Another Letsencrypt method
Re: Another Letsencrypt method
Hi Jim, I did force re-issuing certificate and it helped! Zimbra hook went without errors now.
I have this crontab entry under zimbra user:
59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
is it enough for automatic renewal?
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Another Letsencrypt method
radiogen wrote:
    I have this crontab entry under zimbra user:
    59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null

That is all that is required for automatic renewal. You can test it now if you want to verify by adding the --force. Do something like this:
Code:
# su - zimbra
% ./acme.sh --list
% "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh"
Jim
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Certificate renewing but not deploying...
Hey Jim:
Any idea why the cron job is renewing but not deploying the certificate? When I run the command:
Code:
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
I see that the certificates have renewed but they don't deploy. I am using the zimbra.sh script, and my cron job is:
Code:
"/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" >/dev/null 2>&1
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Another Letsencrypt method
That generally happens if a deploy hasn't been run the first time. You can verify this by doing the following on the conf file inside the domain that you are having trouble with. Example:
Code:
# su - zimbra
% cd .acme.sh/mail.example.com
% grep DeployHook mail.example.com.conf
Le_DeployHook='zimbra,'
If you don't have a deploy hook, you can add it manually or you can run the syntax with acme.sh using deploy and it should be there from now on and will work with cron.
Code:
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
If the deploy hook is in the conf file, still run it manually to see if there is something wrong with the zimbra.sh deploy script.
Jim
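An added check script, written for this thread and not taken from it or from acme.sh or Zimbra, that automates the two things Jim asks for above: confirm that the zimbra deploy hook is recorded in the domain's acme.sh conf, and catch the "renewed but not deployed" state by comparing the certificate acme.sh issued with the one Zimbra is actually serving. The conf line format (Le_DeployHook='zimbra,') comes from the thread; the acme.sh home /opt/zimbra/.acme.sh, the deployed leaf certificate path /opt/zimbra/ssl/zimbra/commercial/commercial.crt, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or Zimbra): verify the acme.sh
# deploy hook and detect a renewed certificate that was never deployed.
# Assumed locations; override via the environment if your layout differs.
ACME_HOME="${ACME_HOME:-/opt/zimbra/.acme.sh}"
DEPLOYED_CRT="${DEPLOYED_CRT:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}"

# has_deploy_hook CONF HOOK
# Exit 0 if HOOK is listed in the Le_DeployHook line of an acme.sh domain conf
# (stored as Le_DeployHook='zimbra,'), 1 if it is absent, 2 if CONF is unreadable.
has_deploy_hook() {
  conf=$1
  hook=$2
  [ -r "$conf" ] || return 2
  hooks=$(sed -n "s/^Le_DeployHook='\(.*\)'\$/\1/p" "$conf")
  # Wrap in commas so "zimbra" does not match a hook merely named "zimbrax".
  case ",${hooks}," in
    *",${hook},"*) return 0 ;;
    *) return 1 ;;
  esac
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint of the first certificate in PEMFILE.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# deployed_matches_issued ISSUED_CER DEPLOYED_CRT
# Exit 0 if both files carry the same certificate, 1 if they differ (renewed but
# not deployed), 2 if either file is missing, 3 if openssl is not installed.
deployed_matches_issued() {
  issued=$1
  deployed=$2
  [ -r "$issued" ] && [ -r "$deployed" ] || return 2
  command -v openssl >/dev/null 2>&1 || return 3
  a=$(cert_fingerprint "$issued")
  b=$(cert_fingerprint "$deployed")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_domain DOMAIN: run both checks, print a one-line verdict for each, and
# exit non-zero if anything needs attention so cron can alert on it.
check_domain() {
  domain=$1
  conf="$ACME_HOME/$domain/$domain.conf"
  status=0
  if has_deploy_hook "$conf" zimbra; then
    echo "$domain: zimbra deploy hook is recorded in $conf"
  else
    echo "$domain: no zimbra deploy hook in $conf (run acme.sh --deploy --deploy-hook zimbra -d $domain)"
    status=1
  fi
  rc=0
  deployed_matches_issued "$ACME_HOME/$domain/$domain.cer" "$DEPLOYED_CRT" || rc=$?
  case $rc in
    0) echo "$domain: deployed certificate matches the one acme.sh issued" ;;
    1) echo "$domain: WARNING renewed certificate has not been deployed"; status=1 ;;
    2) echo "$domain: certificate file missing, cannot compare"; status=1 ;;
    3) echo "$domain: openssl not found, cannot compare"; status=1 ;;
  esac
  return $status
}

# Usage: sh check-acme-deploy.sh mail.example.com   (run as the zimbra user)
if [ $# -eq 1 ]; then
  check_domain "$1"
fi
```

Because the cron entries in this thread send acme.sh output to /dev/null, a renewal that succeeds but never deploys is silent until the old certificate expires; running this check as the zimbra user a few minutes after the acme.sh cron slot turns that into a non-zero exit status and a log line.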
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: Another Letsencrypt method
Ok all steps above work:
Code:
zimbra@mail:~/.acme.sh/mail.myriad.ca$ grep DeployHook mail.myriad.ca.conf
Le_DeployHook='zimbra,'
But when I run:
Code:
/.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
I get:
Code:
-su: ./acme.sh: No such file or directory
Looks like a path issue maybe?
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Another Letsencrypt method
myriad wrote:
    But when I run:
    /.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
    I get:
    -su: ./acme.sh: No such file or directory
    Looks like a path issue maybe?

You are in the wrong directory according to your prompt. Use either ../acme.sh or full pathname from that location when down a level of the .acme.sh folder.
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: Another Letsencrypt method
Ok, the command:
Code:
.acme.sh/acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
runs the deploy correctly. Do I need to change the cron to reflect this path change?
Last edited by myriad on Tue May 03, 2022 5:05 pm, edited 1 time in total.
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: Another Letsencrypt method
I think I've found the problem. I have a restartzimbra.sh script that runs after your deploy code but it was not running and that's why the certificate isn't updated. I have modified your script with:
Code:
# Set script path for restart
scriptPath="/opt/zimbra/.acme.sh/deploy/"
# Restart script name
scriptName="restartzimbra.sh"
Then I call my script from your script with (after commenting out your restart code):
Code:
#/opt/zimbra/bin/ldap restart
#/opt/zimbra/bin/zmmailboxdctl reload
#/opt/zimbra/bin/zmproxyctl reload
#/opt/zimbra/bin/zmmtactl reload
#/opt/zimbra/bin/zmcontrol restart
#Call restart script
$scriptPath/$scriptName
I will wait and see if it all works next renewal.
Attachment: restartzimbra.zip (586 Bytes)
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Another Letsencrypt method
If you didn't make any changes to your domain conf file and it worked from the command line only but not cron, let's assume there is something different with your environment with cron and do a test for tomorrow by executing zimbra's .bashrc first. One method is to comment out the existing cron entry for acme.sh in zimbra cron and add this line.
Code:
# su -
% crontab -e
#18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
# add this with --force and execute .bashrc first
18 0 * * * . /opt/zimbra/.bashrc; "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh" > /dev/null
The other way is to modify the deploy/zimbra.sh script and add . /opt/zimbra/.bashrc close to the top but before any of the zimbra specific commands (zmcertmgr) would be executed. You would also need to add --force to the existing entry given you have just issued a new certificate; otherwise it would be another 60 days before you could test again.
If this works and you have a new certificate issued and deployed then you can keep that cron entry after removing the --force option; otherwise switch back to the old cron entry and we need to dig a little deeper for cause. If this is the fix, I will update the deploy/zimbra.sh file so anyone else in the future doesn't hit the same issue.
Does this make sense what we are testing?
Jim
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: Another Letsencrypt method
I think I get where you're going. The problem I had with your script was it wouldn't restart Zimbra correctly as there were always a few services that failed to start. I thought it was a bashrc environment problem because a zimbra -su 'zmcontrol restart' from the command line worked perfectly, hence my restartzimbra.sh script. One question, if I set the cron to 'force' and its default is set to 10min execution, won't it play havoc with my server or do you mean I should just try it one time tomorrow and see what happens?