Well, that's the standard behaviour. You should install the LetsEncrypt certificate (including its CA) as if it was a commercial certificate instead.liverpoolfcfan wrote: ↑Tue May 14, 2024 1:05 pm It is quite weird what the installation script is doing.
I have a LetsEncrypt certificate on my test server. I put the LetsEncrypt CA certificates (X1-Root, X2-Root, E1) into the file /opt/zimbra/conf/ca/ca.pem
Maldua's Zimbra FOSS Builds - Share your feedback
- adrian.gibanel.btactic
- Outstanding Member
- Posts: 200
- Joined: Thu Jan 30, 2014 11:13 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
-
- Elite member
- Posts: 1138
- Joined: Sat Sep 13, 2014 12:47 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
I have done that too.adrian.gibanel.btactic wrote: ↑Wed May 22, 2024 4:21 pm Well, that's the standard behaviour. You should install the LetsEncrypt certificate (including its CA) as if it was a commercial certificate instead.
It just doesn't make sense to test the validity of the CA/certificate in place, then ignore the fact it is valid and go ahead and create a new CA and a new certificate to overwrite them anyway.
- adrian.gibanel.btactic
- Outstanding Member
- Posts: 200
- Joined: Thu Jan 30, 2014 11:13 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
Sorry, I cannot help you. I recommend you to check the actual source code behind those commands and if you think that behaviour is not ok you can always open a thread in Developers forum and complain there so that they fix or that they explain what it was designed like that in the first place.liverpoolfcfan wrote: ↑Thu May 23, 2024 8:17 amI have done that too.adrian.gibanel.btactic wrote: ↑Wed May 22, 2024 4:21 pm Well, that's the standard behaviour. You should install the LetsEncrypt certificate (including its CA) as if it was a commercial certificate instead.
It just doesn't make sense to test the validity of the CA/certificate in place, then ignore the fact it is valid and go ahead and create a new CA and a new certificate to overwrite them anyway.
The only thing it makes sense to me is that using the Zimbra installations to generate a new self-signed certificate diminishes the self-certificate being expired.
-
- Outstanding Member
- Posts: 202
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Maldua's Zimbra FOSS Builds - Share your feedback
Can you show your commands to confirm? It would be something like:liverpoolfcfan wrote: ↑Thu May 23, 2024 8:17 amI have done that too.adrian.gibanel.btactic wrote: ↑Wed May 22, 2024 4:21 pm Well, that's the standard behaviour. You should install the LetsEncrypt certificate (including its CA) as if it was a commercial certificate instead.
It just doesn't make sense to test the validity of the CA/certificate in place, then ignore the fact it is valid and go ahead and create a new CA and a new certificate to overwrite them anyway.
Code: Select all
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp chain.pem /tmp
cp cert.pem /tmp
chown zimbra:zimbra /tmp/chain.pem /tmp/cert.pem
sudo -u zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
- adrian.gibanel.btactic
- Outstanding Member
- Posts: 200
- Joined: Thu Jan 30, 2014 11:13 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
Hello,
Maldua's Zimbra 10.1.0 FOSS Builds have just been released.
Please share your experience when upgrading or installing from scratch.
Versions:
Thank you very much!
Notes:
Maldua's Zimbra 10.1.0 FOSS Builds have just been released.
Please share your experience when upgrading or installing from scratch.
Versions:
- 10.1.0
- RHEL7 (Red Hat Enterprise Linux 7, Oracle Linux 7, CentOS 7)
- RHEL8 (Red Hat Enterprise Linux 8, Oracle Linux 8, CentOS 8, Rocky Linux 8)
- Ubuntu 18.04
- Ubuntu 20.04
- Ubuntu 22.04 (Flagged as beta as the NE Ubuntu 22.04 download is also flagged as beta).
Thank you very much!
Notes:
- These are recent releases. They will become stable releases when after 15 days of being public there has not been any major negative feedback.
- This is not an official Zimbra/Synacor build.
- Apparently no more patches will be provided by Synacor for Ubuntu 18.04 so I might remove that platform from future builds so that sysadmins consider migrating to Ubuntu 20.04. Update: Zimbra 10.1.0 has an official ZCS 10.1.0 NE for Ubuntu 18.04 so let's keep it anyways.
Last edited by adrian.gibanel.btactic on Tue Aug 13, 2024 1:18 pm, edited 5 times in total.
-
- Outstanding Member
- Posts: 202
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Maldua's Zimbra FOSS Builds - Share your feedback
I just tested 'zcs-10.1.0_GA_4200000.UBUNTU18_64.20240719155652.tgz' on a copy of my installation, which is the Ian 10.0.6 semi-dev version (from techfiles.online). Preliminary tests are good:
- It installs fine. The LDAP attribute problems of 10.0.8 when installing didn't happen on this version. I successfully said: Updating zimbraLDAPSchemaVersion to version '1717060748'.
- Initial just browsing around and looking at e-mail seems to work. More testing needs to be done.
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.
Re: Maldua's Zimbra FOSS Builds - Share your feedback
Watching patiently as would like to use Ubuntu 22.04 so have a long term platform. Thank you for the hard work
- adrian.gibanel.btactic
- Outstanding Member
- Posts: 200
- Joined: Thu Jan 30, 2014 11:13 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
I have built the 10.1.0 release for Ubuntu 22.04. It's flagged as beta as per the NE download being flagged as beta).strengthandmind wrote: ↑Sat Jul 20, 2024 12:13 pm Watching patiently as would like to use Ubuntu 22.04 so have a long term platform. Thank you for the hard work
I have not tested it at all.
So your feedback is highly appreciated.
Last edited by adrian.gibanel.btactic on Tue Jul 30, 2024 1:17 pm, edited 1 time in total.
- adrian.gibanel.btactic
- Outstanding Member
- Posts: 200
- Joined: Thu Jan 30, 2014 11:13 am
Re: Maldua's Zimbra FOSS Builds - Share your feedback
Well, that makes sense. This is one of the few occasions where the LDAPSchemaVersion from a tagged version is higher or equal than a few weeks old snapshot of the dev branch. This is brand new.
-
- Outstanding Member
- Posts: 202
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Maldua's Zimbra FOSS Builds - Share your feedback
For the next test step, I tried upgrading my Ubuntu and go from 'zcs-10.1.0_GA_4200000.UBUNTU18_64.20240719155652' to 'zcs-10.1.0_GA_4200000.UBUNTU20_64.20240719155625'. I tried the normal 'install.sh', but also the 'install.sh --software-only' method as described on the wiki, which involves placing back your local config and running '/opt/zimbra/libexec/zmsetup.pl'. Both had the same result, of ldap issues.
The config menu fails on everything ldap. I'll show part of it:
That MX error seems unrelated, nor do I want an MX record on that subdomain.
The log is filled with stuff like:
So far, I haven't found the fix/cause.
The config menu fails on everything ldap. I'll show part of it:
Code: Select all
# /opt/zimbra/libexec/zmsetup.pl
Operations logged to /tmp/zmsetup.20240728-163918.log
Installing LDAP configuration database...done.
Setting defaults...
DNS ERROR resolving MX for meel.halfgaar.net
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes] no
done.
Checking for port conflicts
Port conflict detected: 53 (zimbra-dnscache)
Port conflicts detected! - Press Enter/Return key to continue
Checking ldap status....not running.
Starting ldap...done.
Setting defaults from ldap...done.
Main menu
1) Common Configuration:
+Hostname: meel.halfgaar.net
+Ldap master host: meel.halfgaar.net
+Ldap port: 389
******* +Ldap Admin password: Not Verified
+Store ephemeral attributes outside Ldap: yes
+Value for zimbraEphemeralBackendURL: ldap://default
+Secure interprocess communications: yes
+TimeZone: Europe/Berlin
+IP Mode: ipv4
+Default SSL digest: sha256
2) zimbra-ldap: Enabled
+Create Domain: yes
+Domain to create: halfgaar.net
+Ldap root password: set
+Ldap replication password: set
******* +Ldap postfix password: Not Verified
******* +Ldap amavis password: Not Verified
******* +Ldap nginx password: Not Verified
******* +Ldap Bes Searcher password: Not Verified
The log is filled with stuff like:
Code: Select all
Sun Jul 28 16:39:53 2024 Checking ldap on meel.halfgaar.net:389
Sun Jul 28 16:39:53 2024 Unable to bind to ldap://meel.halfgaar.net:389 with user uid=zmbes-searcher,cn=appaccts,cn=zimbra:
Sun Jul 28 16:39:53 2024 Couldn't bind to meel.halfgaar.net as uid=zmbes-searcher,cn=appaccts,cn=zimbra
Sun Jul 28 16:39:53 2024 Checking ldap on meel.halfgaar.net:389
Sun Jul 28 16:39:53 2024 Unable to bind to ldap://meel.halfgaar.net:389 with user uid=zmnginx,cn=appaccts,cn=zimbra:
Sun Jul 28 16:39:53 2024 Couldn't bind to meel.halfgaar.net as uid=zmnginx,cn=appaccts,cn=zimbra
Sun Jul 28 16:39:53 2024 Checking ldap on meel.halfgaar.net:389
Sun Jul 28 16:39:53 2024 Unable to bind to ldap://meel.halfgaar.net:389 with user uid=zmpostfix,cn=appaccts,cn=zimbra:
Sun Jul 28 16:39:53 2024 Couldn't bind to meel.halfgaar.net as uid=zmpostfix,cn=appaccts,cn=zimbra
Consider seriously: because of the history of exploits: block Zimbra web interface with VPN, firewall or HTTP proxy.