Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

You are moments away. :-) And yes you want to stop until the permissions are fixed.

What is your working directory? i.e. pwd? This is how I use it.

Code:

su - zimbra
cd /opt/letsencrypt
./deploy-zimbra-letsencrypt.sh
Provided that /opt/letsencrypt is owned by zimbra and there are no directories inside that are not owned by root, etc.
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

/opt/letsencrypt is owned by zimbra 755. I am su - to zimbra from root 'cause I can't su from rick as it asks for a PW.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

There is an error: '/bin/cp: cannot create directory './.acme.sh': Permission denied'
My guess is you have .acme.sh owned by root in /opt/letsencrypt

Here is what mine looks like:

Code:

cd /opt/letsencrypt
% ls -al
total 28
drwxr-xr-x 3 zimbra root   4096 Apr  2 18:15 .
drwxr-xr-x 6 root   root   4096 Feb 17 18:40 ..
drwxr-x--- 7 zimbra zimbra 4096 Apr  2 18:06 .acme.sh
-rwxr-x--- 1 zimbra zimbra 5260 Feb 17 18:43 deploy-zimbra-letsencrypt.sh
If you ran as root even one time, then

Code:

chown -R zimbra /opt/letsencrypt


should fix the problem and get rid of that error.

This is because the script does this.

Code:

/bin/cp -rf $user/.acme.sh .
if [ $? == 1 ]; then
   say "Check permissions: CERT cp failed for $user/.acme.sh"
fi
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

I have:

Code:

root@zmail:/opt# pwd
/opt

Code:

root@zmail:~# cd /opt/letsencrypt
root@zmail:/opt/letsencrypt# ls -al
total 40
drwxr-x--- 5 zimbra zimbra 4096 Apr 26 18:18 .
drwxr-xr-x 5 root   root   4096 Apr 26 16:34 ..
drwxr-xr-x 8 zimbra zimbra 4096 Apr 26 18:18 .acme.sh
-rwxr-x--x 1 zimbra zimbra 5308 Apr 26 18:13 deploy-zimbra-letsencrypt.sh
drwxr-x--- 8 zimbra zimbra 4096 Apr 26 16:33 .git
-rwxr-xr-x 1 zimbra zimbra   23 Apr 26 16:50 hello.sh
-rw-r----- 1 zimbra zimbra 6259 Apr 26 16:33 README.MD
drwxr-x--- 3 zimbra zimbra 4096 Apr 26 16:33 Recipies


UPDATE: It works!!! I think it was this:

Code:

su - zimbra
cd /opt/letsencrypt
./deploy-zimbra-letsencrypt.sh
I was calling the script like this:

Code:

/opt/letsencrypt/deploy-zimbra-letsencrypt.sh
Now I just have to put all this together so that I can automate it through various cron jobs. One last question (I promise), if I have multiple domains on the same server do I need multiple 'deploy' scripts for each domain?
Thank you again - you are one patient guy for putting up with me!
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Strange. The script is trying to copy your .acme.sh files, so it needs read permission and it needs write permission in /opt/letsencrypt for zimbra.

So if you can't do this, it won't work well.

Code:

su - zimbra
cd /opt/letsencrypt
/bin/cp -rf $user/.acme.sh .
I would look at $user/.acme.sh and /opt/letsencrypt/.acme.sh to verify

Hint:

Code:

su - zimbra
find /home/rick/.acme.sh ! -readable
# and
find /opt/letsencrypt ! -writable
The problem is that zmcertmgr can fail if you don't have all your permissions correct, even though the cert validated, because of this issue: bug 107454 ... That is why I went with a cp -rf to brute force the permission problem in the hopes of avoiding that condition given various umask settings.
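A preflight for the copy step described above (cp -rf of $user/.acme.sh into /opt/letsencrypt as zimbra), added here as an example; it is not part of the deploy script from this thread, the function names are its own, and the ! -readable / ! -writable tests are GNU find.

```shell
# Preflight for the copy step in the deploy script: cp -rf $user/.acme.sh into
# /opt/letsencrypt must be able to read every file under the source and write
# into the destination as the zimbra user. Function names are this example's own.
# Usage: acme_preflight SRC_ACME_DIR DEST_DIR
# Prints each problem to stderr; returns 0 only if the copy can succeed.
acme_preflight() {
    src="$1"
    dest="$2"
    bad=0

    if [ ! -d "$src" ]; then
        echo "missing source directory: $src" >&2
        return 2
    fi
    if [ ! -d "$dest" ] || [ ! -w "$dest" ]; then
        echo "destination is not a writable directory: $dest" >&2
        bad=1
    fi

    # Anything under the source this user cannot read makes cp fail part way
    # (same test as the find ... ! -readable hint; GNU find).
    unreadable=$(find "$src" ! -readable 2>/dev/null || true)
    if [ -n "$unreadable" ]; then
        printf 'not readable:\n%s\n' "$unreadable" >&2
        bad=1
    fi

    # A run as root leaves a root-owned .acme.sh behind in the destination;
    # cp then cannot replace files inside it ("cannot create directory ./.acme.sh").
    if [ -e "$dest/.acme.sh" ]; then
        unwritable=$(find "$dest/.acme.sh" ! -writable 2>/dev/null || true)
        if [ -n "$unwritable" ]; then
            printf 'not writable (chown -R zimbra needed?):\n%s\n' "$unwritable" >&2
            bad=1
        fi
    fi
    return $bad
}

# The copy itself, testing the command's status directly rather than $? afterwards.
# Usage: acme_copy SRC_ACME_DIR DEST_DIR
acme_copy() {
    acme_preflight "$1" "$2" || return 1
    cp -rf "$1" "$2"/ || { echo "Check permissions: cp failed for $1" >&2; return 1; }
}
```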
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Well my primary domain works but my other domains show up as:

Code:

zmail.watermarkpromo.com uses an invalid security certificate. The certificate is only valid for zmail.myriad.ca Error code: SSL_ERROR_BAD_CERT_DOMAIN
I don't know why that is. I generated certs with the -d for all the other domains?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote: Now I just have to put all this together so that I can automate it through various cron jobs. One last question (I promise), if I have multiple domains on the same server do I need multiple 'deploy' scripts for each domain?
I missed your posting where you appear to have it working and were asking for multiple domain names. You do the multiple domains like this:

Code:

acme.sh --issue --standalone  -d domain1 -d domain2 -d domain3 ...
or
acme.sh --issue --dns -d mail.example.com -d  mail.example.net -d ...
or
...
Look inside ~/.acme.sh to see the domain directory. That was the first -d domain so use that as the first argument to -d. It generally is your zmhostname.

Now to answer your question. Just the one deploy script does it all. acme.sh doesn't really work with multiple domain directories inside .acme.sh, which is why we do the -d domain -d domain -d domain.

Note: This behavior can be a problem if you have a staging server that represents multiple zimbra/client servers... you need to move that domain directory outside of .acme.sh or have multiple .acme.sh directories on that staging server representing those different customers' cases. I have a use case where I create all the certs on one staging server and then push the .acme.sh directory to the remote servers. The deploy script fires off every night and if it's time, it will install the new cert... If it's still $min days before expiration, it just exits. That is why this is in the script.

Code:

# Step 0 - verify if it's time
/opt/zimbra/bin/zmcertmgr checkcrtexpiration -days $min > /dev/null
if [ $? == 0 ]; then
    say "not time yet to renew"
    exit 0
fi
acme.sh can also be run nightly and will only update when it's time... otherwise you need to use the --force option. Until you trust this stuff, I would automate the acme.sh in cron and then do a few manual installations with the deploy script, walking through the process to verify it works and installs.... At some point, when you trust the deploy script, you change the variable d=0 and add it to cron. That d=0 turns off the debugging/verbose mode that requires a c/r at each stage.
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Well. I did generate the certs correctly (using the -d option) as it worked before when I did the manual install. But now all the other domains show up as untrusted with the message: 'The certificate is only valid for zmail.myriad.ca'. In my .acme.sh directory I notice there are folders for all the other domains (3 domains), but they don't seem to be installing correctly. Though I notice that the other domains are missing a .cer file as I get the message:

Code:

** Verifying 'zmail.watermarkpromo.com.cer' against 'zmail.watermarkpromo.com.key'
ERROR: Can't read file 'zmail.watermarkpromo.com.cer'
cert did not verify


Plus, reading your how-to, I think I have too many domain directories in my .acme.sh file:

Code:

root@zmail:/home/rick/.acme.sh# ls
account.conf  acme.sh.env  deploy  http.header      zmail.stephenleacock.ca
acme.sh       ca           dnsapi  zmail.myriad.ca  zmail.watermarkpromo.com
Shouldn't all the certs be in the one FQDN folder (zmail.myriad.ca)?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote: Plus, reading your how-to, I think I have too many domain directories in my .acme.sh file:

Code:

root@zmail:/home/rick/.acme.sh# ls
account.conf  acme.sh.env  deploy  http.header      zmail.stephenleacock.ca
acme.sh       ca           dnsapi  zmail.myriad.ca  zmail.watermarkpromo.com
Shouldn't all the certs be in the one FQDN folder (zmail.myriad.ca)?
Interesting.

Yes, I only have 1 domain name in the .acme.sh folder. I used the -d option with the different domains because the same certificate can contain several different names using the Subject Alternative Name (SAN) mechanism, which is what we are doing with the -d option.

That means if I was going to generate your certs, I would do it this way assuming zmail.myriad.ca is my zmhostname.

Code:

acme.sh --issue --dns -d zmail.myriad.ca -d zmail.stephenleacock.ca -d mail.watermarkpromo.com -d mail.example.com -d ...
The problem with my method is that it wants a domain name directory to install from. More specifically, in both the original post and the newer post I do this:

Code:

cd /opt/letsencrypt/.acme.sh/$domain/
cp $domain.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
If it worked before, what was that commercial.key? It would be the last domain directory you installed from so probably not what you wanted. The Subject Alternative Name (SAN) mechanism will work fine for multiple domain names. There is really no difference between the new script and the old method other than the acme.sh part being removed and automating the IdentTrust.pem stuff. If you are invoking the acme.sh the same way each time... the first -d will create the domain name in .acme.sh ... If you are doing this:

Code:

acme.sh --issue --dns -d zmail.stephenleacock.ca -d stephenleacock.ca
acme.sh --issue --dns -d zmail.myriad.ca -d myriad.ca
acme.sh --issue --dns -d mail.watermarkpromo.com -d watermarkpromo.com -d ...
That would generate 3 directories inside .acme.sh directory. Similarly, specifying all the domains with one invocation of acme.sh but using a different first -d domain over time could create that environment... the problem is the last domain key will be installed as the commercial.key when you finally go to install it. If that worked before, running the deploy script 3 times changing the domain each time would give you the same results which doesn't seem like it really is what you want.

If you really do need multiple domains, perhaps this link might help. https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS first introduced in 8.7. I haven't used this as referencing my zimbra instances with different name and domains works fine with the other way.
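The three things this thread turns on, as one pre-deploy check: every hostname passed with -d is present in the single SAN certificate, the .cer actually belongs to the .key the deploy script copies to commercial.key (the check behind the "cert did not verify" message), and the $min-days gate from Step 0 of the script. This is an added example, not the deploy script or acme.sh itself; it uses openssl in place of zmcertmgr, the function names are its own, and the paths and hostnames in the usage comments are assumptions.

```shell
# Pre-deploy checks on the files acme.sh leaves in its first "-d" directory.
# Requires openssl; function names are this example's own, paths are assumed.

# Return 0 if every hostname after CERT is in the certificate's SAN list.
# Usage: cert_covers /opt/letsencrypt/.acme.sh/$domain/$domain.cer zmail.example.com mail.example.net
cert_covers() {
    cert="$1"; shift
    # openssl -text prints the SAN entries on the line after the header
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | sed -n '/Subject Alternative Name/{n;p;}' \
           | tr ',' '\n' | sed 's/^ *DNS://')
    missing=0
    for h in "$@"; do
        echo "$sans" | grep -qxF "$h" || { echo "not in SAN: $h" >&2; missing=1; }
    done
    return $missing
}

# Return 0 if KEY is the private key for CERT, the relationship the deploy
# script's "Verifying '$domain.cer' against '$domain.key'" step checks.
# Usage: cert_matches_key $domain.cer $domain.key
cert_matches_key() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 1; }
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    # compare the SubjectPublicKeyInfo PEM derived from each side
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Return 0 while CERT stays valid for at least DAYS more days, mirroring
# "zmcertmgr checkcrtexpiration -days $min" (0 = not time yet to renew).
# Usage: cert_valid_for_days $domain.cer 30
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```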
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Ok, thanks for the helpful info. I think I will try deleting those folders and generating the certificates again from scratch so that I have 1 folder per server. Will I be allowed to replace the certs before expiry?