How to install SSL certificate carbionio mail server?

crackdj · May 1, 2023, 4:08am

Hi guys,
I have tried to put SSL on my mail server without this working correctly, I have gone through the process indicated in Free SSL Certificates Using Let’s Encrypt and Certbot for Carbonio Community Edition | Carbonio CE - Zextras Community several times using-lets-encrypt-and-certbot/ with no good results. Here I detail more information about my structure.

My domain is: mail.infordata.com.ec

I ran this command: su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

It produced this output:** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
139818709017920:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' do not match.

My web server is (include version): carbonio mail

The operating system my web server runs on is (include version): ubuntu

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.5.0

rg305 · May 1, 2023, 4:34am

Hi @crackdj, welcome to the LE community forum

By default, Certbot now issues EC certs.
Zimbra only works with RSA certs.
You will need to issue another cert using:
--key-type rsa

[you only need to do that once - the renewals will renew the last type issued]

crackdj · May 1, 2023, 8:06pm

Thanks @rg305

Could you help me what would be the process to follow?

rg305 · May 1, 2023, 8:40pm

OK.
Let's start with the output of:
certbot certificates

crackdj · May 2, 2023, 2:27am

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: mail.infordata.com.ec
Serial Number: 3354d6056c8adf402a0cf1e87e6ea569e99
Key Type: ECDSA
Domains: mail.infordata.com.ec
Expiry Date: 2023-07-30 02:50:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.infordata.com.ec/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.infordata.com.ec/privkey.pem

root@mail:~#

rg305 · May 2, 2023, 5:39am

Please show the renewal file:
/etc/letsencrypt/renewal/mail.infordata.com.ec.conf

crackdj · May 2, 2023, 1:23pm

root@mail:~# cat /etc/letsencrypt/renewal/mail.infordata.com.ec.conf

# renew_before_expiry = 30 days
version = 2.5.0
archive_dir = /etc/letsencrypt/archive/mail.infordata.com.ec
cert = /etc/letsencrypt/live/mail.infordata.com.ec/cert.pem
privkey = /etc/letsencrypt/live/mail.infordata.com.ec/privkey.pem
chain = /etc/letsencrypt/live/mail.infordata.com.ec/chain.pem
fullchain = /etc/letsencrypt/live/mail.infordata.com.ec/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = c738b2c32659490a37fedadf14693b44
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

crackdj · May 3, 2023, 3:52pm

Hi @rg305

I understand that your time is valuable and I appreciate your help in solving my problem. I am waiting for any information you require from me to help me.

rg305 · May 3, 2023, 6:37pm

Sorry for the delay and that no one else has chimed in.
[we usually work "as a team" and pickup others slack]

Let's try:

certbot renew --key-type rsa -d mail.infordata.com.ec --force-renewal

crackdj · May 3, 2023, 7:35pm

I really appreciate the time you take to analyze my case.

I have done what you tell me and the answer is the following

root@mail:~# certbot renew --key-type rsa -d mail.infordata.com.ec --force-renewal

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

rg305 · May 3, 2023, 7:37pm

Try:
certbot certonly --key-type rsa -d mail.infordata.com.ec --force-renewal

crackdj · May 3, 2023, 7:40pm

now we have this

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

An ECDSA certificate named mail.infordata.com.ec already exists. Do you want to
update its key type to RSA?

rg305 · May 3, 2023, 7:42pm

Yes.

crackdj · May 3, 2023, 7:45pm

(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for mail.infordata.com.ec

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.infordata.com.ec/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.infordata.com.ec/privkey.pem
This certificate expires on 2023-08-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

root@mail:~#

rg305 · May 3, 2023, 8:53pm

Let's recheck this again now:

crackdj · May 3, 2023, 9:12pm

now we have this...

root@mail:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

I found the following certificates:
Certificate name: mail.infordata.com.ec
Serial number: 316bba7baa2299878103c5f8821803ef082
Key type: RSA
Domains: mail.infordata.com.ec
Expiration date: 2023-08-01 18:45:07+00:00 (VALID: 89 days)
Certificate path: /etc/letsencrypt/live/mail.infordata.com.ec/fullchain.pem
Private key path: /etc/letsencrypt/live/mail.infordata.com.ec/privkey.pem

rg305 · May 4, 2023, 4:21am

There you go!

crackdj · May 4, 2023, 4:36am

Hello, it's me, again.

I did the certificate verification and got the same error

root@mail:~# su - zextras
zextras@mail:~$ cd /opt/zextras/ssl/carbonio/commercial
zextras@mail:~/ssl/carbonio/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
140509829821760:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate 'commercial.crt' and private key 'commercial.key' do not match.
zextras@mail:~/ssl/carbonio/commercial$

rg305 · May 4, 2023, 4:39am

Did you copy the cert files from:

to:

???

crackdj · May 4, 2023, 4:48am

of course

zextras@mail:~/ssl/carbonio/commercial$ ls -l
total 28
-rw-r--r-- 1 zextras zextras 3127 Apr 10 22:25 commercial.crt
-rw-r--r-- 1 root root 1678 Apr 10 22:11 commercial.crt.bak
-rw-r--r-- 1 zextras zextras 241 Apr 30 22:58 commercial.key
-rw-r--r-- 1 zextras zextras 1448 Apr 10 22:25 commercial_ca.crt
-rw-r--r-- 1 root root 5607 May 3 23:50 fullchain.pem
-rw------- 1 root root 1704 May 3 23:50 privkey.pem