myriad wrote: Hey Jim:
Quick question: I am using the deploy script and I have followed all of the suggestions in this thread, but even though the script runs successfully the certificates don't update?? When I updated .acme.sh, the updater didn't deploy a cron job so I am using the command: ./acme.sh --deploy --deploy-hook zimbra -d mail.mydomain.ca. Where am I going wrong? How do I renew successfully?
I am slightly confused so a bunch of answers.
Just in case... the process is to update or issue certificates, followed by deploying those certificates. So it's always going to be 2 steps unless you use the --cron option shown below in the cron answer, and it will do both steps for you once you have run these two steps at least one time. To recap:
# su - zimbra
% cd .acme.sh
% ./acme.sh --issue ... # this will get the certificate
% ./acme.sh --deploy ... # this will install/deploy it in zimbra
This should update a file in directory mail.mydomain.ca given that is the first -d argument in your deploy above. If you do this:
% egrep '(Le_Webroot|Le_DeployHook)' /opt/zimbra/.acme.sh/mail.mydomain.ca/mail.mydomain.ca.conf
Le_Webroot='dns_cf'
Le_DeployHook='zimbra,'
You can see that acme.sh now knows the method you are validating with and the deploy hook it will use upon a successful certificate issue.
Cron entry answer:
# su - zimbra
% cd .acme.sh; ./acme.sh --install-cronjob
% crontab -l |grep -B 2 acme
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null
Later, if you decide to test this process or get a new certificate, you can do this in one step from the command line should you be < 60 days from the last issue (by adding --force):
% /opt/zimbra/.acme.sh/acme.sh --cron --force --home /opt/zimbra/.acme.sh
% /opt/zimbra/.acme.sh/acme.sh --list
Does this help? Most of the time once you can verify that the --cron works from the command line you can expect to have renewals handled every 60 days even though the certificate is good for as long as 90 days.
I think my wiki article might explain this in more detail if any of this isn't as clear as it should be. I was caught off guard when acme.sh became this super client that handles other CAs, which is why we force it back to letsencrypt with a few extra commands for newer versions of the script and use the alternative letsencrypt chain. Once those 2 commands are working, I think we are good until 2035.
Jim
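The two checks Jim describes (read Le_Webroot and Le_DeployHook out of the per-domain conf, and confirm the --cron job is in the zimbra crontab) as a small shell script. This is an added example, not code from the forum thread or from acme.sh itself; the sample conf contents and the crontab line it parses are constructed here, and the conf path and key names follow the layout shown in the post above.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): verify that a domain is
# ready for unattended renewal + deploy. acme.sh writes one conf per domain under
# ~/.acme.sh/<domain>/<domain>.conf with lines like Le_Webroot='dns_cf' and
# Le_DeployHook='zimbra,' (the hook list keeps a trailing comma).

# Print the value of key $2 (Le_Webroot, Le_DeployHook, ...) from conf $1, quotes stripped.
acme_conf_value() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# Print a one-line status for conf $1 and return:
#   0 = validation method and zimbra deploy hook both recorded
#   1 = no zimbra deploy hook (only --issue has ever been run)
#   2 = no validation method (--issue has never completed for this domain)
#   3 = conf file missing
acme_conf_status() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf"; return 3; }
    webroot=$(acme_conf_value "$conf" Le_Webroot)
    hook=$(acme_conf_value "$conf" Le_DeployHook)
    if [ -z "$webroot" ]; then
        echo "no validation method recorded; run ./acme.sh --issue first"
        return 2
    fi
    case ",$hook" in
        *,zimbra,*)
            echo "ok: validation=$webroot deploy-hook=zimbra"
            return 0 ;;
        *)
            echo "no zimbra deploy hook recorded; run ./acme.sh --deploy --deploy-hook zimbra once"
            return 1 ;;
    esac
}

# Return 0 when a crontab listing on stdin (e.g. from `crontab -l`) carries the
# acme.sh --cron job that --install-cronjob creates.
acme_cron_installed() {
    grep -q 'acme\.sh.*--cron' 
}

# Constructed sample conf in the shape acme.sh leaves after --issue and --deploy.
write_sample_conf() {
    cat > "$1" <<'EOF'
Le_Domain='mail.mydomain.ca'
Le_Webroot='dns_cf'
Le_DeployHook='zimbra,'
EOF
}

# Stand-alone demo using the constructed conf and a constructed crontab line.
tmp=$(mktemp) && write_sample_conf "$tmp"
acme_conf_status "$tmp"
printf '%s\n' '18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null' \
    | acme_cron_installed && echo "cron: acme.sh --cron job installed"
rm -f "$tmp"
```

On a real host you would run it as the zimbra user, point `acme_conf_status` at /opt/zimbra/.acme.sh/mail.mydomain.ca/mail.mydomain.ca.conf and pipe `crontab -l` into `acme_cron_installed`; a return of 1 from the status check is exactly the situation in the question, where --deploy has to be run once by hand before --cron will deploy on its own.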