yvespires wrote: All good now, the problem was my ISPConfig master/slave DNS servers not working/reloading zone changes properly.
Awesome. Thanks for letting me know the proper fix.
yvespires wrote: But I have 3 questions.
1- acme.sh script only handles cert issue and renew? I see it added crontab job 31 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null, so the cert will renew every 30 days, but I have to install manually, copy to Zimbra folder and stop/start services?
yvespires wrote: 2- I have wildcard cert installed (*.yvespires.ml), can I request/install multiple wildcard certs on the same server?
Say I need to request more wildcard certs for my clients, what command should I run? This:
acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com'
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient2.com'
or this:
acme.sh --issue --dns dns_ispconfig -d '*.zimbraclient1.com' -d '*.zimbraclient2.com'
acme.sh --issue --dns dns_ispconfig -d mail.example.com -d '*.example.com' -d '*.example.net'
yvespires wrote: 3 - Kinda answering my first question, your script https://github.com/JimDunphy/deploy-zim ... encrypt.sh deals with the Zimbra certs installation, right? Does it work with multiple wildcard certs?
Editing the script's domain variable only allows one domain?
min=60 # days before CERT expiry at which the new certificate will be loaded. Make large for testing (e.g. 10000)
domain="mail.example.com"
user="/home/YourName" # ~user/.acme.sh --- owner that runs acme.sh
# verbose output
d=1 # change to 0 if run from cron
exit # comment this out after adjusting the top two values
JDunphy wrote:
yvespires wrote: You need that first -d mail.example.com because that is the directory for the cert and used in the file name of the certificate.
I tried that, got error:
Domain name \"mx.yvespires.ml\" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.","status": 400}
root@mx:~# acme.sh --issue --dns dns_ispconfig -d mx.yvespires.ml -d '*.yvespires.ml'
[Tue Aug 7 14:14:30 BRT 2018] Registering account
[Tue Aug 7 14:14:31 BRT 2018] Registered
[Tue Aug 7 14:14:31 BRT 2018] ACCOUNT_THUMBPRINT='oXM6Jz9yLbR-BkuBRiQ'
[Tue Aug 7 14:14:31 BRT 2018] Creating domain key
[Tue Aug 7 14:14:31 BRT 2018] The domain key is here: /root/.acme.sh/mx.yvespires.ml/mx.yvespires.ml.key
[Tue Aug 7 14:14:31 BRT 2018] Multi domain='DNS:mx.yvespires.ml,DNS:*.yvespires.ml'
[Tue Aug 7 14:14:31 BRT 2018] Getting domain auth token for each domain
[Tue Aug 7 14:14:32 BRT 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Error creating new order :: Domain name \"mx.yvespires.ml\" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.","status": 400}
[Tue Aug 7 14:14:32 BRT 2018] Please add '--debug' or '--log' to check more details.
[Tue Aug 7 14:14:32 BRT 2018] See: https://github.com/Neilpang/acme.sh/wik ... ug-acme.sh
Works fine:
acme.sh --issue --dns dns_ispconfig -d '*.yvespires.ml'
Those extra -d domains are specified as alternative names in the certificate, which is just one certificate, so that script would work with your wildcard certificate. That is why I believe you would need that -d mail.example.com when you specify the extra wildcards above. Wildcards are new to letsencrypt so I have limited experience with them. I would be curious to know also if that syntax above would handle multiple wildcards per certificate. From letsencrypt, they claim there can be up to 100 wildcards per certificate. https://community.letsencrypt.org/t/multiple-wildcard/58205
There is limited support in Zimbra if you want multiple domains but there are enough bugs against it with imaps/pops that I chose to do it with only one certificate. This is the wiki https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS to explain how that might work if that is what you want. BTW, if you wanted SNI, then you would issue multiple certificates and my script would not handle that.
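The 400 error in the exchange above comes from a rule that is easy to reproduce locally: a request may not list a name that a wildcard in the same request already covers (one label only, so the bare base name next to its wildcard is still fine). The following pre-flight check is an added example, not part of acme.sh or the deploy script discussed on this thread; it takes the same names you would pass as -d arguments and refuses to build the acme.sh command when a pair is redundant. The issue_cmd wrapper and the dns_ispconfig choice are assumptions taken from the commands in this thread.

```shell
#!/bin/bash
# Added pre-flight check (not part of acme.sh or the deploy hook on this
# thread). Let's Encrypt rejects an order in which a plain name is already
# covered by a wildcard in the same request. Run this over the -d list
# before calling acme.sh so a bad list never reaches the CA.

# Return 0 if NAME sits exactly one label below BASE, i.e. would be
# covered by '*.BASE'. A wildcard matches a single label only, so
# 'a.b.BASE' is not covered, and BASE itself is not covered either
# (which is why '-d example.com -d *.example.com' is a valid combo).
covered_by_wildcard() {
  local name="$1" base="$2"
  case "$name" in
    *.*."$base") return 1 ;;   # two or more labels below base
    *."$base")   return 0 ;;   # exactly one label below base
    *)           return 1 ;;
  esac
}

# Scan every name passed as an argument (the list you would give acme.sh
# as -d arguments). Prints each redundant pair and returns 1 if any is
# found, 0 if the list is safe to submit.
check_san_list() {
  local wc base n found=0
  for wc in "$@"; do
    case "$wc" in '*.'*) base="${wc#\*.}" ;; *) continue ;; esac
    for n in "$@"; do
      [ "$n" = "$wc" ] && continue
      if covered_by_wildcard "$n" "$base"; then
        printf 'redundant: %s is covered by %s\n' "$n" "$wc"
        found=1
      fi
    done
  done
  return "$found"
}

# Hypothetical wrapper: only build the acme.sh invocation when the list
# passes. dns_ispconfig is the DNS API used in this thread. Prints the
# command rather than running it.
issue_cmd() {
  local cmd n
  check_san_list "$@" >&2 || return 1
  cmd="acme.sh --issue --dns dns_ispconfig"
  for n in "$@"; do cmd="$cmd -d '$n'"; done
  printf '%s\n' "$cmd"
}

# The request that failed in the thread, then two lists that pass.
issue_cmd mx.yvespires.ml '*.yvespires.ml' || echo "refused" >&2
issue_cmd yvespires.ml '*.yvespires.ml' '*.zimbraclient1.com'
```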
#!/bin/bash
######## Public functions #####################
#domain keyfile certfile cafile fullchain
zimbra_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  cat "$_cca" "$(dirname "$_cca")/../root_ca.cer" > "${_cca}.real"
  /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1
  /opt/zimbra/bin/zmmailboxdctl restart
  /opt/zimbra/bin/zmproxyctl restart
  /opt/zimbra/bin/zmmtactl restart
  return 0
}
...
...
...
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'
Stopping mailboxd...done.
Starting mailboxd...done.
Reloading proxy...done.
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system
[Thu Sep 6 19:28:34 PDT 2018] Success
./acme.sh --issue --dns dns_cf --challenge-alias someCFdomain.com -d mail.example.com -d mail.example.net -d tmail.example.com
% ./acme.sh --issue --deploy --deploy-hook zimbra --dns dns_cf --challenge-alias someCFdomain.com -d mail.example.com -d mail.example.net -d tmail.example.com
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.key'
Certificate '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' and private key '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.key' match.
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/.acme.sh/mail.example.com/ca.cer.real'
Valid certificate chain: /opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer: OK
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/.acme.sh/mail.example.com/ca.cer.real'
Valid certificate chain: /opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer: OK
** Copying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/.acme.sh/mail.example.com/ca.cer.real' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/.acme.sh/mail.example.com/ca.cer.real' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.example.net...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.example.net...ok
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/f9724573.0
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/f85883ac.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'f9724573.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f85883ac.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'
Stopping mailboxd...done.
Starting mailboxd...done.
Reloading proxy...done.
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system
[Thu Sep 6 19:55:20 PDT 2018] Success
[zimbra@tmail .acme.sh]$
#!/bin/bash
# Zimbra Assumptions:
# 1) acme.sh is installed as Zimbra
# 2) see: https://wiki.zimbra.com/wiki/index.php?curid=2441
######## Public functions #####################
#domain keyfile certfile cafile fullchain
zimbra_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # Zimbra's javastore still needs DST Root CA X3 to verify on some versions
  _IdentTrust="$(dirname "$_cca")/../IdentTrust.pem"
  _debug _IdentTrust "$_IdentTrust"

  # grab it if we don't have it
  if [ ! -f "$_IdentTrust" ]; then
    _debug No "$_IdentTrust"
    wget -q "https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem" -O "$_IdentTrust" || return 1
  fi

  # append Intermediate
  cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real"
  /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1

  #if it verifies we can deploy it
  cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1
  /opt/zimbra/bin/zmmailboxdctl reload
  /opt/zimbra/bin/zmproxyctl reload
  /opt/zimbra/bin/zmmtactl reload
  return 0
}