internet:security:ssl_cert_letsencrypt_zimbra

Differences

internet:security:ssl_cert_letsencrypt_zimbra [2022/08/04 11:57]
gcooper
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
Line 11: Line 11:
 <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
  
- +<note warning>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +
 +Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
  
 If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert. If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert.
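Review bot: the warning note added in this hunk ("it only works for the actual hostname and doesn't include any SANs") tells the reader about the limitation but not where the fix is; since the SAN-capable version of the script is added further down the same revision under a new "Modifications" heading, add a pointer there, e.g. "See the Modifications section below for a version of the script that requests additional SANs." Minor, on the unchanged tip just above it: SAN stands for Subject Alternative Name, so "Subject Alternative Hostnames (SANs)" should read "Subject Alternative Names (SANs)".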
Line 21: Line 22:
  
 If a certificate renewal fails, try reissuing a new cert instead. If a certificate renewal fails, try reissuing a new cert instead.
 +
 +===== Modifications =====
 +
 +<note tip>**Suppress daily cron e-mail message**...</note>
 +
 +<note tip>You **can** modify the script to support **additional SANs**...</note>
 +
 +<note tip>Adjust script to **only run if certificate is updated**...</note>
 +
 +<file>
 +#!/bin/bash
 +#
 +# Modification to suppress e-mailed cron job notifications every day
 +MAILTO=""
 +#
 +# Modification for SAN certificate with multiple hostnames
 +# This may/will need to be adjusted for hostnames and possibly cert name
 +# If you followed the howto above using just the actual hostname, it will look like this
 +/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email
 +#
 +# Modification to test if cert was changed then exit script
 +if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then
 +   exit 0
 +fi
 +#
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem"
 +chown zimbra:zimbra /etc/letsencrypt -R
 +cd /tmp
 +su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"'
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +</file>
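Review bot: the hostnames in the added script are inconsistent and will break the deploy steps: `--cert-name zimbra2.yourdomain.tld` makes certbot write the certificate under `/etc/letsencrypt/live/zimbra2.yourdomain.tld/`, while every later `cp`/`rm` path uses `live/zimbra.yourdomain.tld/`, and two lines (the `cat /tmp/ISRG-X1.pem >> ...` append and the `zmcertmgr deploycrt` command) still reference `zimbra3.virtualarchitects.com`, which reads as a leftover from a real deployment rather than the placeholder domain; use one cert name and one live directory throughout. The "exit if the cert was not renewed" test is also fragile: `grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log` scans the whole log, so once that message has been written once the script exits 0 on every later run until the log rotates, even after a real renewal; compare a checksum or mtime of `cert.pem` before and after the certbot call (or move the deploy steps into certbot's `--deploy-hook`, which only runs on an actual renewal), and add `-q` so grep's match is not mailed out. `MAILTO=""` inside the script does nothing for cron notifications, because cron reads MAILTO from the crontab, not from the script's environment; put it on the crontab entry or redirect the script's output. Finally, `chown zimbra:zimbra /etc/letsencrypt -R` hands the Let's Encrypt account keys and every other certificate on the host to the zimbra user, which is more than `zmcertmgr deploycrt` needs; limit it to the files being deployed.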