Hi everyone, some time ago I had to rebuild a Zimbra mail server from scratch. Now everything works correctly and I wanted to recreate a certificate with certbot and insert it on zimbra. I followed the same guide:
but I got stuck on the command:
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Also, when I check the certificates, I get the error:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/zimbra.adm-srl.it/cert.pem /etc/letsencrypt/live/zimbra.adm-srl.it/chain.pem
Hi rudy, thank you for your reply; then I ran the guide you suggested (which would then be the official one), but at the time of the command sudo certbot certonly --standalone, it gives me the error in the picture.
I noticed that the error is on the www suffix which does NOT match my public ip ... but the question is that I don't want a certificate for www ... but rather for zimbra.mydomain.ext
I could modify the dns file of the website, but this would make it unreachable and this is not good ... what do you think?
eh, this is the site that I don't actually manage ... but the provider ... I only manage zimbra. Maybe since there is an existing certificate on the provider it gives me an error .. can it be?
No two services can use the same port on the same IP [without some very sophisticated "trickery"].
If you are using certbot with --standalone, it will need to bind to port 80 (HTTP).
But there is already an Apache server seen there now.
You either:
shut down the Apache server to call certbot (then started it back up afterwards)
port forwarded HTTP to some other port (not 80) where Apache runs
are behind an Apache proxy
are NOT on the right system
Please show the output of: curl -4 ifconfig.co
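The two conditions raised above (port 80 must be free for `--standalone`, and every requested name must resolve to the machine running certbot), as an added example that is not part of the original posts. The function names are hypothetical, and the listener lines, host names and IP addresses are constructed sample data using documentation ranges.

```bash
#!/usr/bin/env bash
# Pre-flight checks before `certbot certonly --standalone` (added example).

# Read `ss -ltnH` output on stdin and print every local listener on TCP port 80.
# Field 4 is the local address:port, e.g. 0.0.0.0:80, [::]:80 or *:80.
port80_listeners() {
    awk '$4 ~ /:80$/ { print $4 }'
}

# Read "name ip" pairs on stdin and print each name whose address is not $1.
# $1 is this host's public IPv4 address (what `curl -4 ifconfig.co` reports).
names_not_pointing_here() {
    awk -v ip="$1" 'NF == 2 && $2 != ip { print $1 }'
}

# Constructed sample: a web server already holds port 80 on IPv4 and IPv6.
sample_ss() { cat <<'EOF'
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
EOF
}

# Constructed sample: the mail host points here, the www name points elsewhere.
sample_dns() { cat <<'EOF'
zimbra.example.com 203.0.113.10
www.example.com 198.51.100.20
EOF
}

# Return 0 only when port 80 is free and every requested name points at $1.
preflight() {
    busy=$(sample_ss | port80_listeners)
    stray=$(sample_dns | names_not_pointing_here "$1")
    if [ -n "$busy" ]; then echo "port 80 already bound by: $busy"; fi
    if [ -n "$stray" ]; then echo "drop from the request or fix DNS: $stray"; fi
    [ -z "$busy" ] && [ -z "$stray" ]
}

if preflight 203.0.113.10; then
    echo "ready for certbot --standalone"
else
    echo "resolve the findings above before requesting the certificate"
fi
```

On a live host, feed `ss -ltnH` into `port80_listeners` and build the name/address pairs from `dig +short A <name>` instead of using the samples.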
I beg your pardon, I expressed myself badly.
Zimbra is located locally by the customer, and has a public ip 185.52.xx.xx, where I have the http port 80 open vs the local ip 192.168.88.194
The website, located in the cloud on the provider, already has an https certificate given by the same provider and ip 62.149.xx.xx
Okay, I guess, but I should ask for a wildcard maybe.
However, to solve the problem, I should point zimbra.adm-srl.it to my client's public ip, or where zimbra is, open port 80 to the local zimbra ip and in the certbot request, request it for zimbra.adm-srl.it and NOT for adm-srl.it, is that correct?
The guide so far has only issued a cert.
Zimbra cert integration is a very unusual process.
You will likely have to move slowly and test (and write down) all your steps along that way.
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
In reality, with these 2 commands (the first verifies and the second executes) you import the certificate in Zimbra, restart the services and everything works.
Now, I wanted to configure crontab to start it every 3 months, but at the same time, I don't want to keep port 80 open ... how could I do that?