Letsencrypt after October 1

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Letsencrypt after October 1

Post by phoenix »

Hi Jim

I've just tried the commands you posted and I'm getting an error saying there's an 'unknown parameter':

Code:

[zimbra@server .acme.sh]$ ./acme.sh  --set-default-chain  --preferred-chain  ISRG  --server letsencrypt
[Tue Oct 19 11:39:04 UTC 2021] Unknown parameter : --set-default-chain

[zimbra@server .acme.sh]$ ./acme.sh -v
https://github.com/acmesh-official/acme.sh
v2.8.8

Have I missed something obvious?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt after October 1

Post by JDunphy »

Hi Bill,

Upgrade the acme.sh software. Here is a working example of all the steps, assuming one installed it as zimbra and is using the zimbra deploy method.

Code:

# su - zimbra
% cd ~/.acme.sh
% ./acme.sh --upgrade
% ./acme.sh --version
v3.0.1
% ./acme.sh --set-default-ca  --server letsencrypt
% ./acme.sh  --set-default-chain  --preferred-chain  ISRG  --server letsencrypt

If you are using the zimbra.sh deploy method, pull the latest version so you get the ISRG cert.

Code:

% cd /tmp
% wget https://raw.githubusercontent.com/JimDunphy/acme.sh/master/deploy/zimbra.sh -O zimbra.sh
% cp zimbra.sh /opt/zimbra/.acme.sh/deploy

Those set-default-ca and set-default-chain options create entries in account.conf and ca.conf so that subsequent issues don't need to know anything more about trust anchors, future acme.sh CAs, etc. The letsencrypt root ISRG X1 expires in 2035. I make those 2 commands my steps for any new or existing installation, as acme.sh is now more capable and supports various commercial certificates in addition to a free version of ZeroSSL certificates. The ACME protocol looks like the big win for CAs over the past 10 years as more and more moved to this for their commercial users. For Zimbra users, letsencrypt works perfectly and continues to be hands-off after the initial install and certificate issue.

HTH,

Jim
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Letsencrypt after October 1

Post by phoenix »

Thanks Jim,

I updated my certificates recently and thought I'd already updated the acme script, but obviously not!! I'll give it an update and rerun it tomorrow. Thanks for helping an old man with a fading memory. :roll:
Regards

Bill

phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Letsencrypt after October 1

Post by phoenix »

Thanks Jim, as usual it all went to plan and thanks for your help and clear instructions, again. :)
Regards

Bill

JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt after October 1

Post by JDunphy »

phoenix wrote: Thanks Jim, as usual it all went to plan and thanks for your help and clear instructions, again. :)
That is great to hear!

I thought I had this stuff figured out and then ran into an issue when the syntax didn't do what I thought it should be doing, so hopefully we have a reproducible method that is bullet proof going forward. That acme.sh script, while awesome, has been so actively maintained/enhanced since I started using it that you don't realize how much it does until it doesn't work as intended. ;-) I don't want to go back to the days where I have to remember how I installed a commercial certificate each year when they come up for renewal.

Jim
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Letsencrypt after October 1

Post by myriad »

Hey Jim:

Quick question: I am using the deploy script and I have followed all of the suggestions in this thread, but even though the script runs successfully the certificates don't update?? When I updated .acme.sh, the updater didn't deploy a cron job, so I am using the command ./acme.sh --deploy --deploy-hook zimbra -d mail.mydomain.ca. Where am I going wrong? How do I renew successfully?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt after October 1

Post by JDunphy »

myriad wrote: Hey Jim:

Quick question: I am using the deploy script and I have followed all of the suggestions in this thread, but even though the script runs successfully the certificates don't update?? When I updated .acme.sh, the updater didn't deploy a cron job, so I am using the command ./acme.sh --deploy --deploy-hook zimbra -d mail.mydomain.ca. Where am I going wrong? How do I renew successfully?
I am slightly confused, so here are a bunch of answers.

Just in case... the process is to update or issue certificates, followed by deploying those certificates. So it's always going to be 2 steps unless you use the --cron option shown below in the cron answer, and it will do both steps for you once you have issued these two steps at least one time. To recap:

Code:

# su - zimbra
% cd .acme.sh
% ./acme.sh --issue ...       # this will get the certificate
% ./acme.sh --deploy ...     # this will install/deploy it in zimbra

This should update a file in the directory mail.mydomain.ca, given that is the first -d argument in your deploy above. If you do this:

Code:

% egrep '(Le_Webroot|Le_DeployHook)' /opt/zimbra/.acme.sh/mail.mydomain.ca/mail.mydomain.ca.conf
Le_Webroot='dns_cf'
Le_DeployHook='zimbra,'

You can see that acme.sh now knows the method you are validating with and the deploy hook it will use upon a successful certificate issue.

Cron entry answer:

Code:

# su - zimbra
% cd .acme.sh; ./acme.sh --install-cronjob
% crontab -l |grep -B 2 acme
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
18 0 * * * "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh" > /dev/null

Later, if you decide to test this process or get a new certificate, you can do this in one step from the command line, should you be < 60 days from the last issue (adding the --force):

Code:

% /opt/zimbra/.acme.sh/acme.sh --cron --force --home /opt/zimbra/.acme.sh
% /opt/zimbra/.acme.sh/acme.sh --list

Does this help? Most of the time, once you can verify that the --cron works from the command line, you can expect to have renewals handled every 60 days even though the certificate is good for as long as 90 days.

I think my wiki article might explain this in more detail if any of this isn't as clear as it should be. I was caught off guard when acme.sh became this super client that handles other CAs, which is why we force it back to letsencrypt with a few extra commands for newer versions of the script and to use the alternative letsencrypt chain. Once those 2 commands are working, I think we are good until 2035.

Jim
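An added pre-flight check for the setup Jim walks through above; it is not from the thread and not part of acme.sh or the zimbra.sh deploy hook. It reads the per-domain conf that --issue and --deploy leave behind (Le_Webroot, Le_DeployHook) and looks for the --install-cronjob entry in a dump of `crontab -l`; the domain, the temp directory standing in for /opt/zimbra/.acme.sh and the crontab text are constructed inputs.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or zimbra.sh): pre-flight check
# that a domain will renew and redeploy unattended. It checks the two keys
# Jim grepped (Le_Webroot = validation method, Le_DeployHook = hook run after
# a successful issue) and the cron entry written by --install-cronjob.

# conf_get FILE KEY: print the value of KEY='value' from an acme.sh conf file.
conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# check_acme_domain ACME_HOME DOMAIN CRONTAB_DUMP
# Prints one line per problem, with the command that fixes it; returns 0 only
# when nothing is missing.
check_acme_domain() {
    home=$1; domain=$2; crondump=$3
    conf="$home/$domain/$domain.conf"
    rc=0
    if [ ! -f "$conf" ]; then
        echo "no $conf: run ./acme.sh --issue ... -d $domain first"
        return 1
    fi
    [ -n "$(conf_get "$conf" Le_Webroot)" ] ||
        { echo "Le_Webroot empty: the --issue step never completed"; rc=1; }
    case $(conf_get "$conf" Le_DeployHook) in
        *zimbra*) ;;
        *) echo "Le_DeployHook is not zimbra: run ./acme.sh --deploy --deploy-hook zimbra -d $domain"; rc=1 ;;
    esac
    grep -q "acme.sh --cron --home" "$crondump" ||
        { echo "no acme.sh --cron entry in crontab: run ./acme.sh --install-cronjob"; rc=1; }
    return $rc
}

# Demo on a constructed layout (temp dir in place of /opt/zimbra/.acme.sh and
# a constructed crontab dump), so it runs without a Zimbra host.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mail.example.test"
    printf "Le_Webroot='dns_cf'\nLe_DeployHook='zimbra,'\n" \
        > "$tmp/mail.example.test/mail.example.test.conf"
    printf '18 0 * * * "%s"/acme.sh --cron --home "%s" > /dev/null\n' "$tmp" "$tmp" \
        > "$tmp/crontab.txt"
    if check_acme_domain "$tmp" mail.example.test "$tmp/crontab.txt"; then
        echo "ok: mail.example.test will renew and redeploy unattended"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as the zimbra user with `crontab -l > /tmp/cron.txt` and the real home and domain; each printed line names the step that was skipped.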
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Letsencrypt after October 1

Post by myriad »

It worked once I configured and ran the cron job. The only issue I had was that the restart command fails, as all services don't shut down and restart properly (though I had this issue with previous zimbra.sh scripts also):

Code:

Host mail.xxx.ca 
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done. 
Stopping proxy...Done. 
Stopping memcached...Done.
Stopping mailbox...Done
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.

Host mail.xxx.ca
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Failed.
Starting logswatch...failed.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done. 
Starting antispam...Done. 
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done. 
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.

[Fri Feb 4 08:42:41 EST 2022] Success


Thanks again for helping Jim, you are a lifesaver!

Rick
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt after October 1

Post by JDunphy »

myriad wrote:It worked once I configured and ran the cron job. The only issue I had was that the restart command fails as all services don't shutdown and restart properly (Though I had this issue with previous zimbra.sh scripts also.)

Rick
Hi Rick,

That isn't the way zmcontrol restart should work, is it?... Not terribly surprised, as I found other instances years ago with the MTA where we eventually got a patch that started shipping with the 8.8 release to fix the pid rollover issue that many of those scripts didn't compensate for when determining if a process was running. :-) ... One option is to add a pending notify the day before so you can run the command manually, or at least be aware that the certificate will be renewing the next day so you can verify things came up later, etc. I came up with a script after that MTA bug. One can add it below your acme.sh cron entry in zimbra's crontab.

Code:

17 0 * * * /usr/local/bin/zmcertNotice.sh > /dev/null 2>&1

All zmcertNotice.sh does is an acme.sh --list, and it will email you the day before it will attempt renewal. The location of where to find that file is in my wiki article under Script to Notify of Pending Renewal. If you do not need to know 24 hours in advance, that script probably isn't necessary, given acme.sh has added hooks, I believe, for notification. The other idea is to modify the zimbra.sh deploy hook and have it send you an email after the restart, or add your solution after the zmcontrol restart if it's always the logger stuff for you. Here it doesn't fail, but I am running the NETWORK version so don't know if there is any difference in the start up scripts. I would hope there wouldn't be.

Jim
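An added example of the "email after the restart" idea Jim mentions, not from the thread and not part of acme.sh or his zimbra.sh hook: it scans the zmcontrol restart transcript for services that did not come up (the "Starting logger...Failed." lines Rick saw) and mails them instead of letting the hook print Success. The admin address is an assumed parameter and the transcript in the test is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or zimbra.sh): tail for a deploy
# hook that reports every service "zmcontrol restart" failed to bring back.

# failed_services TRANSCRIPT: print one service name per line for each
# "Starting <svc>...<status>" line whose status is not Done; return 1 if any.
# Stopping lines are ignored: a service that never came back is what matters.
failed_services() {
    awk '/^Starting .*\.\.\./ {
            svc = $0; sub(/^Starting /, "", svc); sub(/\.\.\..*$/, "", svc)
            status = $0; sub(/^.*\.\.\./, "", status)
            if (tolower(status) !~ /^done/) { print svc; bad = 1 }
         }
         END { exit (bad ? 1 : 0) }' "$1"
}

# restart_and_report ADMIN_EMAIL [RESTART_CMD...]: run the restart (default is
# the zmcontrol call the hook already makes), mail the failures to ADMIN_EMAIL
# (an assumed parameter), or write them to stderr when mail(1) is absent so the
# cron run still leaves a trace. Returns 1 when anything failed to start.
restart_and_report() {
    to=$1; shift
    [ $# -gt 0 ] || set -- /opt/zimbra/bin/zmcontrol restart
    log=$(mktemp)
    "$@" > "$log" 2>&1
    if bad=$(failed_services "$log"); then
        rm -f "$log"
        return 0
    fi
    body=$(printf 'Services not running after certificate deploy on %s:\n%s' \
        "$(hostname)" "$bad")
    if command -v mail > /dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "zimbra restart incomplete" "$to"
    else
        printf '%s\n' "$body" >&2
    fi
    rm -f "$log"
    return 1
}
```

In the hook, replace the bare zmcontrol restart line with `restart_and_report admin@example.test` so a failed logger start reaches the admin rather than the cron job's /dev/null.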
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: Letsencrypt after October 1

Post by myriad »

I had a script I wrote to externally restart zimbra that I had used previously. I think the problem has to do with the bash environment so I have put the script in the 'Deploy' directory and modified your code a bit:

Code:

    #/opt/zimbra/bin/zmcontrol restart
    # Call the external restart script instead. It was copied into the deploy
    # directory, so reference it by its full path rather than ./ : the hook's
    # working directory is not guaranteed to be that directory.
    sh /opt/zimbra/.acme.sh/deploy/restartzimbra.sh
    return 0
}

Now I haven't tested it yet, but it did work before, so YMMV.

I have attached the restartzimbra.sh below.
Attachment: restartzimbra.zip (620 Bytes)