The last certificate I ran was done manually; I did not succeed with auto.
I don't, sorry. I'm usually the wrong person to ask for Certbot stuff. @bmw, @schoen, do you have any thoughts about this?
Sorry @cpu, got confused with your other three letter name colleague 
The command certbot certonly --nginx is equivalent to certbot certonly --authenticator nginx --installer nginx. The installer won't be used because you used the subcommand certonly, but the selection of the installer is still parsed by Certbot.
One side effect of this though is that the selected installer is remembered for renewal so if you obtain a certificate with this command, nginx will automatically be reloaded for you when the certificate is renewed through certbot renew.
Please help, where do I look for the solution?
I haven't succeeded in making auto renewal work since the first time I installed Let's Encrypt, but I was able to do it manually for the 2nd and 3rd.
Zimbra makes it difficult to automate.
Zimbra requires additional steps (after certbot renew), like:
su zimbra
/opt/zimbra/bin/zmcertmgr verifycrt comm private.key public.key
cp private.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm public.key CA.key
zmcontrol restart
And at this point, we can't even figure out where the certs are and who/what is obtaining them…
I will try the steps and carefully read through the wiki again and fix the /run/nginx.pid part.
Yesterday I read an article saying that there are bugs for nginx: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864
I don't think that is relevant.
It is probably a different PID because it runs from a different instance/location of nginx.
Recall that you found more than one nginx.
You were right; yesterday I found out that the nginx that was already started belongs to Zimbra, not the system nginx (Ubuntu Server).
I want to stop the system nginx, but I think the Zimbra webmail would become unavailable, so I didn't do it.
Yesterday I restarted the server and found out that the Apache that runs below the system nginx is the one that got the certificate update -> extended for 3 months (expiring in March 2020).
While Apache was still running, for about 5 minutes, the Zimbra webmail was not accessible; after 5 minutes the Zimbra nginx (Zimbra webmail) was up again and the certificate still expired Jan 1, 2020.
How did this happen?
Can I copy the certificate in the Apache folder and paste it onto the Zimbra nginx?
Zimbra starts various services (depending on the role(s) the server has) and their startup order is not all in parallel. So it may take a few minutes before all services are running.
Services like:
zmcontrol status
amavis Running
antispam Running
antivirus Running
dnscache Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
Yes, your "update/renew script" should use the apache updated files.
[and be sure that the apache files are auto-updating]
Where can I find the location of the Apache SSL certificate?
I already googled it but still did not find the correct path.
Suddenly the company webmail certificate is already renewed and valid for March 2020. But that didn't please me, because I want to know what happened.
And I tried to find the certificate that is valid before Dec 18 and not after March 17.
zimbra@root:/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id$ ls -al
total 12
drwxr-xr-x 2 zimbra zimbra 4096 Dec 24 16:50 .
drwx------ 3 zimbra zimbra 4096 Dec 24 16:48 ..
-rw-r--r-- 1 zimbra zimbra 692 Dec 18 13:47 README
lrwxrwxrwx 1 root root 54 Dec 24 16:50 cert.pem -> ../../archive/mail.bankvictoriasyariah.co.id/cert2.pem
lrwxrwxrwx 1 root root 55 Dec 24 16:50 chain.pem -> ../../archive/mail.bankvictoriasyariah.co.id/chain2.pem
lrwxrwxrwx 1 root root 59 Dec 24 16:50 fullchain.pem -> ../../archive/mail.bankvictoriasyariah.co.id/fullchain2.pem
lrwxrwxrwx 1 root root 57 Dec 24 16:50 privkey.pem -> ../../archive/mail.bankvictoriasyariah.co.id/privkey2.pem
zimbra@root:/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id$ cd /etc/letsencrypt/archive/mail.bankvictoriasyariah.co.id/
And I found it in archive:
zimbra@root:/etc/letsencrypt/archive/mail.bankvictoriasyariah.co.id$ ls -al
total 40
drwxr-xr-x 2 zimbra zimbra 4096 Dec 24 16:20 .
drwx------ 3 zimbra zimbra 4096 Dec 24 16:47 ..
-rw-r--r-- 1 zimbra zimbra 1952 Dec 18 13:47 cert1.pem
-rw-r--r-- 1 zimbra zimbra 1948 Dec 19 10:00 cert2.pem
-rw-r--r-- 1 zimbra zimbra 1647 Dec 18 13:47 chain1.pem
-rw-r--r-- 1 zimbra zimbra 2847 Dec 24 16:20 chain2.pem
-rw-r--r-- 1 zimbra zimbra 3599 Dec 18 13:47 fullchain1.pem
-rw-r--r-- 1 zimbra zimbra 3595 Dec 19 10:00 fullchain2.pem
-rw------- 1 zimbra zimbra 1704 Dec 18 13:47 privkey1.pem
-rw------- 1 zimbra zimbra 1704 Dec 19 10:00 privkey2.pem
But it is different than the certificate found in
zimbra@root:cd /opt/zimbra/ssl/letsencrypt$ ls -al
total 28
drwxr-xr-x 2 zimbra zimbra 4096 Oct 4 00:33 .
drwxr-xr-x 11 zimbra zimbra 4096 Dec 20 16:42 ..
-rw-r----- 1 zimbra zimbra 692 Oct 4 00:32 README
-rw-r----- 1 zimbra zimbra 1996 Oct 4 00:32 cert.pem
-rw-r----- 1 zimbra zimbra 2847 Oct 4 00:33 chain.pem
-rw-r----- 1 zimbra zimbra 3643 Oct 4 00:32 fullchain.pem
-rw-r----- 1 zimbra zimbra 1704 Oct 4 00:32 privkey.pem
Was the mail server restarted? The file was updated but the mail server wasn't told to recheck the new config, so it keeps using the old certificate?
I haven't restarted the server today, but I stopped the Zimbra proxy and Zimbra mailbox and also started them again… but that was about 4-5 hours ago.
You did restart the webmail, so it finally checked the new certificate. Add a restart of it to the renew hook of certbot.
--deploy-hook does that only for a successful renewal.
As in my previous post, can you tell me where the certificates are stored?
Do you mean I should do --deploy-hook now?
Zimbra is already looking at the right path, as it's seeing the new certificate by just restarting it.
It's a lazy way, but adding a cron job to restart your Zimbra every week will do the job.
But before, it wasn't.
Now I'm trying to figure out what in the heck just happened.
Also I found this:
root@VicSyar:/opt/zimbra/ssl/letsencrypt# nginx -t | grep ssl_cert
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
How to fix it?
"/etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/fullchain.pem"
This path doesn't look right: /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id is the right folder. Remove the -0001 part.
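The check behind the answer above, generalized to every certificate directive in an nginx config, is shown here as an added example that is not part of the thread and not code from Certbot or nginx. The function names and the mail.example.test tree are made up for illustration; point the functions at the real nginx.conf and /etc/letsencrypt/live to use them.

```shell
#!/bin/sh
# Added example: find ssl_certificate* paths in an nginx config that point at
# files which do not exist (e.g. a stale "-0001" lineage), and suggest a fix.

# missing_cert_paths CONF: print each referenced cert/key path that is missing.
# Commented-out directives are ignored; optional double quotes are stripped.
missing_cert_paths() {
    sed -n -E 's/^[[:space:]]*ssl_(trusted_)?certificate(_key)?[[:space:]]+"?([^";[:space:]]+)"?[[:space:]]*;.*$/\3/p' "$1" |
    sort -u |
    while IFS= read -r path; do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# suggest_lineage PATH LIVE_DIR: if PATH's directory ends in a "-NNNN" suffix
# and the same file exists under LIVE_DIR without the suffix, print that path.
suggest_lineage() {
    file=$(basename "$1")
    name=$(basename "$(dirname "$1")")
    base=$(printf '%s' "$name" | sed -E 's/-[0-9]{4}$//')
    [ "$base" != "$name" ] && [ -e "$2/$base/$file" ] && printf '%s\n' "$2/$base/$file"
    return 0
}

# Constructed demo: a temp tree standing in for /etc/letsencrypt/live and nginx.conf.
demo() {
    tmp=$(mktemp -d)
    live="$tmp/live"
    mkdir -p "$live/mail.example.test"
    : > "$live/mail.example.test/fullchain.pem"
    : > "$live/mail.example.test/privkey.pem"
    cat > "$tmp/nginx.conf" <<EOF
server {
    listen 443 ssl;
    ssl_certificate     $live/mail.example.test-0001/fullchain.pem;
    ssl_certificate_key $live/mail.example.test/privkey.pem;
    # ssl_certificate   $live/old/fullchain.pem;
}
EOF
    missing_cert_paths "$tmp/nginx.conf" | while IFS= read -r p; do
        printf 'missing: %s\n' "$p"
        s=$(suggest_lineage "$p" "$live")
        if [ -n "$s" ]; then printf '  exists: %s\n' "$s"; fi
    done
    rm -rf "$tmp"
}

demo
```

After correcting the path in the config, re-run nginx -t before reloading; files pulled in through include directives have to be passed to missing_cert_paths one by one.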