Hi everyone, I'm having a problem with renewing a Let's Encrypt certificate on a Zimbra server:
the certbot renew command worked fine, returning the renewal to me, but the Zimbra server still does not see the renewed certificate, only the expired one. In a guide that I am following, at the command /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem I get the error:
root@zimbra:~# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
zmcertmgr: ERROR: no longer runs as root!
root@zimbra:~# su zimbra
zimbra@zimbra:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
ERROR: Can't read file 'privkey.pem'
ERROR: Can't read file 'cert.pem'
What can I check to correct this error? Thank you all for your availability.
You probably need to run the commands as root or by using sudo.
Hello and thanks for the reply ... that command can only be started by the zimbra user
Weird, because the error message:
ERROR: no longer runs as root!
..suggests the zmcertmgr expects to be run as root.
Anything else I don't know. No experience with Zimbra luckily.
You made me doubt, and then I ran the command both as zimbra and as root and as sudo ... but nothing unfortunately
It seems you were trying to run the command
zimbra@zimbra:/root$ which doesn't work of course. Probably a copy/paste error from the line above the
Hi @vettalex welcome to the LE community forum
Zimbra is a very... unique beast.
You will need to leave the original files untouched so that the ACME client can proceed with future renewals unaffected.
So you must copy the needed files to another location.
chown them to the zimbra user.
Run all zmcertmgr commands as zimbra user referencing only the file copies (not their originals).
You can read more about this process here:
Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center
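The copy-and-chown procedure from the post above, written as a script. This is an added example, not part of the original post or of Zimbra's tooling. It assumes certbot's /etc/letsencrypt/live/<your-domain> directory as the source and /opt/cert as the staging directory; stage_certs and verify_as_zimbra are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread. /opt/cert and the live/ path are assumptions.

# stage_certs SRC DST [OWNER]
# Copy the three PEM files from SRC to DST. cp -L follows certbot's symlinks,
# so DST receives regular files holding the current certificate no matter
# which number the archive/ files have reached. SRC itself is never modified.
stage_certs() {
    src=$1 dst=$2 owner=${3:-}
    # Check everything is readable before creating or changing anything.
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$src/$f" ] || { echo "cannot read $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" && chmod 750 "$dst" || return 1
    for f in privkey.pem cert.pem chain.pem; do
        cp -L "$src/$f" "$dst/$f" || return 1
    done
    chmod 640 "$dst/cert.pem" "$dst/chain.pem" || return 1
    chmod 600 "$dst/privkey.pem" || return 1
    # Ownership changes only on the copies, and only when an owner is given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst" || return 1
    fi
}

# verify_as_zimbra DST
# Run the verifycrt command from the thread as the zimbra user, using
# absolute paths to the copies so the working directory does not matter.
verify_as_zimbra() {
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm \
'$1/privkey.pem' '$1/cert.pem' '$1/chain.pem'"
}

# Usage (as root): sh stage-zimbra-cert.sh --run /etc/letsencrypt/live/<your-domain>
if [ "${1:-}" = "--run" ]; then
    stage_certs "$2" /opt/cert zimbra:zimbra && verify_as_zimbra /opt/cert
fi
```

Because the script reads through the symlinks and writes only to the staging directory, ownership and permissions under /etc/letsencrypt stay as certbot set them.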
Thanks rg for the answer, I have also seen other threads where you have solved several problems with Zimbra .. we hope you can give me a hand with this problem too :D
Having said that, in the folder /etc/letsencrypt/archive/zimbra.adm-srl.it I have various certificates numbered with the number of renewals carried out; the new ones are only the ones numbered 3. In this case, do I copy ONLY the number 3 files and put them in a new folder, giving it zimbra permissions via chown? Then the next command will be /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem, but how can I tell it to "check" the files copied to the new folder just created?
If it helps, I changed the permissions on the "links" of cert chain fullchain and privkey cp with the command chown -R zimbra:zimbra.
This way I noticed that the error has changed (I believe that for some strange reason, Zimbra wants the connections to have the privileges of the zimbra user as well). I'm posting the new error:
Please put those back - that will break renewals.
Where did you copy those files to?
Use that path.
Ok, the files to be copied will be the files with the 3 at the end anyway? Let's say I create a folder under /opt = /opt/cert
the command will be:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/cert/privkey3.pem cert3.pem chain3.pem
No that isn't the ideal way to do this.
Next renewal will be #4 and it will keep increasing each time.
(re)Read my instructions.
Ok, I created a new folder /opt/cert and copied the links chain.pem, cert.pem and privkey.pem from /etc/letsencrypt/archive/zimbra.adm-srl.it to /opt/cert
I gave zimbra permissions with the command chown -R /opt/cert/*
I redid the command correctly, but an error always comes out:
Now the O/S needs to be updated to know about the root cert "ISRG Root X1"
sudo apt update
sudo apt-get update
sudo apt install ca-certificates
I've done it all, but the problem persists:
I can't understand where the mistake can actually be ...
Now I'm also posting the contents of each file ... I would not like there to be known errors in the code: