Certificate/Certbot - best way?
Hi.
Newbie alert. Coming from hmailserver(Windows). I just installed Zimbra, so far very good
Before I dig into certificates, spend hours searching the forum and try out possibly obsolete solutions, I would kindly ask what's the best, hassle-free, up-to-date option?
I'm assuming Certbot is the way to go. I had used it on my other Ubuntu servers, but for Zimbra, I guess it's not so simple.
It would be much help if anyone can point me to a working script.
Thank you
Br,
kd
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
Re: Certificate/Certbot - best way?
There are 2 approaches pinned in this forum.
I used this one viewtopic.php?f=15&t=62705 - tweaked to use DNS validation for certbot instead of editing the nginx templates. It has worked great for me this far. See post No.7 in the thread.
Many others have used JDunphy's method but I haven't tried it myself - viewtopic.php?f=15&t=60781
Re: Certificate/Certbot - best way?
Thank you for your reply!
Yes, I was looking at both methods. My current DNS provider does not allow for DNS validation. You think it's wise to switch for another DNS provider (Cloudflare for example), just to have that feature?
Thank you
Br,
kd
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Certificate/Certbot - best way?
kdiamond wrote:
Thank you for your reply!
Yes, I was looking at both methods. My current DNS provider does not allow for DNS validation. You think it's wise to switch for another DNS provider (Cloudflare for example), just to have that feature?
Thank you
Br,
kd
Probably not. Cloudflare however is free and you are not changing registrars but simply re-delegating the name servers, but now you need to learn their interface which might not be optimal for you, and there is a learning curve.
Another option is to use other challenge methods such as http, etc. if DNS doesn't work for you with these ACME clients (certbot, acme.sh, etc.)
see: https://letsencrypt.org/docs/challenge-types/
I will also note that you can still make this work with your current DNS provider if you have another domain that is with a DNS provider that has support for DNS updates via an API.
Here is a list of supported DNS hosting providers with acme.sh (see dnsapi directory)
Code:
% ls dnsapi/
README.md dns_da.sh dns_exoscale.sh dns_kas.sh dns_neodigit.sh dns_rackspace.sh
dns_1984hosting.sh dns_ddnss.sh dns_freedns.sh dns_kinghost.sh dns_netcup.sh dns_rcode0.sh
dns_acmedns.sh dns_desec.sh dns_gandi_livedns.sh dns_knot.sh dns_netlify.sh dns_regru.sh
dns_acmeproxy.sh dns_df.sh dns_gcloud.sh dns_leaseweb.sh dns_nic.sh dns_scaleway.sh
dns_active24.sh dns_dgon.sh dns_gd.sh dns_lexicon.sh dns_njalla.sh dns_schlundtech.sh
dns_ad.sh dns_dnsimple.sh dns_gdnsdk.sh dns_linode.sh dns_nm.sh dns_selectel.sh
dns_ali.sh dns_do.sh dns_he.sh dns_linode_v4.sh dns_nsd.sh dns_servercow.sh
dns_anx.sh dns_doapi.sh dns_hetzner.sh dns_loopia.sh dns_nsone.sh dns_simply.sh
dns_arvan.sh dns_domeneshop.sh dns_hexonet.sh dns_lua.sh dns_nsupdate.sh dns_tele3.sh
dns_autodns.sh dns_dp.sh dns_hostingde.sh dns_maradns.sh dns_nw.sh dns_transip.sh
dns_aws.sh dns_dpi.sh dns_huaweicloud.sh dns_me.sh dns_one.sh dns_ultra.sh
dns_azure.sh dns_dreamhost.sh dns_infoblox.sh dns_miab.sh dns_online.sh dns_unoeuro.sh
dns_cf.sh dns_duckdns.sh dns_infomaniak.sh dns_misaka.sh dns_openprovider.sh dns_variomedia.sh
dns_clouddns.sh dns_durabledns.sh dns_internetbs.sh dns_myapi.sh dns_openstack.sh dns_vscale.sh
dns_cloudns.sh dns_dyn.sh dns_inwx.sh dns_mydevil.sh dns_opnsense.sh dns_vultr.sh
dns_cn.sh dns_dynu.sh dns_ionos.sh dns_mydnsjp.sh dns_ovh.sh dns_world4you.sh
dns_conoha.sh dns_dynv6.sh dns_ispconfig.sh dns_namecheap.sh dns_pdns.sh dns_yandex.sh
dns_constellix.sh dns_easydns.sh dns_jd.sh dns_namecom.sh dns_pleskxml.sh dns_zilore.sh
dns_cx.sh dns_edgedns.sh dns_joker.sh dns_namesilo.sh dns_pointhq.sh dns_zone.sh
dns_cyon.sh dns_euserv.sh dns_kappernet.sh dns_nederhost.sh dns_rackcorp.sh dns_zonomi.sh
You would have this entry with your current DNS provider for your domain that provides no API to add/remove TXT records.
Code:
_acme-challenge.mail.example.com. IN CNAME _acme-challenge.someotherdomain.com.
_acme-challenge.mail2.example.com. IN CNAME _acme-challenge.someotherdomain.com.
Code:
./acme.sh --issue --dns dns_cf --challenge-alias someotherdomain.com -d mail.example.com -d mail2.example.com
Code:
./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
Here is a list of other ACME client implementations:
https://letsencrypt.org/docs/client-options/
With any of these, the installation of the letsencrypt certificate with Zimbra will be the same and use the zmcertmgr program that comes with Zimbra.
HTH,
Jim
Last edited by JDunphy on Fri May 07, 2021 11:39 pm, edited 1 time in total.
Re: Certificate/Certbot - best way?
Thank you for your reply Jim!
I never thought by migrating windows server to Ubuntu VMs (InvoiceNinja, OsTicket, Webserver, MailServer, FTP) Zimbra certificates will be the trickiest part
I'm assuming you are referring to this script:
https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
I did try it, but somehow I hit a Letsencrypt request limit. And that's where I stopped. I will try it again.
What I gathered so far is that only DNS validation doesn't require Zimbra restart. Unlike apache on other services that are instant, Zimbra restart takes a lot of time, so I would like to avoid it if possible.
CNAME way you are suggesting makes perfect sense. I have a testing domain I can move it to Cloudflare only for that purpose.
The question is: Can I have one domain (with a DNS provider that has support for DNS updates via an API) to get certificates for the other 10 domains (with a DNS provider without support for DNS updates via an API)?
Thank you!
Br,
kd
Re: Certificate/Certbot - best way?
JDunphy wrote:
If that worked, then all you do is deploy it:
Jim
According to the instructions at https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt I added 2 lines at the bottom of account.conf, on lines 13 and 14:
Code:
SAVED_CF_Key='Global API Key found in https://dash.cloudflare.com/profile'
CF_EMAIL='my email that I use to login cloudflare'
I get this error:
Code:
[Tue Apr 20 17:55:34 CEST 2021] You didn't specify a Cloudflare api key and email yet.
[Tue Apr 20 17:55:34 CEST 2021] You can get yours from here https://dash.cloudflare.com/profile.
[Tue Apr 20 17:55:34 CEST 2021] Error add txt for domain:_acme-challenge.globevoices.eu
[Tue Apr 20 17:55:34 CEST 2021] Please add '--debug' or '--log' to check more details.
[Tue Apr 20 17:55:34 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
I don't want to test too many times, so as not to hit the request limit again.
Thank you
Br,
kd
Re: Certificate/Certbot - best way?
I made it work by replacing the 2 lines with:
Code:
export CF_Key='Global API Key found in https://dash.cloudflare.com/profile'
export CF_Email='my email that I use to login cloudflare'
Thx
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Certificate/Certbot - best way?
kdiamond wrote:
Thank you for your reply Jim!
I never thought by migrating windows server to Ubuntu VMs (InvoiceNinja, OsTicket, Webserver, MailServer, FTP) Zimbra certificates will be the trickiest part
I'm assuming you are referring to this script:
https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
I did try it, but somehow I hit a Letsencrypt request limit. And that's where I stopped. I will try it again.
What I gathered so far is that only DNS validation doesn't require Zimbra restart. Unlike apache on other services that are instant, Zimbra restart takes a lot of time, so I would like to avoid it if possible.
CNAME way you are suggesting makes perfect sense. I have a testing domain I can move it to Cloudflare only for that purpose.
The question is: Can I have one domain (with a DNS provider that has support for DNS updates via an API) to get certificates for the other 10 domains (with a DNS provider without support for DNS updates via an API)?
Thank you!
Br,
kd
Yes, that wiki link is my notes ... You are correct that for validation, nginx (proxy) generally would need to be shut down so that your acme clients can listen (they become mini webservers) on the socket at 80/443, depending on the validation option you provided your acme client. There is a method where you can have nginx deliver a special file or token on your behalf for validation. My concern would be that any changes to nginx conf files could be lost during Zimbra upgrades, so I chose DNS for myself. For the acme.sh client they have a few methods to support this. The ALPN one is rather odd as you set up a load balancer, which seems like too much work when DNS validation just works.
https://github.com/acmesh-official/acme ... eless-Mode
https://github.com/acmesh-official/acme ... t-downtime
BTW, there is an option with acme.sh that allows you to test getting a certificate without hitting those per-day limits, but you won't be able to install the certificate because it won't validate. Use the --staging or --test parameter, which should help getting your syntax working and testing with your cloud provider using the CNAME trick. The concept was that you could then remove that --staging parameter and it would work, because you wouldn't be hitting the daily access limits given you have worked out your syntax.
Code:
--staging, --test Use staging server, just for test.
Answering your last question. Yes, that is exactly the reason for the challenge-alias option. Further, every domain (without the DNS API) is basically the same CNAME entry, so it's easy to replicate across 10's or 100's of domains. There is a layer of security to this method also. Generally, you would expose the API keys to those 10's of domains or various accounts, which means the acme client would be able to add/delete/update any resource record for any of those 10 domains in theory. If you use the challenge-alias option, only the domain with the DNS provider that has an API could be changed, and for your 10 domains only this one resource record, which is that CNAME... so in other words only this:
Code:
_acme-challenge.mail.example.com
So what goes on during DNS validation? The acme client (acme.sh/certbot) adds a TXT record with a special string that letsencrypt has told it it wants to see. The letsencrypt client that is verifying that you control the domain looks for this TXT record, and if the value matches you will be granted a certificate. The acme client then deletes this TXT record it just created... but when using the challenge-alias option that is with the someotherdomain.com from my example above. You get certificates for every domain without having to have them with a DNS hosting provider with an API. So these add/del TXT records happen for the someotherdomain.com zone, but you are getting certificates for domains that had that CNAME pointing to it. The certificate never includes someotherdomain.com as its subject or subject alternate name.
Jim
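As an added example (not from this thread or from acme.sh), a small Python pre-flight check that models what the validator does with the challenge-alias setup Jim describes: it follows the CNAME from _acme-challenge.<domain>, expects to land in the alias zone, and checks the TXT token there. The DNS records are a constructed in-memory zone and someotherdomain.com is the placeholder zone name from the post; replace lookup() with a real resolver to check live records.

```python
# Added example, not from the thread or acme.sh: a pre-flight that models what the
# ACME validator does with the --challenge-alias setup above. It follows the CNAME
# from _acme-challenge.<domain>, expects to land in the alias zone, and checks the
# TXT token there. SAMPLE_DNS is a constructed zone; swap lookup() for a real resolver.
ALIAS_ZONE = "someotherdomain.com"  # zone with the DNS API (placeholder name from the post)

# Constructed sample records: (owner name, type) -> list of rdata
SAMPLE_DNS = {
    ("_acme-challenge.mail.example.com", "CNAME"): ["_acme-challenge.someotherdomain.com."],
    ("_acme-challenge.mail2.example.com", "CNAME"): ["_acme-challenge.someotherdomain.com."],
    ("_acme-challenge.mail3.example.com", "CNAME"): ["_acme-challenge.mail3.example.com."],  # loop
    ("_acme-challenge.someotherdomain.com", "TXT"): ["token-from-acme-server"],  # added by acme.sh
}

def lookup(name, rtype, dns=SAMPLE_DNS):
    """Rdata list for (name, rtype); compares without trailing dot, case-insensitively."""
    return dns.get((name.rstrip(".").lower(), rtype), [])

def resolve_challenge_name(domain, lookup=lookup, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain>; return the final owner name.
    Raises ValueError on a CNAME loop or an over-long chain."""
    name = f"_acme-challenge.{domain}".lower()
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        name = targets[0].rstrip(".").lower()
    raise ValueError(f"CNAME chain too long for {domain}")

def check_alias(domain, alias_zone=ALIAS_ZONE, lookup=lookup):
    """Pre-flight: (ok, message); ok only if the chain ends in the alias zone."""
    try:
        final = resolve_challenge_name(domain, lookup)
    except ValueError as err:
        return False, f"{domain}: {err}"
    expected = f"_acme-challenge.{alias_zone}"
    if final != expected:
        return False, f"{domain}: chain ends at {final}, expected {expected}"
    return True, f"{domain}: OK, validator will read TXT at {final}"

def token_visible(domain, token, lookup=lookup):
    """What the ACME server checks: is `token` in a TXT record at the end of the chain?"""
    try:
        return token in lookup(resolve_challenge_name(domain, lookup), "TXT")
    except ValueError:
        return False
```

Run check_alias() over each domain before an --issue so that a missing or looping CNAME is caught before it counts against the Let's Encrypt rate limits.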
Re: Certificate/Certbot - best way?
Hi Jim
Getting closer and closer
It says: ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
Code:
The deploy hook zimbra is not found.
What could that be?
Thx
Br,
kd.
- JDunphy
- Outstanding Member
- Posts: 901
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: Certificate/Certbot - best way?
My wiki... copy that zimbra.sh script and put it inside the deploy directory.
You are close.
Jim