Letsencrypt - Need assistance with http and nginx

cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

Hi Guys and Girls
As per the subject, I need some assistance, please.

I have tried all the "auto-scripts" there are, and all of them get me stuck at opening my http nginx site.
I run CentOS 7 and Zimbra 9 with all the latest patches.

The script I have settled on is the https://github.com/acmesh-official/acme.sh acme script.

Now, when I run the script:

Code:
./.acme.sh/acme.sh --issue --standalone -d mymail.DOMAIN.COM
I get the following output error:

Code:
[root@mymail ~]# ./.acme.sh/acme.sh --issue --standalone -d mymail.DOMAIN.COM
[Wed Jun  3 10:02:30 SAST 2020] Standalone mode.
[Wed Jun  3 10:02:30 SAST 2020] Single domain='mymail.DOMAIN.COM'
[Wed Jun  3 10:02:30 SAST 2020] Getting domain auth token for each domain
[Wed Jun  3 10:02:34 SAST 2020] Getting webroot for domain='mymail.DOMAIN.COM'
[Wed Jun  3 10:02:35 SAST 2020] Verifying: mymail.DOMAIN.COM
[Wed Jun  3 10:02:35 SAST 2020] Standalone mode server
[Wed Jun  3 10:02:40 SAST 2020] mymail.DOMAIN.COM:Verify error:Fetching http://mymail.DOMAIN.COM/.well-known/acme-challenge/pijP5H4EcHYsjesjwLoszhxAy0KjhxiFoccVTxrL--s: Connection refused
[Wed Jun  3 10:02:40 SAST 2020] Please check log file for more details: /root/.acme.sh/acme.sh.log
[root@mymail ~]# 
and I do get the CERT files:

Code:
[root@mymail ~]# ls -al .acme.sh/mymail.DOMAIN.COM/
total 16
drwxr-xr-x 2 root root  160 Jun  2 00:54 .
drwx------ 8 root root  226 Jun  2 13:27 ..
-rw-r--r-- 1 root root  217 Jun  3 10:02 mymail.DOMAIN.COM.conf
-rw-r--r-- 1 root root 1005 Jun  3 10:02 mymail.DOMAIN.COM.csr
-rw-r--r-- 1 root root  220 Jun  3 10:02 mymail.DOMAIN.COM.csr.conf
-rw-r--r-- 1 root root 1679 Jun  2 00:54 mymail.DOMAIN.COM.key
[root@mymail ~]# 
So, basically I am stuck in getting http enabled, or nginx to bypass the zimbra-proxy server.
Please could someone assist me in getting over this last hurdle getting letsencrypt to work?

kind regards and I hope you are all staying safe!
cyber7 (aka Aubrey Kloppers, Cape Town, South Africa)
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Letsencrypt - Need assistance with http and nginx

Post by phoenix »

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

Hi Bill. Nice hearing from you!
Yes, I did try all of the "solutions" and they all fail when trying to connect to my server's http (port 80) port...
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

and this is my output:

Code:
[zimbra@mymail .acme.sh]$ ./acme.sh  --issue --standalone -d mymail.DOMAIN.COM
[Wed Jun  3 10:31:46 SAST 2020] Standalone mode.
[Wed Jun  3 10:31:47 SAST 2020] Create account key ok.
[Wed Jun  3 10:31:47 SAST 2020] Registering account
[Wed Jun  3 10:31:49 SAST 2020] Registered
[Wed Jun  3 10:31:49 SAST 2020] ACCOUNT_THUMBPRINT='87iwv1ATlNsSwvSajwgTR5Qvn9QX_59NMSSe9tOLZ14'
[Wed Jun  3 10:31:49 SAST 2020] Creating domain key
[Wed Jun  3 10:31:49 SAST 2020] The domain key is here: /opt/zimbra/.acme.sh/mymail.DOMAIN.COM/DOMAIN.COM.key
[Wed Jun  3 10:31:49 SAST 2020] Single domain='DOMAIN.COM'
[Wed Jun  3 10:31:49 SAST 2020] Getting domain auth token for each domain
[Wed Jun  3 10:31:52 SAST 2020] Getting webroot for domain='DOMAIN.COM'
[Wed Jun  3 10:31:52 SAST 2020] Verifying: DOMAIN.COM
[Wed Jun  3 10:31:52 SAST 2020] Standalone mode server
2020/06/03 10:31:52 socat[5705] E bind(5, {AF=2 0.0.0.0:80}, 16): Permission denied
[Wed Jun  3 10:31:59 SAST 2020] DOMAIN.COM:Verify error:Fetching http://DOMAIN.COM/.well-known/acme-challenge/-lRiDj0UhmscvSSCRKWH9PF2Qh_ytO9bcln2uN6Mm5Q: Connection refused
./acme.sh: line 2271: kill: (5705) - No such process
[Wed Jun  3 10:31:59 SAST 2020] Please add '--debug' or '--log' to check more details.
[Wed Jun  3 10:31:59 SAST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[zimbra@mymail .acme.sh]$ 
So, as you can see, the bind port 80 is not available...
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Letsencrypt - Need assistance with http and nginx

Post by zimico »

Hi, do you open the http service/port both on Zimbra and your firewall?
For example, on the zimbra proxy server I use: web proxy mode: redirect, proxy http port: 80, proxy https port: 443.
The firewall is open for ports 80/443.
I am currently using https://github.com/VojtechMyslivec/lets ... zimbra.git /opt/letsencrypt-zimbra and it works very well.

Best regards,
Minh.
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

zimico wrote:
Hi, do you open the http service/port both on Zimbra and your firewall?
For example, on the zimbra proxy server I use: web proxy mode: redirect, proxy http port: 80, proxy https port: 443.
The firewall is open for ports 80/443.
I am currently using https://github.com/VojtechMyslivec/lets ... zimbra.git /opt/letsencrypt-zimbra and it works very well.

Best regards,
Minh.
Nope, this does not work.

I did the following:

Code:
zmprov ms mymail.biblesociety.co.za zimbraReverseProxyMailMode redirect
zmproxyctl restart
and then I get:

Code:
[zimbra@mymail .acme.sh]$ ./acme.sh  --issue --standalone -d mymail.DOMAIN.COM
[Wed Jun  3 14:04:49 SAST 2020] Standalone mode.
[Wed Jun  3 14:04:49 SAST 2020] Single domain='mymail.DOMAIN.COM'
[Wed Jun  3 14:04:49 SAST 2020] Getting domain auth token for each domain
[Wed Jun  3 14:04:52 SAST 2020] Getting webroot for domain='mymail.DOMAIN.COM'
[Wed Jun  3 14:04:53 SAST 2020] Verifying: mymail.DOMAIN.COM
[Wed Jun  3 14:04:53 SAST 2020] Standalone mode server
2020/06/03 14:04:53 socat[12943] E bind(5, {AF=2 0.0.0.0:80}, 16): Permission denied
[Wed Jun  3 14:04:58 SAST 2020] mymail.DOMAIN.COM:Verify error:Fetching http://mymail.DOMAIN.COM/.well-known/acme-challenge/8P3NAWD8X9BaFJ9arKfFWErq92oobGpm5K76SUZxYIs: Connection refused
./acme.sh: line 2271: kill: (12943) - No such process
[Wed Jun  3 14:04:58 SAST 2020] Please add '--debug' or '--log' to check more details.
[Wed Jun  3 14:04:58 SAST 2020] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[zimbra@mymail .acme.sh]$ 
As you can see, the port 80 is still closed...
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt - Need assistance with http and nginx

Post by JDunphy »

Just a guess but port 80 is below 1024 so you would need to run this as root to listen on port 80. It appears that you are attempting to run acme.sh as zimbra. I use the dns method of validation so I don't need to be root.

Once you get the certs validated, you can still use the deploy method we came up with on our acme.sh thread. I'll take another look at what you are doing but that is my best guess at the moment.
HTH,

Jim
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

JDunphy wrote:
Just a guess but port 80 is below 1024 so you would need to run this as root to listen on port 80. It appears that you are attempting to run acme.sh as zimbra. I use the dns method of validation so I don't need to be root.

Once you get the certs validated, you can still use the deploy method we came up with on our acme.sh thread. I'll take another look at what you are doing but that is my best guess at the moment.
HTH,

Jim
Hi Jim
No, this is not the case. My PROXY is running on PORT 80. I am not sure what to set to change access to it. I have tried both ZIMBRA and ROOT and get the same results...
What I do have in place is PORT 8080 that gets forwarded from port 80 on my firewall...
Last edited by cyber7 on Wed Jun 03, 2020 2:12 pm, edited 1 time in total.
cyber7
Advanced member
Posts: 192
Joined: Sat Sep 13, 2014 1:14 am
Location: Cape Town
ZCS/ZD Version: Release 9.0.0_GA_3924.RHEL7_64_2020

Re: Letsencrypt - Need assistance with http and nginx

Post by cyber7 »

Hi Jim
Something else is that I do not have a Cloudflare account, so the dns option is not going to work for me, am I right?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt - Need assistance with http and nginx

Post by JDunphy »

A few things... if you want acme.sh to run in standalone you need to stop zimbra's nginx and then run the acme.sh as root, which will take about 45 seconds to create and validate that certificate, which is not something I like to do. That is why I said, "take an outage" while you are trying to get a certificate. It's bad enough we have to restart so many daemons to reload the certificate. :-) Most of the letsencrypt scripts I saw would do this automatically for you when running in standalone method. That is why I said, "take an outage" while you are trying to get a certificate.

Your second question... DNS doesn't require Cloudflare; there are a lot of supported DNS providers. These scripts will use your DNS API and do the TXT insert and removal automatically.

Code:
mail:~/.acme.sh:53> ls dnsapi/
dns_1984hosting.sh  dns_cn.sh	       dns_dpi.sh	     dns_gcloud.sh	dns_kinghost.sh   dns_mydevil.sh    dns_nw.sh		 dns_selectel.sh
dns_acmedns.sh	    dns_conoha.sh      dns_dp.sh	     dns_gdnsdk.sh	dns_knot.sh	  dns_mydnsjp.sh    dns_one.sh		 dns_servercow.sh
dns_acmeproxy.sh    dns_constellix.sh  dns_dreamhost.sh      dns_gd.sh		dns_leaseweb.sh   dns_namecheap.sh  dns_online.sh	 dns_tele3.sh
dns_active24.sh     dns_cx.sh	       dns_duckdns.sh	     dns_he.sh		dns_lexicon.sh	  dns_namecom.sh    dns_openprovider.sh  dns_ultra.sh
dns_ad.sh	    dns_cyon.sh        dns_durabledns.sh     dns_hexonet.sh	dns_linode.sh	  dns_namesilo.sh   dns_opnsense.sh	 dns_unoeuro.sh
dns_ali.sh	    dns_da.sh	       dns_dyn.sh	     dns_hostingde.sh	dns_linode_v4.sh  dns_nederhost.sh  dns_ovh.sh		 dns_variomedia.sh
dns_arvan.sh	    dns_ddnss.sh       dns_dynu.sh	     dns_infoblox.sh	dns_loopia.sh	  dns_neodigit.sh   dns_pdns.sh		 dns_vscale.sh
dns_autodns.sh	    dns_desec.sh       dns_dynv6.sh	     dns_internetbs.sh	dns_lua.sh	  dns_netcup.sh     dns_pleskxml.sh	 dns_vultr.sh
dns_aws.sh	    dns_dgon.sh        dns_easydns.sh	     dns_inwx.sh	dns_maradns.sh	  dns_nic.sh	    dns_pointhq.sh	 dns_yandex.sh
dns_azure.sh	    dns_dnsimple.sh    dns_euserv.sh	     dns_ispconfig.sh	dns_me.sh	  dns_nm.sh	    dns_rackspace.sh	 dns_zilore.sh
dns_cf.sh	    dns_doapi.sh       dns_exoscale.sh	     dns_jd.sh		dns_miab.sh	  dns_nsd.sh	    dns_rcode0.sh	 dns_zone.sh
dns_clouddns.sh     dns_domeneshop.sh  dns_freedns.sh	     dns_joker.sh	dns_misaka.sh	  dns_nsone.sh	    dns_regru.sh	 dns_zonomi.sh
dns_cloudns.sh	    dns_do.sh	       dns_gandi_livedns.sh  dns_kas.sh		dns_myapi.sh	  dns_nsupdate.sh   dns_schlundtech.sh	 README.md
I'll give you another post on this as I was writing a response on how I do it.. look for that next.

Jim
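The "take an outage" procedure Jim describes (stop Zimbra's nginx, run acme.sh as root in standalone mode, bring the proxy back) is easy to get half-right by hand: a failed validation or a Ctrl-C leaves webmail down. The script below is an added example, not acme.sh's or Zimbra's own code, that performs the sequence and restarts the proxy whatever the outcome. It assumes acme.sh is installed under /root as in the first post, that `zmproxyctl` is run as the zimbra user, and that the script itself runs as root; the hostname is whatever you pass on the command line. Deploying the issued certificate into Zimbra is a separate step that this thread defers to Jim's other post.

```shell
#!/bin/sh
# Added example, not acme.sh's or Zimbra's own code: stop the Zimbra proxy (which
# owns :80), let acme.sh bind :80 itself for the HTTP-01 challenge, and restart
# the proxy no matter how validation ends.
# Assumptions: acme.sh installed under /root (as in the first post); run as root.

ACME_SH="${ACME_SH:-/root/.acme.sh/acme.sh}"

proxy_ctl() {            # zmproxyctl must run as the zimbra user
    su - zimbra -c "zmproxyctl $1"
}

acme_issue() {           # HTTP-01 in standalone mode: acme.sh listens on :80 itself
    "$ACME_SH" --issue --standalone -d "$1"
}

# stop -> issue -> start. STEPS records the order of operations so a dry run can be inspected.
issue_with_outage() {
    host="$1"
    STEPS=""
    # an interrupt during validation must not leave the webmail proxy down
    trap 'proxy_ctl start; exit 130' INT TERM
    proxy_ctl stop;  STEPS="${STEPS}stop,"
    if acme_issue "$host"; then rc=0; else rc=$?; fi
    proxy_ctl start; STEPS="${STEPS}start,"      # runs on failure too
    trap - INT TERM
    STEPS="${STEPS}rc=$rc"
    return "$rc"
}

if [ "${1:-}" = run ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: :80 is a privileged port" >&2; exit 1; }
    [ -n "${2:-}" ]      || { echo "usage: $0 run <hostname>" >&2; exit 1; }
    issue_with_outage "$2"
fi
```

Usage: `sh issue-outage.sh run mymail.DOMAIN.COM`, as root, during a maintenance window; the exit status is acme.sh's, so a cron job can alert on failure. The stop/start pair is the only reason root and the outage are needed at all: with DNS-01 validation (`--dns dns_<provider>` against one of the dnsapi scripts Jim lists) nothing has to listen on :80 and acme.sh can stay under the zimbra account.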