My domain is: ****.gov
I ran this command: letsencrypt-auto renew
It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/*****.gov/fullchain.pem expires on 2020-03-15 (skipped)
No renewals were attempted.
**** Fixing newlines in 'combined.pem'** Can't rename combined.pem to combined.pem.bak: Permission denied, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'combined.pem'
Valid certificate chain: cert.pem: OK
It is clear that there is a permissions problem, but I can't tell which directory the problem is in so that I can change the perms to zimbra:zimbra (I have to run it as user 'zimbra'), because I don't know what "letsencrypt-auto renew" is trying to do...
Is it the /etc/letsencrypt/live/****.gov dir? Is there a way for me to find out? If so, is there a reason not to change this dir (currently with root:root permissions) to zimbra:zimbra? It contains:
root@:/etc/letsencrypt/live/.gov# ls -al
total 32
drwxr-xr-x 2 root root 4096 Dec 16 12:19 .
drwx------ 3 root root 4096 Dec 16 11:25 ..
lrwxrwxrwx 1 root root 43 Dec 16 11:25 cert.pem -> ../../archive/.gov/cert1.pem
lrwxrwxrwx 1 root root 44 Dec 16 11:25 chain.pem -> ../../archive/.gov/chain1.pem
-rw-r--r-- 1 root root 7280 Dec 16 12:18 combined.pem
lrwxrwxrwx 1 root root 48 Dec 16 11:25 fullchain.pem -> ../../archive/.gov/fullchain1.pem
-rw-r--r-- 1 root root 1970 Dec 16 11:34 isrgrootx1.pem.txt
-rw-r--r-- 1 root root 2016 Dec 16 12:15 letsencryptauthorityx3.pem.txt
-rw-r--r-- 1 root root 1647 Dec 16 11:49 lets-encrypt-x3-cross-signed.pem.txt
lrwxrwxrwx 1 root root 46 Dec 16 11:25 privkey.pem -> ../../archive/.gov/privkey1.pem
-rw-r--r-- 1 root root 692 Dec 16 11:25 README
You are either running a modified version or some additional command(s).
In either case, the cert is fine (expires 2020-03-15).
The problem is within Zimbra and updating it to use the new cert.
Zimbra commands (like: /opt/zimbra/bin/zmcertmgr) are required to be run as user zimbra.
More on this can be found on their site: Installing a LetsEncrypt SSL Certificate - Zimbra :: Tech Center
Thank you, my concern is not with the cert expiration but what happens when it is about to be renewed. I am not running modified version, only what came "out of the box".
Is the letsencrypt-auto renew expected to run as 'zimbra' user as well?
I am worried that this permissions error will cause problems.
I am already running the deployment command as the 'zimbra' user:
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
I guess my question is, what is the letsencrypt-auto renew doing and which directory is it referring to so I can change its permissions to zimbra:zimbra if that is the problem...
This is the LIVE directory (from above) sorted by date/time.
Notice how there is a 53-minute time gap between the regular .PEM files and the combined.pem file:
Yes, this was the time difference between the original files that came with letsencrypt and the "first" construction of the combined.pem after doing the proper key-CA-intermediate combination.
For some reason my previous message with my steps did not show up. Here is my script end-to end:
su - zimbra -c "zmcontrol stop"
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/x.gov/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/x.gov/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
su - zimbra -c "zmcontrol start"
Thanks for the complete script.
[now things are making more sense]
I don't see why you should have to stop zimbra (right at the start) as most of those steps can happen while zimbra runs.
That said, I don't see why this script would fail - other than possibly overlooking the "are you sure Y/n?" prompts that may be introduced while overwriting files.
So, has this script been tested to work?
Does it work if you walk through the script manually?
If not, which step(s) fail(s)?
Thank you for all your help.
The script seems to work correctly (no renewal yet as expected) except from this line:
**** Fixing newlines in 'combined.pem'** Can't rename combined.pem to combined.pem.bak: Permission denied, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
which worries me that when it does perform the actual renewal, it will choke in some directory permissions. But I can't tell:
what directory is this referring to,
what the perms should be (I suspect they are root:root but should be zimbra:zimbra), and,
if there would be an adverse impact if I do make the perm changes...
A1. That is a Zimbra question.
[but you might be able to FIND it with: find / -name combined.pem ]
A2. That is a Zimbra question too.
A3. Sorry but that is also a Zimbra question.
I would look through their documentation first.
If nothing solves your problem and you want to go at it yourself, I would find the "combined.pem.bak" file and insert a line to your script that deletes that bak file before it needs to be overwritten.
For whatever it's worth, the version of Zimbra I have seen has a backup folder within commercial: /opt/zimbra/ssl/zimbra/commercial/backup/
It doesn't copy any files with ".bak" extensions.
Maybe you need to update/upgrade the version?
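An added example, not the poster's script or Zimbra's code: shell helpers for the deploy step of the script above. They check that the deploy directory allows the combined.pem -> combined.pem.bak rename before zmcertmgr runs (rename needs write permission on the directory, not on the file), remove a stale .bak as the tip above suggests, and build combined.pem with the trailing newlines that the "Fixing newlines" step otherwise has to repair. It assumes the combined.pem being renamed is the one in the directory the script cds into; DEPLOY_DIR is a placeholder default.

```shell
#!/bin/sh
# Added example, not from the thread: preflight helpers for the deploy step of
# the script above. zmcertmgr renames combined.pem to combined.pem.bak in the
# directory it is run from; rename(2) needs write permission on that directory,
# so a zimbra-owned file inside a root-owned directory still fails.
# Assumed, not stated in the thread: DEPLOY_DIR is the directory the script cds into.
DEPLOY_DIR=${DEPLOY_DIR:-/opt/zimbra/ssl/letsencrypt}

# Return 0 if the current user can create and rename files in $1, else 1.
deploy_dir_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ -w "$dir" ] || { echo "$dir is not writable by $(id -un)" >&2; return 1; }
    probe="$dir/.zmcertmgr-probe.$$"
    if : > "$probe" && mv "$probe" "$probe.bak"; then
        rm -f "$probe.bak"
        return 0
    fi
    rm -f "$probe" "$probe.bak"
    echo "cannot create or rename files in $dir" >&2
    return 1
}

# Remove a stale combined.pem.bak so the rename cannot collide (the tip above).
clear_stale_bak() {
    rm -f "$1/combined.pem.bak"
}

# Build $1 from the remaining PEM files, adding a newline after any file that
# lacks one so every BEGIN marker starts its own line (what "Fixing newlines"
# repairs). Returns 1 unless BEGIN and END markers pair up.
build_combined() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c 1) expands to "" when the last byte is a newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$out" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----$' "$out" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Typical use as the zimbra user, before zmcertmgr deploycrt:
# deploy_dir_ok "$DEPLOY_DIR" && clear_stale_bak "$DEPLOY_DIR"
```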
ls -l /opt/zimbra/ssl/zimbra/commercial/ shows:
drwxr-xr-x 2 root root 4096 May 13 2017 backup
-rw-r----- 1 zimbra zimbra 2843 Dec 19 16:18 commercial_ca.crt
-rw-r----- 1 zimbra zimbra 5107 Dec 19 16:18 commercial.crt
-rw-r----- 1 zimbra zimbra 3272 Dec 19 16:18 commercial.key