Problem renew certificate with Zimbra

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
imagen

My domain is:zimbra.calfnet.com.ar

I ran this command:

It produced this output:
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: zimbra.calfnet.com.ar: see Rate Limits - Let's Encrypt

My web server is (include version):zimbra community 8.15

The operating system my web server runs on is (include version):Oracle Linux Server 8.4

My hosting provider, if applicable, is:no, local

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.14.0

The certificate expired on 11/16/2021 and with a script in the cron, it had to be updated automatically ... it seems that according to the server logs and the URL https://crt.sh, it was successfully renewed, but not I understand why the problem. I am a newbie with letsencript and with certificates in gral. Download the renewal script from the link GitHub - VojtechMyslivec/letsencrypt-zimbra: Files to automate the deploy of letsencrypt certificates to Zimbra
I also tried "certbot renew" and the result was the same error
In case you help me solve this problem, I would like to be able to test the automatic renewal, I don't know if the script I'm using is correct, but I would need to be able to create a certificate with an expiration date of less than 3 months, in order to carry out renewal tests, before going up to production.

Best regards,

Hi @soft_calf and welcome to the LE community forum :slight_smile:

It seems that there is a job that is forcibly renewed that cert almost daily.
Please show the outputs of:
crontab -l
systemctl list-timers | grep certb

There is only one size certificate = 90 days.
They can be renewed sooner - how depends on the ACME client used.
For certbot you must edit the cli.ini file and change the default 30 days to a larger number to renew sooner.

Hi rg305, thanks for answering.
zimbra user tasks I have this one that I copy and I just commented on it

# ZIMBRASTART -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRAEND
SHELL=/bin/bash
#
# Log pruning
#
30 2 * * * find /opt/zimbra/log/ ! -name 'zmsetup*.log' -type f -name '*.log?*' -mtime +8 -exec rm {} \; > /dev/null 2>&1
35 2 * * * find /opt/zimbra/log/ -type f -name '*.out.????????????' -mtime +8 -exec rm {} \; > /dev/null 2>&1
#
# compress logs manually to avoid application pauses when
# handled through the log4j thread
#
50 2 * * * /opt/zimbra/libexec/zmcompresslogs > /dev/null 2>&1
#
# tmp dir cleaning
#
40 2 * * * /opt/zimbra/libexec/zmcleantmp
#
# Status logging
#
*/2 * * * * /opt/zimbra/libexec/zmstatuslog > /dev/null 2>&1
#*/10 * * * * /opt/zimbra/libexec/zmdisklog > /dev/null 2>&1
#
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
#
# Backups
#
# BACKUP BEGIN
# BACKUP END
#
# crontab.ldap
#
# Monitor MDB database size
*/30 * * * * /opt/zimbra/libexec/zmldapmonitordb > /dev/null 2>&1
#
#
# crontab.store
#
# Log pruning
#
30 2 * * * find /opt/zimbra/mailboxd/logs/ -type f -name \*log\* -mtime +8 -exec rm {} \; > /dev/null 2>&1
30 2 * * * find /opt/zimbra/log/ -type f -name stacktrace.\* -mtime +8 -exec rm {} \; > /dev/null 2>&1
#
# Report on any database inconsistencies
#
0 23 * * 7 /opt/zimbra/libexec/zmdbintegrityreport -m
#
# Monitor for multiple mysqld to prevent corruption
#
#*/5 * * * * /opt/zimbra/libexec/zmcheckduplicatemysqld -e > /dev/null 2>&1
#
# Check zimbraVersionCheckURL for new update.
# Only runs if this server matches zimbraVersionCheckServer
# Only executes on zimbraVersionCheckInterval. min 2h interval
#
18 */2 * * * /opt/zimbra/libexec/zmcheckversion -c >> /dev/null 2>&1
#
# Invoke "ComputeAggregateQuotaUsageRequest" periodically
#
15 2 * * *      /opt/zimbra/libexec/zmcomputequotausage > /dev/null 2>&1
#
# Invoke "client_usage_report.py" periodically to process /opt/zimbra/log/access_log* files
#
55 1 * * *      /opt/zimbra/libexec/client_usage_report.py > /dev/null 2>&1
#
# Run zmgsaupdate util to trickeSync galsync accounts
#
49 0 * * 7      /opt/zimbra/libexec/zmgsaupdate > /dev/null 2>&1
#
# crontab.logger
#
# process logs
#
00,10,20,30,40,50 * * * * /opt/zimbra/libexec/zmlogprocess > /tmp/logprocess.out 2>&1
#
# Graph generation
#
#10 * * * * /opt/zimbra/libexec/zmgengraphs >> /tmp/gengraphs.out 2>&1
#
# Daily reports
#
30 23 * * * /opt/zimbra/libexec/zmdailyreport -m
#
# crontab.mta
#
#
# Queue logging
#
0,10,20,30,40,50 * * * * /opt/zimbra/libexec/zmqueuelog
#
# Spam training
#
0 22 * * * /opt/zimbra/bin/zmtrainsa >> /opt/zimbra/log/spamtrain.log 2>&1
#
# Spam training cleanup
#
45 23 * * * /opt/zimbra/bin/zmtrainsa --cleanup >> /opt/zimbra/log/spamtrain.log 2>&1
#
# Spam rule updates
#
45 0 * * * . /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate
#
# Spam Bayes auto-expiry
#
20 23 * * * /opt/zimbra/common/bin/sa-learn --dbpath /opt/zimbra/data/amavisd/.spamassassin --force-expire --sync > /dev/null 2>&1
#
# Clean up amavisd/tmp
#
15 5,20 * * * find /opt/zimbra/data/amavisd/tmp -maxdepth 1 -type d -name 'amavis-*' -mtime +1 -exec rm -rf {} \; > /dev/null 2>&1
#
# Clean up the quarantine dir
#
0 1 * * * find /opt/zimbra/data/amavisd/quarantine -type f -mtime +7 -exec rm -f {} \; > /dev/null 2>&1
#
#
#
35 3 * * * /opt/zimbra/bin/zmcbpadmin --cleanup >/dev/null 2>&1

and root user tasks is empty....

the command output "systemctl list-timers | grep certb" is empty...

remember that my server runs on oracle linux

best regards,

1 Like

I'm not familiar with that flavor.

How/where are certs being automatically renewed?

rg305....
I downloaded from the following link (Cómo instalar Let’s Encrypt para Zimbra en Ubuntu Server – Blog personal de Guido Cutipa) the renewal script, the developer documentation indicated configure the same in the etc / cron.d / ....

Please show the cron job you added.
cat /etc/cron.d/letsencrypt-zimbra
cat /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh

1 Like

Hi rg305, Thanks for answering and sorry I didn't write before. I paste output from both commands:

cat /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh

## letsencrypt-zimbra.cfg
#
# A configuration file - shell script - with variables
# this file is sourced by main script

# letsencrypt-zimbra parameters ============================
# Email to use for LE registration and to send the notifications
email="admin@calfnet.com.ar"

# Syslog facility. Default: "local6"
# Set to "none" if you want to disable syslog logging
#log_facility="local6"

# One or more FQDNS names to use as common name (or as
# alternative names more precisely) in the certificate.
#
# The letsencrypt won't let you to obtain wildcard certificate
# so use all your needed (and used) DNS names for the server.
#
# Please note that this variable is a bash array, so do not forget to
# use parantheses
#
# example: one CN
common_names=( "zimbra.calfnet.com.ar")
# "zimbra.cooperativacalf.com.ar" )
# example: several CNs
#common_names=( "example.com" "mail.example.com" "example.cz" )

# letsencrypt tool =========================================
letsencrypt="/usr/bin/certbot"
# if you clone the certbot from Github, use following line instead
#letsencrypt="/opt/certbot/certbot-auto"

# zimbra files =============================================
zimbra_dir="/opt/zimbra"

# following values are zimbra defaults; change it if you need to
#zimbra_ssl_dir="${zimbra_dir}/ssl/zimbra/commercial"
#zimbra_key="${zimbra_ssl_dir}/commercial.key"
#zimbra_cert="${zimbra_ssl_dir}/commercial.crt"
========================================================================================================================================

cat /etc/cron.d/letsencrypt-zimbra

## crontab
# Define MAILTO variable to reflect your local mail delivery configuration
#MAILTO=admin

# renew the certificate
#42 0 * * * zimbra /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh -q**(commented line, so you don't keep trying to renew)**

========================================================================================================================================

"cat /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh"

#!/bin/bash
## letsencrypt-zimbra
#
# Author:   Vojtech Myslivec <vojtech@xmyslivec.cz>
#           and others
# License:  GPLv3
# Web:      https://github.com/VojtechMyslivec/letsencrypt-zimbra
#
# --------------------------------------------------------------------
set -o nounset
set -o errexit

SCRIPTNAME=${0##*/}
USAGE="USAGE
    $SCRIPTNAME -h|-V
    $SCRIPTNAME [-q|-v] [-t] [-f|-d days]

DESCRIPTION
    This script is used to issue or renew zimbra (so-called)
    commercial certificate by Let's Encrypt certification authority.

    It reads its configuration file 'letsencrypt-zimbra.cfg' which
    must be located in the same directory as this script.

    The script will stop zimbra services for a while and restart
    them once the certificate is extended and deployed. If the
    obtained certificate isn't valid after all, Zimbra will start
    with the old certificate unchanged.

    Friendly notice: restarting Zimbra take a while.

OPTIONS
    -h      Prints this message and exits
    -V      Prints version of the script

    -d num  Do not renew the cert if it exists and will be valid
            for next 'num' days (default 30)
    -f      Force renew the certificate
    -q      Quiet mode, suitable for cron (overrides '-v')
    -v      Verbose mode, useful for testing (overrides '-q')
    -t      Use staging Let's Encrypt URL; will issue not-trusted
            certificate, but useful for testing"

# script version: major.minor(.patch)
VERSION='0.5.1'

# --------------------------------------------------------------------
# -- Functions -------------------------------------------------------
# --------------------------------------------------------------------
# common message format, called by error, warning, information, ...
#  $1 - level
#  $2 - message
message() {
    echo "$SCRIPTNAME: $1: $2" >&2
}

# common function to log via syslog
#  $1 - level
#  $2 - message
log() {
    if [[ "$log_facility" != "none" ]]; then
        logger -t "$log_tag" -p "${log_facility}.${1}" "$2"
    fi
}

error() {
    message "error" "$*"
    log "err" "$*"
}

warning() {
    message "warning" "$*"
    log "warning" "$*"
}

information() {
    if [ "$VERBOSE" == 'true' ]; then
        message "info" "$*"
    fi
    log "info" "$*"
}

# is $1 a readable ordinary file?
readable_file() {
    [ -f "$1" -a -r "$1" ]
}

# is $1 a executable ordinary file?
executable_file() {
    [ -f "$1" -a -x "$1" ]
}

# is $1 a writable directory?
writable_directory() {
    [ -d "$1" -a -w "$1" ]
}

cleanup() {
    information "cleanup temp files"

    [ -d "$temp_dir" ] && {
        rm -rf "$temp_dir" || {
            warning "Cannot remove temporary directory '$temp_dir'. You should check it for private data."
        }
    }
}

# just a kindly message how to fix stopped nginx
fix_nginx_message() {
    cat >&2 <<EOF
        You must probably fix it with:
          \`zmproxyctl start; zmmailboxdctl start\`
        command or something.
EOF
}

# this function will stop Zimbra's nginx
stop_nginx() {
    information "stop nginx"

    zmproxyctl stop > /dev/null && \
      zmmailboxdctl stop > /dev/null || {
        error "There were some error during stopping the Zimbra' nginx."
        fix_nginx_message
        return 3
    }
}

# and another one to start it
start_nginx() {
    information "start nginx"

    zmproxyctl start > /dev/null && \
      zmmailboxdctl start > /dev/null || {
        error "There were some error during starting the Zimbra' nginx."
        fix_nginx_message
        return 3
    }
}

# Restart all zimbra services (run in subshell due to env variables)
restart_zimbra() (
    information "restart zimbra"

    # set env for perl (for zmwatch)
    if declare -v PERLLIB &> /dev/null; then
        PERLLIB="${zimbra_perllib}:${PERLLIB}"
    else
        PERLLIB="${zimbra_perllib}"
    fi
    export PERLLIB

    zmcontrol restart > /dev/null || {
        error "Restarting zimbra failed."
        return 5
    }
)

# this function will constructs openssl csr config to stdout
# arguments are used as SAN
assemble_csr_config() {
    local i=1
    typeset -i i

    echo "$openssl_config"

    for arg; do
        echo "DNS.${i} = ${arg}"
        i+=1
    done
}

# --------------------------------------------------------------------
# -- Variables -------------------------------------------------------
# --------------------------------------------------------------------
letsencrypt_zimbra_dir="${0%/*}"
letsencrypt_zimbra_config="${letsencrypt_zimbra_dir}/letsencrypt-zimbra.cfg"
source "$letsencrypt_zimbra_config" || {
    error "Can not source config file '$letsencrypt_zimbra_config'"
    exit 1
}

# a lot of binaries in zimbra bin dir
PATH="${zimbra_dir}/bin:$PATH"

perl_archname=$(perl -MConfig -e 'print $Config{archname}')
zimbra_perllib="${zimbra_dir}/common/lib/perl5/${perl_archname}:${zimbra_dir}/common/lib/perl5"

# Logging parameters
log_tag="letsencrypt-zimbra"
# default value for facility (if not set in config file)
log_facility="${log_facility:-local6}"

# zimbra keys paths (with default values)
zimbra_ssl_dir="${zimbra_ssl_dir:-${zimbra_dir}/ssl/zimbra/commercial}"
zimbra_key="${zimbra_key:-${zimbra_ssl_dir}/commercial.key}"
zimbra_cert="${zimbra_cert:-${zimbra_ssl_dir}/commercial.crt}"


# openssl config skeleton
#  it is important to have an alt_names section there!
openssl_config="
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]"


# the name of file which letsencrypt will generate
letsencrypt_issued_cert_file="0000_cert.pem"
# intermediate CA
letsencrypt_issued_intermediate_CA_file="0000_chain.pem"

certbot_extra_args=("--non-interactive" "--agree-tos")
TESTING='false'
VERBOSE='false'
FORCE='false'
DAYS='30'

# --------------------------------------------------------------------
# -- Usage -----------------------------------------------------------
# --------------------------------------------------------------------
while getopts ':hVd:fqtv' OPT; do
    case "$OPT" in
        h)
            echo "$USAGE"
            exit 0
            ;;

        V)
            echo "letsencrypt-zimbra version $VERSION"
            exit 0
            ;;

        d)
            DAYS="$OPTARG"
            [[ "$DAYS" =~ ^[0-9]+$ ]] || {
                error "Specified number of days '$days' is not a Integer"
                exit 1
            }
            ;;

        f)
            FORCE='true'
            ;;

        q)
            certbot_extra_args+=("--quiet")
            VERBOSE='false'
            ;;

        t)
            certbot_extra_args+=("--staging")
            TESTING='true'
            ;;

        v)
            VERBOSE='true'
            ;;

        \?)
            error "Illegal option '-$OPTARG'"
            exit 1
            ;;
    esac
done
shift $(( OPTIND-1 ))

# extra args?
[ $# -eq 0 ] || {
    echo "$USAGE" >&2
    exit 1
}

# root CA certificate - zimbra needs it
if [ "$TESTING" == 'false' ]; then
    root_CA_file="${letsencrypt_zimbra_dir}/root_certs/DSTRootCAX3.pem"
else
    root_CA_file="${letsencrypt_zimbra_dir}/root_certs/fakelerootx1.pem"
fi


# --------------------------------------------------------------------
# -- Renew? ----------------------------------------------------------
# --------------------------------------------------------------------
# check the need to renew if the cert is present an force mode is off
if ! readable_file "$zimbra_cert"; then
    information "Zimbra certificate does not exist. New cert will be deployed."
else
    if [ "$FORCE" == 'true' ]; then
        information "Running in force mode, certificate will be renewed."
    else
        if openssl x509 -checkend $(( DAYS*24*60*60 )) -in "$zimbra_cert" &> /dev/null; then
            information "Certificate will be valid for next $DAYS days, exiting (Run with '-f' to force-renew)."
            exit 0
        else
            information "Certificate will expire in $DAYS, certificate will be renewed."
        fi
    fi
fi


# --------------------------------------------------------------------
# -- Tests -----------------------------------------------------------
# --------------------------------------------------------------------
# check simple email format
[[ "$email" =~ ^[^[:space:]]+@[^[:space:]]+\.[^[:space:]]+$ ]] || {
    error "email '$email' is in wrong format - use user@domain.tld"
    exit 2
}

# check that common_names is an array
declare -p common_names 2> /dev/null \
  | grep -q '^declare -a ' || {
    error "parameter common_names must be an array"
    exit 2
}
# check that common_names have at least 1 item
[ ${#common_names[@]} -gt 0 ] || {
    error "array common_names must have at least 1 item"
    exit 2
}

executable_file "$letsencrypt" || {
    error "Letsencrypt tool '$letsencrypt' isn't executable file."
    exit 2
}

for bin in zmcertmgr zmcontrol zmmailboxdctl zmproxyctl; do
    type "$bin" &> /dev/null || {
        error "Zimbra executable '$bin' not found"
        exit 2
    }
done

readable_file "$root_CA_file" || {
    error "The root CA certificate '$root_CA_file' isn't readable file."
    exit 2
}

writable_directory "$zimbra_ssl_dir" || {
    error "Zimbra SSL directory '$zimbra_ssl_dir' is not writable"
    exit 2
}

# Check and generate private-key if not present
if ! readable_file "$zimbra_key"; then
    information "Generating RSA private key '$zimbra_key'"
    openssl genrsa -out "$zimbra_key" 4096 &> /dev/null || {
        error "Can not generate RSA private key '$zimbra_key'"
        information "Try to generate it in Zimbra web interface or with following command:
        openssl genrsa -out '$zimbra_key' 4096"
        exit 3
    }
fi


# --------------------------------------------------------------------
# -- Temporary files -------------------------------------------------
# --------------------------------------------------------------------
temp_dir=$( mktemp -d ) || {
    error "Cannot create temporary directory."
    exit 2
}
openssl_config_file="${temp_dir}/openssl.cnf"
request_file="${temp_dir}/request.pem"

information "create csr config '$openssl_config_file'"
# create the openssl config file from common_names array
assemble_csr_config "${common_names[@]}" > "$openssl_config_file"

# --------------------------------------------------------------------
# -- Obtaining the certificate ---------------------------------------
# --------------------------------------------------------------------
information "generate csr '$request_file'"
# create the certificate signing request [csr]
openssl req -new -nodes -sha256 -outform der \
  -config "$openssl_config_file" \
  -subj '/' \
  -key "$zimbra_key" \
  -out "$request_file" || {
    error "Cannot create the certificate signing request."
    exit 3
}

# release the 443 port -- stop Zimbra' nginx
stop_nginx

# ----------------------------------------------------------
information "issue certificate; certbot_extra_args: ${certbot_extra_args[@]}"
(
    # run in subshell due to working directory and umask change

    # letsencrypt utility stores the obtained certificates in PWD
    # so we must cd in the temp directory
    cd "$temp_dir"
    # ensure generated certificate would be readable for zimbra user
    umask 0022

    sudo "$letsencrypt" certonly \
      --standalone \
      "${certbot_extra_args[@]}" \
      --email "$email" --csr "$request_file" || {
        error "The certificate cannot be obtained with '$letsencrypt' tool."
        start_nginx
        exit 4
    }

)
# ----------------------------------------------------------

# start Zimbra' nginx again
start_nginx


# --------------------------------------------------------------------
# -- Deploying the certificate ---------------------------------------
# --------------------------------------------------------------------
information "assemble cert files"
cert_file="${temp_dir}/${letsencrypt_issued_cert_file}"
intermediate_CA_file="${temp_dir}/${letsencrypt_issued_intermediate_CA_file}"
chain_file="${temp_dir}/chain.pem"

touch "$chain_file" || {
    error "Cannot create a chain file '$chain_file'."
    exit 4
}

# change ownership to zimbra user
readable_file "$cert_file" || {
    error "The issued certificate file '$cert_file' isn't readable file. Maybe it was created with different name?"
    exit 4
}

readable_file "$intermediate_CA_file" || {
    error "The issued intermediate CA file '$intermediate_CA_file' isn't readable file. Maybe it was created with different name?"
    exit 4
}

# create one CA chain file
cat "$intermediate_CA_file" "$root_CA_file" > "$chain_file"

# verify it with Zimbra tool
information "test and deploy certificates"
zmcertmgr verifycrt comm "$zimbra_key" "$cert_file" "$chain_file" > /dev/null || {
    error "Verification of the issued certificate failed."
    exit 4
}

# install the certificate to Zimbra
zmcertmgr deploycrt comm "$cert_file" "$chain_file" > /dev/null || {
    error "Installation of the issued certificate failed."
    exit 4
}


# finally, restart the Zimbra
restart_zimbra


# --------------------------------------------------------------------
# -- Cleanup ---------------------------------------------------------
# --------------------------------------------------------------------

This is where the cert gets created.
But it might not be using the certbot 1.14.0 you have installed.

Not clearly defined variables:
temp_dir
letsencrypt

Please show the output of:
echo $temp_dir
echo $letsencrypt
cat /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg

1 Like

[administrator@zimbra /]# echo $temp_dir

[administrator@zimbra /]# echo $letsencrypt

[administrator@zimbra /]# cat /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg

## letsencrypt-zimbra.cfg
#
# A configuration file - shell script - with variables
# this file is sourced by main script

# letsencrypt-zimbra parameters ============================
# Email to use for LE registration and to send the notifications
email="admin@calfnet.com.ar"

# Syslog facility. Default: "local6"
# Set to "none" if you want to disable syslog logging
#log_facility="local6"

# One or more FQDNS names to use as common name (or as
# alternative names more precisely) in the certificate.
#
# The letsencrypt won't let you to obtain wildcard certificate
# so use all your needed (and used) DNS names for the server.
#
# Please note that this variable is a bash array, so do not forget to
# use parantheses
#
# example: one CN
common_names=( "zimbra.calfnet.com.ar")
# "zimbra.cooperativacalf.com.ar" )
# example: several CNs
#common_names=( "example.com" "mail.example.com" "example.cz" )

# letsencrypt tool =========================================
letsencrypt="/usr/bin/certbot"
# if you clone the certbot from Github, use following line instead
#letsencrypt="/opt/certbot/certbot-auto"

# zimbra files =============================================
zimbra_dir="/opt/zimbra"

# following values are zimbra defaults; change it if you need to
#zimbra_ssl_dir="${zimbra_dir}/ssl/zimbra/commercial"
#zimbra_key="${zimbra_ssl_dir}/commercial.key"
#zimbra_cert="${zimbra_ssl_dir}/commercial.crt"

Please show:
ls -l /usr/bin/certbot

1 Like

rg305,

command output...

[administrator@zimbra /]# ls -l /usr/bin/certbot
lrwxrwxrwx. 1 root root 18 Apr 8 2021 /usr/bin/certbot -> /usr/bin/certbot-3

ls -l /usr/bin/certbot-3

1 Like

[administrator@zimbra /]# ls -l /usr/bin/certbot-3
-rwxrwxrwx. 1 root root 387 Apr 8 2021 /usr/bin/certbot-3

rg305, This is the last error when wanting to renew the certificates, there is a way to cancel these requests and generate a manual for 1 week, and then verify that the automatic renewal process functions? ... surely you have to review the automatic renewal process ...

Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: zimbra.calfnet.com.ar: see Rate Limits - Let's Encrypt
2021-11-18 12:56:54,856:ERROR:certbot._internal.log:An unexpected error occurred:
2021-11-18 12:56:54,856:ERROR:certbot._internal.log:There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: zimbra.calfnet.com.ar: see Rate Limits - Let's Encrypt

I would also like to know how the letsencript renewal process is, since in the logs it appears that on 11/16/21, the result was correct until 02/13/22

Hi rg305, I add the result of progress regarding my problem, I generated the zimbra own certificates again, and then started the process of creating letsencryp certificates from the beginning .....

[zimbra@zimbra letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
[zimbra@zimbra letsencrypt]$ cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite '/opt/zimbra/ssl/zimbra/commercial/commercial.key'?
[zimbra@zimbra letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
[zimbra@zimbra letsencrypt]$

This command requires some interaction:

Seems to be asking for "y/n".

1 Like