Certificate update error 8.8.15
I ask for help.
Today I once again updated Zimbra (8.8.15_ga) through Certbot, following this manual:
certbot certonly --standalone --force-renewal --preferred-chain "ISRG Root X1"
mail.domen.com
# mkdir /opt/zimbra/ssl/letsencrypt/
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
# cp /etc/letsencrypt/live/mail.seebet.com.ua/* /opt/zimbra/ssl/letsencrypt
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
# cat /tmp/ISRG-X1.pem >> /opt/zimbra/ssl/letsencrypt/chain.pem
su zimbra
zmcontrol stop
# cd ~
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
And after the last line it prints:
Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.domen.com...failed (rc=1)
There was no such thing before. Dancing with a tambourine around the permissions on the certificate directories (/opt/zimbra/ssl) did not lead to anything.
Has anyone come across this?
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: Certificate update error 8.8.15
I don't know about certbot specifically (not using it with Zimbra) but I'm sure it should be
Code: Select all
su - zimbra
not
Code: Select all
su zimbra
This way you get all the environment for the user.
Re: Certificate update error 8.8.15
Klug wrote: I don't know about certbot specifically (not using it with Zimbra) but I'm sure it should be "su - zimbra" not "su zimbra". This way you get all the environment for the user.

In all instructions, the command looks exactly like: su zimbra
And before, it was always entered that way.
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: Certificate update error 8.8.15
Then instructions are wrong, you're missing the whole zimbra user env (that's also why you have to manually change directory to /opt/zimbra).
Re: Certificate update error 8.8.15
Klug wrote: Then instructions are wrong, you're missing the whole zimbra's user env (that's also why you have to manually change directory to /opt/zimbra).

That is, instead of the command "su zimbra" I need to use "su - zimbra"?
-
- Ambassador
- Posts: 2761
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
- Contact:
Re: Certificate update error 8.8.15
Anytime you have to change to zimbra user, you have to do it with
Code: Select all
su - zimbra
I don't know if it will fix your issue. But this is the way to change user.
Re: Certificate update error 8.8.15
Klug wrote: Anytime you have to change to zimbra user, you have to do it with "su - zimbra". I don't know if it will fix your issue. But this is the way to change user.

The previous advice did not help, the rights to the directories with certificates are correct. It seems to me that it's not about rights, but what I can't complete
The error looks like this:
Attachment: photo_2022-12-12_22-37-51.jpg
And is there currently a way to update certificates not through certbot?
- JDunphy
- Outstanding Member
- Posts: 897
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Certificate update error 8.8.15
You still have ldap running, correct? Generally if you want to run standalone mode, you bring down the proxy so you don't have a listen port conflict before running certbot unless it's with the DNS option. zmcertmgr wants to connect to the ldap server and provide the content of the key if I am reading line 1370 correctly in zmcertmgr which is a big perl script. The other idea is add -debug 1 at the end of your zmcertmgr deploy invocation to see if you get more information on that failure.
If ldap isn't running, it could be as simple as this.
Code: Select all
# su - zimbra
% ldap status
% ldap start
% ldap [status|start|restart|stop]
Start it up and then run your zmcertmgr deploy again.
HTH,
Jim
Re: Certificate update error 8.8.15
JDunphy wrote: You still have ldap running, correct? Generally if you want to run standalone mode, you bring down the proxy so you don't have a listen port conflict before running certbot unless it's with the DNS option. zmcertmgr wants to connect to the ldap server and provide the content of the key if I am reading line 1370 correctly in zmcertmgr which is a big perl script. The other idea is add -debug 1 at the end of your zmcertmgr deploy invocation to see if you get more information on that failure.
If ldap isn't running, it could be as simple as this.
Code: Select all
# su - zimbra
% ldap status
% ldap start
% ldap [status|start|restart|stop]
Start it up and then run your zmcertmgr deploy again.
HTH,
Jim

LDAP works
[root@mail ~]# su zimbra
[zimbra@mail root]$ ldap status
slapd running pid: 6849
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Certificate update error 8.8.15
I think the manual puts the - everywhere as so: sudo su zimbra -
https://wiki.zimbra.com/wiki/Installing ... ertificate
You are renewing, so you should be good. But if you create a new certificate during your debugging, don't forget to add `--key-type rsa` as well. To get the initial cert the line becomes:
Code: Select all
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email --key-type rsa
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
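
The certificate-side points raised in this thread (an RSA key type, and a commercial.key that really belongs to cert.pem) can be checked before running `zmcertmgr deploycrt`. This is an added example, not code from the thread or from Zimbra; the function names are hypothetical and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-deploy checks on the files handed to zmcertmgr.
# Function names are hypothetical; only standard openssl subcommands are used.

# Read `openssl x509 -text` output on stdin and print rsa, ec or other,
# based on the "Public Key Algorithm" line.
cert_key_type() {
    alg=$(sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo rsa ;;
        id-ecPublicKey) echo ec ;;
        *)              echo other ;;
    esac
}

# Succeed only when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Run both checks on certificate $1 and key $2; print one line per finding
# and return non-zero when the pair should not be deployed.
preflight() {
    rc=0
    ktype=$(openssl x509 -in "$1" -noout -text 2>/dev/null | cert_key_type)
    if [ "$ktype" != rsa ]; then
        echo "FAIL: certificate key type is '$ktype' (thread advises --key-type rsa)"
        rc=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $2 does not match $1 (or a file cannot be read)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: RSA certificate and matching private key"
    fi
    return "$rc"
}

# Paths as used in the first post; run as the zimbra user after `su - zimbra`:
# preflight /opt/zimbra/ssl/letsencrypt/cert.pem \
#           /opt/zimbra/ssl/zimbra/commercial/commercial.key
```

A failing preflight narrows the problem to the certificate files; a passing one points back to the environment and LDAP checks discussed above.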