I need to renew the SSL certification for my Linux mail server (Zimbra)

Yes, well, all three of them really; it’s surprising that any of them would fail to parse.

This is the inside of the file:

So when you said “mailserver” you actually meant Zimbra, right?

Yes, the mailserver is Zimbra.

How did you find out it’s Zimbra? :smiley:

But Zimbra includes a webserver too, so that's probably what's taking up port 443.

Sorry but I'm not familiar with Zimbra. Their wiki gives some advice but it seems a little deficient: it describes an old way of installing certbot and doesn't seem to explain how to set up auto-renewal. I guess it would be something like... you would need to put all the steps that happen before and after the certbot command into two scripts, and pass them to the --pre-hook and --post-hook options. Then you would set up a cron job or systemd timer to run /path/to/certbot-auto renew twice a day.

Or you could just follow the whole procedure manually if you don't mind repeating it every few months...

Your screenshot and username provided enough clues to find your old cert in https://crt.sh :wink:

I don't see anything obviously wrong with the file btw, so I still don't know why it's not parsing.

I think Java is listening on port 443. Could that be the reason?

That’s probably the reason Certbot isn’t working, yes. I believe some versions of Zimbra use Jetty, a Java webserver.

Oooooh, and I bet I know why certbot is failing to parse the files too. If the person who set up the certificate originally followed the instructions in that wiki … they might have concatenated the Identrust root to the chain.pem file, and when certbot tries to parse it, it notices that the cert+chain no longer matches the fullchain and bails out.

What version of Zimbra are you using? If you don’t know, it looks like it can be found by typing zmcontrol -v

It’s version 8.5.0_GA_3042.FOSS

Okay, so … I’m trusting the wiki here as I’m not a Zimbra user myself …

The general procedure will be something along the lines of:

  1. Stop Zimbra
  2. Get your certificate
  3. Install the certificate
  4. Restart Zimbra

The wiki provides instructions on how to complete each of these steps, individually, manually.

Ideally, you want automated renewals. The way this would work is: you run a certbot command and pass it some options to run other commands before and after it tries to obtain your certificate. Then it will remember those commands and automatically run them again when it renews.

I don’t use Zimbra and I haven’t tested this procedure so try it out at your own risk. If you’re not comfortable with that then stick with the wiki I guess.

First you need the root certificate (you shouldn’t really need this but apparently it’s a quirk of Zimbra that it’s required). The link in the wiki seems stale but you can download it from crt.sh by running this command:

curl https://crt.sh/?d=8395 -o /root/identrust.pem

Next, the process to install the certificate is quite complicated so create a script for it. Create a file named, say, /root/zimbra-deploy.sh and add the following contents to it:

#!/bin/bash -e

# Combine the intermediate and root certificates as required by Zimbra:
cat "$RENEWED_LINEAGE/chain.pem" /root/identrust.pem > "$RENEWED_LINEAGE/zimbrachain.pem"

# Backup the existing cert:
cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")"

# Copy the private key to the required location:
umask 037
cp "$RENEWED_LINEAGE/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key

# Deploy the certificate to Zimbra:
/opt/zimbra/bin/zmcertmgr deploycrt comm "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/zimbrachain.pem"

Save the file, then make it executable with chmod +x /root/zimbra-deploy.sh.

Now everything should be ready to run Certbot:

./certbot-auto certonly --standalone -d mailserver.yourdomain.ca --pre-hook "zmproxyctl stop; zmmailboxdctl stop" --post-hook "zmcontrol restart" --deploy-hook /root/zimbra-deploy.sh

Remember to change mailserver.yourdomain.ca to your actual domain :wink:

If that all works, you can then set up a cron job to run /root/certbot-auto -q renew twice a day. It will do nothing until your cert is 30 days from expiry, then it will run those hook commands again to stop Zimbra, renew your cert, install it, and restart.
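A way to check for the parse problem diagnosed earlier in the thread (a root certificate concatenated onto chain.pem, so that cert.pem + chain.pem no longer matches fullchain.pem) before running the procedure above. This is an added example, not code from the thread, certbot or Zimbra; it assumes certbot's usual lineage file names, and the PEM bodies it builds for testing are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect a chain.pem that has had a root certificate appended,
# which makes cert.pem + chain.pem disagree with fullchain.pem. File names
# follow certbot's lineage layout; the PEM bodies below are constructed.

# Count the PEM certificate blocks in one file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds when cert.pem followed by chain.pem is byte-for-byte fullchain.pem,
# the invariant certbot relies on; fails when something extra was appended.
check_lineage() {
    cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$1/fullchain.pem"
}

# How many certificates chain.pem carries beyond what fullchain.pem accounts for.
extra_in_chain() {
    echo $(( $(count_certs "$1/cert.pem") + $(count_certs "$1/chain.pem") - $(count_certs "$1/fullchain.pem") ))
}

# Build a constructed lineage in a temp dir; with append_root=1 it reproduces
# the mistake of appending the root to chain.pem after fullchain.pem was written.
make_lineage() {
    dir=$(mktemp -d)
    pem() { printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'; }
    pem LEAF-CONSTRUCTED > "$dir/cert.pem"
    pem INTERMEDIATE-CONSTRUCTED > "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    [ "$1" = 1 ] && pem ROOT-CONSTRUCTED >> "$dir/chain.pem"
    echo "$dir"
}

# Report on a lineage directory, e.g. /etc/letsencrypt/live/mailserver.yourdomain.ca
report() {
    if check_lineage "$1"; then
        echo "$1: cert.pem + chain.pem matches fullchain.pem"
    else
        echo "$1: mismatch, chain.pem has $(extra_in_chain "$1") extra certificate(s)"
        return 1
    fi
}
```

Keeping the Zimbra-specific concatenation in a separate zimbrachain.pem, as the deploy script above does, is what avoids tripping this check on later renewals.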
