Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote: I think I've found the problem. I have a restartzimbra.sh script that runs after your deploy code but it was not running and that's why the certificate isn't updated.

Understood. Your script looks good to me, which is what I was recommending above. Might be a good idea to force a renewal sooner if possible and get to root cause. You can verify the certs deployed by looking at the dates of the copied files to know if a restart was not executed.


 % ls -lt /opt/zimbra/conf/slapd.*
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 slapd.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 slapd.key
% ls -lt /opt/zimbra/ssl/zimbra/commercial
-rw-r----- 1 zimbra zimbra 5030 Aug  4 10:46 commercial_ca.crt
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 commercial.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 commercial.key
% ls -lt /opt/zimbra/conf/nginx.???
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 /opt/zimbra/conf/nginx.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 /opt/zimbra/conf/nginx.key
% ls -l /opt/zimbra/conf/smtpd.???
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 /opt/zimbra/conf/smtpd.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 /opt/zimbra/conf/smtpd.key
% ls -l /opt/zimbra/mailboxd/etc/keystore
-rw-r----- 1 zimbra zimbra 4965 Aug  4 10:46 /opt/zimbra/mailboxd/etc/keystore
% ls -l /opt/zimbra/ssl/zimbra/jetty.pkcs12
-rw-r----- 1 zimbra zimbra 6952 Aug  4 10:46 /opt/zimbra/ssl/zimbra/jetty.pkcs12

Ref: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

I see that you responded while I was writing this... The cron time didn't register with me that acme.sh was executing. You are correct. Bad advice on my part. It would restart every hour and then eventually stop after you couldn't issue any more certs. If you want to test sooner, add an hour and min field.

Jim
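The file dates in the listing above prove the copies were written; they cannot prove that the daemons reloaded them, which is the case the restart script was supposed to cover. The following is an added example (not code from this post, from acme.sh or from Zimbra) that closes that gap by comparing the SHA-256 fingerprint of the freshly deployed file with what each TLS listener actually presents. The Zimbra file paths are the ones in the listing; the host name `mail.example.com`, the port list, and the sample inputs built in `demo()` are assumptions made for illustration.

```python
"""Post-deploy check for the "file updated but service never restarted" case:
compare the certificate acme.sh installed with what each Zimbra listener is
actually serving.  Added example, not code from the thread, acme.sh or Zimbra.
File paths come from the ls listing in the thread; the host name and port list
are assumptions.  Run it as the zimbra user so the 0640 cert files are readable."""
import base64
import hashlib
import re
import ssl
from pathlib import Path

# Copies that zmcertmgr writes on deploy (paths from the listing in the thread).
DEPLOYED_CERTS = [
    "/opt/zimbra/ssl/zimbra/commercial/commercial.crt",
    "/opt/zimbra/conf/nginx.crt",
    "/opt/zimbra/conf/smtpd.crt",
    "/opt/zimbra/conf/slapd.crt",
]
# Assumed: the public host name and the implicit-TLS ports to probe on it.
MAIL_HOST = "mail.example.com"
SERVICE_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "ldaps": 636}

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def first_cert_der(pem: str) -> bytes:
    """DER bytes of the first (leaf) certificate in a PEM string or chain."""
    m = _CERT_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem: str) -> str:
    """SHA-256 of the leaf cert's DER: the value that
    `openssl x509 -noout -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(first_cert_der(pem)).hexdigest()


def der_to_pem(der: bytes) -> str:
    """Wrap raw bytes in a CERTIFICATE block.  Used here only to build
    constructed test input; fingerprinting never parses the DER itself."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def deployed_fingerprints(paths=DEPLOYED_CERTS) -> dict:
    """Path -> fingerprint of each on-disk copy (None if the file is missing)."""
    result = {}
    for p in paths:
        try:
            result[p] = fingerprint(Path(p).read_text())
        except FileNotFoundError:
            result[p] = None
    return result


def served_fingerprints(host=MAIL_HOST, ports=SERVICE_PORTS) -> dict:
    """Service -> fingerprint of the cert the live listener presents right now.

    No trust decision is made (the chain is not validated); the question is
    only *which* certificate the running process has loaded.
    """
    result = {}
    for name, port in ports.items():
        try:
            result[name] = fingerprint(ssl.get_server_certificate((host, port)))
        except OSError as exc:  # refused, timed out, handshake failure
            result[name] = f"error: {exc}"
    return result


def audit(reference: str, observed: dict) -> list:
    """Return the (name, fingerprint) pairs in `observed` that differ from
    `reference`, the fingerprint of the cert acme.sh just issued.

    A differing file means the copy was never written; a differing service
    means the file changed but the daemon still holds the old cert in memory,
    i.e. the restart did not happen.  File mtimes cannot tell these apart.
    """
    return [(name, fp) for name, fp in observed.items() if fp != reference]


def demo() -> list:
    """Offline run on constructed input: nginx.crt was replaced, imaps was not restarted."""
    new_cert = der_to_pem(b"constructed DER standing in for the freshly issued cert")
    old_cert = der_to_pem(b"constructed DER standing in for last year's cert")
    observed = {
        "/opt/zimbra/conf/nginx.crt": fingerprint(new_cert),
        "imaps": fingerprint(old_cert),
    }
    return audit(fingerprint(new_cert), observed)


if __name__ == "__main__":
    for name, fp in demo():
        print(f"STALE: {name} still carries {fp[:16]}...")
    # On the real host run instead (needs network access to the listeners):
    #   ref = deployed_fingerprints()[DEPLOYED_CERTS[0]]
    #   stale = audit(ref, {**deployed_fingerprints(), **served_fingerprints()})
```

The live form treats `commercial.crt` as the reference because that is what the deploy step writes first; anything in the result list is either a copy that was not written or a listener that still needs its restart. SMTP on 25/587 uses STARTTLS and is not covered by `ssl.get_server_certificate`, which is why only implicit-TLS ports are probed.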
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Hey Jim:

The test works perfectly! I'll let you know in August if I have any issues. Have a good summer.

Richard
BruceW
Posts: 5
Joined: Tue Jan 09, 2018 6:27 pm

Re: Another Letsencrypt method

Post by BruceW »

Hey, Jim, I am getting this error when installing 'certbot' using your preferred 'snap' method on Ubuntu 16.04. Is it safe to use the classic version? Please advise.


@zimbra2:~# snap install certbot
error: This revision of snap "certbot" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

BruceW wrote: Hey, Jim, I am getting this error when installing 'certbot' using your preferred 'snap' method on Ubuntu 16.04. Is it safe to use the classic version? Please advise.


@zimbra2:~# snap install certbot
error: This revision of snap "certbot" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.

Sorry, I don't use certbot. There are hundreds of ACME clients for the ACME protocol that automate issuing/verifying a certificate, certbot being one of them. This thread discusses another ACME client called acme.sh (a bash script).
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: Another Letsencrypt method

Post by barrydegraaff »

Another Let's Encrypt step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

FYI,

acme.sh version v3.0.6 and above has switched the default certificate type to ec-256 from RSA certificates. zmcertmgr will have a problem installing ec-256 certificates without a patch. As I write this, 8.8.15P36 and 9.0.0.P28 are the latest versions.

Background Ref: viewtopic.php?f=13&t=71611

What does this mean?

1) If you are using v3.0.5 or below, it will work the same for new certificates and renewals.
2) If you are using v3.0.6 and above, it will work the same for renewals.
3) If you are using v3.0.6 and above, it will fail for new certificates.

There are 2 solutions to the above problem when running version v3.0.6 and above with Zimbra:

1) Add --keylength 2048 to use RSA (previous default)
2) Use the ec-256 certificate but patch zmcertmgr

Ref: https://github.com/acmesh-official/acme.sh/issues/2350

Extra:


# su - zimbra
% cd /opt/zimbra/.acme.sh 
% ./acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.6

AND

% grep DEFAULT_ACCOUNT_KEY_LENGTH acme.sh | head -1
DEFAULT_ACCOUNT_KEY_LENGTH=ec-256

For acme.sh v3.0.5 and below:


% acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.5

AND

% grep DEFAULT_ACCOUNT_KEY_LENGTH acme.sh | head -1
DEFAULT_ACCOUNT_KEY_LENGTH=2048

Patch to change default: https://github.com/acmesh-official/acme ... ba17c775e6
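An added example (not code from this post, from acme.sh or from Zimbra) that turns the above into a preflight check: classify the key type of the files acme.sh produced, decide whether an unpatched zmcertmgr will install them, and derive the `--keylength 2048` flag from the script's own default. It assumes that acme.sh also carries a `DEFAULT_DOMAIN_KEY_LENGTH` line (the domain-key counterpart of the `DEFAULT_ACCOUNT_KEY_LENGTH` line grepped above, and the one that actually governs the certificate key), that an unpatched zmcertmgr accepts RSA only as the post states, and that the PEM blocks built with `pem_wrap` are constructed stand-ins, not real keys.

```python
"""Preflight for the ec-256 default: what key type did acme.sh actually
produce, and will zmcertmgr take it?  Added example, not code from the thread,
acme.sh or Zimbra.  Assumptions: unpatched zmcertmgr accepts RSA only (as the
post states), acme.sh keeps its domain-key default in DEFAULT_DOMAIN_KEY_LENGTH
next to the DEFAULT_ACCOUNT_KEY_LENGTH line the post greps, and the key/cert
files live wherever your --key-file/--fullchain-file options put them."""
import base64
import re

# DER encodings of the algorithm OIDs found in a PKCS#8 key or in a
# certificate's SubjectPublicKeyInfo.
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")        # 1.2.840.10045.3.1.7 (ec-256)

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str):
    """Yield (label, der) for each PEM block in order of appearance."""
    for m in _PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def pem_wrap(label: str, der: bytes) -> str:
    """Build a PEM block; used here only to construct test input."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


def key_type(pem: str) -> str:
    """Classify the first key or certificate in `pem`: 'rsa', 'ec-256', 'ec' or 'unknown'.

    Traditional OpenSSL headers (RSA/EC PRIVATE KEY) name the algorithm.
    PKCS#8 keys ('BEGIN PRIVATE KEY') and certificates do not, so their DER
    is scanned for the algorithm OID (a heuristic, but those byte strings do
    not occur by accident in real key material).  Only the first block is
    inspected, so issuer certs in a fullchain file cannot mask the leaf.
    """
    for label, der in pem_blocks(pem):
        if label == "EC PARAMETERS":  # openssl ecparam -genkey emits this before the key
            continue
        if label == "RSA PRIVATE KEY":
            return "rsa"
        if label == "EC PRIVATE KEY" or OID_EC_PUBLIC_KEY in der:
            return "ec-256" if OID_PRIME256V1 in der else "ec"
        if OID_RSA_ENCRYPTION in der:
            return "rsa"
        return "unknown"
    return "unknown"


def zmcertmgr_accepts(kind: str, patched: bool = False) -> bool:
    """Unpatched zmcertmgr installs RSA only; the patch from the thread adds ECC."""
    return kind == "rsa" or (kind.startswith("ec") and patched)


def acme_defaults(acme_sh_source: str) -> dict:
    """DEFAULT_*_KEY_LENGTH assignments from the acme.sh script text; the
    first occurrence wins, matching the `grep ... | head -1` in the thread."""
    found = {}
    for name, value in re.findall(r"^(DEFAULT_\w+_KEY_LENGTH)=(\S+)", acme_sh_source, re.M):
        found.setdefault(name, value.strip("\"'"))
    return found


def recommended_issue_flags(acme_sh_source: str, patched_zmcertmgr: bool = False) -> list:
    """Extra arguments for `acme.sh --issue` so the result installs cleanly.

    If the script's domain-key default is an EC curve and zmcertmgr is not
    patched, force RSA with --keylength 2048 (the pre-3.0.6 default), which is
    option 1 in the post.  Otherwise nothing extra is needed.
    """
    default = acme_defaults(acme_sh_source).get("DEFAULT_DOMAIN_KEY_LENGTH", "2048")
    if default.startswith("ec-") and not patched_zmcertmgr:
        return ["--keylength", "2048"]
    return []


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the .key and .cer files acme.sh wrote
        with open(path) as fh:
            kind = key_type(fh.read())
        verdict = "ok" if zmcertmgr_accepts(kind) else "zmcertmgr will reject"
        print(f"{path}: {kind} -> {verdict}")
```

Run it as the zimbra user against the files acme.sh wrote before calling zmcertmgr; note that acme.sh keeps EC certificates under a `<domain>_ecc` directory rather than `<domain>`, so a new ec-256 issue also changes which directory your deploy hook has to read.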
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Another Letsencrypt method

Post by ghen »

FWIW this patch makes zmcertmgr able to verify and install 3rd party ECC certificates: https://github.com/Zimbra/zm-core-utils/pull/96

I have patches to make it generate ECC keys & certificates as well, but this needs more work to make it fully configurable (allowing choice between RSA and ECC).
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: Another Letsencrypt method

Post by zim_mike »

How can I remove acme and the le cert?

viewtopic.php?t=72305
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

zim_mike wrote (Fri Oct 13, 2023 1:14 am): How can I remove acme and the LE cert?

viewtopic.php?t=72305

Easy...

acme.sh ... it's a directory (it also added a cron entry and a .cshrc or .bashrc alias for the user that installed it). Do this:


% cd .acme.sh
% ./acme.sh --uninstall
% cd .. ; /bin/rm -rf .acme.sh

It's gone.

Now for the LE cert... install a self-signed or other cert and it is gone. That will overwrite it.

Jim
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: Another Letsencrypt method

Post by zim_mike »

Hi,

Thanks for that.

I seem to recall that I had to restart some services too after adding/updating certs?
I still could use LE, I just need it to be a manual reminder. In this case, if something goes wrong I would not know about it which is what caused a lot of grief over the past week or so.