Finally!
A couple of things:
- Why did your certbot version step back so far?
- Please don't modify the files under /etc/letsencrypt going forward.
40 posts...
[starting to get interesting]
How to deploy it, Sir?
The error is still the same as I mentioned in my first post.
```
zimbra@mail:/root$ cd /opt/zimbra/ssl/letsencrypt/
zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
```
May need to be:
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem CA.pem
[where CA.pem is not the intermediate chain, but the intermediate cert + the actual signing root]
Zimbra is a bit wonky.
In the meantime during my lunch I wanted to say that your certificate should renew automatically. If it doesn't, this is how you should renew it:
sudo certbot renew
You currently have a brand new certificate, so no need to renew for about 60 days.
@rg305 has the right idea about how to fix the original (smaller) issue.
I might be a beginner at this. Need your guys' help to deploy it.
Try this script for ZIMBRA cert renewal:
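update.cert.sh
```bash
#!/bin/bash
# Copy the current Let's Encrypt files into Zimbra's working folder.
cp /etc/letsencrypt/live/YOUR.DOMAIN/*.pem /opt/zimbra/ssl/letsencrypt/
# Start the CA bundle with the intermediate chain...
cat "/opt/zimbra/ssl/letsencrypt/chain.pem" > "/CERTSTUFF/le_cert_chain.pem"
# ...then append the issuer of that chain from the system trust store, looked up by issuer hash.
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/YOUR.DOMAIN/chain.pem -noout -issuer_hash).0" >> "/CERTSTUFF/le_cert_chain.pem"
# Verify key, certificate and CA bundle as the zimbra user.
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /CERTSTUFF/le_cert_chain.pem"
# Put the private key in the commercial key location, then deploy.
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /CERTSTUFF/le_cert_chain.pem"
```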
[change YOUR.DOMAIN and create folder /CERTSTUFF or change path to any you prefer]
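The "error 2 at 1 depth lookup" failure shown earlier, and the intermediate-plus-root bundle the script assembles, can be reproduced offline with plain openssl. This is an added example, not code from the thread or from Zimbra: the three-level hierarchy and its names are constructed, and it assumes `openssl verify -CAfile` stands in for the check zmcertmgr reports.

```shell
#!/bin/bash
# Added example with constructed data: a throwaway root -> intermediate -> leaf
# hierarchy (all names made up), to reproduce the chain error offline.
set -eu

make_demo_pki() {            # $1 = empty working directory
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root, then the intermediate (plays the part of chain.pem),
  # then the server certificate (plays the part of cert.pem).
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
}

# Succeeds only if $2 chains to a self-signed root found in bundle $1.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Count the certificates in a PEM bundle (expect intermediate + root = 2).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"

# Intermediate only: the issuer of the intermediate is missing from the bundle.
if verify_with "$work/chain.pem" "$work/cert.pem"; then
  echo "chain.pem alone: OK"
else
  echo "chain.pem alone: FAILED (no root in bundle)"
fi

# Intermediate + root, in that order, as the renewal script assembles it.
cat "$work/chain.pem" "$work/root.pem" > "$work/le_cert_chain.pem"
if verify_with "$work/le_cert_chain.pem" "$work/cert.pem"; then
  echo "chain + root: OK ($(count_certs "$work/le_cert_chain.pem") certificates)"
fi
```

Running `count_certs` on the real bundle before `deploycrt` is a quick way to catch a bundle that picked up an extra or duplicate certificate.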
If it works for Microsoft, it works for me! They had an outage on Teams earlier this year after a cert expired, and after that outage, one guy in your team creates a calendar event a few weeks before the cert expires. He handles the renewals for a few years. He retires and everything goes to shit.
Hello LetsEncrypt
You guys are great.
@rg305 Your script was a life saver!
I had to run it line by line and:
Before the line:
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/YOUR.DOMAIN/chain.pem -noout -issuer_hash).0" >> "/CERTSTUFF/le_cert_chain.pem"
I had to remove the second certificate from le_cert_chain.pem.
And before the line:
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/le_cert_chain.pem"
I had to chown /CERTSTUFF/* to zimbra:zimbra.
Thanks