internet:security:ssl_cert_letsencrypt_zimbra

Differences

This shows you the differences between two versions of the page.

internet:security:ssl_cert_letsencrypt_zimbra [2022/08/04 12:32]
gcooper
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
Line 11: Line 11:
 <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
  
-FIXME This next tip needs careful testing and verification! +<note warning>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
- +
-<note tip>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.  If you already have an Nginx Proxy Manager, you might use it to create a ''Redirection Host'' for your main Zimbra hostname, including the LetsEncrypt certificate.</note> +
- +
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +
 +Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
  
 If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert. If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert.
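Review bot: the replacement warning tells the reader that the single-server howto yields no SANs but offers no remedy, while the certbot `-d` change under the new "Modifications" section later in this revision is exactly that remedy; the note should point there, so the reader does not stop at the warning. Dropping the Nginx Proxy Manager suggestion along with the FIXME is reasonable, since it was never tested. While this block is being edited, the unchanged tip just above it expands SAN as "Subject Alternative Hostnames"; the X.509 extension is Subject Alternative Name. The added `Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.` is a good pointer, and the script in the next hunk greps that same file, so the two additions fit together.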
Line 24: Line 22:
  
 If a certificate renewal fails, try reissuing a new cert instead. If a certificate renewal fails, try reissuing a new cert instead.
 +
 +===== Modifications =====
 +
 +<note tip>**Suppress daily cron e-mail message**...</note>
 +
 +<note tip>You **can** modify the script to support **additional SANs**...</note>
 +
 +<note tip>Adjust script to **only run if certificate is updated**...</note>
 +
 +<file>
 +#!/bin/bash
 +#
 +# Modification to suppress e-mailed cron job notifications every day
 +MAILTO=""
 +#
 +# Modification for SAN certificate with multiple hostnames
 +# This may/will need to be adjusted for hostnames and possibly cert name
 +# If you followed the howto above using just the actual hostname, it will look like this
 +/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email
 +#
 +# Modification to test if cert was changed then exit script
 +if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then
 +   exit 0
 +fi
 +#
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem"
 +chown zimbra:zimbra /etc/letsencrypt -R
 +cd /tmp
 +su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"'
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 +</file>
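Review bot: the script mixes three different hostnames, so it will not work as written: certbot is given `--cert-name zimbra2.yourdomain.tld`, which makes the live directory `/etc/letsencrypt/live/zimbra2.yourdomain.tld/`, yet the copy and chain lines read from `/etc/letsencrypt/live/zimbra.yourdomain.tld/`, and two lines still carry a real host that leaked in from another server: `cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem"` and the `cert.pem` path on the `deploycrt` line. Use one placeholder for the cert name and every path, otherwise the chain is appended to a file in one directory and `deploycrt` is pointed at a different one. Three further points. `MAILTO=""` only suppresses cron mail when it is set in the crontab itself; inside the script it is an unused shell variable, so the comment above it promises something the line cannot deliver. The `grep "not yet due for renewal"` guard handles the no-op case but not a failed certbot run (validation error, rate limit), in which case the script falls through and redeploys whatever already sits in `live/`; test certbot's exit status (for example `|| exit 1`) before the grep. `chown zimbra:zimbra /etc/letsencrypt -R` hands the zimbra account the ACME account key and every private key under `/etc/letsencrypt`, far more than `zmcertmgr` needs; since `privkey.pem` is already copied into `/opt/zimbra/ssl/zimbra/commercial/`, copy `cert.pem` and the assembled chain the same way and leave `/etc/letsencrypt` root-owned.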