current documentation for using letsencrypt

kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

current documentation for using letsencrypt

Post by kdmiller45 »

Is there current documentation for installing letsencrypt for Zimbra?

O/S: Ubuntu 18.04
Zimbra: 8.8.15_GA_4272.FOSS

Keith
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: current documentation for using letsencrypt

Post by kdmiller45 »

When I try to perform the following task (as the zimbra user), I get the error shown:
zimbra@justourmail: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/justourmail.com/cert.pem /etc/letsencrypt/live/justourmail.com/chain.pem

** Verifying '/etc/letsencrypt/live/justourmail.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/etc/letsencrypt/live/justourmail.com/cert.pem'

Here is the directory (attachment: directory own.jpg).
Do I need to make zimbra the owner of the files that now belong to root, and if so, what permissions should they have?
Last edited by kdmiller45 on Sun May 22, 2022 1:55 pm, edited 1 time in total.
andras0602
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: current documentation for using letsencrypt

Post by andras0602 »

Have you seen this GitHub repo?
https://github.com/VojtechMyslivec/letsencrypt-zimbra
It works for me on CentOS7. But on Ubuntu, I would probably install certbot from snap.
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: current documentation for using letsencrypt

Post by kdmiller45 »

andras0602 wrote:Have you seen this GitHub repo?
https://github.com/VojtechMyslivec/letsencrypt-zimbra
It works for me on CentOS7. But on Ubuntu, I would probably install certbot from snap.
I THINK my issue here is the ownership of the files; I just want confirmation of that, what permissions the files should have, and whether I also need to change the group ownership.

I changed ownership and groups as shown below and still get the same error.
Attachment: new config directory own.jpg
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: current documentation for using letsencrypt

Post by JDunphy »

Keith,

Looking at the documentation from the wiki https://wiki.zimbra.com/wiki/Installing ... ertificate it would appear you have to do the following.

1) install certbot and issue a certificate that validates from the NON-default chain, which is the alternative chain and specified by ISRG Root X1
From your comments, it would appear you have that part working and a valid issued certificate for your domain. (no errors returned by certbot)
2) add ISRG-X1.pem to the end of chain.pem you just generated
3) copy the private key to zimbra manually

Things do get a little tricky with permissions if you are issuing your certificate as root, which is what I am thinking you are doing. I believe Barry (author of that official letsencrypt wiki) uses the DNS method of validation, so the official wiki documentation could have assumed all files required are readable by the zimbra user.

Looking at what you posted, it would be something like this, had you issued them as root, if I am following the wiki documentation above.

% su - 
# cp /etc/letsencrypt/live/justourmail.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# wget https://letsencrypt.org/certs/isrgrootx1.pem.txt -O /tmp/ISRG-X1.pem
# cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/justourmail.com/chain.pem
After this, we have 2 files we need to use that are owned by root if you issued your certs as that user. We also might have directory access problems to those 2 files.

Next, you can verify permissions first by doing this as the zimbra user, even if the files are owned by root. If that fails, you could chmod/chown them to allow the zimbra user read access, but a better plan might be to copy them to /tmp and chown them there to zimbra, or make sure the zimbra user has read access to them.

# su - zimbra
% cat /etc/letsencrypt/live/justourmail.com/chain.pem
% cat /etc/letsencrypt/live/justourmail.com/cert.pem
Once zimbra can read the chain.pem and cert.pem files, zmcertmgr verifycrt will work. Unfortunately, the next command, zmcertmgr deploycrt, can fail if access permissions are wrong somewhere in the pathname.
That is because of a bug in zmcertmgr with how it saves the current working directory should directory access permissions not be correct (bug 107454).

So the simplest way around this is to copy the 2 files to /tmp as the zimbra user:

# su - zimbra
% cp /etc/letsencrypt/live/justourmail.com/chain.pem /tmp
% cp /etc/letsencrypt/live/justourmail.com/cert.pem /tmp
Now issue the 2 commands like this:

# su - zimbra
% /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem
% /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem
The first command will verify that all the signatures are correct and you have valid certificates. The second command will copy the 2 certificates for you. One of the certs contains your public key, and the other certificate has your public key and the public keys of any other certificates that signed your certificate. Restart zimbra and remove those 2 files from /tmp once you have success.

I don't use certbot myself, and this is speculation on my part about what may have gone wrong if you followed the wiki documentation explicitly.

HTH,

Jim
Last edited by JDunphy on Mon May 23, 2022 12:49 am, edited 1 time in total.
andras0602
Advanced member
Posts: 62
Joined: Sat May 21, 2022 3:11 pm
ZCS/ZD Version: 8.8.15

Re: current documentation for using letsencrypt

Post by andras0602 »

kdmiller45 wrote:
andras0602 wrote:Have you seen this GitHub repo?
https://github.com/VojtechMyslivec/letsencrypt-zimbra
It works for me on CentOS7. But on Ubuntu, I would probably install certbot from snap.
I THINK my issue here is the ownership of the files; I just want confirmation of that, what permissions the files should have, and whether I also need to change the group ownership.

I changed ownership and groups as shown below and still get the same error.
You probably changed the ownership of the symlinks but not the real files they point to. Both will change with a cert renewal.
So in this case you can:

- elevate privileges to root with restrictions (maybe with sudo)

- or set an ACL with read access on the letsencrypt folder like:

setfacl -d -R -m user:zimbra:rX /etc/letsencrypt
setfacl -R -m user:zimbra:rX /etc/letsencrypt
- OR create a custom post-hook script and place it into this folder (do not forget the executable flag!):

/etc/letsencrypt/renewal-hooks/post

IMHO the post-hook script is the best and smartest approach and also the most common one. Just cat/copy the new certs to a different location, chown them to zimbra and do the necessary hocus-pocus with zmcertmgr.

But DO NOT set 755 recursively on the /etc/letsencrypt folder! It would make everything readable and executable by all users (like "nobody"), even your private key.
Btw, have you created RSA or EC certificates? How did you install certbot?
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: current documentation for using letsencrypt

Post by kdmiller45 »

I performed this command and got the error below:

zimbra@justourmail:/tmp$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem
** Verifying '/tmp/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/cert.pem' against '/tmp/chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /tmp/cert.pem: verification failed

Keith
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: current documentation for using letsencrypt

Post by JDunphy »

Keith,

That verify that is failing is doing a few things, but it is failing as it attempts to walk the chain of trust and validate that the certificate you presented is signed by valid trust anchors. That chain file contains all the certificates that signed your issued certificate. If you grep for BEGIN on that chain file, you can count the number of certificates that zmcertmgr is walking, including your own. If you issued your certificate with the default chain, then that last certificate (root anchor) is expired, and the openssl command, which is what zmcertmgr uses to verify the trust, will have a problem with that fact.

$ grep -A 1 BEGIN /tmp/chain.pem
What does all this mean? You either didn't present a certificate that was signed with the alternative letsencrypt chain when you issued your certificate, or you forgot that step where you cat a certificate onto the fullchain for this alternative signed chain. I have also seen people that did that cat certificate step, but the file they were adding to the end of the chain file was empty, so nothing was added and they didn't realize that. For most people, when they count the BEGINs they should see 4 if they have the default chain and 3 if they have the alternative chain. In general it is much harder to use letsencrypt certificates signed by the default chain with zimbra, as it requires a lot more workarounds associated with openssl. The irony is that if one was able to install the certificates and bypass the zmcertmgr checks, browsers and MUAs would have no issue with the certificate.

Does any of this make sense?

For a deeper background on why this is all so confusing, I put some notes together from the video letsencrypt did to present the problems with their trust anchor expiring and their workarounds. My notes: https://wiki.zimbra.com/wiki/JDunphy-LeChains
At the bottom are some links to tools that can tell you how/what your certificate was issued and signed and the original youtube video that the notes are based on.

letsencrypt can be difficult at first with zimbra, and then it works flawlessly. It probably doesn't help that there are hundreds of acme protocol clients you can choose from to issue your certificates. I use a different tool, which is a single bash script called acme.sh. You use one called certbot. They all work the same and get the job done. Once you have your certificate, then the zimbra dance is the same.

Jim
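A certbot hook that automates the staging steps from Jim's post (copy cert.pem and chain.pem out of /etc/letsencrypt, append ISRG Root X1, verify and deploy as zimbra) together with the post-hook approach andras0602 suggests, and that refuses the empty-root-file mistake Jim mentions. This is an added example, not code from the thread, the Zimbra wiki or certbot; every path, the hook name and the location of the saved ISRG-X1.pem are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Zimbra wiki: a certbot hook that
# stages a Let's Encrypt certificate for zmcertmgr as the thread describes (copy the
# files out of /etc/letsencrypt, append ISRG Root X1, hand them to zimbra).
# Every path below is an assumption; DOMAIN is the one used in the thread.
set -eu

DOMAIN=${DOMAIN:-justourmail.com}
LIVE=/etc/letsencrypt/live/$DOMAIN
ROOT_PEM=${ROOT_PEM:-/etc/letsencrypt/ISRG-X1.pem}   # self-signed ISRG Root X1, fetched once
STAGE=${STAGE:-/tmp/le-zimbra}                        # scratch dir the zimbra user can read
ZMCERTMGR=/opt/zimbra/bin/zmcertmgr
KEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key

# Number of PEM certificate blocks in a file (the thread's "grep for BEGIN" check);
# prints 0 for a missing or empty file instead of failing.
count_certs() {
    c=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || true
    printf '%s\n' "${c:-0}"
}

# stage_chain CERT CHAIN ROOT OUTDIR: copy cert/chain into OUTDIR and append ROOT so
# the chain zmcertmgr walks ends at ISRG Root X1. Rejects an empty root file (the
# silent "nothing was appended" failure from the thread) and is safe to run twice.
stage_chain() {
    cert=$1 chain=$2 root=$3 out=$4
    [ "$(count_certs "$root")" -eq 1 ] || { echo "bad root PEM: $root" >&2; return 1; }
    mkdir -p "$out"
    cp "$cert" "$out/cert.pem"
    cp "$chain" "$out/chain.pem"
    [ -z "$(tail -c 1 "$out/chain.pem")" ] || echo >> "$out/chain.pem"   # end with newline
    # Only append when the root is not already the last block of the chain.
    n=$(wc -l < "$root")
    if [ "$(tail -n "$((n))" "$out/chain.pem")" != "$(cat "$root")" ]; then
        cat "$root" >> "$out/chain.pem"
    fi
    chmod 644 "$out/cert.pem" "$out/chain.pem"   # public certificates only; no key here
}

# Run by certbot as root (e.g. --post-hook '/usr/local/sbin/le-zimbra-hook.sh --deploy').
if [ "${1:-}" = "--deploy" ]; then
    stage_chain "$LIVE/cert.pem" "$LIVE/chain.pem" "$ROOT_PEM" "$STAGE"
    install -o zimbra -g zimbra -m 600 "$LIVE/privkey.pem" "$KEY"
    chown -R zimbra:zimbra "$STAGE"
    su - zimbra -c "$ZMCERTMGR verifycrt comm $KEY $STAGE/cert.pem $STAGE/chain.pem"
    su - zimbra -c "$ZMCERTMGR deploycrt comm $STAGE/cert.pem $STAGE/chain.pem"
    su - zimbra -c "zmcontrol restart"
    rm -rf "$STAGE"
fi
```

Running `count_certs` on the staged chain.pem before deploying gives the BEGIN count Jim describes, so a chain that still ends in the expired default root shows up before zmcertmgr verifycrt fails.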