issue with SSL

Ask questions about your setup or get help installing ZCS server (ZD section below).
killmasta93
Posts: 47
Joined: Tue Oct 04, 2016 9:54 pm

issue with SSL

Post by killmasta93 »

Hi, I was wondering if someone has had this issue before. I'm currently trying to update the SSL:

 Testing with zmcertmgr.
 ** Verifying '/run/certbot-zimbra/certs-SIN9fqQ8/cert.pem' against '/run/certbot-zimbra/certs-SIN9fqQ8/privkey.pem'
 ERROR: Certificate '/run/certbot-zimbra/certs-SIN9fqQ8/cert.pem' and private key '/run/certbot-zimbra/certs-SIN9fqQ8/privkey.pem' do not match.
which I normally run with this:

certbot --force-renewal --preferred-chain "ISRG Root X1" renew

Hook 'pre-hook' ran with output:
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU18_64
Using zmhostname to detect domain.
Using domain mail.domain.com (as certificate DN)
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Nginx templates already patched.
Nginx includes already patched, skipping zmproxy restart.
Renewing an existing certificate for mail.domain.com
Hook 'deploy-hook' reported error code 1
Hook 'deploy-hook' ran with output:
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU18_64
Using zmhostname to detect domain.
Using domain mail.domain.com (as certificate DN)
Detected --deploy-hook and matching domain found
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-Nuv6fNbp/cert.pem' against '/run/certbot-zimbra/certs-Nuv6fNbp/privkey.pem'
ERROR: Certificate '/run/certbot-zimbra/certs-Nuv6fNbp/cert.pem' and private key '/run/certbot-zimbra/certs-Nuv6fNbp/privkey.pem' do not match.

An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
Hook 'deploy-hook' ran with error output:
139788523174656:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:p_lib.c:287:
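The "do not match" failure above, together with the `EVP_PKEY_get1_RSA:expecting an rsa key` line, is what a tool that assumes RSA prints when it is handed an EC private key. The script below is an added example (not from this thread, not from certbot-zimbra and not from zmcertmgr) that reproduces the same two checks with the plain openssl CLI, so the key type and the cert/key mismatch can be seen separately before deployment. It assumes openssl is on PATH; every key and certificate it uses is generated in a temporary directory, and the hostname mail.example.test is a constructed placeholder.

```shell
#!/bin/sh
# Added example: check a certificate/private-key pair the way a deploy hook
# should, reporting (a) the key algorithm and (b) whether the public keys
# match. Assumes only the openssl CLI; all material below is generated here.
set -e

# der_key_type: reads a SubjectPublicKeyInfo in DER on stdin and prints
# "rsa", "ec" or "unknown" from the AlgorithmIdentifier OID.
der_key_type() {
    oid=$(openssl asn1parse -inform DER | grep OBJECT | head -n 1)
    case "$oid" in
        *rsaEncryption*)  echo rsa ;;
        *id-ecPublicKey*) echo ec ;;
        *)                echo unknown ;;
    esac
}

# key_type FILE: algorithm of a PEM private key (PKCS#8 or traditional).
key_type() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | der_key_type
}

# cert_key_type FILE: algorithm of the public key inside a PEM certificate.
cert_key_type() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null | der_key_type
}

# SHA-256 over the DER public key, taken from a certificate or a private key.
cert_pub_fp() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: prints "match" (exit 0) or "mismatch" (exit 1).
cert_matches_key() {
    if [ "$(cert_pub_fp "$1")" = "$(key_pub_fp "$2")" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# --- constructed fixtures: one RSA pair and one EC (P-256) pair -------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/rsa.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ec.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/rsa.key" -subj "/CN=mail.example.test" \
    -days 1 -out "$WORK/rsa.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/ec.key" -subj "/CN=mail.example.test" \
    -days 1 -out "$WORK/ec.crt" 2>/dev/null

# Report: a matching RSA pair, a matching EC pair, and the failure mode from
# the thread (a certificate and key that do not belong together).
for pair in "rsa.crt rsa.key" "ec.crt ec.key" "rsa.crt ec.key"; do
    set -- $pair
    printf '%-8s + %-8s cert=%-3s key=%-3s -> %s\n' "$1" "$2" \
        "$(cert_key_type "$WORK/$1")" "$(key_type "$WORK/$2")" \
        "$(cert_matches_key "$WORK/$1" "$WORK/$2" || true)"
done
```

Running it prints one line per pair; the third line shows how a wrong-key deployment looks before any service is touched. The key-type check is the one worth adding to a hook on a server whose certificate manager only accepts RSA, since a plain match check cannot tell "wrong key" from "unsupported key type".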
lytledd
Outstanding Member
Posts: 536
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 9.0.0.ZEXTRAS.20221203 FOSS

Re: issue with SSL

Post by lytledd »

I got a message from a friend of mine that stated that LetsEncrypt are now using ECC Certificates instead of RSA and Zimbra would refuse to work with them.

He had to revert to RSA by adding the below command line (NOTE: This is using the acme.sh script)

--keylength 2048
I'm glad he told me, since my certs renew tomorrow morning.

Doug
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: issue with SSL

Post by phoenix »

It always helps to have the source for a feature like this; here's a blog post on the change: https://blog.dnsimple.com/2022/12/ecc-s ... tificates/
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: issue with SSL

Post by barrydegraaff »

See https://wiki.zimbra.com/wiki/Installing ... ertificate

you will need these switches:
--preferred-chain "ISRG Root X1" --key-type rsa
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: issue with SSL

Post by JDunphy »

lytledd wrote: I got a message from a friend of mine that stated that LetsEncrypt are now using ECC Certificates instead of RSA and Zimbra would refuse to work with them.

He had to revert to RSA by adding the below command line (NOTE: This is using the acme.sh script)

--keylength 2048
I'm glad he told me, since my certs renew tomorrow morning

Doug
Thanks for the heads up.

This was posted a while back for those wanting to run ECC Certificates with zimbra: viewtopic.php?f=15&t=69645
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: issue with SSL

Post by ghen »

lytledd wrote: I got a message from a friend of mine that stated that LetsEncrypt are now using ECC Certificates instead of RSA and Zimbra would refuse to work with them.
LetsEncrypt (the CA) did not change anything; only certbot and acme.sh (popular clients) switched to ECC certificates by default for new certificates, but this will not affect renewal of existing RSA certificates.

That said, Zimbra itself works just fine with ECC certificates (we've been using ECC certs with Zimbra for years); it's only zmcertmgr that makes certain assumptions about RSA and breaks on other key types.
We have this pull request open to fix that: https://github.com/Zimbra/zm-core-utils/pull/96, but more work is required for full support.