible to Zimbra user.

[root@zimbraserver tmp.66UyCu9zC9]# ls -laht
totale 28K
drwxrwxrwt. 14 root root 4,0K 8 dic 20:44 ..
drwx------ 2 zimbra zimbra 4,0K 8 dic 20:44 .
-rw-r----- 1 zimbra zimbra 0 8 dic 20:44 chain.pem
-rw-r----- 1 root root 2,2K 8 dic 20:43 0000_cert.pem
-rw-r----- 1 root root 1,7K 8 dic 20:43 0000_chain.pem
-rw-r----- 1 root root 3,8K 8 dic 20:43 0001_chain.pem
-rw-r----- 1 zimbra zimbra 1,2K 8 dic 20:43 request.pem
-rw-r----- 1 zimbra zimbra 273 8 dic 20:43 openssl.cnf

Hi,

I've been trying to get the script to work, however it keeps hanging. Based on where it's stuck, it looks like letsencrypt-auto is waiting for user input for an email address.

It also is failing to stop Zimbra. I'm curious why you are not using the zmcontrol command to start and stop Zimbra.

A screenshot of HTOP showing the process stuck waiting for input:

On updating to the most recent version of the script, I get this error when running the script manually.

certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

I tried commenting the argument from the script, but then, instead, it returns

certbot: error: unrecognized arguments: 

Thanks for your work on this.
Please let me know what information you need to help find and fix the problem.

Hi I'm trying to run your script but always getting error

Failed authorization procedure.
  mail.expamplesecurities.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesecurities.com/.well-known/acme-challenge/TIfjXFNoekEPpqQ7DtpIGRXN3lPKqLICmNOqQUL0rK8: Connection refused,
  mail.expamplesecurities.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesecurities.co.id/.well-known/acme-challenge/3N484dTxz1JNPpyOeaEdj2hYGK9Q56IhYLpv0RPHqbQ: Connection refused,
  mail.expample.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expample.id/.well-known/acme-challenge/l1N_icAeNlNp0IRRUslv9GTOqq4ukoCe_LmOlUGCv88: Connection refused,
  mail.expamplesekuritas.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesekuritas.com/.well-known/acme-challenge/d3RpFSAF4YnQjKixR4RHLo0Z-pD_PNlpA2ByIq-RsXY: Connection refused,
  mail.expample.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expample.co.id/.well-known/acme-challenge/YZWmwV5XkEZKNDxBQ5e9r5J8HiAGSk1sNuwEEQxX4Yg: Connection refused,
  mail.expamplesekuritas.co.id (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.expamplesekuritas.co.id/.well-known/acme-challenge/srOkkjxBy4O9qboCOGhH1lqmyA6BgF4cEZZqbGjs6fk: Connection refused

i'm using zimbra 8.8.12 with ubuntu 14.04

Originally posted by @uckons in #58 (comment)

Hey,

I installed a fresh Zimbra 8.8.5 and this letsencrypt set. Using the git versions. Zimbra is working, and restart works fine.
Certificate is created, but the restart of zimbra does not work/finalise. Strangely enough, doing a manual zmcontrol restart right after the letsencrypt request, the restart is executed fine.

The error I am able to find is in zmwatch.out:

Can't locate Swatchdog/Actions.pm in @inc (you may need to install the Swatchdog::Actions module) (@inc contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at /opt/zimbra/data/tmp/.swatchdog_script.16404 line 29.
BEGIN failed--compilation aborted at /opt/zimbra/data/tmp/.swatchdog_script.16404 line 29.

The first per module reported 'missing' (in another error message was Date::Parse which I could solve with installing it:

root@mailer3:~# cpan install Date::Parse
Loading internal null logger. Install Log::Log4perl for logging messages
Reading '/root/.cpan/Metadata'

...

Instead of running once a month, it makes more sense to run a script every day, that checks if the certificate is still valid in X days and renew then.
This way, if for example the Let's Encrypt servers are down during renewal, it will automatically be retried the next day(s).

The check using openssl is simple and quite fast.

openssl x509 -checkend 950400 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt > /dev/null

if [ $? != 0 ]; then
    # certificate will be invalid in 11 days, renew it
fi

Is there a better way to renew once you're all setup rather than running the whole process over again every 60 days (30 days prior to expiry)? In a normal LE setup, the renew just happens quickly, but it appears this will take Zimbra down, obtain a new cert, deploy it, and bring Zimbra back up every 60 days.

Dear Brother,
I tried to the acordingly codes as my (zimbra 8.8.15 - Ubuntu 18.04.05) server but I got the error

code :

cp configs/sudoers.conf /etc/sudoers.d/zimbra_certbot

error:

cp: cannot stat 'configs/sudoers.conf': No such file or directory

Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /tmp/tmp.lkReGk7950/0000_cert.pem
Cert chain written to 10
Cert chain written to 11

IMPORTANT NOTES:

• Congratulations! Your certificate and chain have been saved at:
  /tmp/tmp.lkReGk7950/0001_chain.pem
  Your cert will expire on 2018-12-31. To obtain a new or tweaked
  version of this certificate in the future, simply run certbot
  again. To non-interactively renew all of your certificates, run
  "certbot renew"

• If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

obtain-and-deploy-letsencrypt-cert.sh: info: start nginx
obtain-and-deploy-letsencrypt-cert.sh: info: assemble cert files
obtain-and-deploy-letsencrypt-cert.sh: info: test and deploy certificates
zmcertmgr: ERROR deploycrt(comm /tmp/tmp.lkReGk7950/0000_cert.pem /tmp/tmp.lkReGk7950/chain.pem) failed:
chdir(/root) failed: Permission denied
obtain-and-deploy-letsencrypt-cert.sh: error: Installation of the issued certificate failed.

How to get version 1.6 of certbot? Snap lists 1.32 as latest.

Hi everyone,

letsencrypt announce expiration of DST Root CA X3 for September 2021.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I guess ISRG Root X1 could replace it because it is valid until 2035, and I guess widely supported because it was emitted in 2015.

Keep the good job going on,
cheers.

Hi, Sorry to ask, but what port is used to obtain/verify the cert? Is it 443 or do I need to open port 80?

EDIT: original title: tmp *cert.pm isn't readable

Hello,
I get this message at the end after the Congratuations message.

The issued certificate file '/tmp/tmp.YnBTsmDRQj/0000_cert.pem' isn't readable file. Maybe it was created with different name?

Here's what that temporary directory looks like:

root@mail3:~/letsencrypt-zimbra# ls /tmp/tmp.YnBTsmDRQj/ -lah
total 28K
drwx------  2 zimbra zimbra 4.0K May  1 14:06 .
drwxrwxrwt 40 root   root   4.0K May  1 14:10 ..
-rw-r-----  1 root   root   2.1K May  1 14:05 0000_cert.pem
-rw-r-----  1 root   root   1.7K May  1 14:05 0000_chain.pem
-rw-r-----  1 root   root   3.7K May  1 14:05 0001_chain.pem
-rw-r-----  1 zimbra zimbra    0 May  1 14:06 chain.pem
-rw-r-----  1 zimbra zimbra  430 May  1 14:02 openssl.cnf
-rw-r-----  1 zimbra zimbra  782 May  1 14:02 request.pem

Is there anyway to modify those files so they are readable by the zimbra user that the script is running as - or can the script drop it's su - zimbra early?

Script does not support Zimbra v8.6

@achilles03anil wrote some tips to run with v8.6 in #35

If there would be some 👍 on this issue, I will focus on it and implement support for v8.6 as well

LetsEncrypt V2 API is now support Wildcard certificates.
https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Certbot >= 0.22.0 add support ACME V2.
https://letsencrypt.org/docs/client-options/#acme-v2-compatible-clients

As says in release "Orders that contain both a base domain and its wildcard equivalent (e.g. *.example.com and example.com) are valid".

Hi,
I've found that I can only deploy 1 cert with a .conf file containing this line.

# common name in the certificate
CN="mail.server.com"

Is there any way to deploy more than one cert with a single .conf ?
Couldn't get that info

Thanks! 👍

Hi,
I am using the script on Centos 7 ( certbot version is 1.11.0 and openssl version is 1.0.2k-fips) and the script cannot renew the Zimbra certificate with the following error:

"obtain-and-deploy-letsencrypt-cert.sh error verification of the issued certification failed"

I presume this is because the Letsencrypt's "DST Root CA X3" expired in September 2021 and the script should be updated.

Thank you very much for your work.

Hi !

I just downloaded the master branch of your shell scripts and tried to obtain a certificate but I get the following error:
root@mail:~/letsencrypt-zimbra-master# ./obtain-and-deploy-letsencrypt-cert.sh
obtain-and-deploy-letsencrypt-cert.sh[err]: The root CA certificate '/root/letsencrypt-zimbra/DSTRootCAX3.pem' isn't readable file.

When I look at the file permissions it should be readable:

root@mail:~/letsencrypt-zimbra-master# ls -la
total 36
drwxr-xr-x 2 root root 4096 Aug 12 23:26 .
drwx------ 13 root root 4096 Aug 24 09:45 ..
-rw-r--r-- 1 root root 444 Aug 12 23:26 crontab
-rw-r--r-- 1 root root 1220 Aug 12 23:26 DSTRootCAX3.pem
-rwxr-xr-x 1 root root 8159 Aug 12 23:26 obtain-and-deploy-letsencrypt-cert.sh
-rw-r--r-- 1 root root 866 Aug 12 23:26 README.md
-rwxr-xr-x 1 root root 685 Aug 12 23:26 sendmail-notification.sh
-rwxr-xr-x 1 root root 480 Aug 12 23:26 sendmail-notification-successful.sh

do you know what could be wrong ?

hi,
i trying to setup LE on a zimbra 8.8.6_GA_1906.FOSS with multiple domains but i have this error after configured [using the multi domains config array like your example]

Failed authorization procedure.
mx.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mx.domain.com/.well-known/acme-challenge/ObVmkGOBaUT2Og1R8hwdh5uy32MaFVbjeFsl-OdPSxQ: Timeout,
webmail.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.domain.com/.well-known/acme-challenge/BBDfrZRUkSpgJE-mPLqKTII1J5oKPdSb0zCg7dvJPUc: Timeout,
webmail.anotherdomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.anotherdomain.net/.well-known/acme-challenge/kvGtm5-UEE00PvvosIQQhR_exOiFb8DJQcm0HBbzohY: Timeout

And after that a recap about all this errors.
I have A record on dns, and configured my zimbra during installation to serve webmail on https
so nothing running on port 80

any hints? i'm doing something wrong or maybe incompatibilities due to different version?

ps: well... i try with one domain instead than multidomains and i have the same type of error.

thanks, regards

Dear,
Today (1-Oct-2021), our users report that Kaspersky antivirus software blocks them accessing the zimbra webmail because of "This certificate cannot be verified up to a trusted certification authority".
Our letsencrypt cert is issued by ISRG Root X1 / R3 and valid from 01-Oct-2021 to 30-Dec-2021

Best regards,
Minh.

OK, I did this:

1. first I installed https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate on 8.7 with
   ./letsencrypt-auto certonly --standalone -d hostname.domain -d webmail.domain
   and it's working, although I'm not sure this is correct configuration per:
   zmcertmgr viewdeployedcrt

   subject= /CN=hostname.domain
   issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   SubjectAltName=hostname.domain, webmail.domain
   

   Here, actual mail addresses used are different from those 2, it's mail1.domain and mail2.domain.

2. when I tried to use, with 8.7 dev branch:
   ./obtain-and-deploy-letsencrypt-cert.sh hostname.domain webmail.domain
   I got errors:

   Unable to start TLS: hostname verification failed when connecting to ldap master.
   obtain-and-deploy-letsencrypt-cert.sh[err]:  Restarting zimbra failed.
   

   I see it's some frequent error, I guess it's about those domain names.

3. in order to test, I used --staging in script per #3 but since I have certificates it's of no use without --break-my-certs

4. with --staging or with --standalone, when I commented --non-interactive --quiet --agree-tos \ to get feedback:

   1. I was again asked for domains, is it OK?

      Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel)
      

      if OK, maybe it should be explained - but I'm afraid those 2 domains are not used, although #12 confirms we can use them and I guess #2 is obsolete now.

   2. I got this, why? And why I wasn't asked for email?

      ./obtain-and-deploy-letsencrypt-cert.sh: line 258: --email: command not found
      

I see there are other issues, some of this may be duplicate, but it's more appropriate to write all here then to comment on other issues.

Hi, I also installed snap 1.20 and the last script for getting the certificates, but I had to rename the script from obtain-and-deploy-letsencrypt-cert.sh to letsencrypt-zimbra.sh
I also symlinked the old name to the new one, but of course it didn't work.

Every night the certbot runs and fails like this:

obtain-and-deploy-letsencrypt-cert.sh: warning: You are using deprecated script name, change it to 'letsencrypt-zimbra.sh'

I have tried to find the cron that runs it, but somehow there is no cron line.
Any ideas?
Thanks!

Originally posted by @dhcmega in #74 (comment)

• Ship service unit
• Ship timer unit
• Don't use service zimbra start but su -c "'zmcontrol start zimbra'" - "$zimbra_user"¹
• Change cron to letsencrypt-zimbra script (via PR)

Service Unit:

    [Unit]
    Description=Obtain and deploy Letsencrypt certs for Zimbra
    
    [Service]
    Type=oneshot
    ExecStart=/root/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh 

Timer Unit:

    [Unit]
    Description=Timer for Letzencrypt Zimbra script
    
    [Timer]
    OnCalendar=*-*-1 3:00
    
    [Install]
    WantedBy=basic.target

1: On Ubuntu 16.04 using systemctl or service (which invokes systemctl for compatibility reasons) you will be asked for a password. Which does not work with an unattended script. And because zimbra does not support systemd at the moment there is no official service file. Afaik zmcontrol is the "official" method to use when starting and stopping zimbra.

These are suggestions i welcome improvements.

I have added more domains to my server (virtual hosts). It's a Zimbra email server community version. When I ran the script the other day it made a single cert that was good for both domains.

Example:
zimbra.domain1.com
zimbra.domain2.com

When I added my new domains I tried to run the script:

/usr/bin/certbot renew --pre-hook "/var/ftp/git/zimbra-auto-letsencrypt/certbot_zimbra.sh -p" --renew-hook "/var/ftp/git/zimbra-auto-letsencrypt/certbot_zimbra.sh -r"

...and it gives me this "error":

he following certs are not due for renewal yet:

/etc/letsencrypt/live/zimbra.domain1.com/fullchain.pem expires on 2019-03-02 (skipped)
No renewals were attempted.
No hooks were run.

How can I force it to renew so it will look; as it seemingly does, to include my additional domains even though it won't expire for another 3 months?

Oh, I also tried putting the "-f" in there but not sure where to put it nor does it seem to work, I get the same feedback about it not being ready for renewal.

Thanks!

Hi
letsencrypt stop ACME TLS-SNI-01 at on February 13th, 2019
how to change ACME challenge TLS-SNI-01 to HTTP-01, TLS-ALPN-01?
i try to add yours --standalone \ --preferred-challenges http
and still Failed authorization procedure. mail.domain.net (http-01)

Thank a lot
Best Regard

For multiple domain still having problems with multiple certificate

Not /opt/zimbra/postfix/sbin/sendmail but /opt/zimbra/common/sbin/sendmail.

line, second occurrence.