realsparticle wrote: We are still reading on the best way to implement certbot on the new server so we have minimal downtime once we switch over the hostname etc. on the new server to match the old one and the IP addresses and MACs are swapped. We don't think we can get the letsencrypt certs beforehand so need a tried and tested methodology to implement it from scratch on the new server.

A few options for letsencrypt and clients using the acme protocol like certbot that do it in 2 steps (issue the certificate and install the certificate):
[1] Add the new host names to the existing cert and then install in other locations (string the new names with -d to the other names you are using)
[2] Use DNS validation on the new server vs port 80/443 which requires an outage for certificate issues/renewals since you have to take down nginx
Extra credit: use the CNAME trick for DNS validation and an acme client that breaks issues/renewals and installs into 2 parts
If you use DNS validation, you can issue new certs on an offsite computer or any computer, even in RFC1918 space with the CNAME trick, and then tar up the folder (if the acme client is fairly simple) to your destinations and install the certificate there. Some methods separate the installation from those steps.
An example with acme.sh which is another acme client like certbot.
% acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
% acme.sh --deploy --deploy-hook zimbra --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
Ref: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
The official zimbra documentation, which Barry de Graaff from Zimbra has taken ownership of, on using letsencrypt with certbot is here:
Ref: https://wiki.zimbra.com/wiki/Installing ... ertificate
Bottom line is that you CAN have that certification working in advance with the DNS method of validation and use certbot or switch to another acme client if you are looking for other methods. All acme clients behave the same way with zimbra. The acme.sh script looks simple because we have a hook in the deploy directory in the acme.sh folder called zimbra.sh that does all the zmcertmgr and copy magic.
HTH,
Jim
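What the DNS validation step above actually publishes, as an added example that is not part of Jim's post and not acme.sh, certbot or Zimbra code: the RFC 8555 DNS-01 arithmetic (account key thumbprint per RFC 7638, then the TXT value) plus the records the CNAME trick implies. The account key is the public RSA test vector from RFC 7638, the tokens are constructed, and the `<host>.<validation zone>` naming for the CNAME target is this example's own convention, not something the protocol fixes.

```python
# Added example: DNS-01 challenge values (RFC 8555 sec. 8.4) and CNAME delegation records.
# Not acme.sh/certbot/Zimbra code; an ACME client does this for you, this shows what it does.
import base64
import hashlib
import json

# Public RSA key from RFC 7638 section 3.1: a published test vector, not a real account key.
RFC7638_KEY = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys in lexicographic
    order, no whitespace. Optional members such as alg/kid are deliberately dropped."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(hostname: str) -> str:
    """Owner name the CA looks up for DNS-01 (FQDN form with trailing dot)."""
    return f"_acme-challenge.{hostname.rstrip('.')}."


def plan_records(challenges: dict, account_jwk: dict, validation_zone=None):
    """Return (name, type, value) tuples to publish for each hostname -> token.

    Without validation_zone: one TXT per hostname at _acme-challenge.<host>.
    With validation_zone (the CNAME trick): a one-time CNAME per hostname into a
    zone the ACME client is allowed to update, and the TXT goes to the CNAME target.
    The target naming <host>.<validation_zone> is this example's own convention.
    """
    records = []
    for host, token in challenges.items():
        host = host.rstrip(".")
        txt = dns01_txt_value(token, account_jwk)   # each authorization has its own token
        if validation_zone is None:
            records.append((challenge_name(host), "TXT", txt))
        else:
            target = f"{host}.{validation_zone.rstrip('.')}."
            records.append((challenge_name(host), "CNAME", target))
            records.append((target, "TXT", txt))
    return records


if __name__ == "__main__":
    # Constructed tokens; a real CA hands out one per authorization.
    demo = {"mail.example.com": "tok-constructed-1", "mail.example.net": "tok-constructed-2"}
    for rec in plan_records(demo, RFC7638_KEY, validation_zone="acme.example.org"):
        print("%-45s IN %-5s %s" % rec)
```

The CNAME records are published once and never change; only the TXT records at the delegated names change on each issuance, which is why renewals can run from an offsite or RFC1918 machine that only holds credentials for the validation zone.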