Zimbra auto renewal problem with permissions

My domain is: ****.gov
I ran this command: letsencrypt-auto renew

It produced this output:

The following certs are not due for renewal yet:
/etc/letsencrypt/live/*****.gov/fullchain.pem expires on 2020-03-15 (skipped)
No renewals were attempted.


**** Fixing newlines in ‘combined.pem’**
Can’t rename combined.pem to combined.pem.bak: Permission denied, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘cert.pem’ against ‘combined.pem’
Valid certificate chain: cert.pem: OK

It is clear that there is a permissions problem but I can’t tell in what directory is the problem so I can change the perms to zimbra:zimbra (I have to run is as user ‘zimbra’) because I don’t know what the “letsencrypt-auto renew” is trying to do…

Is it the /etc/letsencrypt/live/****.gov dir? Is there a way for me to find out? If so, is there a reason not to change this dir (currently with root:root permissions to zimbra:zimbra)? It contains:

root@:/etc/letsencrypt/live/.gov# ls -al
total 32
drwxr-xr-x 2 root root 4096 Dec 16 12:19 .
drwx------ 3 root root 4096 Dec 16 11:25 …
lrwxrwxrwx 1 root root 43 Dec 16 11:25 cert.pem -> …/…/archive/.gov/cert1.pem
lrwxrwxrwx 1 root root 44 Dec 16 11:25 chain.pem -> …/…/archive/
.gov/chain1.pem
-rw-r–r-- 1 root root 7280 Dec 16 12:18 combined.pem
lrwxrwxrwx 1 root root 48 Dec 16 11:25 fullchain.pem -> …/…/archive/.gov/fullchain1.pem
-rw-r–r-- 1 root root 1970 Dec 16 11:34 isrgrootx1.pem.txt
-rw-r–r-- 1 root root 2016 Dec 16 12:15 letsencryptauthorityx3.pem.txt
-rw-r–r-- 1 root root 1647 Dec 16 11:49 lets-encrypt-x3-cross-signed.pem.txt
lrwxrwxrwx 1 root root 46 Dec 16 11:25 privkey.pem -> …/…/archive/
.gov/privkey1.pem
-rw-r–r-- 1 root root 692 Dec 16 11:25 README

Thank you!

1 Like

Those are not normal procedures for:

You are either running a modified version or some additional command(s).
In either case, the cert is fine (expires 2020-03-15).
The problem is within Zimbra and updating it to use the new cert.
Zimbra commands (like: /opt/zimbra/bin/zmcertmgr) are required to be run as user zimbra.
More on this can be found on their site: Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center

1 Like

Thank you, my concern is not with the cert expiration but what happens when it is about to be renewed. I am not running modified version, only what came “out of the box”.

Is the letsencrypt-auto renew expected to run as ‘zimbra’ user as well?

I am worried that this permissions error will cause problems.
I am already running the deployment command as the ‘zimbra’ user:

su - zimbra -c “cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem”

I guess my question is, what is the letsencrypt-auto renew doing and which directory is it referring to so I can change its permissions to zimbra:zimbra if that is the problem…

Thank you!

No.

It should only renew the cert.

It "should" be putting everything in "/etc/letsencrypt/{live|renewal|etc.}

There seems to be a step missing.
Between LE renewing and Zimbra deploying.
How/When/Where is the "combined.pem" created?

1 Like

It “should” be putting everything in "/etc/letsencrypt/{live|renewal|etc.}

Should this have zimbra:zimbra perms? Right now is root:root

There seems to be a step missing.
Between LE renewing and Zimbra deploying.
How/When/Where is the “combined.pem” created?

Not sure I understand, these are my commands (end-to-end):
su - zimbra -c “zmcontrol stop”
echo “-- Zimbra services stopped, running letsencrypt-auto renew …”
/root/letsencrypt/letsencrypt-auto renew
echo “-- Copying updated files …”
cp /etc/letsencrypt/live/.gov/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/
.gov/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
echo “-- Ensure correct permissions…”
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
echo “-- Deploying certificate (zmcertmgr)”
su - zimbra -c “cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem”
echo “-- Restart Zimbra …”"
su - zimbra -c “zmcontrol start”

1 Like

This is the LIVE directory (from above) sorted by date/time.
Notice how there is a 53 minute time gap between the regular .PEM files and the combined.pem file:

1 Like

Yes, this was the time difference between the original fails that came with letsencrypt and the “first” construction of the combined.pem after doing the proper key-CA-intermediate combination.

For some reason my previous message with my steps did not show up. Here is my script end-to end:

su - zimbra -c “zmcontrol stop”
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/x.gov/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/x.gov/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c “cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem”
su - zimbra -c “zmcontrol start”

Thanks for the complete script.
[now things are making more sense]

I don’t see why you should have to stop zimbra (right at the start) as most of those steps can happen while zimbra runs.

That said, I don’t see why this script would fail - other than possibly overlooking the “are you sure Y/n?” prompts that may be introduced while overwriting files.

So, has this script been tested to work?
Does it work if you walk through the script manually?
If not, which step(s) fail(s)?

Thank you for all your help.
The script seems to work correctly (no renewal yet as expected) except from this line:

**** Fixing newlines in ‘combined.pem’**
Can’t rename combined.pem to combined.pem.bak: Permission denied, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.

which worries me that when it does perform the actual renewal, it will choke in some directory permissions. But I can’t tell:

  1. what directory is this referring to,
  2. what the perms should be (I suspect they are root:root but should be zimbra:zimbra), and,
  3. if there would be and adverse impact if I do make the perm changes…
1 Like

A1. That is a Zimbra question.
[but you might be able to FIND it with: find / -name combined.pem ]

A2. That is a Zimbra question too.

A3. Sorry but that is also a Zimbra question.

I would look through their documentation first.
If nothing solves your problem and you want to go at it yourself, I would find the “combined.pem.bak” file and insert a line to your script that deletes that bak file before it needs to be overwritten.

1 Like

The forum's anti-spam software is very, um, enthusiastic. It's too late to help, but your post is visible now. :grimacing:

1 Like

No worries, thank you!

1 Like

Thank you for all your help, I will try this and see if I get the answers. Zimbra is finicky…

2 Likes

For whatever it’s worth, the version of Zimbra I have seen has a backup folder within commercial:
/opt/zimbra/ssl/zimbra/commercial/backup/
It doesn’t copy any files with “.bak” extensions.
Maybe you need to update/upgrade the version?

ls -l /opt/zimbra/ssl/zimbra/commercial/ shows:
drwxr-xr-x 2 root root 4096 May 13 2017 backup
-rw-r----- 1 zimbra zimbra 2843 Dec 19 16:18 commercial_ca.crt
-rw-r----- 1 zimbra zimbra 5107 Dec 19 16:18 commercial.crt
-rw-r----- 1 zimbra zimbra 3272 Dec 19 16:18 commercial.key

ls -l /opt/zimbra/ssl/zimbra/commercial/backup/ shows:
-rw-r----- 1 root root 2843 May 13 2017 commercial_ca.crt
-rw-r----- 1 root root 3789 Sep 17 2017 commercial.crt
-rw-r----- 1 root root 3272 May 13 2017 commercial.key

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.