Certificate/Certbot - best way?

kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Certificate/Certbot - best way?

Post by kdiamond »

Hi.

Newbie alert. Coming from hmailserver(Windows). I just installed Zimbra, so far very good :)

Before I dig into certificates and spend hours searching the forum and trying out possibly obsolete solutions, I would kindly ask what's the best, hassle-free, up-to-date option?
I'm assuming Certbot is the way to go. Had used it on my other ubuntu servers, but for Zimbra, I guess it's not so simple.

It would be much help if anyone can point me to a working script.

Thank you

Br,
kd
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: Certificate/Certbot - best way?

Post by liverpoolfcfan »

There are 2 approaches pinned in this forum.

I used this one viewtopic.php?f=15&t=62705 - tweaked to use DNS validation for certbot instead of editing the nginx templates. It has worked great for me this far. See post No.7 in the thread.

Many others have used JDunphy's method but I haven't tried it myself - viewtopic.php?f=15&t=60781
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you for your reply!

Yes, I was looking at both methods. My current DNS provider does not allow for DNS validation. You think it's wise to switch for another DNS provider (Cloudflare for example), just to have that feature?

Thank you
Br,
kd
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

kdiamond wrote: Thank you for your reply!

Yes, I was looking at both methods. My current DNS provider does not allow for DNS validation. You think it's wise to switch for another DNS provider (Cloudflare for example), just to have that feature?

Thank you
Br,
kd
Probably not. Cloudflare however is free and you are not changing registrars but simply re-delegating the name servers, but now you need to learn their interface which might not be optimal for you and there is a learning curve.

Another option is to use other challenge methods such as http, etc. if DNS doesn't work for you with these ACME clients (certbot, acme.sh, etc.)

see: https://letsencrypt.org/docs/challenge-types/

I will also note that you can still make this work with your current DNS provider if you have another domain that is with a DNS provider that has support for DNS updates via an API.

Here is a list of supported DNS hosting providers with acme.sh (see dnsapi directory)


% ls dnsapi/
README.md           dns_da.sh          dns_exoscale.sh       dns_kas.sh        dns_neodigit.sh      dns_rackspace.sh
dns_1984hosting.sh  dns_ddnss.sh       dns_freedns.sh        dns_kinghost.sh   dns_netcup.sh        dns_rcode0.sh
dns_acmedns.sh      dns_desec.sh       dns_gandi_livedns.sh  dns_knot.sh       dns_netlify.sh       dns_regru.sh
dns_acmeproxy.sh    dns_df.sh          dns_gcloud.sh         dns_leaseweb.sh   dns_nic.sh           dns_scaleway.sh
dns_active24.sh     dns_dgon.sh        dns_gd.sh             dns_lexicon.sh    dns_njalla.sh        dns_schlundtech.sh
dns_ad.sh           dns_dnsimple.sh    dns_gdnsdk.sh         dns_linode.sh     dns_nm.sh            dns_selectel.sh
dns_ali.sh          dns_do.sh          dns_he.sh             dns_linode_v4.sh  dns_nsd.sh           dns_servercow.sh
dns_anx.sh          dns_doapi.sh       dns_hetzner.sh        dns_loopia.sh     dns_nsone.sh         dns_simply.sh
dns_arvan.sh        dns_domeneshop.sh  dns_hexonet.sh        dns_lua.sh        dns_nsupdate.sh      dns_tele3.sh
dns_autodns.sh      dns_dp.sh          dns_hostingde.sh      dns_maradns.sh    dns_nw.sh            dns_transip.sh
dns_aws.sh          dns_dpi.sh         dns_huaweicloud.sh    dns_me.sh         dns_one.sh           dns_ultra.sh
dns_azure.sh        dns_dreamhost.sh   dns_infoblox.sh       dns_miab.sh       dns_online.sh        dns_unoeuro.sh
dns_cf.sh           dns_duckdns.sh     dns_infomaniak.sh     dns_misaka.sh     dns_openprovider.sh  dns_variomedia.sh
dns_clouddns.sh     dns_durabledns.sh  dns_internetbs.sh     dns_myapi.sh      dns_openstack.sh     dns_vscale.sh
dns_cloudns.sh      dns_dyn.sh         dns_inwx.sh           dns_mydevil.sh    dns_opnsense.sh      dns_vultr.sh
dns_cn.sh           dns_dynu.sh        dns_ionos.sh          dns_mydnsjp.sh    dns_ovh.sh           dns_world4you.sh
dns_conoha.sh       dns_dynv6.sh       dns_ispconfig.sh      dns_namecheap.sh  dns_pdns.sh          dns_yandex.sh
dns_constellix.sh   dns_easydns.sh     dns_jd.sh             dns_namecom.sh    dns_pleskxml.sh      dns_zilore.sh
dns_cx.sh           dns_edgedns.sh     dns_joker.sh          dns_namesilo.sh   dns_pointhq.sh       dns_zone.sh
dns_cyon.sh         dns_euserv.sh      dns_kappernet.sh      dns_nederhost.sh  dns_rackcorp.sh      dns_zonomi.sh
For example, with the acme.sh client (bash script)... you would add a resource record (CNAME) that points to this other domain that is with a DNS provider like Cloudflare. After that, add this option: --challenge-alias ... This is listed in the wiki article as we run our own delegated DNS servers here without any API and that is how I get around the problem (same as you). I have a domain with Cloudflare that isn't related to our mail servers which I will call someotherdomain.com for this example.

You would have this entry with your current DNS provider for your domain that provides no api to add/remove txt records.


_acme-challenge.mail.example.com.      IN CNAME _acme-challenge.someotherdomain.com.
_acme-challenge.mail2.example.com.      IN CNAME _acme-challenge.someotherdomain.com.
Then when you are creating a certificate for mail.example.com you would reference it via the --challenge-alias someotherdomain.com so the complete line would look like this:


./acme.sh --issue --dns dns_cf --challenge-alias someotherdomain.com -d mail.example.com -d mail2.example.com
If that worked, then all you do is deploy it:


./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
Finally, ACME is the protocol for challenge/verification, so acme.sh also supports ZeroSSL (like letsencrypt and free) which will become the default in Aug 2021 for acme.sh. Existing acme.sh installations will continue to use letsencrypt but new installs will default to ZeroSSL (also free) unless a command line switch is provided. I'll update our instructions once I see the new switch.

Here is a list of other clients that implement the ACME protocol:

https://letsencrypt.org/docs/client-options/

With any of these, the installation of the letsencrypt certificate with Zimbra will be the same and use the zmcertmgr program that comes with Zimbra.

HTH,

Jim
Last edited by JDunphy on Fri May 07, 2021 11:39 pm, edited 1 time in total.
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you for your reply Jim!

I never thought by migrating windows server to Ubuntu VMs (InvoiceNinja, OsTicket, Webserver, MailServer, FTP) Zimbra certificates will be the trickiest part :)

I'm assuming you are referring to this script:
https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

I did try it, but somehow I hit a Letsencrypt request limit. And that's where I stopped. I will try it again.

What I gathered so far is that only DNS validation doesn't require Zimbra restart. Unlike apache on other services that are instant, Zimbra restart takes a lot of time, so I would like to avoid it if possible.

CNAME way you are suggesting makes perfect sense. I have a testing domain I can move it to Cloudflare only for that purpose.

The question is: Can I have one domain (with a DNS provider that has support for DNS updates via an API) to get certificates for the other 10 domains (with a DNS provider without support for DNS updates via an API)?

Thank you!
Br,
kd
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

JDunphy wrote:
kdiamond wrote: Thank you for your reply!
If that worked, then all you do is deploy it:
Jim
According to the instructions at https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt I added 2 lines at the bottom of the account.conf file, on lines 13 and 14.


SAVED_CF_Key='Global API Key found in https://dash.cloudflare.com/profile'
CF_EMAIL='my email that I use to login cloudflare'

I get this error:


[Tue Apr 20 17:55:34 CEST 2021] You didn't specify a Cloudflare api key and email yet.
[Tue Apr 20 17:55:34 CEST 2021] You can get yours from here https://dash.cloudflare.com/profile.
[Tue Apr 20 17:55:34 CEST 2021] Error add txt for domain:_acme-challenge.globevoices.eu
[Tue Apr 20 17:55:34 CEST 2021] Please add '--debug' or '--log' to check more details.
[Tue Apr 20 17:55:34 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
What could that be?

I don't want to test too many times so as not to hit the request limit again.

Thank you
Br,
kd
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

I made it work by replacing 2 lines to:


export CF_Key='Global API Key found in https://dash.cloudflare.com/profile'
export CF_Email='my email that I use to login cloudflare'
Thx
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

kdiamond wrote: Thank you for your reply Jim!

I never thought by migrating windows server to Ubuntu VMs (InvoiceNinja, OsTicket, Webserver, MailServer, FTP) Zimbra certificates will be the trickiest part :)

I'm assuming you are referring to this script:
https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

I did try it, but somehow I hit a Letsencrypt request limit. And that's where I stopped. I will try it again.

What I gathered so far is that only DNS validation doesn't require Zimbra restart. Unlike apache on other services that are instant, Zimbra restart takes a lot of time, so I would like to avoid it if possible.

CNAME way you are suggesting makes perfect sense. I have a testing domain I can move it to Cloudflare only for that purpose.

The question is: Can I have one domain (with a DNS provider that has support for DNS updates via an API) to get certificates for the other 10 domains (with a DNS provider without support for DNS updates via an API).

Thank you!
Br,
kd
Yes, that wiki link is my notes ... You are correct that for validation, nginx (proxy) generally would need to be shut down so that your acme clients can listen (they become mini webservers) on the socket at 80/443 depending on the validation option you provided your acme client. There is a method where you can have nginx deliver a special file or token on your behalf for validation. My concern would be that any changes to nginx conf files could be lost during Zimbra upgrades, so I chose DNS for myself. For the acme.sh client they have a few methods to support this. The ALPN one is rather odd as you set up a load balancer, which seems like too much work when DNS validation just works. ;-)

https://github.com/acmesh-official/acme ... eless-Mode
https://github.com/acmesh-official/acme ... t-downtime

BTW, there is an option with acme.sh that allows you to test getting a certificate without hitting those per-day limits, but you won't be able to install the certificate because it won't validate. Use the --staging or --test parameter, which should help getting your syntax working and testing with your cloud provider using the CNAME trick. The concept was that you could then remove that --staging parameter and it would work, because you wouldn't be hitting the daily access limits given you have worked out your syntax.


  --staging, --test                 Use staging server, just for test.
The CNAME trick with challenge-alias is powerful because it will also allow you to have certificates in rfc1918 space for things like plex servers, internal routers, or any in house servers given how sensitive browsers are becoming to non PKI (CA's that your browser has preloaded, etc) certs so it has other advantages than for domains that have no DNS API hosting provider.

Answering your last question. Yes, that is exactly the reason for the challenge-alias option. Further, every domain (without the DNS API) is basically the same CNAME entry, so it's easy to replicate across 10's or 100's of domains. There is a layer of security to this method also. Generally, you would expose the API keys to those 10's of domains or various accounts, which means the acme client would be able to add/delete/update any resource record for any of those 10 domains in theory. If you use the challenge-alias option, only the domain with the DNS provider that has an API could be changed, and for your 10 domains only this one resource record, which is that CNAME... so in other words only this:


_acme-challenge.mail.example.com
They could not change example.com or http://www.example.com because there was no CNAME entry.

So what goes on during DNS validation? The acme client (acme.sh/certbot) adds a TXT record with a special string that letsencrypt has told it it wants to see. The letsencrypt client that is verifying that you control the domain looks for this TXT record, and if the value matches you will be granted a certificate. The acme client then deletes this TXT record it just created... but when using the challenge-alias option that is with the someotherdomain.com from my example above. You get certificates for every domain without having to have them with a DNS hosting provider with an API. So these add/delete TXT records happen for the someotherdomain.com zone, but you are getting certificates for domains that had that CNAME pointing to it. The certificate never includes someotherdomain.com as its subject or subject alternative name.

Jim
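The CNAME/challenge-alias flow from Jim's earlier post and the DNS validation walk-through above, modelled as an added example (not code from the thread, from acme.sh, or from the Zimbra wiki). The zone data, the account thumbprint and the tokens are constructed; nothing here talks to a real resolver or CA. It shows why the TXT write lands in the alias zone while the CA still validates the original names, why a host without the static CNAME fails, and gives a preflight check you can run over a list of domains before spending a rate-limited issuance attempt.

```python
"""Model of ACME DNS-01 validation through a CNAME alias zone (added example)."""
import base64
import hashlib

ACME_LABEL = "_acme-challenge"

# Constructed zone data. example.com sits with a provider that has no API, so it
# carries only the static CNAME per host; someotherdomain.com is the API-backed
# zone the ACME client is allowed to write TXT records into.
ZONES = {
    "_acme-challenge.mail.example.com.": {"CNAME": "_acme-challenge.someotherdomain.com."},
    "_acme-challenge.mail2.example.com.": {"CNAME": "_acme-challenge.someotherdomain.com."},
    "_acme-challenge.someotherdomain.com.": {"TXT": set()},
}


def fqdn(name):
    """Normalise to a fully qualified name with trailing dot."""
    return name if name.endswith(".") else name + "."


def challenge_name(domain):
    return fqdn("%s.%s" % (ACME_LABEL, domain))


def resolve_txt(zones, name, max_hops=8):
    """TXT values at `name`, following CNAMEs the way the CA's resolver would."""
    name = fqdn(name)
    for _ in range(max_hops):
        rrset = zones.get(name, {})
        if "CNAME" in rrset:
            name = fqdn(rrset["CNAME"])
            continue
        return set(rrset.get("TXT", set()))
    raise RuntimeError("CNAME chain too long at %s" % name)


def challenge_txt_value(token, account_thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)), no padding."""
    key_authz = "%s.%s" % (token, account_thumbprint)
    digest = hashlib.sha256(key_authz.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_writes_txt(zones, alias, value):
    """What --challenge-alias does: the TXT goes into the alias zone only."""
    zones.setdefault(challenge_name(alias), {}).setdefault("TXT", set()).add(value)


def client_removes_txt(zones, alias, value):
    """Clean-up step after validation, again touching only the alias zone."""
    zones[challenge_name(alias)]["TXT"].discard(value)


def ca_validates(zones, domain, token, thumbprint):
    """The CA queries _acme-challenge.<domain>; the CNAME carries it to the alias."""
    expected = challenge_txt_value(token, thumbprint)
    return expected in resolve_txt(zones, challenge_name(domain))


def issue(zones, domains, alias, thumbprint):
    """One issuance round over several SANs; returns the names that validated."""
    validated = []
    for d in domains:
        token = "constructed-token-for-" + d  # a real CA picks a random token per name
        value = challenge_txt_value(token, thumbprint)
        client_writes_txt(zones, alias, value)
        try:
            if ca_validates(zones, d, token, thumbprint):
                validated.append(d)
        finally:
            client_removes_txt(zones, alias, value)
    return validated


def preflight(zones, domains, alias):
    """Domains whose _acme-challenge name lacks the CNAME to the alias zone."""
    want = challenge_name(alias)
    return [d for d in domains
            if fqdn(zones.get(challenge_name(d), {}).get("CNAME", "")) != want]


if __name__ == "__main__":
    names = ["mail.example.com", "mail2.example.com", "www.example.com"]
    print("missing CNAME:", preflight(ZONES, names, "someotherdomain.com"))
    print("validated:", issue(ZONES, names, "someotherdomain.com", "constructed-thumbprint"))
```

The write/remove pair only ever touches `_acme-challenge.someotherdomain.com`, which is the scope-limiting point Jim makes: the API key for the alias zone cannot alter `example.com` or `www.example.com`, and the only record the non-API domains expose is the static CNAME. Against real DNS, `preflight` would be replaced by a `dig +short CNAME _acme-challenge.<domain>` per name; the check is the same.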
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Hi Jim

Getting closer and closer :)
./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
It says:


The deploy hook zimbra is not found.
What could that be?

Thx
Br,
kd.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

My wiki... copy that zimbra.sh script and put it inside the deploy directory.

You are close.

Jim