A new security patch has been released to further address CVE-2022-27924.
This issue has been ranked as High by the Zimbra Team and we recommend that you use the most recent release available to avoid any issues.
https://blog.zimbra.com/2022/05/new-zimbra-security-patches-9-0-0-patch-24-1-and-8-8-15-patch-31-1/ (May 10th 2022)

Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Tue May 03, 2022 5:44 pm

myriad wrote: I think I've found the problem. I have a restartzimbra.sh script that runs after your deploy code but it was not running and that's why the certificate isn't updated.

Understood. Your script looks good to me which is what I was recommending above. Might be a good idea to force a renewal sooner if possible and get to root cause. You can verify the certs deployed by looking at the dates of the copied files to know if a restart was not executed.

Code:

% ls -lt /opt/zimbra/conf/slapd.*
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 slapd.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 slapd.key
% ls -lt /opt/zimbra/ssl/zimbra/commercial
-rw-r----- 1 zimbra zimbra 5030 Aug  4 10:46 commercial_ca.crt
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 commercial.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 commercial.key
% ls -lt /opt/zimbra/conf/nginx.???
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 /opt/zimbra/conf/nginx.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 /opt/zimbra/conf/nginx.key
% ls -l /opt/zimbra/conf/smtpd.???
-rw-r----- 1 zimbra zimbra 7213 Aug  4 10:46 /opt/zimbra/conf/smtpd.crt
-rw-r----- 1 zimbra zimbra 1679 Aug  4 10:46 /opt/zimbra/conf/smtpd.key
% ls -l /opt/zimbra/mailboxd/etc/keystore
-rw-r----- 1 zimbra zimbra 4965 Aug  4 10:46 /opt/zimbra/mailboxd/etc/keystore
% ls -l /opt/zimbra/ssl/zimbra/jetty.pkcs12
-rw-r----- 1 zimbra zimbra 6952 Aug  4 10:46 /opt/zimbra/ssl/zimbra/jetty.pkcs12

Ref: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

I see that you responded while I was writing this... The cron time didn't register with me that acme.sh was executing. You are correct. Bad advice on my part. It would restart every hour and then eventually stop after you couldn't issue any more certs. If you want to test sooner, add an hour and min field.

Jim
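Added example, not JDunphy's script and not part of acme.sh's deploy hook: a small POSIX shell check that automates the "look at the copied files" verification above. It hashes the PEM copies at the Zimbra paths listed in the post (the .crt files there are byte-identical copies, all 7213 bytes) and reports any copy that is missing or differs from commercial.crt, which is how a half-finished or stale deploy shows up; the keystore and jetty.pkcs12 are different formats, so those are still compared by modification time with ls -lt as shown. The base directory argument and make_sample_tree are assumptions added so the check can run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread). Compares the certificate copies that
# the deploy step writes into Zimbra's directories. Paths are the ones listed
# in the post; the first argument overrides /opt/zimbra for testing.

zimbra_cert_copies() {
    home="${1:-/opt/zimbra}"
    printf '%s\n' \
        "$home/ssl/zimbra/commercial/commercial.crt" \
        "$home/conf/slapd.crt" \
        "$home/conf/nginx.crt" \
        "$home/conf/smtpd.crt"
}

# Returns 0 when every copy exists and hashes identically to the reference
# copy (commercial.crt, the first path); returns 1 otherwise and prints one
# MISSING/DIFFERS line per problem so the output can be fed to monitoring.
check_zimbra_cert_copies() {
    home="${1:-/opt/zimbra}"
    status=0
    ref=""
    for f in $(zimbra_cert_copies "$home"); do
        if [ ! -r "$f" ]; then
            echo "MISSING  $f"; status=1; continue
        fi
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        if [ -z "$ref" ]; then
            ref="$sum"
        elif [ "$sum" != "$ref" ]; then
            echo "DIFFERS  $f"; status=1
        fi
    done
    return $status
}

# Constructed sample tree (assumption, for a stand-alone run): three copies
# carry the new certificate, smtpd.crt still holds the previous one.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ssl/zimbra/commercial" "$d/conf"
    printf 'NEW CERT (constructed)\n' > "$d/ssl/zimbra/commercial/commercial.crt"
    cp "$d/ssl/zimbra/commercial/commercial.crt" "$d/conf/slapd.crt"
    cp "$d/ssl/zimbra/commercial/commercial.crt" "$d/conf/nginx.crt"
    printf 'OLD CERT (constructed)\n' > "$d/conf/smtpd.crt"
    echo "$d"
}
```

Run `check_zimbra_cert_copies` as the zimbra user after the deploy step (or from the restart script) and treat a non-zero exit as "do not trust this renewal yet".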


myriad
Advanced member
Posts: 87
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Postby myriad » Fri May 06, 2022 3:59 pm

Hey Jim:

The test works perfectly! I'll let you know in August if I have any issues. Have a good summer.

Richard
BruceW
Posts: 5
Joined: Tue Jan 09, 2018 6:27 pm

Re: Another Letsencrypt method

Postby BruceW » Fri May 13, 2022 10:11 am

Hey, Jim, I am getting this error when installing 'certbot' using your preferred 'snap' method on Ubuntu 16.04. Is it safe to use the classic version? Please advise.

Code:

@zimbra2:~# snap install certbot
error: This revision of snap "certbot" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.
JDunphy
Outstanding Member
Posts: 707
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P31.1 RHEL8 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Fri May 13, 2022 3:40 pm

BruceW wrote: Hey, Jim, I am getting this error when installing 'certbot' using your preferred 'snap' method on Ubuntu 16.04. Is it safe to use the classic version? Please advise.

Code:

@zimbra2:~# snap install certbot
error: This revision of snap "certbot" was published using classic confinement and thus may perform
       arbitrary system changes outside of the security sandbox that snaps are usually confined to,
       which may put your system at risk.

       If you understand and want to proceed repeat the command including --classic.

Sorry, I don't use certbot. There are hundreds of ACME clients for the ACME protocol to automate issue/verification of a certificate, with certbot being one of them. This thread discusses another ACME client called acme.sh (a bash script).
