Another Letsencrypt method

bagett88
Posts: 1
Joined: Wed Aug 25, 2021 8:55 am

Re: Another Letsencrypt method

Post by bagett88 »

zimbraxtc wrote:
zimbraxtc wrote:
Hello and thanks for a great thread!

I'm running an old 8.6 and would like to install a Let's Encrypt cert...

So... I used getssl to generate those files:
-rw------- 1 root root 5768 apr 4 15:55 chain.crt
-rw------- 1 root root 6076 apr 4 16:21 fullchain.crt
-rw------- 1 root root 3448 apr 4 15:41 mymailserver.se.crt
-rw------- 1 root root 1614 apr 4 15:06 mymailserver.se.csr
-rw------- 1 root root 3243 apr 4 15:06 mymailserver.se.key

I also tried to append fullchain with files according to different posts, but I didn't get it to work and just ran into:
fredde@xx:~/.getssl/mymailserver/archive/2021_04_04_15_06$ sudo /opt/zimbra/bin/zmcertmgr verifycrt comm mymailserver.se.key mymailserver.se.crt fullchain.crt
** Verifying mymailserver.se.crt against mymailserver.se.key
Certificate (mymailserver.se.crt) and private key (mymailserver.key) match.
XXXXX ERROR: Invalid Certificate: mymailserver.se.crt: C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
error 2 at 2 depth lookup:unable to get issuer certificate

I have tried to append fullchain.crt with a lot of different certs but can't get it working...

I have looked into https://letsencrypt.org/certificates/ but really can't see what I am doing wrong.

Any great ideas??

Thanks a lot!
Fixed it by rerunning getssl with a specified chain and appending the correct cert X1. And got an OK.
more details please...
have the same problem.
cmel
Posts: 1
Joined: Sat Aug 28, 2021 12:44 pm

Re: Another Letsencrypt method

Post by cmel »

bagett88 wrote:
more details please...
have the same problem.

I've managed to update my certificate, and here are the steps I've done that might help you:

1. Ensure you have updated acme.sh
2. Use the ZeroSSL version by calling "acme.sh" at least once with the flag

--preferred-chain "ISRG"
3. Go through the DNS validation and your certificate will be generated
4. The generated "fullchain.cer" will not validate with Zimbra. You need to create the "correct" one.
5. Go to https://whatsmychaincert.com/ and paste your domain.com.cer value on "Generate the Correct Chain" and check the option to include the root certificate (this is important)
6. Copy the correct chain and use it as "fullchain.cer" on your Zimbra server. This new and correct fullchain_correct.cer already has the root certificate!
7. Test that everything validates

sudo /opt/zimbra/bin/zmcertmgr verifycrt comm "mail.domain.com.key" "mail.domain.com.cer" "fullchain_correct.cer"
Hope it helps.
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: Another Letsencrypt method

Post by barrydegraaff »

--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
GlooM
Advanced member
Posts: 127
Joined: Sat Sep 13, 2014 12:50 am

Re: Another Letsencrypt method

Post by GlooM »

Big thanks!
dtpodnar
Posts: 6
Joined: Sat Sep 13, 2014 1:44 am

Re: Another Letsencrypt method

Post by dtpodnar »

Good day. I'm out over my skis a bit on a Zimbra 8 LetsEncrypt renewal.
I originally used the penzoiders github method for LetsEncrypt (https://github.com/penzoiders/zimbra-auto-letsencrypt).
I haven't been able to figure out how to renew that with the expired DSTRootCAX3.pem. The penzoiders method does weird things to /opt/zimbra/ssl.
I'd like to totally remove this method and use something more current, but I don't want to make it worse.
Any suggestions from someone who understands this script better than I?
Using Zimbra 8.8.15 Patch 28 on CentOS 7.9-2009 (all fully patched).
Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 NETWORK edition, Patch 8.8.15_P28.

Thanks in advance.
Tom
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

Seems like if you modify your config file and do 2 things you could get the alternative signing chain.

1) add --preferred-chain "ISRG Root X1" to the certbot command on line 218 of the script (probably best), or in the config file where the variable $letsencrypt is defined to be certbot
2) replace the contents of DSTRootCAX3.pem with the certificate from: wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

Ref: https://wiki.zimbra.com/wiki/Installing ... ertificate

Why? There are 2 signing chains, explained here: https://wiki.zimbra.com/wiki/JDunphy-LeChains
The default chain has 2 root CAs that have signed your certificate, but we need openssl (zmcertmgr uses this) to stop at the ISRG X1 certificate because the other (top) trust anchor has expired (old Android clients don't care about expiration of trust anchors, but openssl clients do). That can be a problem for some openssl versions, so one workaround is to remove that from the chain in older versions. Most people don't need to support really, really old Android clients, so we use the alternative chain, but you have to ask for it to bypass this issue completely.

Having said that, you can remove the cron entries and try a new method without issue and switch back at any time. Nothing happens until you issue the zmcertmgr deploycrt command and a corresponding cp of your private key, so you can verify the certificate until you get it correct. A quick look at the script seems to indicate that the block at 262 and line 247 are where the installation happens in your script, so those are what you would comment out. Normally, most acme clients will copy the private key and then deploy your certificate and the full chain. They verify the chain first before they get to the installation part, so you don't proceed until that works (look for clients that behave like that if you wish to change acme clients). You can run zmcertmgr verifycrt as often as you like until you get it correct with these types of clients.

Perhaps a little more detail in this post if some of this is still too obtuse.
Ref: viewtopic.php?f=15&t=70238#p303334

HTH,

Jim
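Added example, not code from any post in this thread nor from acme.sh or zmcertmgr: a small bash helper that looks at a leaf certificate and its chain bundle the way the verification step in cmel's steps and Jim's explanation of the expired trust anchor describe it. It lists each certificate's subject and issuer, flags any expired certificate in the bundle, checks that the bundle ends at a self-signed root, and then verifies the leaf against the bundle alone. The function name check_chain and the file names are my own; it assumes openssl 1.1.0 or later and awk are installed.

```shell
#!/usr/bin/env bash
# Added example (not code from this thread or from acme.sh/zmcertmgr).
# check_chain LEAF.pem CHAIN.pem: report what the verify step will see.
# Assumes openssl 1.1.0+ (for -no-CAfile/-no-CApath) and awk.
check_chain() {
  local leaf=$1 chain=$2 dir rc=0 f subj issuer extra=""
  dir=$(mktemp -d) || return 2
  # Split the bundle into one file per certificate: c01.pem, c02.pem, ...
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
       n > 0 {print > (d "/c" sprintf("%02d", n) ".pem")}' "$chain"
  for f in "$dir"/c[0-9][0-9].pem; do
    [ -e "$f" ] || { echo "no certificates found in $chain"; rm -rf "$dir"; return 1; }
    subj=$(openssl x509 -noout -subject -in "$f"); subj=${subj#subject=}
    issuer=$(openssl x509 -noout -issuer -in "$f"); issuer=${issuer#issuer=}
    echo "$(basename "$f"): $subj  <-- issued by: $issuer"
    # One expired certificate in the bundle (the expired DST Root CA X3 case
    # discussed above) is enough to make OpenSSL, and so zmcertmgr, reject it.
    if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null; then
      echo "  EXPIRED: $(openssl x509 -noout -enddate -in "$f")"; rc=1
    fi
  done
  # After the loop, subj/issuer belong to the last certificate in the bundle.
  # zmcertmgr wants the bundle to end at a self-signed trust anchor
  # (ISRG Root X1 for the Let's Encrypt alternative chain).
  if [ "$subj" != "$issuer" ]; then
    echo "  MISSING ROOT: last certificate is not self-signed; append the root CA"; rc=1
  fi
  # Verify the leaf against the bundle alone, with the default CA locations
  # excluded so a root that only exists in the system store does not mask the gap.
  if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then extra=-no-CAstore; fi
  if ! openssl verify -no-CAfile -no-CApath $extra -CAfile "$chain" "$leaf"; then rc=1; fi
  rm -rf "$dir"
  return $rc
}

# Stand-alone usage: ./check_chain.sh mail.example.com.cer fullchain.cer
if [ "$#" -eq 2 ]; then check_chain "$1" "$2"; fi
```

A non-zero exit means the bundle would fail zmcertmgr verifycrt for one of the reasons printed; the messages name which certificate to fix.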
dtpodnar
Posts: 6
Joined: Sat Sep 13, 2014 1:44 am

Re: Another Letsencrypt method

Post by dtpodnar »

Thank you, Jim.
I'd identified the problem correctly, but my attempts at reaching one of the two solutions had failed.
Unless I broke something, one of your two should work.
I appreciate your kind attention and willingness to help. Thanks again!
Tom
radiogen
Posts: 2
Joined: Wed Dec 15, 2021 11:01 am

Re: Another Letsencrypt method

Post by radiogen »

@JDunphy I'm trying to solve this issue but don't understand where to check. As I see it, ca.cer.real is generated by the zimbra hook, and it gives an error on deploy.

./acme.sh --version
v3.0.2

[zimbra@mail .acme.sh]$ ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.key'
Certificate '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' and private key '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.key' match.
** Verifying '/opt/zimbra/.acme.sh/mail.example.com/mail.example.com.cer' against '/opt/zimbra/.acme.sh/mail.example.com/ca.cer.real'
ERROR: Unable to validate certificate chain: Error loading file /opt/zimbra/.acme.sh/mail.example.com/ca.cer.real
[Wed Dec 15 14:41:44 UTC 2021] Error deploy for domain:mail.example.com
[Wed Dec 15 14:41:44 UTC 2021] Deploy error.
dtpodnar
Posts: 6
Joined: Sat Sep 13, 2014 1:44 am

Re: Another Letsencrypt method

Post by dtpodnar »

A shout out here to Jim. Your proposed solution was perfect and worked first-time. Thanks again!
Tom
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

radiogen wrote:
@JDunphy I'm trying to solve this issue but don't understand where to check. As I see it, ca.cer.real is generated by the zimbra hook, and it gives an error on deploy.
The error is with the verification of the chain. Given there are 2 chains now, I would recommend the following if you have not done this. You only have to do this once if you haven't done it previously, as acme.sh wants to default to another CA after initially installing acme.sh.

# su - zimbra
% cd ~/.acme.sh
% ./acme.sh --set-default-ca  --server letsencrypt
% ./acme.sh  --set-default-chain  --preferred-chain  ISRG  --server letsencrypt
Re-issue your certificate and it should now verify. If that fails, look at the deploy/zimbra.sh script. It would also have changed in Sept 2021 to match the ISRG X1 certificate that is now the root CA for this chain. It can be found here: https://raw.githubusercontent.com/JimDu ... /zimbra.sh ... Then just attempt to deploy it again. No need to re-issue the certificate.

Ref: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
Ref: https://wiki.zimbra.com/wiki/JDunphy-LeChains

Jim