Another Letsencrypt method

radiogen
Posts: 2
Joined: Wed Dec 15, 2021 11:01 am

Re: Another Letsencrypt method

Post by radiogen »

Hi Jim, I did force re-issuing the certificate and it helped! The Zimbra hook ran without errors now.

I have this crontab entry under zimbra user:
59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null

Is it enough for automatic renewal?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

radiogen wrote: I have this crontab entry under zimbra user:
59 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
That is all that is required for automatic renewal. You can test it now if you want to verify by adding the --force. Do something like this:

# su - zimbra
% ./acme.sh --list
% "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh"
It will run every night, check, and then exit; in about 60 days it will renew by itself.

Jim
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Certificate renewing but not deploying...

Post by myriad »

Hey Jim:

Any idea why the cron job is renewing but not deploying the certificate? When I run the command:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
I see that the certificates have renewed, but they don't deploy. I am using the zimbra.sh script, and my cron job is

"/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" >/dev/null 2>&1
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

That generally happens if a deploy hasn't been run the first time. You can verify this by checking the conf file inside the domain directory that you are having trouble with. Example:

# su - zimbra
% cd .acme.sh/mail.example.com
% grep DeployHook mail.example.com.conf
Le_DeployHook='zimbra,'
If you don't have a deploy hook, you can add it manually, or you can run acme.sh with --deploy; it should be there from now on and will work with cron.

% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com 
If the deploy hook is in the conf file, still run it manually to see if there is something wrong with the zimbra.sh deploy script.

Jim
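The two checks Jim describes (is Le_DeployHook set in the domain conf, and did the renewed certificate actually reach Zimbra) can be scripted so the nightly run is verifiable without reading acme.sh output. The script below is an added example for this thread, not code from acme.sh or from its zimbra deploy hook. It assumes acme.sh's default layout under the zimbra user (/opt/zimbra/.acme.sh/<domain>/<domain>.conf and <domain>.cer; ECC certificates live in a <domain>_ecc directory instead) and Zimbra's deployed certificate at /opt/zimbra/ssl/zimbra/commercial/commercial.crt; both paths are assumptions and can be overridden through the environment. Matching is done on SHA-256 fingerprints rather than file contents so a re-wrapped or re-ordered chain does not produce a false mismatch.

```shell
#!/bin/sh
# check_acme_deploy.sh - verify that an acme.sh-managed certificate has a deploy
# hook configured AND that the renewed cert is the one Zimbra is serving.
# Added example for this thread; not part of acme.sh or its zimbra deploy hook.
# Assumed paths (override via environment to match your install):
ACME_HOME="${ACME_HOME:-/opt/zimbra/.acme.sh}"
ZIMBRA_CRT="${ZIMBRA_CRT:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}"

# Print the deploy hook recorded in an acme.sh domain conf file.
# acme.sh writes it as:  Le_DeployHook='zimbra,'
# Returns 1 (printing nothing) when no hook is configured or the file is unreadable.
acme_deploy_hook() {
    conf="$1"
    [ -r "$conf" ] || return 1
    hook=$(sed -n "s/^Le_DeployHook='\([^']*\)'.*/\1/p" "$conf" | head -n 1)
    hook=${hook%,}          # acme.sh keeps a trailing comma as list separator
    [ -n "$hook" ] || return 1
    printf '%s\n' "$hook"
}

# SHA-256 fingerprint of the first PEM certificate in a file (empty on failure).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# Compare the cert acme.sh renewed with the one Zimbra has deployed.
# Returns 0 when identical, 1 when they differ, 2 when either cannot be read/parsed.
deployed_matches() {
    renewed="$1"; deployed="$2"
    [ -r "$renewed" ] && [ -r "$deployed" ] || return 2
    a=$(cert_fingerprint "$renewed"); b=$(cert_fingerprint "$deployed")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Whole days until a PEM cert expires (negative once expired). Assumes GNU date.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$end" ] || return 1
    end_epoch=$(date -d "$end" +%s 2>/dev/null) || return 1
    echo $(( (end_epoch - $(date +%s)) / 86400 ))
}

main() {
    domain="$1"
    [ -n "$domain" ] || { echo "usage: $0 mail.example.com" >&2; exit 64; }
    conf="$ACME_HOME/$domain/$domain.conf"
    if hook=$(acme_deploy_hook "$conf"); then
        echo "deploy hook in $conf: $hook"
    else
        echo "NO deploy hook in $conf; run: $ACME_HOME/acme.sh --deploy --deploy-hook zimbra -d $domain" >&2
        exit 1
    fi
    renewed="$ACME_HOME/$domain/$domain.cer"
    if deployed_matches "$renewed" "$ZIMBRA_CRT"; then
        echo "deployed cert matches renewed cert ($(cert_days_left "$ZIMBRA_CRT") days left)"
    else
        echo "deployed cert DIFFERS from $renewed; the deploy hook did not run or failed" >&2
        exit 1
    fi
}

# Run main only when executed as this script, so the functions can also be sourced.
case "$0" in */check_acme_deploy.sh|check_acme_deploy.sh) main "$@" ;; esac
```

Run it as the zimbra user (`su - zimbra`, then `./check_acme_deploy.sh mail.example.com`) right after a `--force --cron` test: a non-zero exit with "DIFFERS" means acme.sh renewed but the hook never deployed, which is exactly the state the `viewdeployedcrt` output above was showing.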
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Ok all steps above work:

zimbra@mail:~/.acme.sh/mail.myriad.ca$ grep DeployHook mail.myriad.ca.conf
Le_DeployHook='zimbra,'
But when I run :

/.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
I get:

-su: ./acme.sh: No such file or directory
Looks like a path issue maybe?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

myriad wrote:
But when I run:
/.acme.sh/mail.myriad.ca$ ./acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
I get:
-su: ./acme.sh: No such file or directory
Looks like a path issue maybe?
You are in the wrong directory according to your prompt. Use either ../acme.sh or the full pathname from that location, since you are one level down inside the .acme.sh folder.
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

Ok, the command:

.acme.sh/acme.sh --deploy --deploy-hook zimbra -d mail.myriad.ca
runs the deploy correctly. Do I need to change the cron to reflect this path change?
Last edited by myriad on Tue May 03, 2022 5:05 pm, edited 1 time in total.
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

I think I've found the problem. I have a restartzimbra.sh script that runs after your deploy code, but it was not running, and that's why the certificate isn't updated. I have modified your script with:

# Set script path for restart
scriptPath="/opt/zimbra/.acme.sh/deploy/"
# Restart script name
scriptName="restartzimbra.sh"
Then I call my script from your script with (after commenting out your restart code):

   #/opt/zimbra/bin/ldap restart
   #/opt/zimbra/bin/zmmailboxdctl reload
   #/opt/zimbra/bin/zmproxyctl reload
   #/opt/zimbra/bin/zmmtactl reload
   #/opt/zimbra/bin/zmcontrol restart
   #Call restart script
   $scriptPath/$scriptName
I will wait and see if it all works next renewal.
Attachments
restartzimbra.zip
(586 Bytes) Downloaded 249 times
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Another Letsencrypt method

Post by JDunphy »

If you didn't make any changes to your domain conf file and it worked from the command line but not from cron, let's assume there is something different about your environment under cron, and do a test for tomorrow by executing Zimbra's .bashrc first. One method is to comment out the existing cron entry for acme.sh in zimbra's crontab and add this line.

# su - 
% crontab -e
#18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
# add this with --force and execute .bashrc first (source .bashrc as its own command, then run acme.sh)
18 0 * * * . /opt/zimbra/.bashrc; "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh" > /dev/null
The other way is to modify the deploy/zimbra.sh script and add . /opt/zimbra/.bashrc close to the top, but before any of the Zimbra-specific commands (zmcertmgr) would be executed. You would also need to add --force to the existing entry, given that you have just issued a new certificate; otherwise it would be another 60 days before you could test again.

If this works and you have a new certificate issued and deployed, then you can keep that cron entry after removing the --force option; otherwise switch back to the old cron entry and we need to dig a little deeper for the cause. If this is the fix, I will update the deploy/zimbra.sh file so anyone else in the future doesn't hit the same issue.

Does this make sense what we are testing?

Jim
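A wrapper script sidesteps the crontab quoting problem in the test above and also answers the "why did cron behave differently?" question directly, by checking whether sourcing Zimbra's .bashrc actually puts zmcertmgr on PATH before acme.sh is invoked, and by logging to a file instead of /dev/null. This is an added example for this thread, not code from acme.sh or the zimbra deploy hook; the script name, /opt/zimbra/.bashrc, /opt/zimbra/.acme.sh and the log location /opt/zimbra/log/acme-cron.log are assumptions to adjust for your install.

```shell
#!/bin/sh
# acme-zimbra-cron.sh - run acme.sh --cron from the zimbra user's crontab with the
# same environment an interactive "su - zimbra" shell gets, and keep a log.
# Added example for this thread; not code from acme.sh or its zimbra deploy hook.
# Assumed paths (override via environment):
ZIMBRA_RC="${ZIMBRA_RC:-/opt/zimbra/.bashrc}"
ACME_HOME="${ACME_HOME:-/opt/zimbra/.acme.sh}"
LOG="${ACME_LOG:-/opt/zimbra/log/acme-cron.log}"

# Return 0 when sourcing the rc file makes the named command resolvable on PATH,
# 1 when it does not, 2 when the rc file is unreadable. The sourcing happens in a
# subshell so the caller's own environment is left untouched.
env_provides() {
    rc="$1"; cmd="$2"
    [ -r "$rc" ] || return 2
    ( . "$rc" >/dev/null 2>&1; command -v "$cmd" >/dev/null 2>&1 )
}

# Argument list for acme.sh: always --cron; --force only when FORCE=1 is set for a
# one-off test, never in the permanent crontab entry.
acme_args() {
    if [ "${FORCE:-0}" = "1" ]; then
        printf '%s' "--force --cron --home $ACME_HOME"
    else
        printf '%s' "--cron --home $ACME_HOME"
    fi
}

run_cron() {
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    if ! env_provides "$ZIMBRA_RC" zmcertmgr; then
        echo "$ts zmcertmgr not on PATH even after sourcing $ZIMBRA_RC; deploy hook would fail" >>"$LOG"
        return 1
    fi
    . "$ZIMBRA_RC"
    # shellcheck disable=SC2046  # splitting acme_args output into words is intended
    "$ACME_HOME/acme.sh" $(acme_args) >>"$LOG" 2>&1
    rc=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') acme.sh exited $rc" >>"$LOG"
    return $rc
}

# Run only when executed as this script, so the functions can also be sourced.
case "$0" in */acme-zimbra-cron.sh|acme-zimbra-cron.sh) run_cron ;; esac
```

The crontab entry then becomes a single unquoted path (`18 0 * * * /opt/zimbra/.acme.sh/acme-zimbra-cron.sh`), the one-off test is `FORCE=1 /opt/zimbra/.acme.sh/acme-zimbra-cron.sh` run once by hand or from a temporary entry, and the log shows whether the environment check or acme.sh itself was the failing step.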
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Another Letsencrypt method

Post by myriad »

I think I get where you're going. The problem I had with your script was that it wouldn't restart Zimbra correctly, as there were always a few services that failed to start. I thought it was a bashrc environment problem because a zimbra -su 'zmcontrol restart' from the command line worked perfectly, hence my restartzimbra.sh script. One question: if I set the cron to 'force' and its default is set to 10 min execution, won't it play havoc with my server, or do you mean I should just try it one time tomorrow and see what happens?