Hi Bill,
I am making it worse the more I add to that wiki article. Yikes!
The first part of the wiki explains installing as a "non root" user and to give the administrator some knowledge of the steps involved and how to use one of the verification methods such as automated DNS with CloudFlare... At the end is the continuation of the learned concepts but now using the zimbra user and a deploy hook. So the simple example you mentioned with only 2 command lines is done as the zimbra user and not "any user" as was the use case in the first part. The reason is that .acme.sh is invoked as the zimbra user and calls the hook which does the install of the certificate and restarts zimbra. The other reason is that doing anything with the zimbra user should cause an admin to pause and it felt safer to teach install of acme.sh and issue/renew of certs as a normal user at the beginning to build some trust with the process and follow a more manual process.
The trade-off with the hook install method is that everything needs to be set up for .acme.sh for the zimbra user, but once it is done, you can renew or issue and install to zimbra with only 2 commands going forward. I am open to suggestions on how to update that wiki to make more sense because it just gets longer every time I change it, and not clearer.
I run 8.7.11 and my /opt/zimbra is owned by root but I thought I did that so it appears to be standard given your comments.
A few options... I like /opt/zimbra being owned by root myself, so here are a few options to keep it that way, should others wonder about this.
I would do this as root.
Code:
% su -
# cd /opt/zimbra/
# mkdir .acme.sh
# chown zimbra:zimbra .acme.sh
# su - zimbra
% wget -O - https://get.acme.sh | sh
That wget command is going to install in the home directory of the user that is running that command. Should that directory already exist, it will upgrade the contents of that directory, but it will not remove any files that were there previously.
The other way is to move or copy the .acme.sh directory from where it is currently installed to /opt/zimbra/.acme.sh... for example, say I have it installed in /home/jad/.acme.sh because I was using another user previously.
Code:
% su -
# mv /home/jad/.acme.sh /opt/zimbra/.acme.sh
# chown -R zimbra:zimbra /opt/zimbra/.acme.sh
# su - zimbra
% cd /opt/zimbra/.acme.sh
% ./acme.sh --upgrade
Doing the upgrade isn't really necessary but I show it for completeness. Similarly, backing up your cert creation environment is nothing more than this since we are contained in a single directory. You can take it from machine to machine.
Code:
# su - zimbra
% cd /opt/zimbra
% tar cvf /tmp/acme.sh.tar ./.acme.sh
Given it is so simple to install acme.sh and create certs, I no longer back up the .acme.sh directory and just keep some documentation with the commands I need for that particular instance with the correct domains, since it is easy to forget all the domains. Perhaps back up account.conf, or document that, if you are using the DNS method, since it has your account information for the provider's API.
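As an added example (not part of this post, and not the acme.sh project's own tooling), the steps above can be turned into two small POSIX shell helpers: one that checks that a per-user acme.sh home such as /opt/zimbra/.acme.sh exists, is owned by the expected user, and keeps account.conf (which holds the DNS provider API credentials) unreadable by group and others; and one that archives that single directory with a relative path so it can be restored under any home directory. The function names, the directory and owner arguments, and the usage paths in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks and a backup
# helper for a per-user acme.sh home (e.g. /opt/zimbra/.acme.sh).

# check_acme_home DIR OWNER
# Returns 0 when DIR is a directory owned by OWNER and, if present,
# DIR/account.conf is not readable by group or others (i.e. mode 0600).
check_acme_home() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }

    # Third field of `ls -ld` is the owning user; works on GNU and BSD ls.
    actual=$(ls -ld "$dir" | awk '{print $3}')
    [ "$actual" = "$owner" ] || {
        echo "$dir is owned by $actual, expected $owner" >&2
        return 1
    }

    if [ -f "$dir/account.conf" ]; then
        # Characters 5-10 of the mode string are the group/other bits;
        # they must all be '-' so only the owner can read the API keys.
        mode=$(ls -l "$dir/account.conf" | cut -c5-10)
        [ "$mode" = "------" ] || {
            echo "$dir/account.conf is readable by group/others (fix: chmod 600)" >&2
            return 1
        }
    fi
    return 0
}

# backup_acme_home DIR TARBALL
# Archives DIR into TARBALL using a path relative to DIR's parent, so the
# archive restores cleanly into any other home directory.
backup_acme_home() {
    dir=$1
    out=$2
    parent=$(dirname "$dir")
    base=$(basename "$dir")
    tar cf "$out" -C "$parent" "$base"
}

# Assumed usage (as root, after the install shown in the post):
#   check_acme_home /opt/zimbra/.acme.sh zimbra
#   backup_acme_home /opt/zimbra/.acme.sh /tmp/acme.sh.tar
```

The check is deliberately read-only: it reports a wrong owner or an over-permissive account.conf and leaves the fix to the administrator, which keeps it safe to run from a cron job or a monitoring hook.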