certbot-zimbra v0.2


certbot-zimbra v0.2

Post by maxxer »

Hi
An update for the users of this script: I've partially rewritten it so that now it patches nginx's template file instead of production ones. It should now better behave in different conditions.
I've also embedded the patches inside the script, so there's less crap around to handle.

If you're using it testing is welcome.

Thanks
https://github.com/YetOpen/certbot-zimbra

Re: certbot-zimbra v0.2

Post by jorgedlcruz »

I've stickied it for a couple of weeks.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Re: certbot-zimbra v0.2

Post by liverpoolfcfan »

Hi Maxxer,

I have used the beta4 version of the script, and it works great to get and deploy a new certificate. All I needed to do was temporarily open port 80 on the firewall.

However, if I run the command

    /path-to/certbot-zimbra-0.4.0-beta/certbot_zimbra.sh -n

a second time, I get a menu - presumably from Let's Encrypt certbot - that states

    Cert not yet due for renewal

    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/my.domain.conf)

    What would you like to do?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Keep the existing certificate for now
    2: Renew & replace the cert (limit ~5 per 7 days)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

If I answer 1 to keep the existing certificate, the script goes ahead and redeploys the certificate again - restarting zimbra in the process.

Questions:
(a) Is there a flag I can pass to the script so that it will not prompt with that menu (and will assume answer 1)?
(b) Is there a flag I can pass to the script that will tell it to skip redeploying the script if it wasn't renewed?

Thanks

Re: certbot-zimbra v0.2

Post by maxxer »

Why are you running -n again? That should be executed just the first time for the request.

When the certificate has been renewed you should call the script with -r, which deploys the renewed cert. See the cron configuration in the readme.

Re: certbot-zimbra v0.2

Post by liverpoolfcfan »

Works great. Have auto-renewed twice now. Thank you.

Re: certbot-zimbra v0.2

Post by onzyg »

Thanks, I was able to install it, and I followed the section "Renewal using crontab" to auto-renew.

Re: certbot-zimbra v0.2

Post by liverpoolfcfan »

If anyone is interested, I have now combined Maxxer's script with a DNS hook to auto-renew certificates without patching the nginx files, and thus without opening the web server to unwanted probes. I started to look into this when letsencrypt started to do multi-source validation for http challenges, as I could no longer rely on identifying the letsencrypt servers to whitelist them.

The LetsEncrypt community maintains a list of the major providers who have built-in hooks for DNS validation. https://community.letsencrypt.org/t/dns ... tion/86438 In my case, our ISP is not on that list but uses cPanel for DNS management, so I used this script - https://github.com/letsdebug/certbot-cp ... -auth-hook - there are lots of others out there.

Once the correct URL and credentials are added to the cPanel script, it is as simple as re-issuing your certificate so that the new validation method and hooks are recorded for renewal purposes.

    /usr/bin/certbot certonly  --renew-hook "/opt/certbot-zimbra/certbot_zimbra.sh -d "  --manual --manual-auth-hook "/root/cpanel-dns.py create" --manual-cleanup-hook "/root/cpanel-dns.py delete" -d "<Your mail server>" --preferred-challenges dns-01

For the crontab renewal you need to add a flag to auto-acknowledge the logging of your IP address for the manual-mode renewal.

    /usr/bin/certbot renew --manual-public-ip-logging-ok --renew-hook "/opt/certbot-zimbra/certbot_zimbra.sh -d "

Re: certbot-zimbra v0.2

Post by JDunphy »

liverpoolfcfan wrote: The LetsEncrypt community maintains a list of the major providers who have built-in hooks for DNS validation. https://community.letsencrypt.org/t/dns ... tion/86438 In my case, our ISP is not on that list but uses cPanel for DNS management, so I used this script - https://github.com/letsdebug/certbot-cp ... -auth-hook - there are lots of others out there.

Once the correct URL and credentials are added to the cPanel script, it is as simple as re-issuing your certificate so that the new validation method and hooks are recorded for renewal purposes.
That is pretty neat and another way to do DNS verification for letsencrypt cert!

One thing you can do with the DNS method, when your provider doesn't support DNS management for your zimbra domains via a supported API or via DNS scripts with the letsencrypt tool, is to statically add a CNAME to another domain that you have some DNS provider/registrar support for with the script you are using. For example, if mail.example.com is my zimbra site then you would add the following static entry one time with Cpanel - see the CNAME entry below. That would point to another domain that you keep perhaps only to do letsencrypt validation, because it does the creation/deletion of the TXT records... For example, cloudflare has wholesale prices for their domains, so .com's are a little under $9.00/year as I write this. If I had a domain, say... 123jad.com, with them that is supported with my letsencrypt tools, then I could use this CNAME technique for the case where I want example.com and mail.example.com to have certs... When you have lots of domains with different DNS providers, you only need a single CNAME for each domain that looks like this, and because they are static you create them with whatever method the provider supports (admin interfaces, cpanel, zone files, etc). Back to this example for the zone file for the domain example.com, where we want certs for both mail.example.com and example.com:

    _acme-challenge.mail.example.com.      IN CNAME _acme-challenge.123jad.com.
    _acme-challenge.example.com.           IN CNAME _acme-challenge.123jad.com.

The effect of this is that no letsencrypt script can modify example.com directly should the API keys used in your scripts be compromised, or the host that you do your certificate renewal on be compromised, but we can still validate and create new certificates for mail.example.com and example.com. Another odd use case with this method is that you can now have letsencrypt-valid certificates for hosts that are in rfc1918 (private) space, where other methods would normally not work for validation... including authoritative but non-delegated domains that you operate within the resolver space for your corporate or home network. The requirement is that 123jad.com must be a real domain and be one for which you are both authoritative and delegated, i.e. the normal use case for DNS validation.

While I don't know the syntax for the letsencrypt scripts you are using, the one I use has a command line flag: --challenge-alias, which in this example would point to 123jad.com ... The other flags are as expected, where you specify the names you want certificates for and the scripts/logic you want invoked for your DNS provider API auth to add/del the TXT entries used in the letsencrypt challenge. If you have lots of hosts that all need certificates like zimbra, web servers, telegrafd, plex, etc... it's all the same... Create a few CNAME entries for the certs you want in every domain that needs certs and point them to your challenge alias. Scripts are then copy and paste, or with some methods just command line arguments and no wrapper scripts required, to do letsencrypt certificate creation and renewals.

HTH,

Jim

PS. Another thing to do now that you are using DNS validation is to sign up for transparency logging, which more and more CAs now support. Letsencrypt will log any certificate creation and I have cloudflare email me when new certs are created or renewed. Finally, you can add CAA 128 issue "letsencrypt.org" for your domains where only letsencrypt certs should be issued.

CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain
Ref: https://support.dnsimple.com/articles/caa-record
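As an added, offline check of the two points in the post above (example code I wrote for this thread, not from the original post or from certbot-zimbra): it follows the _acme-challenge CNAME alias to the owner name where the ACME client actually writes its TXT record, and evaluates the CAA "issue" policy so that only letsencrypt.org may issue for example.com. The zone data is constructed, and ZONE, challenge_target, effective_caa and issuer_allowed are names I chose.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data (not real DNS): owner name -> list of (type, rdata).
# The two _acme-challenge labels are CNAMEs to the validation-only domain
# 123jad.com from the post; example.com carries the CAA record the PS suggests.
ZONE: Dict[str, List[Tuple]] = {
    "_acme-challenge.mail.example.com.": [("CNAME", "_acme-challenge.123jad.com.")],
    "_acme-challenge.example.com.":      [("CNAME", "_acme-challenge.123jad.com.")],
    "example.com.":                      [("CAA", (128, "issue", "letsencrypt.org"))],
    "_acme-challenge.123jad.com.":       [("TXT", "constructed-challenge-token")],
}

def challenge_target(hostname: str, max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain from _acme-challenge.<hostname> and return the
    owner name where the ACME client must write its TXT record.
    Returns None on a CNAME loop or a chain longer than max_hops."""
    cur = f"_acme-challenge.{hostname.rstrip('.')}."
    seen = set()
    while cur not in seen and len(seen) < max_hops:
        seen.add(cur)
        cnames = [rd for rt, rd in ZONE.get(cur, []) if rt == "CNAME"]
        if not cnames:
            return cur            # end of chain: the TXT record goes here
        cur = cnames[0]
    return None

def effective_caa(hostname: str) -> List[Tuple[int, str, str]]:
    """Simplified RFC 8659 lookup: walk from the host toward the root and
    return the first non-empty CAA set (a CNAME/DNAME on the queried name
    itself is not followed here). Flag 128 is the critical bit from the post."""
    labels = hostname.rstrip(".").split(".")
    while labels:
        caa = [rd for rt, rd in ZONE.get(".".join(labels) + ".", []) if rt == "CAA"]
        if caa:
            return caa
        labels = labels[1:]
    return []

def issuer_allowed(hostname: str, ca_domain: str) -> bool:
    """True if ca_domain may issue a non-wildcard cert for hostname.
    No CAA anywhere up the tree means any CA may issue; an 'issue' set that
    does not name the CA (or holds the empty ';' value) forbids it."""
    issue_values = [v for _flags, tag, v in effective_caa(hostname) if tag == "issue"]
    if not issue_values:
        return True
    return any(v.split(";")[0].strip() == ca_domain for v in issue_values)
```

Replacing the ZONE dictionary with live lookups (for example with dnspython) turns this into a pre-renewal sanity check for a cron job.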

Re: certbot-zimbra v0.2

Post by barrydegraaff »

Another Let's Encrypt step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/