Certificate/Certbot - best way?

kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Hi Jim.
Double-check your certificate/domain conf file to make sure you see that preferred chain I mentioned previously, or you will have problems during the automatic renewal.
Yes, it contains the line

Code:

Le_Preferred_Chain='__ACME_BASE64__START_SVNSRw==__ACME_BASE64__END_'
One can test the cron process with --force (if it is not renewal time yet) using the cron entry you see. Cut/paste that onto the command line and watch.
Yes, it force-renews the certificates, deploys them and restarts Zimbra.

Thank you so much again!

Br,
Dali
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Hi Jim.

I hope you're doing well.

I was just thinking of doing the Zimbra 8 to 9 upgrade and was wondering if it's gonna affect/break the certificate renewing process in any way? Really don't want the panic again :shock: :o

Upgrade seems very simple using the install script.
https://www.youtube.com/watch?v=TBrRk92 ... el=MasSaad

While on the subject, but a bit off topic: would there be any reason not to upgrade to 9 in general?

Thank you

Br,
Dali
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

Hi Dali,

It's not going to be a problem with the cert if you do an in place update (I have not done this in over a year with 8.8.15). You can also copy the /opt/zimbra/.acme.sh directory to another machine like this if your current certificate covers those domains or you want to add a few additional domain names to the certificate or want to test the update process on a clone of your 8.8.15 version. You can also back up the acme.sh directory with the method below if you are worried something will happen to it. Everything is self-contained in that tar image I show below for your certificate.

Code:

% su -
# cd /opt/zimbra
# tar cvf /tmp/acme.sh.tar .acme.sh
# scp /tmp/acme.sh.tar newmachine:/tmp/
then on that new machine, do this:

Code:

% su -
# cd /opt/zimbra
# tar xvf /tmp/acme.sh.tar
# su - zimbra
% cd /opt/zimbra/.acme.sh
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
After this, the new machine has the same certificate installed and running with zimbra. No need to grab a new certificate or re-validate unless you are adding new domains. Especially useful when you are installing a fresh image of Zimbra which comes with a self-signed certificate. The only thing that you have to do when copying your certificate stuff is make sure renewals happen automatically and that is to add the cron entry for the zimbra user on this new machine to check when/if the certificate needs to be renewed. Normally this is done by default by the acme.sh script but we used tar here to do the installation so the cron entry was not created.

As for Zimbra 9, I am not running that. If you are a network/commercial customer the decision is easier to make on that choice given the security patches are released immediately. For the OSS installs, they often need to wait for patches I believe. I think Zextras is still trying to get a version of Zimbra 9 that has P27 out if I understood the Zextras forums yesterday, and we are now at P28 for Zimbra 9.

If you are running the OSS version then you should search in these forums as I am not experienced with the effort it takes to keep it patched. I know Ian Walker has put together a great resource to build and pull the latest images for OSS Version 9. I use that myself when testing. Ref: https://github.com/ianw1974/zimbra-build-scripts

Note: I recently was experimenting with Zimbra 9 and Carbonio on a new machine. I used the same certificate and .acme.sh directory. The only difference is that I deployed it like this as I have a hook for Carbonio also. No need to get new certificates from letsencrypt. ;-)

Code:

# su - zextras
% cd /opt/zextras/.acme.sh
% ./acme.sh --deploy --deploy-hook carbonio -d mail.example.com
HTH,

Jim
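An added pre-flight script (my own example, not from this thread or from acme.sh) that covers the two things raised above: checking that the domain conf still carries the Le_Preferred_Chain setting, and making sure the renewal cron entry exists on a host where .acme.sh was restored from a tar. It assumes the default acme.sh layout under /opt/zimbra/.acme.sh (RSA conf at <domain>/<domain>.conf; ECC certs use <domain>_ecc instead) and that `acme.sh --install-cronjob` is available to add the job.

```shell
#!/bin/sh
# Pre-flight checks for a copied /opt/zimbra/.acme.sh directory. Run as the zimbra user.
# Example code, not part of acme.sh or Zimbra.

ACME_HOME="${ACME_HOME:-/opt/zimbra/.acme.sh}"

# Print the preferred chain stored in a domain conf, decoded from acme.sh's
# base64 wrapper, e.g. Le_Preferred_Chain='__ACME_BASE64__START_SVNSRw==__ACME_BASE64__END_'
# yields "ISRG". Prints nothing when the line is absent.
preferred_chain() {
    sed -n "s/^Le_Preferred_Chain='__ACME_BASE64__START_\(.*\)__ACME_BASE64__END_'$/\1/p" "$1" \
        | base64 -d 2>/dev/null
}

# Return 0 if the given crontab text already contains the acme.sh renewal job.
# acme.sh installs a line of the form: "<home>"/acme.sh --cron --home "<home>" > /dev/null
has_acme_cron() {
    printf '%s\n' "$1" | grep -q 'acme\.sh --cron'
}

# Run both checks for one domain; prints findings and returns non-zero on any gap.
check_host() {
    domain="$1"
    conf="$ACME_HOME/$domain/$domain.conf"   # assumption: RSA layout, see lead-in
    rc=0
    chain=$(preferred_chain "$conf")
    if [ -z "$chain" ]; then
        echo "MISSING: $conf has no Le_Preferred_Chain; a renewal may pick a different chain"
        rc=1
    else
        echo "OK: preferred chain is $chain"
    fi
    if has_acme_cron "$(crontab -l 2>/dev/null)"; then
        echo "OK: acme.sh renewal cron job present"
    else
        echo "MISSING: no acme.sh cron job; add it with: $ACME_HOME/acme.sh --install-cronjob --home $ACME_HOME"
        rc=1
    fi
    return $rc
}

# Usage: ACME_HOME=/opt/zimbra/.acme.sh sh acme_preflight.sh mail.example.com
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

After the checks pass, the cron line can be exercised with --force as described earlier to confirm deploy and Zimbra restart end to end.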
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you for your reply Jim.

I just realized the latest open source is my version, the network edition is 9. So no official update for me anyway. But there is a Zextras build that is 9 as you suggested.

My philosophy is never to jump on new releases too soon, but never let your version get too old. Both can be problematic. So occasional updates to a stable version are necessary IMHO.
At the moment I'm extremely happy with my Zimbra and would not like to get any heart attack surprises. For the moment I will stay with v8.

Another off-topic question. Mail servers are kinda hard to revert to old VM snapshots, as new emails are already in the inbox. So let's say a few days after the update I notice something is not OK with the new version. I can revert to a backup snapshot, but I lose new emails. Is there any script/tool to back up past emails for a certain period of time for all accounts and restore them to the old version? You know where I'm getting at.

Thank you so much Jim for always helping me out with Zimbra.

Br,
Dali