Another Letsencrypt method

JDunphy
Outstanding Member
Posts: 258
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64_201

Re: Another Letsencrypt method

Postby JDunphy » Mon Aug 06, 2018 9:13 pm

yvespires wrote: All good now; the problem was my ISPConfig master/slave DNS servers not working/reloading zone changes properly.

Awesome. Thanks for letting me know the proper fix.


yvespires
Posts: 8
Joined: Tue Jan 03, 2017 1:15 pm

Re: Another Letsencrypt method

Postby yvespires » Tue Aug 07, 2018 6:24 pm

OK, so I have my Zimbra lab server (Ubuntu 16.04.1 with Zimbra 8.8.9.GA.2055.UBUNTU16.64 UBUNTU16_64 FOSS edition) running. I requested a wildcard cert with the acme.sh script using the DNS API automatic challenge, following this wiki: https://wiki.zimbra.com/wiki/index.php?curid=2441. Not a single error, very smooth. :D

But I have 3 questions:

1- Does the acme.sh script only handle cert issue and renew? I see it added the crontab job 31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null, so the cert will renew every 30 days, but do I have to install it manually, copy it to the Zimbra folder and stop/start services?

2- I have a wildcard cert installed (*.yvespires.ml); can I request/install multiple wildcard certs on the same server?

Say I need to request more wildcard certs for my clients; what command should I run?

This:

acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient2.com'


Or this:

acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com' -d '*.zimbraclient2.com'


3 - Kinda answering my first question: your script https://github.com/JimDunphy/deploy-zim ... encrypt.sh deals with the Zimbra cert installation, right? Does it work with multiple wildcard certs?

Editing the script's domain variable only allows one domain?

min=60 #days for CERT expire before will load new certificate. Make large for testing (ie. 10000)
domain="mail.example.com"
user="/home/YourName" # ~user/.acme.sh --- owner that runs acme.sh
# verbose output
d=1 # change to 0 if run from cron
exit # comment this out after adjusting the top two values

Re: Another Letsencrypt method

Postby JDunphy » Tue Aug 07, 2018 7:40 pm

yvespires wrote: But I have 3 questions:

1- Does the acme.sh script only handle cert issue and renew? I see it added the crontab job 31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null, so the cert will renew every 30 days, but do I have to install it manually, copy it to the Zimbra folder and stop/start services?

It won't, because the renewal is 60 days, I believe, before acme.sh would ask for a renewal. It just checks if it would be time, unless you specify --force. It should use the same method you initially did. I tend to have my 1-liner added myself, so I have never used that --cron --home entry. ... so that entry is running every day to check if it's time, and if it isn't time it will exit.
yvespires wrote: 2- I have a wildcard cert installed (*.yvespires.ml); can I request/install multiple wildcard certs on the same server?

Say I need to request more wildcard certs for my clients; what command should I run?

This:

acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient2.com'


Or this:

acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com' -d '*.zimbraclient2.com'


I am not sure how that syntax would work. This would be my guess.


acme.sh --issue --dns dns_ispconfig -d mail.example.com -d '*.example.com' -d '*.example.net'

You need that first -d mail.example.com because that is the directory for the cert and used in the file name of the certificate.

yvespires wrote: 3 - Kinda answering my first question: your script https://github.com/JimDunphy/deploy-zim ... encrypt.sh deals with the Zimbra cert installation, right? Does it work with multiple wildcard certs?

Editing the script's domain variable only allows one domain?

min=60 #days for CERT expire before will load new certificate. Make large for testing (ie. 10000)
domain="mail.example.com"
user="/home/YourName" # ~user/.acme.sh --- owner that runs acme.sh
# verbose output
d=1 # change to 0 if run from cron
exit # comment this out after adjusting the top two values

Those extra -d domains are specified as alternative names in the certificate, which is just one certificate, so that script would work with your wildcard certificate. That is why I believe you would need that -d mail.example.com when you specify the extra wildcards above. Wildcards are new to Let's Encrypt, so I have limited experience with them. I would be curious to know also if that syntax above would handle multiple wildcards per certificate. From Let's Encrypt, they claim there can be up to 100 wildcards per certificate. https://community.letsencrypt.org/t/multiple-wildcard/58205
There is limited support in Zimbra if you want multiple domains but there are enough bugs against it with imaps/pops that I chose to do it with only one certificate. This is the wiki https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS to explain how that might work if that is what you want. BTW, if you wanted SNI, then you would issue multiple certificates and my script would not handle that.

Re: Another Letsencrypt method

Postby yvespires » Tue Aug 07, 2018 7:58 pm

JDunphy wrote: You need that first -d mail.example.com because that is the directory for the cert and used in the file name of the certificate.


I tried that and got an error:

Domain name \"mx.yvespires.ml\" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.","status": 400}


root@mx:~# acme.sh --issue --dns dns_ispconfig -d mx.yvespires.ml -d '*.yvespires.ml'
[Tue Aug 7 14:14:30 BRT 2018] Registering account
[Tue Aug 7 14:14:31 BRT 2018] Registered
[Tue Aug 7 14:14:31 BRT 2018] ACCOUNT_THUMBPRINT='oXM6Jz9yLbR-BkuBRiQ'
[Tue Aug 7 14:14:31 BRT 2018] Creating domain key
[Tue Aug 7 14:14:31 BRT 2018] The domain key is here: /root/.acme.sh/mx.yvespires.ml/mx.yvespires.ml.key
[Tue Aug 7 14:14:31 BRT 2018] Multi domain='DNS:mx.yvespires.ml,DNS:*.yvespires.ml'
[Tue Aug 7 14:14:31 BRT 2018] Getting domain auth token for each domain
[Tue Aug 7 14:14:32 BRT 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Error creating new order :: Domain name \"mx.yvespires.ml\" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.","status": 400}
[Tue Aug 7 14:14:32 BRT 2018] Please add '--debug' or '--log' to check more details.
[Tue Aug 7 14:14:32 BRT 2018] See: https://github.com/Neilpang/acme.sh/wik ... ug-acme.sh


acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml'
works fine


JDunphy wrote: Those extra -d domains are specified as alternative names in the certificate, which is just one certificate, so that script would work with your wildcard certificate. That is why I believe you would need that -d mail.example.com when you specify the extra wildcards above. Wildcards are new to Let's Encrypt, so I have limited experience with them. I would be curious to know also if that syntax above would handle multiple wildcards per certificate. From Let's Encrypt, they claim there can be up to 100 wildcards per certificate. https://community.letsencrypt.org/t/multiple-wildcard/58205
There is limited support in Zimbra if you want multiple domains but there are enough bugs against it with imaps/pops that I chose to do it with only one certificate. This is the wiki https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS to explain how that might work if that is what you want. BTW, if you wanted SNI, then you would issue multiple certificates and my script would not handle that.


That clears it up: one certificate to rule them all.

Something like this: acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml' -d '*.zimbraclient1.com' -d '*.zimbraclient2.com' -d '*.zimbraclient3.com' -d '*.zimbraclient4.com' -d '*.zimbraclient5.com' -d '*.zimbraclient4.com' ... -d '*.zimbraclient40.com' -d '*.zimbraclient60.com' ...


Should work?

I'll run some tests and report back.

Thanks.
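Added example, not part of acme.sh or of the deploy script discussed in this thread: a pre-flight check for the -d list before running acme.sh --issue. It catches the two problems visible in this exchange: a hostname listed next to the wildcard that already covers it (the "redundant with a wildcard domain in the same request" rejection above), and the same name listed twice (the long command above repeats *.zimbraclient4.com). The name list used at the end is constructed from the thread.

```shell
#!/bin/sh
# check_san_list NAME... : report problems in a planned acme.sh -d list.
# Prints one line per problem; returns 0 when the list is clean, 1 otherwise.
# Hypothetical helper written for this thread; not an acme.sh feature.
check_san_list() {
    rc=0

    # 1. The same name listed twice (e.g. '*.zimbraclient4.com' twice in the post above).
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "$dups" | sed 's/^/duplicate: /'
        rc=1
    fi

    # 2. A hostname exactly one label below a wildcard in the same request, e.g.
    #    mx.yvespires.ml next to *.yvespires.ml. The CA rejected this order above as
    #    "redundant with a wildcard domain in the same request". The bare apex
    #    (yvespires.ml) and deeper names (a.b.yvespires.ml) are NOT covered by *.yvespires.ml,
    #    so they are not flagged.
    for wc in "$@"; do
        case "$wc" in
            \*.*) parent="${wc#\*.}" ;;   # strip the leading "*." to get the covered zone
            *) continue ;;
        esac
        for name in "$@"; do
            case "$name" in \*.*) continue ;; esac    # wildcards are not checked against each other
            label="${name%%.*}"
            rest="${name#*.}"
            # A name is redundant when it has a dot and everything after its first label
            # equals the wildcard's zone.
            if [ "$label" != "$name" ] && [ "$rest" = "$parent" ]; then
                echo "redundant: $name is covered by $wc"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed demo list based on the commands in this thread: flags mx.yvespires.ml and the
# repeated wildcard, then stops short of issuing anything.
check_san_list mx.yvespires.ml '*.yvespires.ml' '*.zimbraclient4.com' '*.zimbraclient4.com' \
    || echo "fix the -d list before running acme.sh --issue"
```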
