Hi Dali,
It's not going to be a problem with the cert if you do an in-place update (I have not done this in over a year with 8.8.15). You can also copy the /opt/zimbra/.acme.sh directory to another machine like this if your current certificate covers those domains or you want to add a few additional domain names to the certificate or want to test the update process on a clone of your 8.8.15 version. You can also back up the acme.sh directory with the method below if you are worried something will happen to it. Everything is self-contained in that tar image I show below for your certificate.
Code:
% su -
# cd /opt/zimbra
# tar cvf /tmp/acme.sh.tar .acme.sh
# scp /tmp/acme.sh.tar newmachine:/tmp/
Then on that new machine, do this:
Code:
% su -
# cd /opt/zimbra
# tar xvf /tmp/acme.sh.tar
# su - zimbra
% cd /opt/zimbra/.acme.sh
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
After this, the new machine has the same certificate installed and running with Zimbra. No need to grab a new certificate or re-validate unless you are adding new domains. Especially useful when you are installing a fresh image of Zimbra, which comes with a self-signed certificate. The only thing that you have to do when copying your certificate stuff is make sure renewals happen automatically, and that means adding the cron entry for the zimbra user on this new machine to check when/if the certificate needs to be renewed. Normally this is done by default by the acme.sh script, but we used tar here to do the installation, so the cron entry was not created.
As for Zimbra 9, I am not running that. If you are a network/commercial customer, the decision is easier to make on that choice given the security patches are released immediately. For the OSS installs, they often need to wait for patches, I believe. I think Zextras is still trying to get a version of Zimbra 9 that has P27 out, if I understood the Zextras forums yesterday, and we are now at P28 for Zimbra 9.
If you are running the OSS version then you should search in these forums as I am not experienced with the effort it takes to keep it patched. I know Ian Walker has put together a great resource to build and pull the latest images for OSS Version 9. I use that myself when testing. Ref:
https://github.com/ianw1974/zimbra-build-scripts
Note: I recently was experimenting with Zimbra 9 and Carbonio on a new machine. I used the same certificate and .acme.sh directory. The only difference is that I deployed it like this as I have a hook for Carbonio also. No need to get new certificates from Let's Encrypt.
Code:
# su - zextras
% cd /opt/zextras/.acme.sh
% ./acme.sh --deploy --deploy-hook carbonio -d mail.example.com
HTH,
Jim
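
The post above notes that copying .acme.sh with tar skips the renewal cron entry, and the copied directory also carries the certificate's private keys. The following is an added example, not part of the original post, that checks both on the new machine; the function names are hypothetical and the demo directory and crontab text are constructed.

```shell
#!/bin/sh
# Post-copy checks for a .acme.sh directory moved between hosts with tar.
# Function names are hypothetical; the demo data below is constructed.

# Succeeds if the crontab text on stdin has an active (uncommented)
# line that runs acme.sh in --cron mode.
has_acme_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'acme\.sh.*--cron'
}

# Prints every *.key file under $1 that group or others can access.
loose_key_files() {
    find "$1" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Runs both checks; $1 = acme.sh home, crontab text on stdin.
# Returns 0 only when the cron entry exists and no key is exposed.
check_acme_copy() {
    rc=0
    if ! has_acme_cron; then
        echo "no active acme.sh --cron entry: renewals will not run"
        rc=1
    fi
    loose=$(loose_key_files "$1")
    if [ -n "$loose" ]; then
        echo "private keys accessible beyond owner:"
        echo "$loose"
        rc=1
    fi
    return $rc
}

# Constructed demo: a fake acme.sh home with one over-permissive key
# and a crontab that contains only a comment.
demo=$(mktemp -d)
mkdir -p "$demo/mail.example.com"
: > "$demo/mail.example.com/mail.example.com.key"
chmod 644 "$demo/mail.example.com/mail.example.com.key"
echo '# no jobs yet' | check_acme_copy "$demo" || echo "=> fix before go-live"
```

On a real host, run it as root with `crontab -l -u zimbra | check_acme_copy /opt/zimbra/.acme.sh`; running `./acme.sh --install-cronjob` as the zimbra user recreates the missing entry. The /tmp/acme.sh.tar archive holds the same private keys, so delete it from both machines once the deploy succeeds.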