Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
JDunphy
Outstanding Member
Posts: 355
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64.P10

Re: Another Letsencrypt method

Postby JDunphy » Sun Nov 04, 2018 1:55 pm

I was able to test this a little more and while the script works perfectly for installation it fails to reload the ldap certificate and gives a false sense that everything worked perfectly. As a result, at some point in the future that running ldap process will have an expired certificate. That causes a lot of side effects with stop/restarts/status etc. If you restart zimbra or reboot your hosts before the expiration then one might not notice this because the updated cert would have been reloaded. I have updated the wiki to reflect this code change. Too bad, because restarting/reloading did shave a little time off the outage to update the certificate.

Note: Given how badly an expired ldap certificate behaves in this failure mode, I am going with the full restart vs finessing the addition of an ldap restart/reload to those other 3 restart/reloads myself.
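
Editor's note with an added example (not part of JDunphy's post, and not Zimbra or acme.sh code): a check for the failure mode above, a service that still presents its old certificate after the files on disk were replaced. It fetches the leaf certificate each listener actually serves with openssl s_client, compares its SHA-256 fingerprint with the on-disk certificate, and reports the days left on the file, so a silent reload failure shows up as STALE right after the deploy instead of as an outage weeks later. The Zimbra paths, the ports, and STARTTLS on 389 and 25 are assumptions to adjust for your install; -starttls ldap needs OpenSSL 1.1.1 or later.

```bash
#!/bin/bash
# Added example (editor's, not from the thread): compare what a live TLS
# listener serves with the certificate on disk, so a process that kept its
# old certificate in memory (the LDAP case above) is caught before it expires.
#
# Assumed Zimbra layout, adjust to your install:
#   LDAP   : /opt/zimbra/conf/slapd.crt, port 389 with STARTTLS
#   others : /opt/zimbra/ssl/zimbra/server/server.crt, 443 (web), 25 (smtp, STARTTLS)
# Needs the openssl command line tool (1.1.1+ for -starttls ldap) and GNU date.

# SHA-256 fingerprint of a PEM certificate file.
fp_of_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a listener presents.
# $3 is an optional STARTTLS protocol as understood by openssl s_client
# (ldap, smtp, imap, pop3, ...); leave it empty for implicit-TLS ports.
fp_of_service() {
  host=$1; port=$2; starttls=$3
  if [ -n "$starttls" ]; then
    pem=$(openssl s_client -connect "$host:$port" -starttls "$starttls" </dev/null 2>/dev/null)
  else
    pem=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
  fi
  printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Whole days until the certificate in file $1 expires (negative once expired).
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Check one listener; prints a status line, returns 0 on match, 1 on mismatch.
check_listener() {
  name=$1; file=$2; host=$3; port=$4; starttls=$5
  want=$(fp_of_file "$file")
  got=$(fp_of_service "$host" "$port" "$starttls")
  if [ -n "$got" ] && [ "$got" = "$want" ]; then
    echo "OK     $name $host:$port serves $file, $(days_left "$file") days left"
    return 0
  fi
  echo "STALE  $name $host:$port serves ${got:-nothing}, disk has $want (restart needed)"
  return 1
}

# Stand-alone use: ./cert-check.sh mail.example.com
# Run it after every deploy; a non-zero exit means a service still needs a restart.
if [ $# -ge 1 ]; then
  h=$1; rc=0
  check_listener ldap "/opt/zimbra/conf/slapd.crt" "$h" 389 ldap || rc=1
  check_listener web  "/opt/zimbra/ssl/zimbra/server/server.crt" "$h" 443 ""   || rc=1
  check_listener smtp "/opt/zimbra/ssl/zimbra/server/server.crt" "$h" 25  smtp || rc=1
  exit $rc
fi
```

The comparison is on the served leaf only, which is enough here: a reload failure keeps the whole old chain in memory, and the fingerprint changes on every renewal.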



Postby JDunphy » Thu Jan 31, 2019 3:50 pm

FYI - reminder if anyone is doing TLS-SNI-01 validation instead of the other methods such as DNS, HTTP, etc. that it is deprecated. Here is the official wording:

Let’s Encrypt soon will disable support for the TLS-SNI-01 domain validation method in the ACME protocol. In January of last year, a vulnerability in TLS-SNI-01 was discovered by Frans Rosén from Detectify. The deprecation will likely cause problems for users of some stable Linux distributions.

TLS-SNI-01 requires a user to temporarily serve a certificate with a special, invalid domain name via the TLS SNI extension. However, under many cloud providers' settings, it's possible for users to exploit this scenario and get positive validation for domains hosted by other users at the same cloud provider. This affected Heroku and Amazon CloudFront, for example.

Let’s Encrypt decided that this inherent vulnerability of the TLS-SNI-01 method is too much of a risk and therefore to deprecate it fully. But until now, there was still an exception in place for some providers and for certificate renewals.

The final deadline for TLS-SNI-01 is February 13, 2019, after which all current setups using this method will stop working. Let’s Encrypt certificates have a relatively short lifetime of ninety days, and it heavily relies on automated renewal. Let’s Encrypt sent out warning emails in recent weeks to those who still use TLS-SNI-01, but not all users will get them because providing an email address isn’t mandatory to use Let’s Encrypt.

If you do anything odd with your firewall rules like blocking port 80, your automatic renewal could fail if you are expecting TLS/443 access with certbot.

Note: If you are using acme.sh with DNS validation, it will continue to work. Another great use of this validation method - it works for servers even on RFC1918 address space such as home zimbra instances and plex media servers. So give it a try if you are tired of getting those untrusted cert errors. :-)
phoenix
Ambassador
Posts: 25881
Joined: Fri Sep 12, 2014 9:56 pm

Postby phoenix » Sat Mar 23, 2019 8:29 pm

I seem to be having a problem with the install of the acme script as the zimbra user; if I run the command as that user I get the following permission error (the curl method also fails with the same error):

Code:

[zimbra@mail01 ~]$ wget -O -  https://get.acme.sh | sh
--2019-03-23 21:20:28--  https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)... 2607:5300:201:3100::5663, 144.217.161.63
Connecting to get.acme.sh (get.acme.sh)|2607:5300:201:3100::5663|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 705 [text/plain]
Saving to: 'STDOUT'

100%[======================================>] 705         --.-K/s   in 0s     

2019-03-23 21:20:28 (147 MB/s) - written to stdout [705/705]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  174k  100  174k    0     0   516k      0 --:--:-- --:--:-- --:--:--  627k
[Sat Mar 23 21:20:28 CET 2019] Installing from online archive.
[Sat Mar 23 21:20:28 CET 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
sh: line 5827: master.tar.gz: Permission denied
[Sat Mar 23 21:20:28 CET 2019] Download error.
Am I missing something blindingly obvious here?
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168

Postby JDunphy » Sat Mar 23, 2019 10:51 pm

Hi Bill,

My guess is that /opt/zimbra is owned by root. That automatic method they like for install is problematic sometimes.

Here is the output from my own directory. Notice that it installs it in the user's home directory (~/.acme.sh) and not the directory you are in.

Code:

tmail:~:42> mkdir k
tmail:~:43> cd k
tmail:~/k:44> wget -O -  https://get.acme.sh | sh
--2019-03-23 15:43:54--  https://get.acme.sh/
Resolving get.acme.sh... 2607:5300:201:3100::5663, 144.217.161.63
Connecting to get.acme.sh|2607:5300:201:3100::5663|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 705 [text/plain]
Saving to: “STDOUT”

100%[=====================================================================================================================================================>] 705         --.-K/s   in 0s     

2019-03-23 15:43:54 (110 MB/s) - written to stdout [705/705]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  174k  100  174k    0     0   469k      0 --:--:-- --:--:-- --:--:-- 1077k
[Sat Mar 23 15:43:55 PDT 2019] Installing from online archive.
[Sat Mar 23 15:43:55 PDT 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar 23 15:43:55 PDT 2019] Extracting master.tar.gz
[Sat Mar 23 15:43:55 PDT 2019] Installing to /home/jad/.acme.sh
[Sat Mar 23 15:43:55 PDT 2019] Installed to /home/jad/.acme.sh/acme.sh
[Sat Mar 23 15:43:55 PDT 2019] Installing alias to '/home/jad/.bashrc'
[Sat Mar 23 15:43:55 PDT 2019] OK, Close and reopen your terminal to start using acme.sh
[Sat Mar 23 15:43:55 PDT 2019] Installing alias to '/home/jad/.cshrc'
[Sat Mar 23 15:43:56 PDT 2019] Installing cron job
[Sat Mar 23 15:43:56 PDT 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 23 15:43:56 PDT 2019] OK
[Sat Mar 23 15:43:56 PDT 2019] Install success!

The nice thing is after it is installed you just do this to upgrade it.

Code:

% acme.sh --upgrade
https://github.com/Neilpang/acme.sh
v2.8.1
[Sat Mar 23 15:50:02 PDT 2019] Installing from online archive.
[Sat Mar 23 15:50:02 PDT 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Sat Mar 23 15:50:03 PDT 2019] Extracting master.tar.gz
[Sat Mar 23 15:50:03 PDT 2019] Installing to /home/jad/.acme.sh
[Sat Mar 23 15:50:03 PDT 2019] Installed to /home/jad/.acme.sh/acme.sh
[Sat Mar 23 15:50:03 PDT 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Mar 23 15:50:04 PDT 2019] OK
[Sat Mar 23 15:50:04 PDT 2019] Install success!
[Sat Mar 23 15:50:04 PDT 2019] Upgrade success!
% ./acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.1

He just sped it up so that is really nice when you have 3 or 4 dozen certs to renew... that 120 seconds was killer per cert :-)

Postby JDunphy » Sat Mar 23, 2019 11:09 pm

I forgot to mention that I did a grafana.sh deploy method since I use that for zimbra.

Code:

#!/bin/bash

#Here is a script to deploy cert to grafana server.
#acme.sh deploy hook: save it as ~/.acme.sh/deploy/grafana.sh and select it
#with --deploy-hook grafana; acme.sh calls grafana_deploy with the paths below.

#returns 0 means success, otherwise error.

########  Public functions #####################

#domain keyfile certfile cafile fullchain
grafana_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  #install the key and the full chain (leaf plus intermediate); the leaf
  #alone in a file named fullchain.cer would leave clients without the chain
  cp -f "$_ckey" /etc/grafana/certs/certkey.key || return 1
  cp -f "$_cfullchain" /etc/grafana/certs/fullchain.cer || return 1

  return 0

}

Not terribly sophisticated but it gets the job done. Note: This shows a certificate issue/install when example.com doesn't have a DNS API but you still want to use the automatic DNS method nonetheless. It works because example.com has CNAMEs for grafana and relay11 pointing to _acme-challenge.domainInCloudflare.com ... where domainInCloudflare.com is managed by Cloudflare. There are now over 70 APIs for automatic DNS insertion. See: dnsapi directory.

Code:

#!/bin/sh

PATH=/bin:/usr/bin:/usr/sbin:/home/jad/bin export PATH

cd /home/jad/.acme.sh || exit 1

# renewal and install (--force re-issues even if the cert is not yet due)
./acme.sh --force --issue --dns dns_cf --challenge-alias domainInCloudflare.com -d grafana.example.com -d relay11.example.com
if [ $? -ne 0 ]; then
   echo "cert did not verify"
   exit 1
fi
# install now (runs the grafana deploy hook above)
./acme.sh --issue --deploy --deploy-hook grafana --dns dns_cf --challenge-alias domainInCloudflare.com -d grafana.example.com -d relay11.example.com
if [ $? -ne 0 ]; then
   echo "cert did not deploy"
   exit 1
fi

# pick up the new key and chain
/etc/init.d/grafana-server restart

exit 0
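
Editor's note with an added example (not part of the post and not acme.sh code): a pre-flight check for the CNAME layout that the --challenge-alias call above depends on, together with the TXT value the CA looks for. In acme.sh's challenge-alias mode, _acme-challenge.<domain> must be a CNAME to _acme-challenge.<alias-domain>; acme.sh then writes the dns-01 record into the alias zone only, which is what lets the Cloudflare API token be scoped to domainInCloudflare.com rather than to every domain on the certificate. The record value follows RFC 8555: base64url(SHA-256(token "." account-key-thumbprint)). Domain names are the placeholders from the post; any token and thumbprint passed to dns01_txt_value are made up for illustration.

```bash
#!/bin/bash
# Added example (editor's, not acme.sh code): check that the CNAME the CA will
# follow is in place before running acme.sh, and show the TXT value the CA
# expects. Assumed layout is acme.sh's challenge-alias mode:
#   _acme-challenge.<domain>  CNAME  _acme-challenge.<alias-domain>
# Needs dig and openssl. Domain names are the placeholders from the post.

# Name the CA queries for a domain, and where the CNAME must point.
challenge_name() { printf '_acme-challenge.%s' "$1"; }
alias_target()   { printf '_acme-challenge.%s' "$1"; }

# Compare two DNS names ignoring case and the trailing dot dig prints.
same_name() {
  a=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  [ "$a" = "$b" ]
}

# base64url(SHA-256(token.thumbprint)): what acme.sh writes into the alias zone
# and what the CA reads after following the CNAME (RFC 8555 section 8.4).
# Token and thumbprint are supplied by the caller; real ones come from the ACME order.
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Follow the CNAME the CA will follow; 0 if it lands in the alias zone, 1 otherwise.
check_alias() {
  domain=$1; alias=$2
  name=$(challenge_name "$domain")
  got=$(dig +short CNAME "$name" | head -n 1)
  if [ -z "$got" ]; then
    echo "MISSING  $name has no CNAME; the TXT acme.sh writes at $(alias_target "$alias") will never be seen"
    return 1
  fi
  if same_name "$got" "$(alias_target "$alias")"; then
    echo "OK       $name -> $got"
    return 0
  fi
  echo "WRONG    $name -> $got, expected $(alias_target "$alias")"
  return 1
}

# Check every name that will go on the certificate; returns the number of bad ones.
check_all() {
  alias=$1; shift
  bad=0
  for d in "$@"; do
    check_alias "$d" "$alias" || bad=$((bad + 1))
  done
  return $bad
}

# Stand-alone use, mirroring the acme.sh call in the post:
#   ./dns-alias-check.sh domainInCloudflare.com grafana.example.com relay11.example.com
# After issuance, `dig +short TXT _acme-challenge.domainInCloudflare.com` should
# list the dns01_txt_value of each pending authorization.
if [ $# -ge 2 ]; then
  check_all "$@"
  exit $?
fi
```

Running this before the issue step turns a CNAME that was never created, or one left pointing at an old alias zone, into a clear MISSING or WRONG line instead of a validation timeout inside acme.sh.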
