Another Letsencrypt method

JDunphy
Outstanding Member
Posts: 227
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64_201

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 6:27 pm

Pepe wrote: Hello JDunphy:
Still does not work, I must put

Code:

--yes-I-know-dns-manual-mode-enough-go-ahead-please

in order to install, otherwise I can't.

Code:

[zimbratest@prueba2 acme.sh]$ sh acme.sh --issue --dns -d mail.zimbraxyz.com
[jue jun 14 13:56:29 BOT 2018] It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode


Do I have to use socat? It's just one test server. One thing more, I have separate servers, one for Zimbra and another for DNS.

Thank you.

No... Here is the full message about socat from the output of acme.sh.

Code:

It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore

Given that you are not using acme.sh in one of its standalone verification methods, such as the few based on http/https, you don't need it.
Thanks for the heads up on that new option for manual DNS. I'll add that to this thread. I suspect that extra switch 'yes-I-know-dns-manual-mode-enough-go-ahead-please' was recently added to alert you to the fact that the verification window has been decreasing at letsencrypt. The author of acme.sh is most likely trying to get people to use an automatic mode, including those 2 automatic DNS modes or perhaps the many other server-based options with acme.sh. I don't like the server-based modes myself with zimbra because I don't want to take a zimbra outage to get/test and validate a certificate. I also use a push methodology here, so I don't need to be on the same machine on which I get my certs verified with those automatic DNS methods.

Note: This acme.sh software appears to be evolving fast, so many of the comments in this thread have alerted me to go back and issue an 'acme.sh --update' to get a new version. I love that DNS alias method BTW, which was added a few months ago.


Pepe
Posts: 28
Joined: Mon Jun 26, 2017 2:28 am

Re: Another Letsencrypt method

Postby Pepe » Thu Jun 14, 2018 7:50 pm

Hello again JDunphy:
It does not work... this is the message I receive when I try to renew

Code:

[zimbratest@prueba2 acme.sh]$ sh acme.sh --renew --dns -d mail.zimbralocalxyz.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[jue jun 14 15:33:15 BOT 2018] Renew: 'mail.zimbralocalxyz.com'
[jue jun 14 15:36:52 BOT 2018] Single domain='mail.zimbralocalxyz.com'
[jue jun 14 15:36:52 BOT 2018] Getting domain auth token for each domain
[jue jun 14 15:36:52 BOT 2018] Verifying:mail.zimbralocalxyz.com
[jue jun 14 15:44:02 BOT 2018] mail.zimbralocalxyz.com:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}


And this is my dns record

Code:

_acme-challenge.mail.zimbralocalxyz.com.        IN      TXT     "ad5p2Cq7jIDLW6qfe5LPTsB5rcy01NQNLO1MJjJN9L0"


Gonna try with deploy.sh
Thanks.

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 8:08 pm

Pepe wrote: Hello again JDunphy:
It does not work... this is the message I receive when I try to renew

And this is my dns record

Code:

_acme-challenge.mail.zimbralocalxyz.com.        IN      TXT     "ad5p2Cq7jIDLW6qfe5LPTsB5rcy01NQNLO1MJjJN9L0"


Gonna try with deploy.sh
Thanks.


Don't use deploy until you have a valid cert. You need to see success back from acme.sh. You should see something like this, with Success most likely in green depending on your terminal window:

Code:

[Wed Jun 13 09:33:04 PDT 2018] Verifying: mail.zimbralocalxyz.com
[Wed Jun 13 09:33:07 PDT 2018] Success

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 8:29 pm

The order is: --init then --renew. If you get an error with --renew then you are back at --init again I believe. So the process is:

Code:

# acme.sh has no --init command; the command that starts a manual-mode
# request is --issue (as used earlier in this thread). It prints the TXT
# record you must publish before the --renew step below.
acme.sh --issue --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

Update the TXT record and SOA. Watch out for caching, because letsencrypt is going to be pulling that TXT record when you issue the --renew command for verification.

Code:

# Second step: acme.sh asks letsencrypt to verify the TXT record published above.
acme.sh --renew --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

The error message 'The challenge is not pending' seems to indicate that something went wrong at --init, or the internal state files under .acme.sh/mail.zimbralocalxyz.com are corrupt, I think.

Perhaps try with a clean state and wipe the ~/.acme.sh directory, or just that .acme.sh/mail.zimbralocalxyz.com directory ... assuming you did your git clone of acme.sh in your home directory, here is how to start fresh.

Code:

mv ~/.acme.sh ~/acme.sh-to-delete
cd ~/acme.sh
# acme.sh has no --update command. --install (run from the git checkout)
# is what (re)creates ~/.acme.sh and copies the files there; --upgrade is
# the command that fetches the latest version afterwards. The checked-out
# copy is run explicitly because the usual 'acme.sh' alias points into the
# ~/.acme.sh directory that was just moved aside.
./acme.sh --install   # this will re-create the .acme.sh directory and files
cd ~/.acme.sh

Note: update account.conf if you had one before, with your email address, etc.

Now begin with:

Code:

# acme.sh has no --init command; --issue is the command that starts the request.
./acme.sh --issue --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please -d mail.zimbralocalxyz.com

Don't know what else to tell you. Perhaps ask the author of the software, or change to one of the other verification methods, or use one of the automatic DNS methods. Once this works, it seems pretty bulletproof from my experience. You can turn on debug mode, but that might be more confusing to you.

Jim
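
A check for the caching caveat in the post above, as an added example that is not part of the original post and not acme.sh code: it asks each authoritative nameserver of the zone directly for the _acme-challenge TXT record, and compares the SOA serial the nameservers hand out, so that you know the record letsencrypt will fetch at --renew time is really published and not just sitting in a local resolver cache or on a primary whose serial was never bumped. It assumes `dig` (bind-utils/dnsutils) is installed and that you pass the zone, the hostname and the TXT value acme.sh printed at --issue time; every domain name and token in it is made up.

```sh
#!/bin/sh
# Added example; not acme.sh code and not from the original post.
# Before `acme.sh --renew` in dns manual mode, confirm that the
# _acme-challenge TXT record is served by every authoritative nameserver of
# the zone (letsencrypt resolves it itself, so what your local resolver has
# cached does not matter) and that all nameservers serve the same SOA
# serial, since a serial that was not bumped is the usual reason a
# secondary still answers with the old zone.
#
# Assumptions: `dig` (bind-utils / dnsutils) is installed; the zone name,
# the hostname and the TXT value printed by `acme.sh --issue` are passed in
# by the caller. All domain names and tokens below are made up.

# acme_txt_present DOMAIN TOKEN  < dig-answer-lines
#   Reads `dig +noall +answer` style lines on stdin, for example
#     _acme-challenge.mail.example.com. 300 IN TXT "abc123"
#   Exit 0 when a TXT record for _acme-challenge.DOMAIN carries exactly TOKEN,
#   1 otherwise (wrong name, wrong type, stale value or no answer at all).
acme_txt_present() {
    awk -v name="_acme-challenge.$1." -v want="\"$2\"" '
        $1 == name && $4 == "TXT" && $5 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# soa_serials  < dig-answer-lines
#   Prints the serial of every SOA answer on stdin, one per line. Layout of a
#   dig SOA answer line:
#     zone. TTL IN SOA mname rname serial refresh retry expire minimum
soa_serials() {
    awk '$4 == "SOA" { print $7 }'
}

# serials_agree  < dig-answer-lines
#   Exit 0 when all SOA serials on stdin are identical; 1 when any nameserver
#   lags behind or when no SOA answer was seen.
serials_agree() {
    soa_serials | awk '
        NR == 1 { first = $1 }
        $1 != first { mismatch = 1 }
        END { exit (NR == 0 || mismatch) ? 1 : 0 }'
}

# acme_check_live ZONE DOMAIN TOKEN
#   Queries each authoritative nameserver of ZONE directly (@ns), never the
#   default resolver, and reports per nameserver. Needs network access.
acme_check_live() {
    zone=$1
    domain=$2
    token=$3
    rc=0
    nslist=$(dig +short NS "$zone")
    if [ -z "$nslist" ]; then
        echo "no NS records found for $zone" >&2
        return 1
    fi
    for ns in $nslist; do
        if dig +noall +answer @"$ns" TXT "_acme-challenge.$domain" |
                acme_txt_present "$domain" "$token"; then
            echo "ok:      $ns serves _acme-challenge.$domain = \"$token\""
        else
            echo "MISSING: $ns does not serve _acme-challenge.$domain = \"$token\""
            rc=1
        fi
    done
    # One SOA answer per nameserver; the serials must all match.
    soa=$(for ns in $nslist; do dig +noall +answer @"$ns" SOA "$zone"; done)
    if printf '%s\n' "$soa" | serials_agree; then
        echo "ok:      all nameservers serve the same SOA serial"
    else
        echo "WARNING: SOA serials differ between nameservers (serial not bumped, or zone not reloaded/transferred yet)"
        rc=1
    fi
    return $rc
}

# Usage: sh acme_txt_check.sh ZONE HOSTNAME TOKEN, for example
#   sh acme_txt_check.sh example.com mail.example.com abc123
# The live check only runs when all three arguments are given, so the
# functions above can be sourced or tested without network access.
if [ "$#" -eq 3 ]; then
    acme_check_live "$1" "$2" "$3"
fi
```

Run it between the --issue and --renew steps; only go on to --renew once every nameserver reports ok. A MISSING line from one nameserver, or differing serials, means the zone change has not reached that server yet (serial not incremented, zone not reloaded, or the transfer to the secondary still pending), and retrying --renew before that is fixed just burns validation attempts.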

Re: Another Letsencrypt method

Postby Pepe » Thu Jun 14, 2018 9:03 pm

Well, I did not even generate certs in the folder .acme.sh/mail.zimbralocalxyz.com

Code:

[zimbratest@prueba2 mail.zimbralocalxyz.com]$ ls
mail.zimbralocalxyz.com.conf  mail.zimbralocalxyz.com.csr.conf
mail.zimbralocalxyz.com.csr   mail.zimbralocalxyz.com.key


And it still gives me the error for --renew. I don't get it...
Thanks.

EDIT: the commands --update and --init are unknown

Re: Another Letsencrypt method

Postby JDunphy » Thu Jun 14, 2018 9:18 pm

Pepe wrote: Well, I did not even generate certs in the folder .acme.sh/mail.zimbralocalxyz.com

Code:

[zimbratest@prueba2 mail.zimbralocalxyz.com]$ ls
mail.zimbralocalxyz.com.conf  mail.zimbralocalxyz.com.csr.conf
mail.zimbralocalxyz.com.csr   mail.zimbralocalxyz.com.key


And it still gives me the error for --renew. I don't get it...
Thanks.

I have to agree. Very weird. I use that acme.sh script on everything from apache, nginx, zimbra, etc. on all different OSes...

I wonder why in your environment? If you want, add the --staging and --debug flags and email me the resulting logs and I could take a look. I mention the --staging because there is a limit on the number of times one can ask for validation from letsencrypt per day. Normally this just works out of the box the first time, so I don't mention the --staging/--testing in my notes.
xeqngai
Posts: 1
Joined: Sat Jun 16, 2018 3:53 am

Re: Another Letsencrypt method

Postby xeqngai » Sat Jun 16, 2018 4:03 am

Awesome! Thank you. It works.
