kdiamond wrote: In let's encrypt I have a one-week ban as I tried to generate the certificates more than 5 times. I don't know. Maybe even to install a commercial multi-domain certificate.
Br,
Dali
A couple of things.
1) You can get around that ban by adding another name... make something up. tmail.example.com ... Doesn't matter, just another hostname on your domain on your issue line. Do all the same stuff you did for this new one ie) CNAME. See instructions in this thread. That ban I believe says for the same set of names... so we add another. Doesn't matter if you use it. That will get around that ban.
2) It does not appear that you are getting the LE alternative chain from what you are showing. acme.sh will default to zerossl unless you tell it otherwise. It will also pull the default chain when there are more signing chains. I just successfully verified a new certificate with acme.sh version 3.05 so it would appear to be your environment and not the latest version of acme.sh, provided we can get you asking for the LE alternative chain.
A couple of things you can do. Look inside your mail.example.com directory for the per domain/certificate config file. There should be something like this if the first -d has been mail.example.com:
# su - zimbra
% cd .acme.sh
% grep Le_Preferred_Chain mail.example.com/mail.example.com.conf
Le_Preferred_Chain='__ACME_BASE64__START_SVNSRw==__ACME_BASE64__END_'
% cat ca/acme-v02.api.letsencrypt.org/directory/ca.conf
ACCOUNT_URL='https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxx'
CA_KEY_HASH='....'
DEFAULT_PREFERRED_CHAIN='ISRG'
There used to be this option that you could specify on the issue but I don't remember the exact syntax... something like this perhaps.
./acme.sh --force --issue --server letsencrypt --preferred-chain "ISRG" --dns dns_cf --challenge-alias domainWeWillAddTxtRecord.com -d mail.example.com -d mail.example.net
Hints of things that might get you working.
1) you can move your mail.example.com directory out of the way, then issue the 2 commands about the alternative and LE chain, and then issue/verify that you have the Le_Preferred_Chain, etc.
- I have not tested this with version 3.0.5 but that is how I did it in prior versions when we ran into this problem a few years ago.
see this:
https://github.com/acmesh-official/acme ... -945993399
2) you can manually put the Le_Preferred_Chain option in the per domain certificate file... ie) from the grep above, and then reissue the certificate.
3) you can force the preferred chain using that option on the issue
About those certificates we saw with the grep BEGIN. The ca.cer.real is from the Zimbra.sh deploy script adding the ISG_X1.pem root to your ca.cer file. The ca.cer contains the certificates that signed your certificate (the intermediates) and your certificate.
Hope this makes sense. I am looking at the github for acme.sh now to see what has changed that would prevent you from getting the alternative chain given you think you are asking for the alternative for LE CA.
Here are the sections of the acme.sh documentation:
https://github.com/acmesh-official/acme ... default-CA
https://github.com/acmesh-official/acme ... rred-Chain
I am at a loss as to why, when you issued those 2 server commands, you didn't get the LE alternative chain.
Jim
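As an added example (not code from this thread or from the acme.sh project), here is a small Python check for hints 1 and 2 above: it reads a per-domain acme.sh .conf, decodes the `__ACME_BASE64__START_..._END_` wrapping that acme.sh puts around values such as Le_Preferred_Chain, reports whether the certificate is set up for the LE API with the ISRG chain, and can write the Le_Preferred_Chain line back in the same wrapped form. The sample conf text is constructed for the example; the key names follow the grep output shown in the post.

```python
import base64
import re

# Constructed sample of a per-domain acme.sh conf (not a real file from the thread).
SAMPLE_CONF = """Le_Domain='mail.example.com'
Le_Alt='mail.example.net'
Le_Webroot='dns_cf'
Le_Preferred_Chain='__ACME_BASE64__START_SVNSRw==__ACME_BASE64__END_'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
"""

# acme.sh wraps values containing special characters in this marker pair.
B64_RE = re.compile(r"^__ACME_BASE64__START_(.*)__ACME_BASE64__END_$")


def decode_value(raw):
    """Undo the acme.sh base64 wrapping; plain values pass through unchanged."""
    m = B64_RE.match(raw)
    return base64.b64decode(m.group(1)).decode() if m else raw


def encode_value(plain):
    """Wrap a value the way acme.sh stores it in its conf files."""
    b64 = base64.b64encode(plain.encode()).decode()
    return "__ACME_BASE64__START_" + b64 + "__ACME_BASE64__END_"


def parse_conf(text):
    """Parse KEY='value' lines into a dict with wrapped values decoded."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = decode_value(val.strip().strip("'"))
    return conf


def chain_problems(conf, wanted="ISRG"):
    """Return the reasons a renewal would not yield the LE chain you want."""
    problems = []
    if "letsencrypt.org" not in conf.get("Le_API", ""):
        problems.append("Le_API is not the Let's Encrypt directory (ZeroSSL is the default)")
    if conf.get("Le_Preferred_Chain") != wanted:
        problems.append("Le_Preferred_Chain is %r, expected %r" % (conf.get("Le_Preferred_Chain"), wanted))
    return problems


def set_preferred_chain(text, chain):
    """Rewrite the conf text with Le_Preferred_Chain set to `chain` (hint 2)."""
    kept = [l for l in text.splitlines() if not l.startswith("Le_Preferred_Chain=")]
    kept.append("Le_Preferred_Chain='" + encode_value(chain) + "'")
    return "\n".join(kept) + "\n"
```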