Let's Encrypt letsencrypt-zimbra github script

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.cna.md

I ran this command:

sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -v

It produced this output:

letsencrypt-zimbra.sh: info: create csr config '/tmp/tmp.FoffL1L6z3/openssl.cnf'
letsencrypt-zimbra.sh: info: generate csr '/tmp/tmp.FoffL1L6z3/request.pem'
letsencrypt-zimbra.sh: info: stop nginx
letsencrypt-zimbra.sh: info: issue certificate; certbot_extra_args: --non-interactive --agree-tos --preferred-chain ISRG Root X1
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mail.cna.md
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mail.cna.md: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
letsencrypt-zimbra.sh: error: The certificate cannot be obtained with '/usr/bin/certbot' tool.
letsencrypt-zimbra.sh: info: start nginx

My web server is (include version):

zimbra-nginx/unknown,now 1.20.0-1zimbra8.8b2.18.04 amd64 [installed,automatic]

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 18.04.6 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

@mail:~$ /snap/bin/certbot --version
certbot 1.22.0

please help

Please use one of the 23 (!!!) previously issued, perfectly fine certificates.

You've been issuing A LOT OF certificates since the end of November: https://crt.sh/?Identity=mail.cna.md&deduplicate=Y

I believe you need to rethink your certificate strategy, because something is going very wrong. Let's Encrypt certificates are valid for 90 days, NOT just 90 hours! Please only renew the certificates 30 days before their expiry, i.e., 60 days after their issuance.

I see other cna.md hostname certificates do NOT have this rapid renewal problem: https://crt.sh/?Identity=cna.md&deduplicate=Y How come it's solely the mail.cna.md hostname having this issue?

2 Likes

Thank you Osiris. My English is not very good, I will try to understand.
OK, where can I find the last 23 previously issued certificates, and how do I use them? It is very important for us to solve this problem, thank you

1 Like

I don't know Zimbra and I don't know how the letsencrypt-zimbra.sh script works. Who issued those certificates the last month in the first place? Maybe that person knows what happened to them?

It seems that Zimbra Let's Encrypt script uses the --csr option of certbot, which dumps the certificate somewhere on the disk, but has the downside that certbot won't store the certificate where it recognises the certificate itself. So it's up to the zimbra script to keep track of it. The script also seems to be storing the certificate in a temporary directory, so chances are great that all previously issued certificates have been deleted after the script ran.. Which, of course, is a terrible way of using (or: abusing) the Let's Encrypt service if something goes wrong.

My advice: don't use the letsencrypt-zimbra.sh script: it's terrible.

Another advice: maybe you can recover one of the valid certificates from one of the temporary directories created by the script (it uses mktemp -d), maybe somewhere in /tmp/, and manually use zmcertmgr deploycrt

2 Likes
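The two pieces of advice above (only request a new certificate when the current one is within 30 days of expiry, and recover a still-valid certificate from one of the script's leftover temporary directories before deploying it with zmcertmgr deploycrt) can be turned into a small pre-flight check. The script below is an added example for this thread; it is not the letsencrypt-zimbra.sh script and not part of Zimbra or Certbot. It assumes bash, openssl and GNU date are installed, that the candidate files live under a directory you name (the script's mktemp -d directories default to /tmp), and the hostname, file names and the 30-day window are assumptions you can change.

```bash
#!/usr/bin/env bash
# Added example (not the letsencrypt-zimbra script): find leftover certificates for a
# hostname, pick the one that expires last, and only declare renewal "due" when fewer
# than RENEW_WINDOW_DAYS remain, so a broken deployment step cannot burn the rate limit.
set -euo pipefail

RENEW_WINDOW_DAYS=30   # assumption: renew at 30 days before expiry, as advised above

# Print subject, serial and notAfter of a PEM certificate.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -serial -enddate
}

# Seconds until the certificate's notAfter (negative when already expired). Uses GNU date.
seconds_until_expiry() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( $(date -u -d "$not_after" +%s) - $(date -u +%s) ))
}

# Return 0 when the certificate expires within RENEW_WINDOW_DAYS (renewal is due),
# 1 when it is still valid beyond the window (do NOT request a new one).
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

# List *.pem / *.crt files under a directory that parse as X.509 and name the host in
# their subject. Keys and unrelated files are silently skipped.
find_certs_for_host() {
  local dir="$1" host="$2" f subj
  find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) 2>/dev/null | while read -r f; do
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
    case "$subj" in
      *"$host"*) printf '%s\n' "$f" ;;
    esac
  done
}

# Among the given certificate files, print the one with the latest notAfter.
newest_cert() {
  local f best="" best_end=-999999999 end
  for f in "$@"; do
    end=$(seconds_until_expiry "$f")
    if [ "$end" -gt "$best_end" ]; then
      best="$f"
      best_end="$end"
    fi
  done
  printf '%s\n' "$best"
}

# Usage: renew-gate.sh <directory-to-scan> <hostname>
main() {
  local dir="$1" host="$2" best
  local -a candidates
  mapfile -t candidates < <(find_certs_for_host "$dir" "$host")
  if [ "${#candidates[@]}" -eq 0 ]; then
    echo "no certificate for $host found under $dir" >&2
    return 2
  fi
  best=$(newest_cert "${candidates[@]}")
  echo "best candidate: $best"
  describe_cert "$best"
  if renewal_due "$best"; then
    echo "renewal due: fewer than $RENEW_WINDOW_DAYS days remain, requesting a new certificate is reasonable"
  else
    echo "renewal NOT due: deploy this file with 'zmcertmgr deploycrt' instead of issuing again"
  fi
}

if [ "$#" -ge 2 ]; then
  main "$1" "$2"
fi
```

Run it as `./renew-gate.sh /tmp mail.cna.md` before calling the Zimbra script; `openssl x509 -checkend` does the date arithmetic portably, and the deployment command is only printed, never executed, so the check is safe to run repeatedly.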

Osiris, in the end I managed to befriend the certificate I downloaded from the link you shared with me (crt.sh | 5862870697) and the email server.
I will leave it like this until the holidays are over so that we can solve it with the recommendations given by you. Thank you

1 Like

Have a look at the output of:
certbot certificates

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.