Installing Letsencrypt cert after root expiration


Post by barrydegraaff »

kdmiller45 wrote: Appreciate the help with the instruction on using certbot with Zimbra, however

the instructions in that link ( https://wiki.zimbra.com/wiki/Installing ... tificate?c)
Make sure to request a certificate with the --preferred-chain "ISRG Root X1" option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options.

It does not give the syntax to perform the command to request the required certs. Can you expand on that, and then your link can be used

ie: certbot blahhh blahhhh blahhhh
Keith

The wiki cannot tell you what you should do, as everyone does something else; there are many ways to implement Let's Encrypt.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/

Post by bryllej8 »

barrydegraaff wrote: The wiki cannot tell you what you should do, as everyone does something else, there are many ways to implement Let's Encrypt.

Hi, I'm one of those affected by the recent expiration of the root cert.

I'm using
Ubuntu 18
Zimbra 8.8.15

I'm doing the renewal manually every 3 months. The attached files below show the error that I got:
[Attachments: Capture1.PNG, Capture2.PNG, Capture3.PNG]

Hope you can provide a tutorial on how to fix it. Thanks.

Post by GlooM »

kdmiller45 wrote: This is the error I get when I run the command

What version is installed?

certbot --version

Mine is certbot 1.19.0

Post by zimico »

kdmiller45 wrote: This is the error I get when I run the command

I think you need to add -d <your full server hostname> into the command. For example:

Code:

certbot certonly -d mail.example.com --standalone --preferred-chain "ISRG Root X1"

Regards,
Minh.

Post by GlooM »

zimico wrote: I think you need to add -d <your full server hostname> into the command.

There shouldn't be a difference. If the "-d" key is not specified, the domain name will be requested after certbot is launched.

Post by realsparticle »

I am affected by the expiry of the root certificates.

This is the error I get when I try to renew and deploy new certificates:

System is Ubuntu 16.04 64 Bit with Zimbra 8.8.9 GA

Code:

Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' against '/run/certbot-zimbra/certs-Iim5c5On/privkey.pem'
Certificate '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' and private key '/run/certbot-zimbra/certs-Iim5c5On/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' against '/run/certbot-zimbra/certs-Iim5c5On/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-Iim5c5On/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

Is there someone that can provide a simple set of commands that will resolve this?

Code:

certbot --version
certbot 0.31.0

The above certbot version is the latest version available from the 16.04 repo.

We are running the latest certbot_zimbra.sh script.

When we run the command in the previous post we get this:

Code:

sudo certbot certonly -d our.domain -d our.otherdomain --standalone --preferred-chain "ISRG Root X1"
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

Can anyone help us get this sorted and our systems back up?

Cheers
Spart

Post by realsparticle »

I followed this guide and I now have a fully working zimbra with up to date certificates.

Replace <domain> with your domain :)

Then:

cp /etc/letsencrypt/live/<domain>/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

The files in /etc/letsencrypt/live/ are symbolic links to files in /etc/letsencrypt/archive/.
Check which files they point at (cert.pem, chain.pem, ...)

Then perform this, but replace the part with the correct one.

cat /tmp/R3.pem > /etc/letsencrypt/archive/<domain>/chain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive/<domain>/chain.pem

As the zimbra user (su - zimbra) perform

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/<domain>/cert.pem /etc/letsencrypt/live/<domain>/chain.pem

If it runs successfully, perform the deploy. If it gives you a file permissions error, temporarily do this:

chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/live

And verify the cert again.

You can run certbot-zimbra deploy, or the below one:

I ran certbot_zimbra.sh and selected to use the cert that I already had from the failed previous attempt.

Afterwards remove the extra permissions (as root)

chmod o-rx /etc/letsencrypt/archive
chmod o-rx /etc/letsencrypt/live

Restart zimbra:

zmcontrol restart

I had to restart the full server to stop issues when I was sending test emails. So something requires a reboot of the system to be fully recognised.

Cheers
Spart
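
The chain step in the procedure above works because the chain file has to hold every issuer up to a self-signed root. The following is an added example, not part of any post in this thread and not Zimbra or certbot code: it builds a throwaway three-level PKI and uses openssl verify as a stand-in for the chain check, showing that an intermediate-only chain fails and intermediate plus root passes. All subject names and the helpers make_demo_pki, chain_ok and demo are constructed for illustration.

```sh
#!/bin/sh
# Added example. Names, subjects and helper functions are constructed.

# make_demo_pki DIR: build root -> intermediate -> leaf certificates in DIR.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Demo $n" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root; root signs the intermediate; intermediate signs the leaf.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 2 -days 2 \
        -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" \
        -CAkey "$d/inter.key" -set_serial 3 -days 2 \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

# chain_ok CERT CHAIN: true only if CERT verifies with CHAIN as the CA file.
# openssl may also consult the system CA directory; the demo root is not there.
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# demo: compare an intermediate-only chain with intermediate + root.
demo() {
    t=$(mktemp -d) || return 1
    make_demo_pki "$t" || { rm -rf "$t"; return 1; }
    cat "$t/inter.pem" > "$t/short.pem"
    cat "$t/inter.pem" "$t/root.pem" > "$t/full.pem"
    for c in short full; do
        if chain_ok "$t/leaf.pem" "$t/$c.pem"; then
            echo "$c chain: verifies"
        else
            echo "$c chain: fails (issuer missing)"
        fi
    done
    rm -rf "$t"
}

demo
```
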

Post by rd3adx »

realsparticle wrote: I followed this guide and I now have a fully working zimbra with up to date certificates.

Please help me, I used the instructions, but I have an error.

zimbra@mail:/etc/letsencrypt/archive$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.bss7.ru-0001/cert.pem /etc/letsencrypt/live/mail.bss7.ru-0001/chain.pem
** Verifying '/etc/letsencrypt/live/mail.bss7.ru-0001/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/etc/letsencrypt/live/mail.bss7.ru-0001/cert.pem'

I have set permissions

chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/live

Please help me to overcome the problem.

Post by kdmiller45 »

Thanks all for the replies

Keith