Another Letsencrypt method

zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Another Letsencrypt method

Post by zimico »

Dear JDunphy,

Thanks for your kind help. Unfortunately, I got the following error:

[administrator@mail acme.sh]$ ./acme.sh --renew -d mail.zimilab.com
[Thu Mar 29 23:35:19 +07 2018] Renew: 'mail.zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Multi domain='DNS:zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Getting domain auth token for each domain
[Thu Mar 29 23:35:21 +07 2018] Getting webroot for domain='mail.zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Getting new-authz for domain='mail.zimilab.com'
[Thu Mar 29 23:35:24 +07 2018] The new-authz request is ok.
[Thu Mar 29 23:35:24 +07 2018] Getting webroot for domain='zimilab.com'
[Thu Mar 29 23:35:24 +07 2018] Getting new-authz for domain='zimilab.com'
[Thu Mar 29 23:35:25 +07 2018] The new-authz request is ok.
[Thu Mar 29 23:35:25 +07 2018] mail.zimilab.com is already verified, skip dns-01.
[Thu Mar 29 23:35:25 +07 2018] zimilab.com is already verified, skip dns-01.
[Thu Mar 29 23:35:25 +07 2018] Verify finished, start to sign.
[Thu Mar 29 23:35:28 +07 2018] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Thu Mar 29 23:35:28 +07 2018] Your cert is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.cer
[Thu Mar 29 23:35:28 +07 2018] Your cert key is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.key
[Thu Mar 29 23:35:29 +07 2018] The intermediate CA cert is in  /home/administrator/.acme.sh/mail.zimilab.com/ca.cer
[Thu Mar 29 23:35:29 +07 2018] And the full chain certs is there:  /home/administrator/.acme.sh/mail.zimilab.com/fullchain.cer
[Thu Mar 29 23:35:29 +07 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Thu Mar 29 23:35:29 +07 2018] Call hook error.
I tried to continue with deploying the cert to see what happens:

[zimbra@mail letsencrypt]$ ./deploy-zimbra-letsencrypt.sh
zimbra/
zimbra/server/
zimbra/server/server.crt
zimbra/server/server.key
zimbra/server/server.csr
zimbra/ca/
zimbra/ca/ca.key
zimbra/ca/index.txt.attr
zimbra/ca/index.txt
zimbra/ca/ca.srl
zimbra/ca/ca.srl.old
zimbra/ca/zmssl.cnf
zimbra/ca/index.txt.old
zimbra/ca/newcerts/
zimbra/ca/newcerts/1514395920.pem
zimbra/ca/newcerts/1514395914.pem
zimbra/ca/newcerts/1514395905.pem
zimbra/ca/newcerts/1514395909.pem
zimbra/ca/ca.pem
zimbra/commercial/
zimbra/commercial/commercial_ca.crt
zimbra/commercial/commercial.key
zimbra/commercial/commercial.crt
zimbra/jetty.pkcs12
** Verifying 'mail.zimilab.com.cer' against 'mail.zimilab.com.key'
Certificate 'mail.zimilab.com.cer' and private key 'mail.zimilab.com.key' match.
** Verifying 'mail.zimilab.com.cer' against 'fullchain.cer'
ERROR: Unable to validate certificate chain: mail.zimilab.com.cer: CN = mail.zimilab.com
error 10 at 0 depth lookup:certificate has expired
OK
In https://github.com/Neilpang/acme.sh/wik ... anual-mode I see:
Please add the TXT record to your DNS records. This step is required every time you renew your certificate. With DNS api mode, this step can be automated.
So I understand that I always have to update the TXT record manually even if I renew before 60 days?

Best regards,
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Sure looks like it from what you are showing... Try this workaround.
First, let's get a valid cert. You don't show these exact steps. Did you do --issue first?

acme.sh --issue --dns -d mail.zimilab.com
acme.sh --renew --dns -d mail.zimilab.com
If that --issue doesn't appear to have worked, please add --force --issue to get you to some known starting place and update your TXT records. Then issue the --renew.
Next, let's test the renew before 60 days.

acme.sh --renew --force --dns -d mail.zimilab.com
Let me know because I have some certs for websites in 3 weeks and am very interested if the manual DNS process has changed. BTW, if you are checking the return code from running acme.sh in your scripts, this is what I key on.

1 --- failed to renew
2 --- not time to renew
0 --- success

BTW, I tend to use the automatic DNS method most of the time... See ~/acme.sh/dnsapi for the supported APIs, i.e. --dns dns_nsupdate would be the command line option for bind if you are managing your own DNS, provided you have nsupdate and the keys created of course. :-)
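As an added example (not from this thread and not part of acme.sh), a small Python parser that applies the exit-code mapping above to acme.sh renew output and flags the pattern seen earlier in the thread, where "Cert success." is followed by "Call hook error.": the cert files exist on disk, but the post-issue hook did not run, so a wrapper script should not deploy blindly. The sample output is a constructed, shortened copy of the manual-mode log quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Exit codes as the post describes them (what a wrapper script keys on).
ACME_EXIT_CODES = {0: "success", 1: "failed to renew", 2: "not time to renew"}

LOG_RE = re.compile(r"^\[[^\]]+\]\s*(.*)$")  # "[timestamp] message"
CERT_RE = re.compile(r"^Your cert is in\s+(\S+)")
CHAIN_RE = re.compile(r"^And the full chain certs is there:\s+(\S+)")


@dataclass
class RenewResult:
    exit_code: int
    status: str                       # mapped from ACME_EXIT_CODES
    cert_issued: bool = False         # "Cert success." seen
    hook_error: bool = False          # "Call hook error." seen
    manual_dns: bool = False          # dns manual mode warning seen
    cert_path: Optional[str] = None
    fullchain_path: Optional[str] = None

    @property
    def safe_to_deploy(self) -> bool:
        # Deploy only when a cert was signed, its chain path was reported and
        # no hook failed: a hook error means the post-issue step did not run.
        return self.cert_issued and self.fullchain_path is not None and not self.hook_error


def parse_acme_renew(output: str, exit_code: int) -> RenewResult:
    """Parse acme.sh --renew output (timestamped lines) together with its exit code."""
    r = RenewResult(exit_code, ACME_EXIT_CODES.get(exit_code, "unknown exit code"))
    for raw in output.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # PEM body, shell prompt and other non-log lines
        msg = m.group(1)
        if msg == "Cert success.":
            r.cert_issued = True
        elif msg == "Call hook error.":
            r.hook_error = True
        elif "dns manual mode" in msg:
            r.manual_dns = True
        elif CERT_RE.match(msg):
            r.cert_path = CERT_RE.match(msg).group(1)
        elif CHAIN_RE.match(msg):
            r.fullchain_path = CHAIN_RE.match(msg).group(1)
    return r


# Constructed sample: a shortened copy of the manual-mode renew output from the thread.
SAMPLE_HOOK_ERROR = """\
[Thu Mar 29 23:35:28 +07 2018] Cert success.
-----BEGIN CERTIFICATE-----
[Thu Mar 29 23:35:28 +07 2018] Your cert is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.cer
[Thu Mar 29 23:35:29 +07 2018] And the full chain certs is there:  /home/administrator/.acme.sh/mail.zimilab.com/fullchain.cer
[Thu Mar 29 23:35:29 +07 2018] It seems that you are using dns manual mode. please take care: ...
[Thu Mar 29 23:35:29 +07 2018] Call hook error.
"""
```

In a cron wrapper, feed the captured output and `$?` of acme.sh to parse_acme_renew and only run the Zimbra deploy step when safe_to_deploy is true; an exit code of 2 simply means it was not yet time to renew.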
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Note: 60 days is no longer valid. It has changed to 30 days. You will need to issue --force and --renew within 30 days if you are manually updating the DNS and want to renew but not verify those TXT records again. The certificate is still good for 90 days, but the verification window is what changed.
See this https://community.letsencrypt.org/t/fai ... time/31520

Here are both DNS verification methods (automatic and manual), and they both work.

First the automatic DNS method.

% ./acme.sh  --renew --dns dns_cf mydog.gsans.com
[Thu Mar 29 12:09:11 PDT 2018] Renew: 'mydog.gsans.com'
[Thu Mar 29 12:09:11 PDT 2018] Skip, Next renewal time is: Sun Apr  1 16:32:04 UTC 2018
[Thu Mar 29 12:09:11 PDT 2018] Add '--force' to force to renew.
Following the directions, we add --force as acme.sh requested and it works perfectly.

% ./acme.sh  --renew --dns dns_cf mydog.gsans.com
[Thu Mar 29 12:13:48 PDT 2018] Renew: 'mydog.gsans.com'
[Thu Mar 29 12:13:48 PDT 2018] Single domain='mydog.gsans.com'
[Thu Mar 29 12:13:48 PDT 2018] Getting domain auth token for each domain
[Thu Mar 29 12:13:48 PDT 2018] Getting webroot for domain='mydog.gsans.com'
[Thu Mar 29 12:13:48 PDT 2018] Getting new-authz for domain='mydog.gsans.com'
[Thu Mar 29 12:13:48 PDT 2018] The new-authz request is ok.
[Thu Mar 29 12:13:49 PDT 2018] Found domain api file: /home/jad/.acme.sh/dnsapi/dns_cf.sh
[Thu Mar 29 12:13:49 PDT 2018] Adding record
[Thu Mar 29 12:13:50 PDT 2018] Added, OK
[Thu Mar 29 12:13:50 PDT 2018] Sleep 120 seconds for the txt records to take effect
[Thu Mar 29 12:15:51 PDT 2018] Verifying:mydog.gsans.com
[Thu Mar 29 12:15:55 PDT 2018] Success
[Thu Mar 29 12:15:56 PDT 2018] Verify finished, start to sign.
[Thu Mar 29 12:15:57 PDT 2018] Cert success.
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
[Thu Mar 29 12:15:57 PDT 2018] Your cert is in  /home/jad/.acme.sh/mydog.gsans.com/mydog.gsans.com.cer 
[Thu Mar 29 12:15:57 PDT 2018] Your cert key is in  /home/jad/.acme.sh/mydog.gsans.com/mydog.gsans.com.key 
[Thu Mar 29 12:15:57 PDT 2018] The intermediate CA cert is in  /home/jad/.acme.sh/mydog.gsans.com/ca.cer 
[Thu Mar 29 12:15:57 PDT 2018] And the full chain certs is there:  /home/jad/.acme.sh/mydog.gsans.com/fullchain.cer 
[Thu Mar 29 12:15:57 PDT 2018] Installing cert to:/etc/httpd/ssl/mydog.gsans.com/cert.pem
[Thu Mar 29 12:15:57 PDT 2018] Installing CA to:/etc/httpd/ssl/mydog.gsans.com/mydog.gsans.com.ca
[Thu Mar 29 12:15:57 PDT 2018] Installing key to:/etc/httpd/ssl/mydog.gsans.com/key.pem
[Thu Mar 29 12:15:57 PDT 2018] Installing full chain to:/etc/httpd/ssl/mydog.gsans.com/fullchain.pem
[Thu Mar 29 12:15:57 PDT 2018] Installing cert to:/etc/httpd/ssl/mydog.gsans.com/cert.pem
[Thu Mar 29 12:15:57 PDT 2018] Installing CA to:/etc/httpd/ssl/mydog.gsans.com/mydog.gsans.com.ca
[Thu Mar 29 12:15:57 PDT 2018] Installing key to:/etc/httpd/ssl/mydog.gsans.com/key.pem
[Thu Mar 29 12:15:57 PDT 2018] Installing full chain to:/etc/httpd/ssl/mydog.gsans.com/fullchain.pem
For the manual process, it works the same but faster, because there is no 120-second delay as in the automatic DNS method, which always does verification with --force.

% acme.sh --renew --dns -d www.medhatactive.com -d medhatactive.com
[Fri Mar 30 05:56:48 PDT 2018] Renew: 'www.medhatactive.com'
[Fri Mar 30 05:56:48 PDT 2018] Skip, Next renewal time is: Mon May 28 19:27:36 UTC 2018
[Fri Mar 30 05:56:48 PDT 2018] Add '--force' to force to renew.
Adding the --force option with the manual DNS method:

% acme.sh --force --renew --dns -d www.medhatactive.com -d medhatactive.com
[Fri Mar 30 05:56:56 PDT 2018] Renew: 'www.medhatactive.com'
[Fri Mar 30 05:56:57 PDT 2018] Multi domain='DNS:medhatactive.com'
[Fri Mar 30 05:56:57 PDT 2018] Getting domain auth token for each domain
[Fri Mar 30 05:56:57 PDT 2018] Getting webroot for domain='www.medhatactive.com'
[Fri Mar 30 05:56:57 PDT 2018] Getting new-authz for domain='www.medhatactive.com'
[Fri Mar 30 05:56:58 PDT 2018] The new-authz request is ok.
[Fri Mar 30 05:56:58 PDT 2018] Getting webroot for domain='medhatactive.com'
[Fri Mar 30 05:56:58 PDT 2018] Getting new-authz for domain='medhatactive.com'
[Fri Mar 30 05:56:58 PDT 2018] The new-authz request is ok.
[Fri Mar 30 05:56:58 PDT 2018] www.medhatactive.com is already verified, skip dns-01.
[Fri Mar 30 05:56:58 PDT 2018] medhatactive.com is already verified, skip dns-01.
[Fri Mar 30 05:56:58 PDT 2018] Verify finished, start to sign.
[Fri Mar 30 05:56:59 PDT 2018] Cert success.
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
[Fri Mar 30 05:56:59 PDT 2018] Your cert is in  /home/jad/.acme.sh/www.medhatactive.com/www.medhatactive.com.cer 
[Fri Mar 30 05:56:59 PDT 2018] Your cert key is in  /home/jad/.acme.sh/www.medhatactive.com/www.medhatactive.com.key 
[Fri Mar 30 05:56:59 PDT 2018] The intermediate CA cert is in  /home/jad/.acme.sh/www.medhatactive.com/ca.cer 
[Fri Mar 30 05:56:59 PDT 2018] And the full chain certs is there:  /home/jad/.acme.sh/www.medhatactive.com/fullchain.cer 
[Fri Mar 30 05:56:59 PDT 2018] Installing cert to:/etc/httpd/ssl/www.medhatactive.com/cert.pem
[Fri Mar 30 05:56:59 PDT 2018] Installing CA to:/etc/httpd/ssl/www.medhatactive.com/www.medhatactive.com.ca
[Fri Mar 30 05:56:59 PDT 2018] Installing key to:/etc/httpd/ssl/www.medhatactive.com/key.pem
[Fri Mar 30 05:56:59 PDT 2018] Installing full chain to:/etc/httpd/ssl/www.medhatactive.com/fullchain.pem
Updated: I cut and pasted the wrong results for manual mode previously.
Last edited by JDunphy on Fri Mar 30, 2018 1:05 pm, edited 1 time in total.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Another Letsencrypt method

Post by zimico »

Dear JDunphy,

Thanks for your time. I cannot renew the cert now because of the letsencrypt rate limit. I will wait until next week and start again, then let you know the result.

Have a nice weekend JDunphy.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

You can test by using the letsencrypt staging server, which has different limits... use the --staging option with acme.sh to verify your process. Limits and uses are explained here: https://letsencrypt.org/docs/staging-environment/

Also, did you see this new verification mode? https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode. In this mode, you have some other domain that is registered with a DNS provider that has an API (like Cloudflare), but the domains you want certs for are with a DNS provider without an API. You create a CNAME such that _acme-challenge.YourZimbraDomain4Validation.com => _acme-challenge.aliasDomain4ValidationOnly.com.

I still need to try this out, as this mode didn't exist the last time I looked at the acme.sh GitHub page... but you would issue it like this.

acme.sh --issue  \
  -d  YourZimbraDomain4Validation --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
No more concerns with the 30 days for validation problems, and it just always works... Note: if you try this, use the --staging option until you get your scripts working the way you want.
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Another Letsencrypt method

Post by zimico »

Dear JDunphy,

Today I re-issued and renewed the cert again but still have the "Call hook error".

[administrator@mail ~]$ acme.sh --issue --dns -d mail.zimilab.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --force
[Sun Apr  8 22:51:04 +07 2018] Single domain='mail.zimilab.com'
[Sun Apr  8 22:51:04 +07 2018] Getting domain auth token for each domain
[Sun Apr  8 22:51:04 +07 2018] Getting webroot for domain='mail.zimilab.com'
[Sun Apr  8 22:51:04 +07 2018] Getting new-authz for domain='mail.zimilab.com'
[Sun Apr  8 22:51:07 +07 2018] The new-authz request is ok.
[Sun Apr  8 22:51:07 +07 2018] mail.zimilab.com is already verified, skip dns-01.
[Sun Apr  8 22:51:07 +07 2018] Verify finished, start to sign.
[Sun Apr  8 22:51:10 +07 2018] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Sun Apr  8 22:51:10 +07 2018] Your cert is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.cer
[Sun Apr  8 22:51:10 +07 2018] Your cert key is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.key
[Sun Apr  8 22:51:11 +07 2018] The intermediate CA cert is in  /home/administrator/.acme.sh/mail.zimilab.com/ca.cer
[Sun Apr  8 22:51:11 +07 2018] And the full chain certs is there:  /home/administrator/.acme.sh/mail.zimilab.com/fullchain.cer

[administrator@mail ~]$ acme.sh --renew --dns -d mail.zimilab.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --force
[Sun Apr  8 22:51:40 +07 2018] Renew: 'mail.zimilab.com'
[Sun Apr  8 22:51:41 +07 2018] Single domain='mail.zimilab.com'
[Sun Apr  8 22:51:41 +07 2018] Getting domain auth token for each domain
[Sun Apr  8 22:51:41 +07 2018] Getting webroot for domain='mail.zimilab.com'
[Sun Apr  8 22:51:41 +07 2018] Getting new-authz for domain='mail.zimilab.com'
[Sun Apr  8 22:51:44 +07 2018] The new-authz request is ok.
[Sun Apr  8 22:51:44 +07 2018] mail.zimilab.com is already verified, skip dns-01.
[Sun Apr  8 22:51:44 +07 2018] Verify finished, start to sign.
[Sun Apr  8 22:51:46 +07 2018] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Sun Apr  8 22:51:46 +07 2018] Your cert is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.cer
[Sun Apr  8 22:51:46 +07 2018] Your cert key is in  /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.key
[Sun Apr  8 22:51:47 +07 2018] The intermediate CA cert is in  /home/administrator/.acme.sh/mail.zimilab.com/ca.cer
[Sun Apr  8 22:51:47 +07 2018] And the full chain certs is there:  /home/administrator/.acme.sh/mail.zimilab.com/fullchain.cer
[Sun Apr  8 22:51:47 +07 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Sun Apr  8 22:51:47 +07 2018] Call hook error.
I enabled --debug but haven't seen any error relating to "call hook error".

Regards,
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

I run various versions of acme.sh on my servers... 2.6.9 still allows one to do manual DNS. Version 2.7.9, which has that new option --yes-I-know-dns-manual-mode-enough-go-ahead-please (had to go look for it) :-), doesn't really do anything from looking at the code other than short-circuiting some of the API logic. I think you should ask this question to the author of the acme.sh software on his GitHub page about that post hook message. He is really good about responding and fixing any issues. I have been playing with his new --challenge-alias option that was introduced in the latest acme.sh, which I discovered with your recent questions... I have that new mode documented in my GitHub page under the recipes as method 2c.

Did you verify the certs generated? You can do that outside the deploy script by following the directions in my original post to create the file IdentTrust.pem if you need to.

cat ../IdentTrust.pem >> fullchain.cer 
su zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer"
Also, this can give you a little information to look inside the cert to see if it appears valid.

cd ~/.acme.sh/mail.zimilab.com
openssl x509 -in mail.zimilab.com.cer -text -noout 
Pepe
Posts: 33
Joined: Mon Jun 26, 2017 2:28 am

Re: Another Letsencrypt method

Post by Pepe »

Greetings!
I tried this but always failed to create the .pem, .crt and .key files; am I doing something wrong?
I tried with the code:

./acme.sh --renew --dns -d mail.zimbralocalxyz.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
It generates the TXT record but not the files I mentioned before.
Thank you.
PS: with this certificate, can I enter Zimbra webmail without the certificate warning in a local environment?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Pepe wrote: Greetings!
I tried this but always failed to create the .pem, .crt and .key files; am I doing something wrong?
I tried with the code:

./acme.sh --renew --dns -d mail.zimbralocalxyz.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
It generates the TXT record but not the files I mentioned before.
Thank you.
PS: with this certificate, can I enter Zimbra webmail without the certificate warning in a local environment?
The instructions from this thread and from https://github.com/Neilpang/acme.sh are:

./acme.sh --init --dns -d mail.zimbralocalxyz.com
Then add your DNS TXT records from the output of the above command, followed by this command after that is done.

./acme.sh --renew --dns -d mail.zimbralocalxyz.com
The --renew at this point is doing the validate against those txt records you added for your zone file.
At this point, you can follow the rest of the instructions in this thread, and yes, there will be no warning. I like the DNS automatic methods myself these days because I don't have to add the TXT record by hand, which is documented at: https://github.com/JimDunphy/deploy-zim ... encrypt.sh For the automatic DNS methods, you only need the --init command, since there is enough time delay in the acme.sh script to do the validate, i.e. you don't have to do --renew.
Note: letsencrypt has lowered the time to re-validate to 30 days ... meaning if you have a valid cert and then get a new one, you will not have to issue the --renew for the manual DNS method provided you do it within 30 days. This is a moving target so it would be best to use one of the automatic methods once you trust how this all works. This is not related to the expiration of the certificate - just the validation where you prove you control the domain.
Pepe
Posts: 33
Joined: Mon Jun 26, 2017 2:28 am

Re: Another Letsencrypt method

Post by Pepe »

Hello JDunphy:
It still does not work; I must put

--yes-I-know-dns-manual-mode-enough-go-ahead-please
in order to install, otherwise I can't.

[zimbratest@prueba2 acme.sh]$ sh acme.sh --issue --dns -d mail.zimbraxyz.com
[jue jun 14 13:56:29 BOT 2018] It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
Do I have to use socat? It's just one test server. One more thing: I have separate servers, one for Zimbra and another for DNS.

Thank you.