Can somebody help me to solve the issue with Letsencrypt certificate for Zimbra?

You can use any folder you like.

What operating system are you using?

That's good.
What version of ca-certificates does it have?
Try:
apt list | grep ca-cert | grep installed

1 Like

The question is not about the folder, but rather about its content. In that first statement the chain.pem that should be in "/opt/zimbra/ssl/letsencrypt" is going to be copied to "/tmp/shortchain.pem", and if there is no such folder (yet) it made no sense to me. But let's suppose we copied the files acquired by certbot into it.

Current solution is to copy the R3 certificate that is contained as first certificate in the chain.pem and the X1 certificate that can be downloaded from the web (isrgrootx1.pem).

As far as I can understand, you're suggesting to copy the entire chain.pem to shortchain.pem, append to the same shortchain.pem the output of a command (whose meaning I don't understand yet) and then to deploy the final shortchain.pem (which I suppose will contain 2 certificates from the initial chain.pem and one or more certificates after executing the second statement) to Zimbra.

If I'm correct, then this method might not work, as it will contain more certificates than necessary.

I'm on CentOS Linux 8.5.2111.

[root@mail temp]# dnf list ca-cert
Last metadata expiration check: 0:27:27 ago on Fri 21 Jan 2022 05:26:53 PM EET.
Error: No matching Packages to list

[root@mail temp]# dnf list ca-cert*
Last metadata expiration check: 0:28:08 ago on Fri 21 Jan 2022 05:26:53 PM EET.
Installed Packages
ca-certificates.noarch               2021.2.50-80.0.el8_4                @baseos

I tried the following version of your commands:

[root@mail temp]# cat ./cch.sh
#!/bin/bash
RootTemp=/opt/zimbra/ssl/temp
MyDomain=mail.example.com
cd "$RootTemp" || exit 1        # the relative paths below only make sense inside the temp directory
# openssl x509 reads only the first certificate in chain.pem, i.e. R3
openssl x509 -in "/etc/letsencrypt/live/$MyDomain/chain.pem" > shortchain.pem
cat IRGO.pem >> shortchain.pem   # IRGO.pem is the same downloaded isrgrootx1.pem with the X1 certificate
su - zimbra -c "cd $RootTemp/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem shortchain.pem"

And the output was the following:

[root@mail temp]# ./cch.sh
** Verifying '/opt/zimbra/ssl/temp/cert.pem' against '/opt/zimbra/ssl/temp/privkey.pem'
Certificate '/opt/zimbra/ssl/temp/cert.pem' and private key '/opt/zimbra/ssl/temp/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/temp/cert.pem' against '/opt/zimbra/ssl/temp/shortchain.pem'
Valid certificate chain: /opt/zimbra/ssl/temp/cert.pem: OK

So, I assume that in my version with CentOS 8 openssl works just like I've used it in my version of the script. Perhaps in Ubuntu it won't work the same.

Your method is a bit static/hard-coded.
When you use:

It creates the current short chain.
From there, we add the additional (Zimbra required) self-signed root:

[that finds the root cert used by that chain]

3 Likes

Sorry, I don't think that last command will work in:

In CentOS, I found many files with the "ISRG Root X1" cert in them:

/etc/ssl/certs/ca-bundle.crt
/etc/ssl/certs/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/tls/cert.pem
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt

but none are stored as a separate file.

So maybe there is no simple automated way to keep the files updated (for CentOS).

1 Like

Can you test in your environment and confirm that the X1 certificate is downloaded with certbot? In my case there is no such certificate even with --preferred-chain "ISRG Root X1".

OK,
As far as I can understand, for Zimbra on CentOS there is no chance to entirely automate the process of getting the certificates and putting them in Zimbra's SSL repository. Thus a script would include a workaround to download that certificate from the web, but as soon as the certificate on the web could be wrong, the script might return an error. So, the process is automatic, but should be controlled manually.

I have written a script for this purpose and would like to share it with you. The script will launch certbot, will copy the certificates to a working directory in the Zimbra home path, will build a file with the certificate chain and finally will try to verify the certificates against each other. If successful, a deployment will follow together with restarting Zimbra services and backing up the new certificates. Otherwise, the script will issue a warning and will exit without modification of Zimbra's certificates. So, services are not affected by a wrong or missing chain certificate.

#!/bin/bash

#
# Script to update Let's Encrypt certificates into Zimbra.
# It downloads your certificates, then builds a chain certificate containing the
# R3 certificate and the X1 certificate (in this order).
# It then checks the newly downloaded certificate and the new chain certificate.
# On success, these are deployed to Zimbra. Otherwise the script ends without changing the system, so your
# server is not affected by a failed renewal.
# Thanks to Rudy for his help
#

MYDOMAIN="www.example.com"  # change www.example.com to your own domain
ZimbraSSL="/opt/zimbra/ssl/letsencrypt"

# --standalone binds port 80 itself for the HTTP-01 challenge
certbot certonly --standalone -d "$MYDOMAIN" --preferred-chain "ISRG Root X1"

mkdir -p "$ZimbraSSL"
cd "$ZimbraSSL" || exit 1       # never run the rm below from the wrong directory
rm -f ./*.pem
cp /etc/letsencrypt/live/$MYDOMAIN/*.pem ./

# First version of getting shortchain.pem by downloading both certificates from "certs" on the letsencrypt site.
# wget with -O writes both downloads into one file, R3 first and then X1.
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/isrgrootx1.pem -O ./shortchain.pem

# Rudy's suggestion to acquire shortchain.pem. Unfortunately, not working in my environment.
# Uncomment the 3 rows below if necessary, instead of the previous statement.
# (openssl x509 reads only the first certificate in chain.pem, i.e. R3.)
#openssl x509 -in /etc/letsencrypt/live/$MYDOMAIN/chain.pem > shortchain.pem
#wget https://letsencrypt.org/certs/isrgrootx1.pem -O ./ISRG-X1.pem
#cat ISRG-X1.pem >> shortchain.pem

# Let's check the certificates!
chown zimbra:zimbra ./*
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem shortchain.pem"

if [ $? -ne 0 ]; then   # The following statements are terminal oriented, designed for CentOS 8, and
                        # might not work with, let's say, Ubuntu.
                        # All the lines down to "read" or even "exit" can be cut out.

# Let's play a bit with text formatting.
    RESET=$(tput sgr0)
    CB=$(tput sgr0 && tput setaf 6 && tput bold)
    YU=$(tput sgr0 && tput setaf 3 && tput bold && tput smul)
 
    echo $(tput clear)
    echo ""
    echo ""
    echo ""
    echo "       $CB*****************************************************************"
    echo "       *****************************************************************"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **                       $YU W A R N I N G !!! $CB                   **"
    echo "       **                                                             **"
    echo "       **                $YU A C H T U N G !!! U W A G A !!! $CB            **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **     $YU Letsencrypt Certificate could not be verified, thus $CB   **"
    echo "       **                                                             **"
    echo "       **    $YU it was not applied to your site. Check the output of $CB   **"
    echo "       **                                                             **"
    echo "       **    $YU the verifycrt command and make necessary corrections $CB   **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **     $YU Take care of yourself... $CB                              **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       **                                                             **"
    echo "       *****************************************************************"
    echo "       *****************************************************************$RESET"
    echo ""
    echo ""
    echo ""
    read -n 1 -p "Press any key to resume ..."
    echo
    exit 1
fi

# Here we have already checked the certificates successfully, so we are going to deploy them further.
# Backup Zimbra SSL directory
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

# Stop the jetty or nginx service at Zimbra level
runuser -l zimbra -c 'zmproxyctl stop'
runuser -l zimbra -c 'zmmailboxdctl stop'

# Deploy the certificates (the private key must be owned by the zimbra user, which runs deploycrt)
\cp ./privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "cd $ZimbraSSL/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem shortchain.pem"

# Get Zimbra back to life
runuser -l zimbra -c 'zmcontrol restart'

Correcting issues in the script is welcome.

I think that it is OK to close this thread as my issue finally was resolved. We could even change the thread's title and add the words "CentOS 8.5", "Zimbra 8.8" and "Solved".

1 Like

I think you misunderstand the parameter OR how certs are delivered.
Let me begin with the second part.
When certs are delivered, the root cert of the chain is never provided.
Why? Because all root certs are expected to already be in their trusted root stores.
This is how 99.99% of the Internet "works".
Zimbra, however, expects to be provided the entire cert chain (root included).
[this is very bad news for all Zimbra users and creates the problem we're in]
In order to create such a properly "complete" chain (now we have to address the first issue)...
We have to use the parameter that generates the shorter chain and then "manually" add in the expected root cert.
Why (the short chain)? Because the "long" chain includes the cross-signed ISRG Root X1 and Zimbra would require us to add the signing root [which is expired and Zimbra won't validate].
Again, here Zimbra fails to follow the Internet and does things in a very difficult way.
So, Zimbra must use the shorter self-signed cert chain.
But only OS updates provide root certs.
So, we have to get the closest chain to that and then add the missing piece.

Do you get it now?

1 Like
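Two things in this thread can be checked mechanically rather than by eye: that a root pulled out of a concatenated OS bundle (the only form CentOS ships it in, per the ca-bundle.crt list above) is really the root that issued the last intermediate, and that the resulting file ends in a self-signed root the way Zimbra's verifycrt wants it. The script below is an added example, not code from this thread, from certbot or from Zimbra. It builds a constructed toy PKI with openssl so that it runs offline; "Example Root X1", "Example R3" and "Old Root X3" stand in for ISRG Root X1, R3 and DST Root CA X3, and the function names (split_pem, extract_cert_by_cn, build_zimbra_chain, verify_chain) are mine. It needs only openssl, awk and a POSIX shell.

```sh
#!/bin/sh
# Added example, not code from the thread: build the "complete" chain Zimbra
# expects (certbot's short chain + the self-signed root) from an OS CA bundle,
# and refuse the root when it did not sign the last intermediate. Uses a
# constructed toy PKI; "Example Root X1", "Example R3" and "Old Root X3" stand
# in for ISRG Root X1, R3 and DST Root CA X3. Needs only openssl and awk.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Split a PEM bundle into $2/1.pem, $2/2.pem, ... (non-PEM lines such as the
# "# Subject:" comments in CentOS bundles are skipped); print the count.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$1"
}

# RFC 2253 subject or issuer ($2) of the first certificate in file $1
# (openssl x509 reads only the first certificate of a multi-cert file).
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'; }

# Copy the certificate whose subject CN is $2 out of bundle $1 into $3: the
# "separate file" that CentOS does not ship.
extract_cert_by_cn() {
    d=$(mktemp -d); n=$(split_pem "$1" "$d"); i=1
    while [ "$i" -le "$n" ]; do
        case "$(name_of "$d/$i.pem" subject)" in
            "CN=$2"|"CN=$2,"*) cp "$d/$i.pem" "$3"; rm -rf "$d"; return 0 ;;
        esac
        i=$((i + 1))
    done
    rm -rf "$d"; echo "no certificate with CN=$2 in $1" >&2; return 1
}

# chain.pem's intermediates followed by the root, but only if that root really
# issued the last intermediate. With the long (cross-signed) chain the last
# intermediate is issued by the old root, so appending the new root is refused.
build_zimbra_chain() {
    d=$(mktemp -d); n=$(split_pem "$1" "$d")
    want=$(name_of "$d/$n.pem" issuer); have=$(name_of "$2" subject); rm -rf "$d"
    if [ "$want" != "$have" ]; then
        echo "refusing: last intermediate issued by '$want', root is '$have'" >&2
        return 1
    fi
    cat "$1" "$2" > "$3"
}

# What verifycrt needs to pass: the chain ends in a self-signed root and the
# leaf validates up to it (openssl verify without -partial_chain insists on that).
verify_chain() {
    d=$(mktemp -d); n=$(split_pem "$2" "$d"); root="$d/$n.pem"; rc=0
    if [ "$(name_of "$root" subject)" != "$(name_of "$root" issuer)" ]; then
        echo "chain does not end in a self-signed root" >&2; rc=1
    else
        openssl verify -CAfile "$root" -untrusted "$2" "$1" >/dev/null || rc=1
    fi
    rm -rf "$d"; return $rc
}

# --- constructed toy PKI (throwaway keys, 30-day validity) ---
issue() {  # issue <csr> <ca-cert> <ca-key> <out> <extensions-file>
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
        -out "$4" -extfile "$5" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext
for k in root old int leaf; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done
openssl req -x509 -new -key root.key -subj "/CN=Example Root X1" -days 30 -out root.pem
openssl req -x509 -new -key old.key  -subj "/CN=Old Root X3"     -days 30 -out old.pem
openssl req -new -key root.key -subj "/CN=Example Root X1"  -out x1.csr
openssl req -new -key int.key  -subj "/CN=Example R3"       -out int.csr
openssl req -new -key leaf.key -subj "/CN=mail.example.com" -out leaf.csr
issue x1.csr   old.pem  old.key  x1-cross.pem ca.ext   # Example Root X1 cross-signed by Old Root X3
issue int.csr  root.pem root.key int.pem      ca.ext
issue leaf.csr int.pem  int.key  leaf.pem     leaf.ext
cat int.pem              > chain.pem      # what --preferred-chain "ISRG Root X1" yields
cat int.pem x1-cross.pem > longchain.pem  # the default long chain
{ echo '# Old Root X3'; cat old.pem; echo '# Example Root X1'; cat root.pem; } > ca-bundle.crt

# --- the procedure itself ---
extract_cert_by_cn ca-bundle.crt "Example Root X1" isrgrootx1.pem
build_zimbra_chain chain.pem isrgrootx1.pem shortchain.pem
verify_chain leaf.pem shortchain.pem
echo "shortchain.pem verified; contains $(grep -c 'BEGIN CERT' shortchain.pem) certificates"
```

On a real CentOS host the same functions apply to the real files: extract_cert_by_cn /etc/pki/tls/certs/ca-bundle.crt "ISRG Root X1" isrgrootx1.pem, then build_zimbra_chain against certbot's chain.pem. Running build_zimbra_chain on the long chain (longchain.pem above) is refused, because its last intermediate is issued by the old root and not by the root being appended, which is the mistake the post above warns about.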

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.