You seem to be mixing manual (cd tmp) running as zimbra and automatic (--deploy) methods running as root.
What does this look like to see where you are:
Code:
# su - zimbra
% ls -lt ~zimbra/.acme.sh/IdentTrust.pem
If the above doesn't exist, then you probably installed acme.sh as the root user, which will cause you a number of problems. I am guessing from the error messages you are providing.
Don't run anything as root, as we will need to fix permissions at some point if you installed and are running the acme client as root. It appears that when you ran the command where the validation failed in /tmp, you forgot to append the intermediate, but you ran zmcertmgr as zimbra and got that "validation certificate chain" error message. The deploy script zimbra.sh does that addition of the intermediate for you, so you made it further, but then you attempted to run acme.sh as root, which you can't do because zmcertmgr needs to be running as zimbra for Zimbra 8.7 and newer versions. Fortunately, the script did abort as required, so you didn't cp the key, or we would be fixing /opt/zimbra/ssl/zimbra/commercial/commercial.key permissions also.
The wiki article explains this fairly well and step by step, but getting a certificate is only 2 commands to issue and install a certificate, so what could go wrong?
Note: There is a rather serious bug in zmcertmgr where it can fail the install because of permissions, because of the way they save cwd and then put it back, so we don't want to break your system. That is why people tend to copy everything to /tmp before they begin the validation and installation when they do it manually, like the first method you tried, which I call the manual way. The deploy script doesn't have this problem, as acme.sh is installed as the zimbra user. When you installed acme.sh as the zimbra user, it also installed a cron job to handle renewals, so you got that for free. Renewals will begin to happen at day 60.
You might want to modify the zimbra.sh script until you get the hang of what is happening, so that it kind of acts like a manual process and you can observe the validation of the cert.
Find the line inside zimbra.sh that says:
Code:
/opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1
and add this line below it:
Code:
return 0
This way you can test the deploy script without having to cp or restart anything. Once you have it validate and feel confident in your cert, you can remove the "return 0" line and it should work.
If you did install the acme.sh client as root or another user, you might want to start again or do this to get you back to the wiki article using the deploy script:
Code:
# cd
# mv .acme.sh ~zimbra/
# chown -R zimbra:zimbra ~zimbra/.acme.sh/
# su - zimbra
% cd .acme.sh
Now you can run the commands.
Note: you still need to add the following to crontab at the end if you want automatic renewals, or you can put the 2 commands you just did (--issue and --deploy) into your own script and kick it off however you like. Here is what I have on mine.
Code:
[zimbra@mail ~]$ crontab -l |grep -B 2 acme.sh
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
So even though this runs every night, it won't renew until day 60, as there is a check to see if it's time. If you want it sooner, add the --force option with your --issue. BTW, that --force might be useful as you attempt to perfect your certificate --issue with different domains.
I probably should mention, if it isn't clear by now, that we are installing one certificate with all your domains. They use Subject and Subject Alternative Names. That is why the -d ... -d .... -d ... -d ... (keep adding your others) until you have them all. The very first -d, however, is what you will use for --deploy and is the directory that will be created by acme.sh where your cert is installed. I generally make the first -d option my zmhostname.
You should be good now.
Jim