SSL Certificate Renewal

Finally!

:partying_face:

A couple of things:

  • Why did your certbot version step back so far?
  • Please don't modify the files under /etc/letsencrypt going forward.
2 Likes

40 posts...
[starting to get interesting]

2 Likes

How to deploy it, Sir?

2 Likes

Error is still the same as I mentioned in my first post.

2 Likes
zimbra@mail:/root$ cd /opt/zimbra/ssl/letsencrypt/
zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
2 Likes

May need to be:
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem CA.pem
[where CA.pem is not the intermediate chain, but the intermediate cert + the actual signing root]
Zimbra is a bit wonky.

3 Likes

In the meantime during my lunch I wanted to say that your certificate should renew automatically. If it doesn't, this is how you should renew it:

sudo certbot renew

You currently have a brand new certificate, so no need to renew for about 60 days.

@rg305 has the right idea about how to fix the original (smaller) issue.

3 Likes

I might be a beginner at this. Need your guys' help to deploy it.

2 Likes

Try this script for ZIMBRA cert renewal:

update.cert.sh

#!/bin/bash
set -euo pipefail   # abort on the first failure so a failed verifycrt never reaches deploycrt
# Stage the freshly renewed Let's Encrypt files where Zimbra expects them
cp /etc/letsencrypt/live/YOUR.DOMAIN/*.pem /opt/zimbra/ssl/letsencrypt/
# Zimbra wants intermediate chain + signing root in one file: start with the chain...
cat "/opt/zimbra/ssl/letsencrypt/chain.pem" > "/CERTSTUFF/le_cert_chain.pem"
# ...then append the root from the system CA store, looked up by the chain's issuer hash
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/YOUR.DOMAIN/chain.pem -noout -issuer_hash).0" >> "/CERTSTUFF/le_cert_chain.pem"
chown zimbra:zimbra /CERTSTUFF/le_cert_chain.pem   # zmcertmgr runs as zimbra and must be able to read it
# Verify key, cert and CA bundle as the zimbra user before touching the live install
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /CERTSTUFF/le_cert_chain.pem"
# deploycrt reads the private key from commercial.key, so put it there first
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /CERTSTUFF/le_cert_chain.pem"

[change YOUR.DOMAIN and create folder /CERTSTUFF or change path to any you prefer]

3 Likes
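The CA.pem note above and the script both build the same thing: the intermediate chain with the signing root appended, which is what makes the "unable to get issuer certificate" error go away. The script below is an added example (not rg305's script and not anything shipped by Zimbra or certbot) that does that bundle step and checks it with plain openssl against a throwaway root/intermediate/leaf it constructs itself; on a real host CHAIN would be certbot's chain.pem, CA_DIR would be /etc/ssl/certs, and verify_leaf is openssl's check standing in for zmcertmgr verifycrt.

```shell
#!/bin/bash
# build_bundle CHAIN CA_DIR OUT: write CHAIN plus the root that signed its first
# certificate, found in CA_DIR by issuer hash (the <hash>.0 layout of /etc/ssl/certs).
build_bundle() {
  chain="$1" cadir="$2" out="$3"
  hash=$(openssl x509 -in "$chain" -noout -issuer_hash) || return 1
  root="$cadir/$hash.0"
  if [ ! -f "$root" ]; then
    echo "no root with subject hash $hash in $cadir" >&2; return 1
  fi
  # A real root is self-signed: its subject hash must equal its issuer hash.
  [ "$(openssl x509 -in "$root" -noout -issuer_hash)" = "$hash" ] || return 1
  cat "$chain" "$root" > "$out"
}

# verify_leaf LEAF BUNDLE: returns 0 only when LEAF chains up to a root inside BUNDLE.
# With the intermediate-only chain.pem this fails exactly like zmcertmgr did above.
verify_leaf() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed throwaway root -> intermediate -> leaf for this
# example only, plus DIR/certs laid out like /etc/ssl/certs.
make_demo_pki() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=demo $n" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # chain.pem holds only the intermediate, like certbot's chain.pem
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null
  mkdir -p "$d/certs"
  cp "$d/root.pem" "$d/certs/$(openssl x509 -in "$d/root.pem" -noout -subject_hash).0"
}
```

Run make_demo_pki on a temp dir, then build_bundle "$d/chain.pem" "$d/certs" "$d/bundle.pem" and verify_leaf "$d/cert.pem" "$d/bundle.pem"; the same verify_leaf against chain.pem alone fails.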

If it works for Microsoft, it works for me! They had an outage on Teams earlier this year after a cert expired, and after that outage, one guy in your team creates a calendar event a few weeks before the cert expires and handles the renewals for a few years. He retires and everything goes to shit.

Hello LetsEncrypt
You guys are great.

@rg305 Your script was a life saver!
I had to run it line by line and:
Before the line:
cat "/etc/ssl/certs/$(openssl x509 -in /etc/letsencrypt/live/YOUR.DOMAIN/chain.pem -noout -issuer_hash).0" >> "/CERTSTUFF/le_cert_chain.pem"
I had to remove the second certificate from le_cert_chain.pem.
And before the line:
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/le_cert_chain.pem"
I had to chown /CERTSTUFF/* to zimbra:zimbra.

Thanks

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.