kdmiller45 wrote:
> Appreciate the help with the instruction on using certbot with Zimbra however
> the instructions in that link ( https://wiki.zimbra.com/wiki/Installing ... tificate?c)
> Make sure to request a certificate with the --preferred-chain "ISRG Root X1" option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options.
> It does not give the syntax to perform the command to request the required certs can you expand on that and then your link can be used
> ie: certbot blahhh blahhhh blahhhh
> Keith

The wiki cannot tell you what you should do, as everyone does something else, there are many ways to implement Let's Encrypt.
Installing Letsencrypt cert after root expiration
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Installing Letsencrypt cert after root expiration
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
Re: Installing Letsencrypt cert after root expiration
barrydegraaff wrote:
> kdmiller45 wrote:
> > Appreciate the help with the instruction on using certbot with Zimbra however
> > the instructions in that link ( https://wiki.zimbra.com/wiki/Installing ... tificate?c)
> > Make sure to request a certificate with the --preferred-chain "ISRG Root X1" option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options.
> > It does not give the syntax to perform the command to request the required certs can you expand on that and then your link can be used
> > ie: certbot blahhh blahhhh blahhhh
> > Keith
>
> The wiki cannot tell you what you should do, as everyone does something else, there are many ways to implement Let's Encrypt.

Hi, I'm one of those affected by the recent expiration of the root cert,
I'm using
ubuntu 18
zimbra 8.8.15
doing the renew manually every 3 mos. The attached file below is the error that I got.
Hope you can provide a tutorial on how to fix it. Thanks.
Re: Installing Letsencrypt cert after root expiration
kdmiller45 wrote:
> This is the error I get when I run the command

What version is installed?
certbot --version
Mine is - certbot 1.19.0
- zimico
- Outstanding Member
- Posts: 225
- Joined: Mon Nov 14, 2016 8:03 am
- Location: Vietnam
- ZCS/ZD Version: 8.8.15 P3
- Contact:
Re: Installing Letsencrypt cert after root expiration
kdmiller45 wrote:
> This is the error I get when I run the command

I think you need to add -d <your full server hostname> into the command. For example:
Code:
certbot certonly -d mail.example.com --standalone --preferred-chain "ISRG Root X1"
Minh.
Re: Installing Letsencrypt cert after root expiration
zimico wrote:
> kdmiller45 wrote:
> > This is the error I get when I run the command
>
> I think you need to add -d <your full server hostname> into the command. For example:
> Code:
> certbot certonly -d mail.example.com --standalone --preferred-chain "ISRG Root X1"
> Regards,
> Minh.

There shouldn't be a difference. If the key "-d" is not specified, the domain name will be requested after launching certbot.
-
- Posts: 41
- Joined: Sat Sep 13, 2014 3:29 am
Re: Installing Letsencrypt cert after root expiration
I am affected by the expiry of the root certificates.
This is the error I get when I try to renew and deploy new certificates:
System is Ubuntu 16.04 64 Bit with Zimbra 8.8.9 GA
Code:
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' against '/run/certbot-zimbra/certs-Iim5c5On/privkey.pem'
Certificate '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' and private key '/run/certbot-zimbra/certs-Iim5c5On/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-Iim5c5On/cert.pem' against '/run/certbot-zimbra/certs-Iim5c5On/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /run/certbot-zimbra/certs-Iim5c5On/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate

Is there someone that can provide a simple set of commands that will resolve this?
Code:
certbot --version
certbot 0.31.0

The above certbot version is the latest version available from the 16.04 repo.
We are running the latest certbot_zimbra.sh script.
When we run the command in the previous post we get this:
Code:
sudo certbot certonly -d our.domain -d our.otherdomain --standalone --preferred-chain "ISRG Root X1"
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

Can anyone help us get this sorted and our systems back up?
Cheers
Spart
-
- Posts: 41
- Joined: Sat Sep 13, 2014 3:29 am
Re: Installing Letsencrypt cert after root expiration
I followed this guide and I now have a fully working zimbra with up to date certificates.
Replace with your domain
Then:
cp /etc/letsencrypt/live//privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
The files in /etc/letsencrypt/live/ are symbolic links to files in /etc/letsencrypt/archive/.
Check which files they point at (cert.pem, chain.pem, ...)
Then perform this, but replace the part with correct one.
cat /tmp/R3.pem > /etc/letsencrypt/archive//chain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive//chain.pem
As zimbra (su - zimbra) user perform
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live//cert.pem /etc/letsencrypt/live//chain.pem
If it runs successfully perform deploy. If it gives you file permissions error temporarily do this:
chmod o+rx /etc/letsencrypt/archive
chmod o+rx /etc/letsencrypt/live
And verify the cert again.
You can run certbot-zimbra deploy, or the below one:
I ran certbot_zimbra.sh and selected to use the cert that I already had from the failed previous attempt.
Afterwards remove the extra permissions (as root)
chmod o-rx /etc/letsencrypt/archive
chmod o-rx /etc/letsencrypt/live
Restart zimbra:
zmcontrol restart
I had to restart the full server to stop issues when I was sending test emails. So something requires a reboot of the system to be fully recognised.
Cheers
Spart
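
The zmcertmgr error in the earlier post stops at a certificate whose issuer is not in the chain file, and the guide above rebuilds chain.pem from the R3 and ISRG Root X1 downloads. As an added example (not from any poster or from the certbot-zimbra project), this script lists the subject and issuer of each certificate in a chain file and reports a broken or missing link before zmcertmgr verifycrt is run; the function names and the make_sample test chain are constructed for illustration.

```shell
# Added example, not from the thread. It compares issuer/subject names only;
# signatures are still checked afterwards by zmcertmgr verifycrt.
# split_chain FILE DIR: write each certificate to DIR/cert-N.pem, print the count
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# name_of subject|issuer FILE: print that name from one certificate
name_of() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# check_chain FILE: 0 if every certificate is issued by the next one and the
# last one is self-signed (a root), 1 if a link is broken or missing, 2 if empty
check_chain() {
    dir=$(mktemp -d) || return 2
    count=$(split_chain "$1" "$dir" 2>/dev/null); count=${count:-0}
    i=1; rc=0
    [ "$count" -gt 0 ] || { echo "no certificates in $1"; rc=2; }
    while [ "$i" -le "$count" ]; do
        subject=$(name_of subject "$dir/cert-$i.pem")
        issuer=$(name_of issuer "$dir/cert-$i.pem")
        printf '[%s] subject: %s\n    issuer:  %s\n' "$i" "$subject" "$issuer"
        if [ "$i" -lt "$count" ]; then
            next=$(name_of subject "$dir/cert-$((i + 1)).pem")
            [ "$issuer" = "$next" ] || { echo "    BROKEN: next certificate is not this issuer"; rc=1; }
        elif [ "$issuer" != "$subject" ]; then
            echo "    INCOMPLETE: issuer of the last certificate is not in the file"; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# make_sample DIR: constructed test root and intermediate (not real Let's Encrypt certs)
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" \
        -out "$1/root.pem" -subj "/CN=Constructed Root" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$1/int.key" \
        -out "$1/int.csr" -subj "/CN=Constructed Intermediate" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -out "$1/int.pem" -days 1 2>/dev/null
}

# Check the file given as the first argument, if any
if [ -n "${1:-}" ]; then check_chain "$1"; fi
```

Given the path of a chain.pem as its first argument, the script prints one subject/issuer pair per certificate and exits non-zero when the file would fail for the reason shown in the zmcertmgr output.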
Re: Installing Letsencrypt cert after root expiration
realsparticle wrote:
> I followed this guide and I now have a fully working zimbra with up to date certificates.
> Replace with your domain
> Then:
> cp /etc/letsencrypt/live//privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
> chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
> wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
> wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
> The files in /etc/letsencrypt/live/ are symbolic links to files in /etc/letsencrypt/archive/.
> Check which files they point at (cert.pem, chain.pem, ...)
> Then perform this, but replace the part with correct one.
> cat /tmp/R3.pem > /etc/letsencrypt/archive//chain.pem
> cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive//chain.pem
> As zimbra (su - zimbra) user perform
> /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live//cert.pem /etc/letsencrypt/live//chain.pem
> If it runs successfully perform deploy. If it gives you file permissions error temporarily do this:
> chmod o+rx /etc/letsencrypt/archive
> chmod o+rx /etc/letsencrypt/live
> And verify the cert again.
> You can run certbot-zimbra deploy, or the below one:
> I ran certbot_zimbra.sh and selected to use the cert that I already had from the failed previous attempt.
> Afterwards remove the extra permissions (as root)
> chmod o-rx /etc/letsencrypt/archive
> chmod o-rx /etc/letsencrypt/live
> Restart zimbra:
> zmcontrol restart
> I had to restart the full server to stop issues when I was sending test emails. So something requires a reboot of the system to be fully recognised.
> Cheers
> Spart

Please help me, I used the instructions, but I have an error.
zimbra@mail:/etc/letsencrypt/archive$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.bss7.ru-0001/cert.pem /etc/letsencrypt/live/mail.bss7.ru-0001/chain.pem
** ** Verifying '/etc/lets'encrypt/live/mail.bss7.ru-0001/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/etc/lets'encrypt/live/mail.bss7.ru-0001/cert.pem'
I have set permissions
chmod o+rx /etc/let'sencrypt/archive
chmod o+rx /etc/lets'encrypt/live
Please help me to overcome the problem.
- kdmiller45
- Advanced member
- Posts: 59
- Joined: Sun Jan 19, 2020 11:08 pm
Re: Installing Letsencrypt cert after root expiration
Thanks all for the replies
Keith
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Installing Letsencrypt cert after root expiration
Another guide is at https://postboxservices.com/blogs/post/ ... ates-on-it
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/