certbot-zimbra v0.2
Hi
An update for the users of this script: I've partially rewritten it so that now it patches nginx's template file instead of production ones. It should now better behave in different conditions.
I've also embedded the patches inside the script, so there's less crap around to handle.
If you're using it testing is welcome.
Thanks
https://github.com/YetOpen/certbot-zimbra
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: certbot-zimbra v0.2
I've sticky-ed it for couple of weeks.
-
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
Re: certbot-zimbra v0.2
Hi Maxxer,
I have used the beta4 version of the script, and it works great to get and deploy a new certificate. All I needed to do was temporarily open port 80 on the firewall.
However, if I run the command

    /path-to/certbot-zimbra-0.4.0-beta/certbot_zimbra.sh -n

a second time, I get a menu - presumably from Let's Encrypt certbot - that states

    Cert not yet due for renewal
    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/my.domain.conf)
    What would you like to do?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Keep the existing certificate for now
    2: Renew & replace the cert (limit ~5 per 7 days)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

If I answer 1 to keep the existing certificate the script goes ahead and redeploys the certificate again - restarting zimbra in the process.
Questions
(a) is there a flag I can pass to the script so that it will not prompt with that menu (and will assume answer 1)?
(b) is there a flag I can pass to the script that will tell it to skip redeploying the script if it wasn't renewed?
Thanks
Re: certbot-zimbra v0.2
Why are you running -n again? That should be executed just the first time for the request.
When the certificate has been renewed you should call the script with -r, which deploys the renewed cert. See the cron configuration in the readme.
-
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
Re: certbot-zimbra v0.2
Works great. Have auto-renewed twice now. Thank you.
Re: certbot-zimbra v0.2
Thanks, I was able to install it and I followed the section "Renewal using crontab" to auto renew.
-
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
Re: certbot-zimbra v0.2
If anyone is interested, I have now combined Maxxer's script with a DNS hook to auto-renew certificates without patching the nginx files, and thus without opening the web server to unwanted probes. I started to look into this when letsencrypt started to do multi-source validation for http challenges, as I could no longer rely on identifying the letsencrypt servers to whitelist them.
The LetsEncrypt community maintains a list of the major providers who have built-in hooks for DNS validation. https://community.letsencrypt.org/t/dns ... tion/86438 In my case, our ISP is not on that list but uses cPanel for DNS management, so I used this script - https://github.com/letsdebug/certbot-cp ... -auth-hook - there are lots of others out there.
Once the correct URL and credentials are added to the cPanel script, it is as simple as re-issuing your certificate so that the new validation method and hooks are recorded for renewal purposes.

    /usr/bin/certbot certonly --renew-hook "/opt/certbot-zimbra/certbot_zimbra.sh -d " --manual --manual-auth-hook "/root/cpanel-dns.py create" --manual-cleanup-hook "/root/cpanel-dns.py delete" -d "<Your mail server>" --preferred-challenges dns-01

For the crontab renewal you need to add a flag to auto-acknowledge the logging of your IP Address for the manual mode renewal.

    /usr/bin/certbot renew --manual-public-ip-logging-ok --renew-hook "/opt/certbot-zimbra/certbot_zimbra.sh -d "
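As an added example (this is not the cpanel-dns.py script or the certbot-zimbra code referenced above), here is the contract a certbot --manual-auth-hook / --manual-cleanup-hook for dns-01 has to fulfil: certbot hands the hook CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment, the auth hook publishes that value as a TXT record at _acme-challenge.<domain>, and the cleanup hook removes it again. The DNS provider below is an in-memory dict standing in for a real API such as cPanel's, and the CHALLENGE_ALIAS map is an assumption showing how the same hook would publish to a delegated name instead of the domain's own _acme-challenge record.

```python
"""Skeleton certbot manual auth/cleanup hook for dns-01 (added example).

certbot runs the auth hook once per domain before asking the CA to validate,
and the cleanup hook afterwards, passing the challenge in the environment:
  CERTBOT_DOMAIN      domain being validated
  CERTBOT_VALIDATION  value that must appear in the _acme-challenge TXT record
  CERTBOT_AUTH_OUTPUT (cleanup only) whatever the auth hook printed to stdout
"""
import os
import sys

# Constructed stand-in for the provider API: record name -> list of TXT values.
PROVIDER_TXT = {}

# Assumed alias map: domains whose _acme-challenge name is a CNAME to a zone
# managed elsewhere get their TXT published at the CNAME target instead.
CHALLENGE_ALIAS = {
    "mail.example.com": "_acme-challenge.123jad.com",
    "example.com": "_acme-challenge.123jad.com",
}


def challenge_record_name(domain, alias=CHALLENGE_ALIAS):
    """Name of the TXT record the CA will look at for `domain`."""
    return alias.get(domain, "_acme-challenge." + domain)


def create_record(domain, validation, store=PROVIDER_TXT):
    """Auth hook: publish the validation value; returns the record name."""
    name = challenge_record_name(domain)
    # Several SANs may share one alias name, so append rather than overwrite.
    store.setdefault(name, []).append(validation)
    # A real hook must poll public DNS until the record is visible before
    # returning, because certbot triggers validation as soon as the hook exits.
    return name


def delete_record(domain, validation, store=PROVIDER_TXT):
    """Cleanup hook: remove only this domain's value, keeping other pending ones."""
    name = challenge_record_name(domain)
    values = store.get(name, [])
    if validation in values:
        values.remove(validation)
    if not values:
        store.pop(name, None)
    return name


def main(argv):
    action = argv[1] if len(argv) > 1 else ""
    domain = os.environ.get("CERTBOT_DOMAIN")
    validation = os.environ.get("CERTBOT_VALIDATION")
    if action not in ("create", "delete") or not domain or not validation:
        sys.stderr.write("usage: hook.py create|delete "
                         "(invoked by certbot with CERTBOT_DOMAIN/CERTBOT_VALIDATION set)\n")
        return 2
    if action == "create":
        # stdout of the auth hook is handed to the cleanup hook as CERTBOT_AUTH_OUTPUT
        print(create_record(domain, validation))
    else:
        delete_record(domain, validation)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script would be wired in exactly like cpanel-dns.py above (`--manual-auth-hook "hook.py create" --manual-cleanup-hook "hook.py delete"`); only the two record functions need to call the provider's API in place of the dict.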
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: certbot-zimbra v0.2
That is pretty neat and another way to do DNS verification for letsencrypt cert!
liverpoolfcfan wrote: The LetsEncrypt community maintains a list of the major providers who have built-in hooks for DNS validation. https://community.letsencrypt.org/t/dns ... tion/86438 In my case, our ISP is not on that list but uses cPanel for DNS management, so I used this script - https://github.com/letsdebug/certbot-cp ... -auth-hook - there are lots of others out there.
Once the correct URL and credentials are added to the cPanel script, it is as simple as re-issuing your certificate so that the new validation method and hooks are recorded for renewal purposes.
One thing you can do with the DNS method when your provider doesn't support DNS management for your zimbra domains via a supported API or is supported via dns scripts with the letsencrypt tool is to statically add a CNAME to another domain that you have some DNS provider/registrar support with the script you are using. For example, if mail.example.com is my zimbra site then you would add the following static entry one time with Cpanel - see CNAME entry below. That would point to another domain that you keep perhaps only to do letsencrypt validation because it does creation/deletion of the txt records...
For example, cloudflare has wholesale prices for their domains so .com's are a little under $9.00/year as I write this. If I had a domain say... 123jad.com with them that is supported with my letsencrypt tools, then I could use this CNAME technique for the case where I want example.com and mail.example.com to have certs ... When you have lots of domains with different DNS providers, you only need a single CNAME for each domain with each domain that looks like this and because they are static - you create them with whatever method the provider supports (admin interfaces, cpanel, zone files, etc). Back to this example for the zone file for the domain example.com where we want certs for both mail.example.com and example.com:

    _acme-challenge.mail.example.com. IN CNAME _acme-challenge.123jad.com.
    _acme-challenge.example.com. IN CNAME _acme-challenge.123jad.com.

While I don't know the syntax for the letsencrypt scripts you are using, the one I use has a command line flag: --challenge-alias which in this example would point to 123jad.com ... The other flags are as expected where you specify the names you want certificates for and the scripts/logic you want invoked for your DNS provider api auth to add/del TXT entries used in the letsencrypt challenge. If you have lots of hosts that all need certificates like zimbra, web servers, telegrafd, plex, etc... it's all the same... Create a few CNAME entries for certs you want in every domain that needs certs and point them to your challenge alias. Scripts are then copy and paste or with some methods just command line arguments and no wrapper scripts required to do letsencrypt certificate creation and renewals.
HTH,
Jim
PS. Another thing to do now that you are using DNS validation is to sign up for transparent logging which more and more CAs now support. Letsencrypt will log any certificate creation and I have cloudflare email me when new certs are created or renewed. Finally, you can add CAA 128 issue "letsencrypt.org" for your domains that only letsencrypt certs should be issued.
CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain
Ref: https://support.dnsimple.com/articles/caa-record
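To show what the CA actually does with the CNAME delegation and the CAA record described in the post above, here is an added example (not code from the thread or from any letsencrypt client) that models the validator side over a small in-memory zone. The zone is constructed from the two CNAME lines and the CAA record in the post, with 123jad.com as the alias domain and "tokA"/"tokB" as stand-in challenge values; the CAA walk follows the RFC 8659 rule of using the closest ancestor that has a CAA set (wildcard/issuewild handling is left out).

```python
"""Validator-side model of dns-01 with CNAME-delegated challenge names plus a
CAA check (added example). ZONE is a constructed stand-in for public DNS:
(owner name, type) -> list of rdata. CAA rdata is (flags, tag, value); flag 128
is the 'critical' bit, as in the post's CAA 128 issue "letsencrypt.org"."""

ZONE = {
    ("_acme-challenge.mail.example.com", "CNAME"): ["_acme-challenge.123jad.com"],
    ("_acme-challenge.example.com", "CNAME"): ["_acme-challenge.123jad.com"],
    ("_acme-challenge.123jad.com", "TXT"): ["tokA", "tokB"],
    ("example.com", "CAA"): [(128, "issue", "letsencrypt.org")],
}


def lookup(zone, name, rtype, max_cname=8):
    """Resolve `name` for `rtype`, following CNAME chains like a resolver.
    Returns (final owner name, rdata list); loops or overlong chains yield []."""
    hops = 0
    while hops < max_cname:
        if (name, rtype) in zone:
            return name, zone[(name, rtype)]
        cname = zone.get((name, "CNAME"))
        if not cname:
            return name, []
        name = cname[0]
        hops += 1
    return name, []


def dns01_valid(zone, domain, expected):
    """The CA looks up TXT at _acme-challenge.<domain>; the CNAME delegation is
    transparent to it. Extra values are tolerated (several SANs sharing one
    alias name), only the expected one must be present."""
    _, values = lookup(zone, "_acme-challenge." + domain, "TXT")
    return expected in values


def caa_allows(zone, domain, issuer):
    """Use the CAA RRset of the closest ancestor (including the name itself)
    that has one. No CAA anywhere means unrestricted issuance; if any 'issue'
    tag is present the issuer must be listed. 'issue ;' forbids everyone."""
    labels = domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        _, rrset = lookup(zone, name, "CAA")
        if rrset:
            issue = [v for (_flags, tag, v) in rrset if tag == "issue"]
            if not issue:
                return True
            allowed = [v.split(";")[0].strip() for v in issue]
            return issuer in allowed
    return True


def would_issue(zone, domain, expected, issuer="letsencrypt.org"):
    """Both gates must pass before a CA issues for `domain`."""
    return caa_allows(zone, domain, issuer) and dns01_valid(zone, domain, expected)


if __name__ == "__main__":
    for d in ("mail.example.com", "example.com"):
        print(d, "CAA ok:", caa_allows(ZONE, d, "letsencrypt.org"),
              "dns-01 ok:", dns01_valid(ZONE, d, "tokA"))
```

The two things worth noticing: the CA never sees 123jad.com as a SAN, it only follows the CNAME to read the TXT, so the credentials your hook holds only need write access to that alias zone; and the CAA record on example.com covers mail.example.com too, so a single record at the apex restricts every hostname underneath unless a more specific CAA set overrides it.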
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: certbot-zimbra v0.2
Another Let's Encrypt step-by-step guide at https://wiki.zimbra.com/wiki/Installing ... ertificate
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/