More notes than howto…
https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh
When using DNS validation with Let's Encrypt, automatic renewal only works if your DNS is hosted by a provider whose API acme.sh supports.
When creating or renewing without a DNS API, you run an 'issue' command, then ADD the TXT records it prints to your DNS, then rerun the 'issue' command with the --renew flag.
su - zimbra
cd .acme.sh/
Set default CA to Let's Encrypt
./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt
Upgrade script
./acme.sh --upgrade
View deployed certs
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
./acme.sh --list
Create or renew cert
acme.sh --issue --dns -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
Original cert deployment ???
acme.sh –deploy –deploy-hook zimbra -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com
You can use the install wizard at the certbot home page, or use your OS package manager.
yum install certbot --enablerepo=epel
The PPA is for Ubuntu versions up to 18.04.
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
Without the PPA:
apt-get update
apt-get install certbot
When installing certbot via packages, we must disable the auto-renewals configured in cron and systemd by the package installation:
systemctl stop certbot.timer && systemctl disable certbot.timer
vim /etc/cron.d/certbot
Comment out the last line.
-e san.domain.tld
flags.
rm -f certbot_zimbra.sh
wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh
chmod +x certbot_zimbra.sh
./certbot_zimbra.sh -n -c
If the existing certificate has expired, you probably need to generate a new cert.
./certbot_zimbra.sh -d
mv certbot_zimbra.sh /usr/local/bin/
vim /etc/cron.d/letsencrypt
# certbot_zimbra.sh requires bash and a path with /usr/sbin
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
Once your cron job has run successfully a few times (maybe after the first successful renewal), you can suppress the unwanted e-mail message sent every time the cron job runs by adding this to the end of the cron entry:
>> /dev/null 2>&1
tail -f /var/log/letsencrypt/letsencrypt.log
cat /var/log/letsencrypt/letsencrypt.log
certbot certificates
cat /etc/cron.d/letsencrypt
cat /etc/letsencrypt/renewal/hostname.domain.tld.conf
su - zimbra
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
If you see an error like this in the log:
WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld
This is probably caused by a SAN hostname that has no entry in the [webroot_map] section of the renewal config. Try adding the missing line to that section:
vim /etc/letsencrypt/renewal/hostname.domain.tld.conf
hostname.domain.tld = /opt/zimbra/data/nginx/html
sanhostname.domain.tld = /opt/zimbra/data/nginx/html
Then re-run the cron command from /etc/cron.d/letsencrypt:
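A quick pre-flight check for the webroot_map problem above, as an added example that is not part of this wiki page or of certbot-zimbra: it lists every hostname you expect on the certificate that has no entry in the renewal config's webroot_map section, so the gap can be fixed before the cron job fails. The renewal config is a constructed sample written to a temp file; the hostnames are the placeholders used on this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): report certificate hostnames that
# lack a webroot_map entry in a certbot renewal config. Assumes the standard
# certbot layout, where the section header is "[webroot_map]" or
# "[[webroot_map]]" and each entry is a "name = path" line.

# Usage: missing_webroot_map CONF HOST...
# Prints one line per hostname that is not mapped in CONF.
missing_webroot_map() {
    conf=$1; shift
    # Collect the names on the left of "=" inside the webroot_map section,
    # stopping at the next section header.
    mapped=$(awk '
        /^\[+webroot_map\]+/ { in_map = 1; next }
        /^\[/                { in_map = 0 }
        in_map && /=/        { sub(/[ \t]*=.*/, ""); print }
    ' "$conf")
    for host in "$@"; do
        found=0
        for m in $mapped; do
            [ "$m" = "$host" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && echo "$host"
    done
    return 0
}

# Constructed sample renewal config: the SAN hostname is missing from the
# webroot_map, which is exactly the "Select the webroot for ..." failure.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[renewalparams]
authenticator = webroot
[[webroot_map]]
hostname.domain.tld = /opt/zimbra/data/nginx/html
EOF

# Stand-alone run: prints "sanhostname.domain.tld".
missing_webroot_map "$SAMPLE_CONF" hostname.domain.tld sanhostname.domain.tld
```

Run it against the real file with the hostnames shown by `certbot certificates`, and add a `name = /opt/zimbra/data/nginx/html` line for each name it prints.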
Use of deploy-hook should only restart Zimbra if the renewal is successful, whereas renew-hook would cause it to restart even if the renewal fails.
/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"