Thanks for your kind help. Unfortunately, I got the following error:
Code:
[administrator@mail acme.sh]$ ./acme.sh --renew -d mail.zimilab.com
[Thu Mar 29 23:35:19 +07 2018] Renew: 'mail.zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Multi domain='DNS:zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Getting domain auth token for each domain
[Thu Mar 29 23:35:21 +07 2018] Getting webroot for domain='mail.zimilab.com'
[Thu Mar 29 23:35:21 +07 2018] Getting new-authz for domain='mail.zimilab.com'
[Thu Mar 29 23:35:24 +07 2018] The new-authz request is ok.
[Thu Mar 29 23:35:24 +07 2018] Getting webroot for domain='zimilab.com'
[Thu Mar 29 23:35:24 +07 2018] Getting new-authz for domain='zimilab.com'
[Thu Mar 29 23:35:25 +07 2018] The new-authz request is ok.
[Thu Mar 29 23:35:25 +07 2018] mail.zimilab.com is already verified, skip dns-01.
[Thu Mar 29 23:35:25 +07 2018] zimilab.com is already verified, skip dns-01.
[Thu Mar 29 23:35:25 +07 2018] Verify finished, start to sign.
[Thu Mar 29 23:35:28 +07 2018] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Thu Mar 29 23:35:28 +07 2018] Your cert is in /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.cer
[Thu Mar 29 23:35:28 +07 2018] Your cert key is in /home/administrator/.acme.sh/mail.zimilab.com/mail.zimilab.com.key
[Thu Mar 29 23:35:29 +07 2018] The intermediate CA cert is in /home/administrator/.acme.sh/mail.zimilab.com/ca.cer
[Thu Mar 29 23:35:29 +07 2018] And the full chain certs is there: /home/administrator/.acme.sh/mail.zimilab.com/fullchain.cer
[Thu Mar 29 23:35:29 +07 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Thu Mar 29 23:35:29 +07 2018] Call hook error.
I tried to continue with deploying the cert to see what happens:
Code:
[zimbra@mail letsencrypt]$ ./deploy-zimbra-letsencrypt.sh
zimbra/
zimbra/server/
zimbra/server/server.crt
zimbra/server/server.key
zimbra/server/server.csr
zimbra/ca/
zimbra/ca/ca.key
zimbra/ca/index.txt.attr
zimbra/ca/index.txt
zimbra/ca/ca.srl
zimbra/ca/ca.srl.old
zimbra/ca/zmssl.cnf
zimbra/ca/index.txt.old
zimbra/ca/newcerts/
zimbra/ca/newcerts/1514395920.pem
zimbra/ca/newcerts/1514395914.pem
zimbra/ca/newcerts/1514395905.pem
zimbra/ca/newcerts/1514395909.pem
zimbra/ca/ca.pem
zimbra/commercial/
zimbra/commercial/commercial_ca.crt
zimbra/commercial/commercial.key
zimbra/commercial/commercial.crt
zimbra/jetty.pkcs12
** Verifying 'mail.zimilab.com.cer' against 'mail.zimilab.com.key'
Certificate 'mail.zimilab.com.cer' and private key 'mail.zimilab.com.key' match.
** Verifying 'mail.zimilab.com.cer' against 'fullchain.cer'
ERROR: Unable to validate certificate chain: mail.zimilab.com.cer: CN = mail.zimilab.com
error 10 at 0 depth lookup:certificate has expired
OK
In https://github.com/Neilpang/acme.sh/wik ... anual-mode, I see:
Please add the TXT record to your DNS records. This step is required every time you renew your certificate. With DNS api mode, this step can be automated.
So I understand that I always have to update the TXT record manually, even if I renew before 60 days?
Best regards,