Certificate/Certbot - best way?

kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you so so so much for all this valuable info!!! I really appreciate it.

So even though the whole process of getting a cert with CNAME went fine, ending with Cert Success, the validation fails.

Again using your notes from https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt, saying:

root@mail:~/.acme.sh# cd mail.example.com
root@mail:~/.acme.sh/mail.example.com# cp mail.example.com.key mail.example.com.cer fullchain.cer /tmp
root@mail:~/.acme.sh/mail.example.com# su - zimbra
zimbra@mail:~$ cd /tmp
zimbra@mail:/tmp$ /opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer
** Verifying 'mail.example.com.cer' against 'mail.example.com.key'
Certificate 'mail.example.com.cer' and private key 'mail.example.com.key' match.
** Verifying 'mail.example.com.cer' against 'fullchain.cer'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup: unable to get issuer certificate
error mail.example.com.cer: verification failed
Br,
kd
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

JDunphy wrote: You are close.
but not there yet :)

./acme.sh --deploy --deploy-hook zimbra -d mail.example.com

root@mail:~/.acme.sh# ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
zmcertmgr: ERROR: no longer runs as root!
[Tue Apr 20 19:02:34 CEST 2021] Error deploy for domain:mail.example.com
[Tue Apr 20 19:02:34 CEST 2021] Deploy error.
thx
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

You seem to be mixing manual (cd tmp) running as zimbra and automatic (--deploy) methods running as root.

What does this look like to see where you are:

# su - zimbra
% ls -lt ~zimbra/.acme.sh/IdentTrust.pem
If the above doesn't exist then you probably installed acme.sh as the root user which will cause you a number of problems. I am guessing from the error messages you are providing.

Don't run anything as root as we will need to fix permissions at some point if you installed and are running the acme client as root. It appears when you ran the command where the validation failed in /tmp, you forgot to append the intermediate but you ran zmcertmgr as zimbra and got that validation certificate chain error message. The deploy script zimbra.sh does that addition of the intermediate for you so you made it further but then you attempted to run acme.sh as root which you can't do because zmcertmgr needs to be running as zimbra for Zimbra 8.7 and newer versions. Fortunately, the script did abort as required so you didn't cp the key or we would be fixing /opt/zimbra/ssl/zimbra/commercial/commercial.key permissions also.

The wiki article explains this fairly well and step by step but getting a certificate is only 2 commands to issue and install a certificate so what could go wrong. :-) :-)

Note: There is a rather serious bug in zmcertmgr where it can fail the install because of permissions because of the way they save cwd and then put it back so we don't want to break your system. That is why people tend to copy everything to /tmp before they begin the validation and installation when they do it manually like the first method you tried which I call the manual way. The deploy script doesn't have this problem as acme.sh is installed as the zimbra user. When you installed acme.sh as the zimbra user, it also installed a cron job to handle renewals so you got that for free. Renewals will begin to happen at day 60.

You might want to modify the zimbra.sh script until you get the hang of what is happening, so it kind of acts like a manual process and you can observe the validation of the cert.

Find the line inside zimbra.sh that says:

/opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1

and add this line below it:

return 0

This way you can test the deploy script without having to cp or restart anything. Once you have it validate and feel confident in your cert, you can remove the return 0 line and it should work.

If you did install the acme.sh client as root or another user, you might want to start again or do this to get you back to the wiki article using the deploy script:

# cd
# mv .acme.sh ~zimbra/
# chown -R zimbra:zimbra ~zimbra/.acme.sh/
# su - zimbra
% cd .acme.sh
Now you can run the commands.
Note: you still need to add the following to crontab at the end if you want automatic renewals or you can put the 2 commands you just did --issue and the --deploy into your own script and kick it off how you like. Here is what I have on mine.

[zimbra@mail ~]$ crontab -l |grep -B 2 acme.sh

# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
So even though this runs every night, it won't renew until day 60 as there is a check to see if it's time. If you want it sooner, add the --force option with your --issue. BTW, that --force might be useful as you attempt to perfect your certificate --issue with different domains.

I probably should mention if it isn't clear by now that we are installing one certificate with all your domains. They use Subject and Subject alternative names. That is why the -d ... -d .... -d ... -d ... (keep adding your others) until you have them all. The very first -d however is what you will use for --deploy and is the directory that will be created by acme.sh where your cert is installed. I generally make the first -d option my zmhostname.

You should be good now.

Jim
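Added example, not from this thread or from the JDunphy wiki: a throw-away root/intermediate/leaf chain generated locally with openssl reproduces the "unable to get issuer certificate" failure from the zmcertmgr output above when the chain file stops at the intermediate, and shows the check passing once the missing CA certificate is appended (the role IdentTrust.pem plays in this thread; that this is what the ".real" chain file in zimbra.sh contains is an assumption). The names Test Root, Test R3 and mail.example.com are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Zimbra wiki): reproduce the
# chain-validation failure shown in the zmcertmgr output, then show it clearing
# once the extra CA certificate is appended to the chain file.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed test PKI (hypothetical names): a self-signed root, an intermediate
# signed by it, and a leaf for mail.example.com signed by the intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/O=Test CA/CN=Test Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.cer -days 2 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/O=Test CA/CN=Test R3" 2>/dev/null
openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial -out int.cer -days 2 -extfile ca.ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout mail.example.com.key -out leaf.csr -subj "/CN=mail.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.cer -CAkey int.key -CAcreateserial -out mail.example.com.cer -days 2 -extfile leaf.ext 2>/dev/null

# Chain file as the ACME client hands it over: intermediate only.
cp int.cer fullchain.cer
# Repaired chain: intermediate followed by the missing CA certificate
# (assumed to be how the "${_cca}.real" file in zimbra.sh is built).
cat fullchain.cer root.cer > fullchain.cer.real

# The two checks visible in the zmcertmgr verifycrt output: key/cert match,
# then whether the cert chains up to a self-signed root in the chain file.
key_matches_cert() {
  # $1 = private key, $2 = certificate; compare the public keys they carry
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
chain_verifies() {
  # $1 = leaf certificate, $2 = chain file; with no self-signed root in $2,
  # openssl stops at depth 1 with "unable to get issuer certificate"
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

key_matches_cert mail.example.com.key mail.example.com.cer && echo "key and cert match"
chain_verifies mail.example.com.cer fullchain.cer || echo "intermediate-only chain: verification failed (as in the post)"
chain_verifies mail.example.com.cer fullchain.cer.real && echo "chain with root appended: OK"
```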
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Yes, I installed it as root.

Luckily I have snapshots of VM before, so I will restore it and try it again with Zimbra user.

Should I keep the certificate I already made today, or should I issue a new one?

Thank you
Br,
kd
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

Get a new cert if you go that route as it will be simpler for you... That is the beauty of letsencrypt... Remember that --force option should you need to get a new one and it won't allow you because it isn't time.

Provided you are not using --staging/--test with your --issue, the manual method you attempted would also work, provided you add that intermediate to the end of the chain or modify zimbra.sh in the deploy directory so you can verify without installing it. The wiki shows that manual step method first so you can understand the process, but you are welcome to use the --deploy option with the zimbra.sh script there also.

I don't think you have messed anything up by installing as root that cannot be fixed with the steps I showed to mv it from root and chown to zimbra.
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you very much for helping me out. You have to realize I'm still struggling with ubuntu basics and at some point you got me lost.

So how should I start so as not to repeat the same error again:

1. SSH with user zimbra
or
2. SSH with root user and then su - zimbra

because if I try to run

curl https://get.acme.sh | sh

as zimbra user, it will say:

Can not create working dir: /opt/zimbra/.acme.sh
thx

Br,
kd
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

kdiamond wrote: Thank you very much for helping me out. You have to realize I'm still struggling with ubuntu basics and at some point you got me lost.

So how should I start so as not to repeat the same error again:

1. SSH with user zimbra
or
2. SSH with root user and then su - zimbra

because if I try to run

curl https://get.acme.sh | sh

as zimbra user, it will say:

Can not create working dir: /opt/zimbra/.acme.sh
thx

Br,
kd
Find the section in the wiki that says "Note: if you get an error attempting to install acme.sh as the zimbra user, do this as /opt/zimbra is owned by root".

Reason: /opt/zimbra is owned by root and zimbra does not have permission to write into /opt/zimbra as a result. How about you do this and then repeat what you are trying above.

# su -
# mkdir /opt/zimbra/.acme.sh
# chown zimbra:zimbra /opt/zimbra/.acme.sh
Repeat your curl command as the zimbra user which now has permission and can write into /opt/zimbra/.acme.sh (because it is owned by zimbra) and you are done with acme.sh installation.

Jim
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Ok, I repeated the steps and installed acme.sh as the Zimbra user.

Now it is located in /opt/zimbra/.acme.sh
I reissued the certificate with success.

Validation fails as IdentTrust.pem does not exist.
JDunphy wrote:

# su - zimbra
% ls -lt ~zimbra/.acme.sh/IdentTrust.pem

The file does not exist.

thx
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

I created IdentTrust.pem so validation does not report it missing anymore.

zimbra@mail:/tmp$ ls -lt ~zimbra/.acme.sh/IdentTrust.pem
-rw-r----- 1 zimbra zimbra 1200 Apr 20 23:31 /opt/zimbra/.acme.sh/IdentTrust.pem
I had to fix the server time too in order to get it working.

sudo apt-get install ntp
Finally!!!!!
If nothing else, I learned a lot from this.

Now let's see where I stop next.

Br,
kd
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Dear Jim.

I installed a certificate for one domain successfully. I didn't use the zimbra hook to install the certificate, but I did steps 1-4 in your wiki, just to know every step is done well.

So my next quest is:

1. To add certificates one after another, as I transfer the domains (in total 5) from my old email server.

I'm a bit confused about how to add a domain certificate(s) where one domain certificate is already up and running well. The wiki only covers installing one or multiple certificates in one call, not adding one.

The wiki:

Steps 1 and 2 are clear.

Step 3 will overwrite the existing commercial.key

cp mail.example.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
Here's the confusion.

2. Create a cron job so all certificates get renewed in time.

"/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" 
When I run this command all is well.
How do I know this will run periodically and update the certificates?
/etc/crontab does not contain any job.

Thank you!

Br,
kd