Wanting to upgrade old Ubuntu 16.04 to latest on 22.04

JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Wanting to upgrade old Ubuntu 16.04 to latest on 22.04

Post by JDunphy »

realsparticle wrote: We are still reading on the best way to implement certbot on the new server so we have minimal downtime once we switch over the hostname etc. on the new server to match the old one and the IP addresses and MACs are swapped. We don't think we can get the letsencrypt certs beforehand so need a tried and tested methodology to implement it from scratch on the new server.
A few options for letsencrypt and clients using the acme protocol like certbot does it in 2 steps (issue the certificate and install the certificate):

[1] Add the new host names to the existing cert and then install in other locations (string the new names with -d to the other names you are using)
[2] Use DNS validation on the new server vs port 80/443 which requires an outage for certificate issues/renewals since you have to take down nginx
Extra credit: use CNAME trick for DNS validation and using an acme client that breaks issues/renewals and installs into 2 parts
If you use DNS validation, you can issue new certs on an offsite computer or any computer and even in RFC1918 space with CNAME trick and then tar up the folder if the acme client is fairly simple to your destinations and then install the certificate. Some methods separate the installation from that step.

An example with acme.sh which is another acme client like certbot.

Code:

% acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org 
% acme.sh --deploy --deploy-hook zimbra --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
The certs are in the folder mail.example.com so one can tar that up and copy it to any machine, or if you haven't installed acme.sh yet then the entire /opt/zimbra/.acme.sh folder and move that over there with the new or existing certs. Then you just run the --deploy option with the hook on the new machine. As an added bonus renewals are handled automatically every 60 days if you followed the installation directions as the zimbra user. Note: if you added additional names to your certificate then the process to remove them is to not specify them the next time you issue your certificate. One caveat with acme.sh client is that the first name is what the directory is called so use that new hostname first when you initially create your new certificate on the new machine. Then all you do is issue the certificate again but leave out the other -d names for the older hostnames that you don't want.

Ref: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

The official zimbra documentation that Barry de Graaff from Zimbra has taken ownership on in using letsencrypt with certbot is here:

Ref: https://wiki.zimbra.com/wiki/Installing ... ertificate

Bottom line is that you CAN have that certification working in advance with the DNS method of validation and use certbot or switch to another acme client if you are looking for other methods. All acme clients behave the same way with zimbra. The acme.sh script looks simple because we have a hook in the deploy directory in the acme.sh folder called zimbra.sh that does all the zmcertmgr and copy magic.

HTH,

Jim