A new security patch has been released to further address CVE-2022-27924.
This issue has been ranked as High by the Zimbra Team and we recommend that you use the most recent release available to avoid any issues.
https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/ (May 10th 2022)

Another Letsencrypt method

radiogen
Posts: 2
Joined: Wed Dec 15, 2021 11:01 am

Re: Another Letsencrypt method

Postby radiogen » Thu Dec 16, 2021 1:47 pm

Hi Jim, I did force re-issuing certificate and it helped! Zimbra hook went without errors now.

I have this crontab entry under zimbra user:
59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null

is it enough for automatic renewal?


JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Thu Dec 16, 2021 3:55 pm

radiogen wrote:I have this crontab entry under zimbra user:
59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null

That is all that is required for automatic renewal. You can test it now if you want to verify by adding the --force. Do something like this:

Code:

# su - zimbra
% ./acme.sh --list
% "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh"

It will run every night checking and then exit and in about 60 days it will renew by itself.

Jim
myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Certificate renewing but not deploying...

Postby myriad » Tue May 03, 2022 2:24 pm

Hey Jim:

Any idea why the cron job is renewing but not deploying the certificate? When I run the command:

Code:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt all

I see that the certificates have renewed but they don't deploy. I am using the zimbra.sh script, and my cron job is

Code:

"/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" >/dev/null 2>&1
JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Tue May 03, 2022 3:48 pm

That generally happens if a deploy hasn't been run the first time. You can verify this by doing the following on the conf file inside the domain that you are having trouble with. Example:

Code:

# su - zimbra
% cd .acme.sh/mail.example.com
% grep DeployHook mail.example.com.conf
Le_DeployHook='zimbra,'

If you don't have a deploy hook, you can add it manually or you can run the syntax with acme.sh using deploy and it should be there from now on and will work with cron.

Code:

% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com

If the deploy hook is in the conf file, still run it manually to see if there is something wrong with the zimbra.sh deploy script.

Jim
myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Postby myriad » Tue May 03, 2022 4:18 pm

Ok all steps above work:

Code:

zimbra@mail:~/.acme.sh/mail.myriad.ca$ grep DeployHook mail.myriad.ca.conf
Le_DeployHook='zimbra,'


But when I run :

Code:

/.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca

I get:

Code:

-su: ./acme.sh: No such file or directory

Looks like a path issue maybe?
JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Tue May 03, 2022 4:28 pm

myriad wrote:
But when I run :

Code:

/.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca

I get:

Code:

-su: ./acme.sh: No such file or directory

Looks like a path issue maybe?

You are in the wrong directory according to your prompt. Use either ../acme.sh or the full pathname from that location, since you are a level down inside the .acme.sh folder.
myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Postby myriad » Tue May 03, 2022 4:35 pm

Ok, the command:

Code:

.acme.sh/acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca

runs the deploy correctly. Do I need to change the cron to reflect this path change?
myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Postby myriad » Tue May 03, 2022 5:05 pm

I think I've found the problem. I have a restartzimbra.sh script that runs after your deploy code, but it was not running, and that's why the certificate wasn't updated. I have modified your script with:

Code:

# Set script path for restart
scriptPath="/opt/zimbra/.acme.sh/deploy/"
# Restart script name
scriptName="restartzimbra.sh"

Then I call my script from your script with (after commenting out your restart code):

Code:

#/opt/zimbra/bin/ldap restart
#/opt/zimbra/bin/zmmailboxdctl reload
#/opt/zimbra/bin/zmproxyctl reload
#/opt/zimbra/bin/zmmtactl reload
#/opt/zimbra/bin/zmcontrol restart
#Call restart script
$scriptPath/$scriptName

I will wait and see if it all works next renewal.
Attachment: restartzimbra.zip (586 Bytes)
JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Tue May 03, 2022 5:08 pm

If you didn't make any changes to your domain conf file and it worked from the command line only but not cron, let's assume there is something different with your environment with cron and do a test for tomorrow by executing zimbra's .bashrc first. One method is to comment out the existing cron entry for acme.sh in zimbra cron and add this line.

Code:

# su -
% crontab -e
#18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
# add this with --force and execute .bashrc first
# (the dot-source must be its own command before the ';', not inside the quotes, or sh looks for a command literally named ". /opt/zimbra/.bashrc;...")
18 0 * * * . /opt/zimbra/.bashrc; "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh" > /dev/null

The other way is to modify the deploy/zimbra.sh script and add . /opt/zimbra/.bashrc close to the top but before any of the zimbra specific commands (zmcertmgr) would be executed. You would also need to add --force to the existing entry given you have just issued a new certificate; otherwise it would be another 60 days before you could test again.

If this works and you have a new certificate issued and deployed, then you can keep that cron entry after removing the --force option; otherwise switch back to the old cron entry and we need to dig a little deeper for the cause. If this is the fix, I will update the deploy/zimbra.sh file so anyone else in the future doesn't hit the same issue.

Does this make sense what we are testing?

Jim
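Jim's two checks from this thread (the Le_DeployHook line in the domain conf, and running acme.sh from cron with zimbra's .bashrc sourced first) combined into one pre-flight script, as an added example that is not code from the thread, from acme.sh or from Zimbra. It assumes the acme.sh conf layout shown earlier in the thread and Zimbra's /opt/zimbra/ssl/zimbra/commercial/commercial.crt as the deployed certificate; ZIMBRA_HOME, ACME_HOME and the --check argument are names chosen here.

```shell
#!/bin/sh
# Added example, not acme.sh's or the thread's own code. Checks the two things this
# thread turns on: is the zimbra deploy hook recorded in the domain conf, and does the
# certificate Zimbra serves match the one acme.sh issued. Paths are the acme.sh and
# Zimbra defaults; the ZIMBRA_HOME/ACME_HOME overrides are assumptions.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
ACME_HOME="${ACME_HOME:-$ZIMBRA_HOME/.acme.sh}"

# 0 if the domain conf lists "zimbra" among its deploy hooks, 1 otherwise.
# acme.sh stores hooks as a comma-terminated list, e.g. Le_DeployHook='zimbra,'.
has_zimbra_hook() {
    conf="$1"
    [ -r "$conf" ] || return 1
    hooks=$(sed -n "s/^Le_DeployHook='\(.*\)'$/\1/p" "$conf")
    case ",$hooks," in
        *,zimbra,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if both PEM files carry the same leaf certificate (compared by SHA-256 fingerprint,
# so a chain appended to the deployed copy does not matter); 2 if either is unreadable.
certs_match() {
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 2
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2") || return 2
    [ "$a" = "$b" ]
}

# Report on one domain: hook present, and deployed cert == issued cert.
check_domain() {
    domain="$1"
    conf="$ACME_HOME/$domain/$domain.conf"
    if ! has_zimbra_hook "$conf"; then
        echo "$domain: no zimbra deploy hook in $conf (run --deploy --deploy-hook zimbra once)" >&2
        return 1
    fi
    if ! certs_match "$ACME_HOME/$domain/$domain.cer" "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.crt"; then
        echo "$domain: deployed commercial.crt is not the cert acme.sh issued; hook did not run" >&2
        return 1
    fi
    echo "$domain: hook present and deployed cert matches issued cert"
}

# Cron-side entry point: source zimbra's .bashrc first, as the thread suggests, so the
# environment matches an interactive "su - zimbra" before any check runs.
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    [ -r "$ZIMBRA_HOME/.bashrc" ] && . "$ZIMBRA_HOME/.bashrc"
    check_domain "$2"
fi
```

Run it from the zimbra crontab as `/path/to/acme-check.sh --check mail.example.com` right after the acme.sh --cron entry; a non-zero exit (and the message on stderr) is the signal that renewal happened without deployment.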
myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Postby myriad » Tue May 03, 2022 5:23 pm

I think I get where you're going. The problem I had with your script was it wouldn't restart Zimbra correctly, as there were always a few services that failed to start. I thought it was a bashrc environment problem because a zimbra -su 'zmcontrol restart' from the command line worked perfectly, hence my restartzimbra.sh script. One question: if I set the cron to 'force' and its default is set to 10min execution, won't it play havoc with my server, or do you mean I should just try it one time tomorrow and see what happens?
