Certificate/Certbot - best way?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

The single certificate will list all your domains. You are using a single certificate that has a subject name and alternative subject names which is the terminology that is used in certificates for your FQDN. It just works for as many domains. There is a limit but it is in the 100's if not higher. Can't remember off the top of my head but it's in the original thread I wrote on this in the Admin forums.

So you will reissue a new certificate but it will not work because you are less than 60 days should you try... adding --force will get you the certificate.

Jim
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you, Jim.

Ahh, yes. Now it's clear.

One single certificate for many domains. So whenever I add a domain, I force reissue a certificate for all existing domains including a new one.

Code:
./acme.sh --issue --dns dns_cf --challenge-alias mail.example.com -d mail.example1.com -d mail.example2.com...
CNAME record for every domain must be set

Code:
_acme-challenge           IN CNAME _acme-challenge.adifferentCFzone.com.
Would that be correct?

Regarding crontab

Code:
# su - zimbra
% crontab -l |grep acme
24 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
I guess it works. Every 24h the script should get executed.

Thank you
Br,
kd
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

kdiamond wrote:Thank you, Jim.

Ahh, yes. Now it's clear.

One single certificate for many domains. So whenever I add a domain, I force reissue a certificate for all existing domains including a new one.

Code:
./acme.sh --issue --dns dns_cf --challenge-alias mail.example.com -d mail.example1.com -d mail.example2.com...
CNAME record for every domain must be set

Code:
_acme-challenge           IN CNAME _acme-challenge.adifferentCFzone.com.
Would that be correct?
Yes
kdiamond wrote:
Regarding crontab

Code:
# su - zimbra
% crontab -l |grep acme
24 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
I guess it works. Every 24h the script should get executed.
Yes, every 24 hours it will run and immediately exit until day 60, when it will renew the certificate.
You can tell when by doing this:

Code:
# su - zimbra
% cd .acme.sh
% ./acme.sh --list
Note: There is going to be some oddity with making renewal installation work for you as that cron entry normally does renewal + installation but you installed manually and it doesn't know how to do the second part yet.

You have 2 options to get around this. The first is to remove or move the directory that was created with your certificate which happens to be the first -d argument. The second is to modify the .conf file in the directory so that it uses the deploy option you want for installation.

If you want to continue to do this install manually and not use the zimbra.sh script for installation, then you can create your own installation script and add that to cron. The acme.sh --cron line will renew the certificate on day 60 but not deploy it in that scenario. Your own script could install it on day 61 or later for example or you could have your own cron script remind you to do it manually again until you are confident with the installation process. I have a cron script I use to remind myself via email that tomorrow the certificate will be renewed because the process is too automated for renewal and I would miss it otherwise. Early on, we experienced an odd bug when the MTA didn't start but Zimbra thought it had because of PID wrap around that fooled the start scripts for postfix which was fixed a few years ago.

Now it is simpler to use this with acme.sh to alert yourself... you could install it (your script) or email yourself. Our zimbra.sh deploy script uses logger, which goes to a central syslog server we watch here on our NOC displays.

Code:
--renew-hook                      Command to be run once for each successfully renewed certificate.

Jim
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

In case it isn't obvious, you can test the renewal process anytime from the command line like this ... just cutting and pasting the line from cron and adding --force.

Code:
# su - zimbra
% "/opt/zimbra/.acme.sh"/acme.sh --force --cron --home "/opt/zimbra/.acme.sh"
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Thank you Jim.

I will pick the less complicated option, of course. I will use your script as it was designed to do. I did those steps manually, just to see if all steps are working well.

So if I got everything right, for 3 domains I should do the following:

1. make VM Snapshot
2. backup /opt/zimbra/.acme.sh folder

3. delete /opt/zimbra/.acme.sh/mail.mydomain.com folder containing current certificate

4. ./acme.sh --issue --dns dns_cf --force --challenge-alias someotherdomain.com -d mail1.example.com -d mail2.example.com -d mail3.example.com
5. ./acme.sh --deploy --deploy-hook zimbra -d mail1.example.com -d mail2.example.com -d mail3.example.com

Should that be all?

Thank you
Br,
Dali
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

It works!!! Pure magic.

Thank you for your great help and patience!

Br,
Dali
ernani
Posts: 2
Joined: Fri Jun 11, 2021 1:41 pm

Re: Certificate/Certbot - best way?

Post by ernani »

Hi everyone!

Thank you all for all the effort you've invested in explaining how to install our certificates with the acme script, and particularly JDunphy.

One question: It isn't clear to me if the cron job will renew and deploy the certificates after 60 days or if it will simply renew them and then I have to login as zimbra user to deploy them. I was expecting that the account.conf file should have some info about the deploy hook we use (the zimbra script) but there isn't any...
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Certificate/Certbot - best way?

Post by JDunphy »

ernani wrote: One question: It isn't clear to me if the cron job will renew and deploy the certificates after 60 days or if it will simply renew them and then I have to login as zimbra user to deploy them. I was expecting that the account.conf file should have some info about the deploy hook we use (the zimbra script) but there isn't any...
Short answer: there is another conf file.

Cron will renew AND deploy the certificate, including the restart of zimbra, if you issued the deploy option at any time and were successful. That zimbra cron entry was created by acme.sh when you installed the acme.sh script as zimbra, since zmcertmgr needs to run as zimbra with 8.7+. It is possible to not use acme.sh for installation since it is really 2 commands: issue and deploy... This allows one maximum flexibility to verify they can issue certificates with whatever validation method they have chosen and also have zimbra validate it without installing it. At any time you can do the --issue manually and, if you like the result, then move to the --deploy next. If you forget, then cron will do it for you at your next time interval. When it does that renewal/install is determined by the output of ./acme.sh --list ... So the --cron option is running both --issue and --deploy if it can, depending on what is in that other conf file. If the issue fails, it will not attempt installation of the bad certificate. The zimbra.sh deploy script will also bail if the certificate will not validate with zimbra, so there is a second fail safe in place at the deploy stage.

Explaining this in a little more detail.

For acme.sh, it learns as you go and updates the conf file for you. If you issue the deploy at anytime then it will update a file in the directory which was the first -d option you gave. For example:

Code:
# su - zimbra
% cd .acme.sh
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
If you look inside ~/.acme.sh/mail.example.com you will see a mail.example.com.conf file that it maintains. The account.conf file you mention is used by verification scripts like dnsapi/dns_cf.sh for authentication parameters and by acme.sh itself. (So for the above: Le_Webroot='dns_cf' would be present in mail.example.com.conf.) Similarly, if you change your preferred letsencrypt chain it will add a field to that file.

You can use the deploy option at any time, even on machines where you didn't create the certificate. An example of when you might do that is if you are migrating zimbra to another server or a new server. All you need is that ~zimbra/.acme.sh directory and its contents on the new server, then the --deploy option above and it will install.

Finally... you could issue your certificates with another method say --stateless or --tls and then use the --deploy --deploy-hook zimbra if DNS verification wasn't something you wanted to do.

Note: The deploy/zimbra.sh script needs to get smarter because different preferred chains with letsencrypt and now a different CA from ZeroSSL are possible.

HTH,

Jim
Last edited by JDunphy on Fri Jun 11, 2021 9:11 pm, edited 1 time in total.
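The "other conf file" Jim describes is what decides whether the nightly --cron run only renews or also deploys. As an added example (not the forum's or acme.sh's own code), here is a small Python reader for that per-domain .conf that reports the domains covered, the validation method, whether a deploy hook was recorded, and the days until the next renewal; the sample file contents are constructed, and the key names other than Le_Webroot (Le_Domain, Le_Alt, Le_DeployHook, Le_NextRenewTime) are assumptions about acme.sh's file format.

```python
"""Summarise an acme.sh per-domain .conf (e.g. ~zimbra/.acme.sh/mail.example.com/mail.example.com.conf)."""
import re
from datetime import datetime, timezone

# Constructed sample; key names are an assumption about acme.sh's KEY='value' format.
SAMPLE_CONF = """\
Le_Domain='mail.example.com'
Le_Alt='mail.example.net,mail.example.org'
Le_Webroot='dns_cf'
Le_Keylength='2048'
Le_NextRenewTime='1663200000'
Le_NextRenewTimeStr='Thu Sep 15 00:00:00 UTC 2022'
Le_DeployHook='zimbra'
"""

_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)='(.*)'$")


def parse_conf(text):
    """Return the KEY='value' pairs as a dict; lines that do not fit the pattern are ignored."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def renewal_status(text, now):
    """Describe what acme.sh --cron would do for this certificate at `now` (an aware datetime)."""
    conf = parse_conf(text)
    domains = [conf.get("Le_Domain", "")]
    alt = conf.get("Le_Alt", "no")
    if alt and alt != "no":            # acme.sh stores 'no' when there are no alternative names
        domains += alt.split(",")
    hook = conf.get("Le_DeployHook", "")
    renew_raw = conf.get("Le_NextRenewTime")
    renew_at = datetime.fromtimestamp(int(renew_raw), tz=timezone.utc) if renew_raw else None
    return {
        "domains": domains,
        "validation": conf.get("Le_Webroot", ""),
        "deploy_hook": hook,
        "cron_will_deploy": bool(hook),  # no recorded hook: cron renews but never installs
        "days_until_renew": (renew_at - now).days if renew_at else None,
        "renew_due": bool(renew_at) and now >= renew_at,
    }


if __name__ == "__main__":
    for k, v in renewal_status(SAMPLE_CONF, datetime.now(timezone.utc)).items():
        print(f"{k}: {v}")
```

A reminder cron job like the one Jim mentions can call renewal_status a day ahead of the stored renew time and mail the result.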
ernani
Posts: 2
Joined: Fri Jun 11, 2021 1:41 pm

Re: Certificate/Certbot - best way?

Post by ernani »

Thanks Jim!

Looking forward to the acme.sh + ZeroSSL tutorial you promised :). I thought of trying out myself using ZeroSSL but it wasn't clear if I had to manually download and concatenate the root certificate of ZeroSSL or not, as in the case of Let's Encrypt. Therefore I decided to try out let's encrypt certificate for 90 days, and if it turns out that using ZeroSSL would be more preferable in the future, I'd simply delete my domain's certificates folder and issue new ones.

Thanks again for all your help!
kdiamond
Posts: 43
Joined: Mon Apr 12, 2021 12:52 am

Re: Certificate/Certbot - best way?

Post by kdiamond »

Dear Jim. Hello after a long time!!!

I need help again!

Today my certificates failed to work. It says those are expired. Don't know why it failed. It was working great since June 2021.

When I try to deploy it manually it says:

Code:
zimbra@dbstudio:~/.acme.sh/mail.dbstudio.si$ acme.sh --deploy --deploy-hook zimbra -d mail.dbstudio.si -d mail.dspsound.si -d mail.xstarbay.com -d mail.globevoices.com
** Verifying '/opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.cer' against '/opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.key'
Certificate '/opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.cer' and private key '/opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.key' match.
** Verifying '/opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.cer' against '/opt/zimbra/.acme.sh/mail.dbstudio.si/ca.cer.real'
ERROR: Unable to validate certificate chain: O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error /opt/zimbra/.acme.sh/mail.dbstudio.si/mail.dbstudio.si.cer: verification failed
[Mon Aug 22 02:04:08 CEST 2022] Error deploy for domain:mail.dbstudio.si
[Mon Aug 22 02:04:08 CEST 2022] Deploy error.
zimbra@dbstudio:~/.acme.sh/mail.dbstudio.si$
I have just updated acme version to v3.0.5, but still the same.

It will do all steps with success; only --deploy will fail.

Do you know the cause of it?

Thank you

Br,
Dali