Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Well I thought I was good to go but now when I manually try to renew (5 days early) I get the error: Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: response does not complete challenge","status": 404}. Any idea what I should do to resolve this? How can I try your (new) script without wrecking my existing Zimbra install?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Looks like the acme.sh DNS method wants you to re-verify.

My new script that is in github is decoupled from the certificate process...meaning you run acme.sh until you get your certs. There are a few ways to run the acme.sh script without taking down zimbra while you learn and/or verify you got your new certs. Running acme.sh will not mess with your zimbra installation. It will get a new certification but needs to verify you have authority first. DNS was one method... otherwise, it can run as a web server to handle the verification process.

For example, on one of my machines because I don't run zimbra (ie. nginx) on port 80 and just 443, I experimented with this standalone verification method instead of DNS that I initially used without taking down zimbra.

So if you have nothing running on port 80 with your zimbra install

Code:

netstat -tln | grep ':80 '    # only TCP listeners on port 80; empty output means the port is free

... then you don't need to do anything with zimbra and can issue the acme.sh syntax below... but if you do have nginx running, you could stop it really quickly... see this link:
https://github.com/JimDunphy/deploy-zim ... ngleServer

Or continue to do the DNS method with acme.sh to get your new certs.

Continuing... Here is what I did for the port 80 case where nginx was not listening on port 80. Remember to run acme.sh as root since it needs to bind to port 80 for the letsencrypt verification process.

Code:

su -
acme.sh --force --issue --standalone -d mail.example.com -d mail.example.net
then if the certs looked good... I verified the permissions and used my new script from: https://github.com/JimDunphy/deploy-zim ... encrypt.sh which then copies the CERTS to a new location which is really just to verify the permissions. :-)

By default the script prompts/stops at each stage to allow you to verify it's going as planned... So I just look and hit enter on my keyboard to move to the next step. If the script can't copy any files because of permissions, you will see the errors so don't hit return. ;-) Fix the permissions and start the deploy script again... :-) PS. You will probably need to modify $min if the zimbra verification doesn't think it's time to renew... just make it large like min=90 and it should work.
myriad

Re: Another Letsencrypt method

Post by myriad »

Thanks for the quick reply Jim. So should I just re-install acme using your 'deploy-zimbra-letsencrypt.sh' method and re-create new certificates? I originally created everything using the original blog post before you had created your script. Also, your deploy-zimbra-letsencrypt.sh won't run at all. When I execute it, it returns nothing.
JDunphy

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote: So should I just re-install acme using your 'deploy-zimbra-letsencrypt.sh' method and re-create new certificates? I originally created everything using the original blog post before you had created your script.
You should already have acme.sh installed. Look inside ~/.acme.sh to see your files... My original script or that original post invoked acme.sh after you installed it.

You can run the acme.sh script from the user you installed it with originally. The only exception is if you use one of the other verification methods that needs to run as root because of the privileged port < 1024 issue in unix (i.e. standalone).

My new script will look for that ~/.acme.sh/$domain location your certs were installed in and copy the certs before trying to deploy it. This new script initially requires you change 1-2 variables which is documented in the github page and in the script... ie. need to change the user so it can figure out the home directory and locate the .acme.sh directory. You also need to set the 'domain variable'.

Note: it doesn't matter that you used the DNS method the first time and now want to use the standalone method, etc.

PS. You could also follow the original instructions after you get a working cert verified.. meaning start at this part in the original post.

Code:

acme.sh --issue --dns -d mail.example.com -d mail.example.net -d mail.example.org -d tmail.example.com

The new script requires you to invoke acme.sh manually. The entire zimbra install process for both old/new methods once you have a valid CERT is:

Code:

/opt/zimbra/bin/zmcertmgr verifycrt comm $domain.key $domain.cer fullchain.cer
cp $domain.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm $domain.cer fullchain.cer
zmcontrol restart
where $domain=mail.example.com and fullchain.cer contains the IdentTrust.pem

So I hope I am not making this more confusing.

Jim
JDunphy

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote: Also, your deploy-zimbra-letsencrypt.sh won't run at all. when I execute it it returns nothing.
Thought I would answer part 2 of your question. Full link and instructions are here:
https://github.com/JimDunphy/deploy-zim ... encrypt.sh
That new script needs you to set a few variables before it will run.

Look for this inside the script:

Code:

domain="mail.example.com"
user="/home/YourName" # ~user/.acme.sh --- owner that runs acme.sh
# verbose output
d=1  # change to 0 if run from cron
exit # comment this out after adjusting the top two values
You need to comment out the exit.
myriad

Re: Another Letsencrypt method

Post by myriad »

Right. The 'exit'! Missed that. So my last question is does the script not do the certificate install or do I have to do it manually per the 2nd to last post?

OK. Got it going with a few errors:

Code:

/bin/cp: cannot create directory './.acme.sh': Permission denied
 /opt/letsencrypt/deploy-zimbra-letsencrypt.sh: line 108: fullchain.cer: Permission denied
** Verifying 'zmail.myriad.ca.cer' against 'zmail.myriad.ca.key'
Certificate 'zmail.myriad.ca.cer' and private key 'zmail.myriad.ca.key' match.
** Verifying 'zmail.myriad.ca.cer' against 'fullchain.cer'
ERROR: Unable to validate certificate chain: zmail.myriad.ca.cer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate cert did not verify  
Last edited by myriad on Thu Apr 27, 2017 7:06 pm, edited 1 time in total.
JDunphy

Re: Another Letsencrypt method

Post by JDunphy »

OK. Got it going with a few errors:
* /bin/cp: cannot create directory './.acme.sh': Permission denied
* /opt/letsencrypt/deploy-zimbra-letsencrypt.sh: line 108: fullchain.cer: Permission denied
Looks like you are going off script a bit...

Make sure that the following conditions are met.
1) run deploy-zimbra-letsencrypt.sh as the zimbra user for 8.7+
2) zimbra user has read permission for all files in ~/.acme.sh
3) you are running deploy-zimbra-letsencrypt.sh in a different directory than ~/.acme.sh because it wants to copy the files and work on them.

It kind of looks like you ran deploy-zimbra-letsencrypt.sh from a directory that zimbra doesn't have write permission.

line 108 needs to do this with its copy of the fullchain.cer as the zimbra user.

Code:

# append IdentTrust CA
cat << EOF >> fullchain.cer
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
...
-----END CERTIFICATE-----
EOF
myriad

Re: Another Letsencrypt method

Post by myriad »

I am using 8.7.0. The .acme.sh directory inside the /opt/letsencrypt directory is owned by root but has 755 permissions.
JDunphy

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote:I am using 8.7.0. The .acme.sh directory inside the /opt/letsencrypt directory is owned by root but has 755 permissions.
Needs to be owned by zimbra so it can write. You are close.

Reference: https://github.com/JimDunphy/deploy-zim ... encrypt.sh

As zimbra user:

su - zimbra
git clone https://github.com/JimDunphy/deploy-zim ... ypt.sh.git /tmp/letsencrypt

As root:

su -
mv /tmp/letsencrypt /opt/
chown zimbra /opt/letsencrypt
exit

Like most things, it's pretty simple once you know how and have done it a few times. :-)
Last edited by JDunphy on Wed Apr 26, 2017 11:44 pm, edited 1 time in total.
myriad

Re: Another Letsencrypt method

Post by myriad »

I can taste it! It works, verifies OK and returns: Valid certificate chain: zmail.myriad.ca.cer: OK..Observe ... did it verify - Hit Enter to Continue? But at the top there is an error: '/bin/cp: cannot create directory './.acme.sh': Permission denied
Check permissions: CERT cp failed for /home/rick/.acme.sh', so I am afraid to press OK. My line in the script is: user="/home/rick" # ~user/.acme.sh --- owner that runs acme.sh (my user name is rick).

Also, in your script you wrote: "Renewal: Decide how you want to repeat step above. Can be scp/cp or see extra script I use via cron." Where is that script?