I need to renew the SSL certification for my Linux mail server (Zimbra)


#1

Hi,

I need to renew the SSL certification for my Linux mail server.
Can you please let me know how to do that?
Should I purchase the certificate? if yes, from where?

Thanks


#2

Did your current cert come from Let’s Encrypt? If so, how did you get it?

If you like, but you shouldn’t need to.


#3

I checked the certificate and it mentioned that it has been issued by Let’s Encrypt.
I don’t know how and where the previous IT guys purchase it from as they are not working here any more.


#4

Letsencrypt-certificates are free.

But you need a client to automate this.

Look, if there is a Certbot installed. Or a directory with the certificates.


#5

I found the directory under name “certbot”, I’m not sure if it’s the one that we are looking for!!!
is there any difference between installing SSL for webserver and mailserver?


#6

There may be a directory like

/etc/letsencrypt/live/yourdomainname

Look there

Perhaps you can use something like

certbot certificates

to show the current certificates.

Webservers often allow an automatic installation. Mailservers - puh, if they have a config-file or something else.


#7

I found the etc/letsencrypt/live folder and am able to see the current certificate but somehow the certbot command is not working.

it said that command not found


#8

You have to address certbot complete.

/opt/ or /var/ yourfolder/certbot

And normally, you should use it as root.


#9

It might also be certbot-auto and might have been downloaded into root’s home directory (or elsewhere on the system that’s not part of the default command PATH).


#10

I found certbot-auto in root folder, when I run it, it returns an error on line 208:

ReturnWithArgs() {
    # "$0" is the name the script was started with; it only resolves if that
    # name is in PATH or was given as a path (./certbot-auto, /root/certbot-auto)
    "$0" --cb-auto-has-root "$@"
    exit 0
}

it said:

certbot-auto: line 208: certbot-auto: command not found
any idea??


#11

Did you run it with something like export PATH=$PATH:/root; certbot-auto, or ./certbot-auto, or /root/certbot-auto, or some other way?


#12

I run “bash certbot-auto” from root.
it’s not working without bash


#13

In this case you should try to run it as ./certbot-auto instead of bash certbot-auto. Programs in the current directory are not in your PATH by default and so you need to specify what directory they’re in, such as the current directory (.).


#14

perfect.

it asked me to run as “./certbot-auto certonly” and now I have two options:

1: Spin up a temporary webserver (Standalone)
2: Place files in webroot directory (webroot)

as I want this cert for my mailserver not the webserver which option should I choose?


#15

Is there a webserver running on port 80 on the same machine as the mail server? If so, use webroot; if not, standalone.

If you choose webroot you’ll need to know what directory the webserver serves its files from.


#16

no, it’s just mailserver


#17

In that case you should choose the standalone option (1).

EDIT: reading back, it might also be worth trying:

./certbot-auto renew

to see if it can just find your existing settings from when you got the original cert and renew it based on the same settings.


#18

I tried ./certbot-auto renew but it failed:

No renewals were attempted.
additionally, the following renewal configuration files were invalid:

/etc/letsencrypt/reneal/mailserver.mydomain.ca-0001.conf (parsefail)
/etc/letsencrypt/reneal/mailserver.mydomain.ca-0002.conf (parsefail)
/etc/letsencrypt/reneal/mailserver.mydomain.ca.conf (parsefail)

it seems the mailserver.mydomain.ca.conf is broken.

then I run ./certbot-auto certonly and after I choose the first option and entered my mailserver address mailserver.mydomain.ca, this is what I got:

Performing the following challenges:
tls-sni-01 challenge for mailserver.mydomain.ca
cleaning up challenges
problem binding to port 443: could not bind to IPv4 or IPv6


#19

Hmm, do you have something else running on port 443?

Maybe try this, which should use port 80:

./certbot-auto certonly --standalone --preferred-challenges http

Are you sure you don’t have a webserver on this machine?

It might be worth having a look at the renewal configuration files too, to see if we can figure out why they couldn’t be parsed.
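Added example, not from the thread or from the certbot project: a small pre-flight script covering the checks raised in #6, #18 and #19 on a mail-only Linux host, namely whether ports 80/443 are already taken (the "could not bind" error), whether each file under /etc/letsencrypt/renewal would be reported as "(parsefail)", and how many days the live certificate has left. It assumes certbot's default layout under /etc/letsencrypt (override with LE_DIR) and that ss(8), openssl(1) and GNU date are present; the "strict INI" validation rule is an assumption that approximates certbot's parser, not its actual code.

```shell
#!/bin/sh
# Pre-flight checks before "./certbot-auto certonly --standalone" on a mail-only host.
# Added example; LE_DIR and the validation rule below are assumptions, not certbot's own code.

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Return 0 if nothing listens on TCP $1, 1 if something does, 2 if ss(8) is unavailable.
# Standalone mode must bind 80 (http-01) or 443 (tls-sni-01), so a busy port means
# another service (or a second certbot run) already owns it.
port_is_free() {
    port="$1"
    command -v ss >/dev/null 2>&1 || return 2
    if ss -ltn | awk 'NR > 1 { print $4 }' | grep -q ":${port}\$"; then
        return 1
    fi
    return 0
}

# Return 0 if every non-blank, non-comment line of $1 is "[section]" or "key = value".
# A line that fits neither shape is what makes certbot skip a file as "(parsefail)".
renewal_conf_valid() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*$/                      { next }   # blank line
        /^[ \t]*#/                      { next }   # comment
        /^[ \t]*\[[^]]+\][ \t]*$/       { next }   # [section]
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*=/ { next }   # key = value
                                        { bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Print the whole days until the live cert for domain $1 expires (GNU date -d assumed).
cert_days_left() {
    pem="$LE_DIR/live/$1/cert.pem"
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

main() {
    domain="${1:?usage: $0 mailserver.example.com}"
    for p in 80 443; do
        port_is_free "$p"
        case $? in
            0) echo "port $p: free" ;;
            1) echo "port $p: in use, standalone cannot bind here" ;;
            *) echo "port $p: unknown (ss not installed)" ;;
        esac
    done
    for f in "$LE_DIR"/renewal/*.conf; do
        [ -e "$f" ] || continue
        if renewal_conf_valid "$f"; then echo "ok: $f"; else echo "PARSEFAIL: $f"; fi
    done
    if [ -r "$LE_DIR/live/$domain/cert.pem" ]; then
        echo "days left on $domain: $(cert_days_left "$domain")"
    else
        echo "no live cert found under $LE_DIR/live/$domain"
    fi
}

# Only run the checks when a domain is given, so the functions can be sourced alone.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root (the live/ directory is root-readable only) with the mail host name, e.g. ./preflight.sh mailserver.mydomain.ca; a PARSEFAIL line points at the file to open and compare against a valid sibling, and a busy port 443 explains the bind error before certbot is even started.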


#20

no there is no webserver on this machine.

you mean mailserver.mydomain.ca-0002.conf file?