certbot-zimbra's People

Contributors

aleksandrmetik, antonio-prado, jjakob, lsl-at, maxxer, monotok, orion1, romale, sergiomb2

certbot-zimbra's Issues

Which -> Broken Pipe / Could not bind TCP port 80 because it is already in use

Hi,

Still issues with the last version of certbot-zimbra. Below, the real domain is replaced with "mydomain.com" for confidentiality purposes.

When the proxy is set to both, I get the following errors.

$ /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.mydomain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: /usr/local/bin/certbot_zimbra.sh -p
Error output from certbot_zimbra.sh:
/usr/bin/which: line 10: printf: write error: Broken pipe

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.mydomain.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mail.mydomain.com.conf produced an unexpected error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

When the proxy is set to https only, there is no more "Could not bind TCP port 80"; instead, a message of this kind:

The server could not connect to the client to verify the domain :: Fetching http://mail.mydomain.com/.well-known/acme-challenge/XXXXXXXXXXXX-XXXXX: Timeout. Skipping.

So, it fails to run when http port 80 is already in use by Nginx, and fails to work when http port 80 is not in use by Nginx.

Help welcome.

Thanks.

Doesn't work on 8.7.7

Doesn't work with 8.7.7, even after renaming 8.7.6 to 8.7.7 in the patch directory:

Detected Zimbra 8.7.7
ERROR: zclient.IO_ERROR (invoke sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed, server: localhost) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
Patching /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default
/usr/bin/patch: **** Only garbage was found in the patch input.
Patching failed! File a bug with the output above

cannot bind port 443

what have I missed to do?
should I stop proxy and zmmailboxd?

/usr/bin/certbot renew --renew-hook "/usr/local/bin/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/xxxx.xxxxx.com.conf

Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxxx.xxxxx.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/xxxx.xxxxx.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxxx.xxxxx.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Certificates are renewed but Zimbra services aren't restarted

Certificates expired so I tried running the script manually which told me that certificates are not close to expiring. So I selected option 1 which prompted Zimbra to reload and correct certificates were loaded. Why didn't it do this automatically, any ideas?

Timer status:

systemctl status renew-letsencrypt
* renew-letsencrypt.service - Renew Let's Encrypt certificates
   Loaded: loaded (/etc/systemd/system/renew-letsencrypt.service; static; vendor
   Active: inactive (dead) since Mon 2018-04-23 05:22:15 EEST; 4h 50min ago
  Process: 1868 ExecStart=/usr/bin/certbot renew --quiet --agree-tos --pre-hook
 Main PID: 1868 (code=exited, status=0/SUCCESS)

Apr 23 05:22:14 z systemd[1]: Starting Renew Let's Encrypt certificates...
Apr 23 05:22:15 z systemd[1]: Started Renew Let's Encrypt certificates.

Zimbra upgrades remove patches

Provide a convenient way to handle Zimbra upgrades, which remove the patches.

Maybe the easiest way (for users) would be to provide a command line option to do patching only, and call it using the --pre-hook option via cron.

tested on zimbra 8.8.8 rhel7

hello..

This script works fine on rhel7 with Zimbra 8.8.8:

[zimbra@mail ~]$ zmcontrol -v
Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition.

many thanks 👍

Renewal doesn't work if -d isn't passed

root@domain:~/certbot-zimbra# ./certbot_zimbra.sh -r
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.4
Detected domain.name as Zimbra domain: use this hostname for certificate request? y
cp: пропускается каталог '/etc/letsencrypt/live//domain.name' #skipping? path
cat: /etc/letsencrypt/live//chain.pem: Нет такого файла или каталога #no file or folder
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: CN = domain.name
error 20 at 0 depth lookup:unable to get local issuer certificate
Unable to verify cert!

Upd:
root@domain:~/certbot-zimbra# ./certbot_zimbra.sh -n
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.4
Detected domain.name as Zimbra domain: use this hostname for certificate request? y
usage:
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
letsencrypt: error: unrecognized arguments: --preferred-challenges tls-sni-01,http
letsencrypt returned an error

root@domain:~/certbot-zimbra# letsencrypt --version
letsencrypt 0.4.1

Patching test failed!

./certbot_zimbra.sh -n
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.11
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20171107_185805
checking file nginx.conf.web.http.default.template
/usr/bin/patch: **** malformed patch at line 13: diff -Naur templates_orig/nginx.conf.web.https.default.template templates/nginx.conf.web.https.default.template

Patching test failed! Please file a bug with the output above to https://github.com/YetOpen/certbot-zimbra/issues/new
root@mail:/opt# Patching test failed!

Need to stop Zimbra services before running the script.

The script by default will result in an error when Zimbra is still running. The workaround, of course, is to stop the Zimbra services, by stopping these services:

su - zimbra -c "/opt/zimbra/bin/zmproxyctl stop"
su - zimbra -c "/opt/zimbra/bin/zmmailboxdctl stop"

I tested this with Ubuntu 16.04 server and Zimbra 8.7.

Error to get the certificate

Hello!

I am facing the error below:
Detected zimbraReverseProxyMailMode in https only, requesting certificate in standalone mode. Make sure your firewall has port 80 open
The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.

My zimbra is 8.7.1.

Thanks.

When zimbra templates are patched then certbot-zimbra asks about Reverse patch

On Ubuntu 16.04 server and ZCS 8.7.11_GA, when the script is re-run (via cron or manually) it does not detect that the Zimbra proxy templates are already patched and asks to reverse the patch.

I have taken a look and seen that the problem is in this code:

    grep -Fxq 'acme-challenge' /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default
    if [ $? -eq 0 ]; then
            # No need to patch
            return
    fi

When I removed 'x' from grep command it works fine:

    grep -Fq 'acme-challenge' /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default
    if [ $? -eq 0 ]; then
            # No need to patch
            return
    fi

Can you please fix it?

Renewal fails if the certificate is not in /etc/letsencrypt/live/$DOMAIN

If the certificate has expired, it is unable to renew it using this script since it exits:

Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.6.0
ERROR: zclient.IO_ERROR (invoke sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed, server: localhost) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.secu
rity.cert.CertPathValidatorException: timestamp check failed)
** Verifying /opt/zimbra/ssl/letsencrypt/cert.pem against /opt/zimbra/ssl/letsencrypt/privkey.pem
Certificate (/opt/zimbra/ssl/letsencrypt/cert.pem) and private key (/opt/zimbra/ssl/letsencrypt/privkey.pem) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/letsencrypt/cert.pem: CN = zimbra.example.com
error 10 at 0 depth lookup:certificate has expired
OK
Unable to verify cert!

Error getting new cert with Zimbra 8.7.7

Not sure what to do here, no more patch directory:

Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.7
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20171211_185606
checking file nginx.conf.web.http.default.template
/usr/bin/patch: **** malformed patch at line 13: diff -Naur templates_orig/nginx.conf.web.https.default.template templates/nginx.conf.web.https.default.template

Jon

Handle $RENEWED_DOMAINS to obtain domain name

Instead of using the -d param, when possible

 --renew-hook RENEW_HOOK
                        Command to be run in a shell once for each
                        successfully renewed certificate. For this command,
                        the shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)

New Error - validating chain

Hi Everyone,

Just wanted to let you know that I was able to successfully use the latest version of the script on a new server. Trying it on an existing server running 8.7.7, I got an error when trying to validate the cert chain - specifically error 20 at 0 depth lookup:unable to get local issuer certificate

Please see below.

Many thanks for everyone's work!!!!

cespino@zimbra3:/usr/local/src/certbot-zimbra$ sudo ./certbot_zimbra.sh -n
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.7
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20171017_113327
checking file nginx.conf.web.http.default.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
checking file nginx.conf.web.https.default.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
checking file nginx.conf.web.https.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
checking file nginx.conf.web.http.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
patching file nginx.conf.web.http.default.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
patching file nginx.conf.web.https.default.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
patching file nginx.conf.web.https.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
patching file nginx.conf.web.http.template
Reversed (or previously applied) patch detected! Assume -R? [n] y
Stopping proxy...done.
Starting proxy...done.
Detected zimbra3.trinfocafe.org as Zimbra domain: use this hostname for certificate request? yes
Upgrading certbot-auto 0.18.2 to 0.19.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zimbra3.trinfocafe.org.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zimbra3.trinfocafe.org
Using the webroot path /opt/zimbra/data/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/zimbra3.trinfocafe.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/zimbra3.trinfocafe.org/privkey.pem
    Your cert will expire on 2018-01-15. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

cp: omitting directory ‘/etc/letsencrypt/live//zimbra3.trinfocafe.org’
cat: /etc/letsencrypt/live//chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: CN = zimbra3.trinfocafe.org
error 20 at 0 depth lookup:unable to get local issuer certificate
Unable to verify cert!

Failed patching of nginx.conf.web.https.template zimbra 8.8.8

@jjakob
https://github.com/jjakob/certbot-zimbra

root@zimbra03-test:~/certbot-zimbra# ./certbot_zimbra.sh 
Certbot-Zimbra v0.3 - https://github.com/jjakob/certbot-zimbra
Detected Zimbra 8.8.8
Using zimbra03-test.copyleft.no ('zmhostname') as domain for certificate.
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20180531_124510
checking file nginx.conf.web.http.default.template
checking file nginx.conf.web.https.default.template
checking file nginx.conf.web.http.template
/usr/bin/patch: **** malformed patch at line 37: diff -Naur templates.20180530_213444/nginx.conf.web.https.template templates/nginx.conf.web.https.template

Patching test failed! Please file a bug with the output above to https://github.com/YetOpen/certbot-zimbra/issues/new

Handle renewal with --post-hook

As explained in the documentation, Zimbra could be restarted only when really needed.

Implement a renewal option for the script which deploys the new cert and automatically restarts Zimbra.

Path to Letsencrypt live not valid

Hi,

When I ran your script, it consistently failed at lines 266 and 270

The error I got was:

cat: /etc/letsencrypt/live**//**chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/cert.pem'

Notice the double // marked in bold.

To work around I replaced the variable $CERTPATH with an exact path and was able to complete successfully.

Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.11

Check for Patch Command

Check for patch command and if it does not detect it, display message to user on installing it or install it automatically.

Zimbra 8.8.8 - malformed patch at line 13

./certbot_zimbra.sh -p
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.8
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20180404_214459
checking file nginx.conf.web.http.default.template
/usr/bin/patch: **** malformed patch at line 13: diff -Naur templates_orig/nginx.conf.web.https.default.template templates/nginx.conf.web.https.default.template

Patching test failed! Please file a bug with the output above to https://github.com/YetOpen/certbot-zimbra/issues/new

No work on 8.7.6

Centos 7
./certbot_zimbra.sh -n
Detected Zimbra 8.7.6
which: no patch in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
No patch binary found. Please install OS 'patch' package

cat commands failed... Unable to verify cert!

DOMAIN variable seems to have been lost from CERTPATH in prepare_certificate()

just pulled tonight (August 5th, 2017) on CentOS 7, getting these issues:
cp: omitting directory ‘/etc/letsencrypt/live//zimbra.domain.com’
cat: /etc/letsencrypt/live//chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/cert.pem'
Unable to verify cert!

Here are the events leading up to this point:
[root@zimbra certbot-zimbra]# ./certbot_zimbra.sh -n
Detected Zimbra 8.7.11
which: no certbot-auto in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
Detected zimbraReverseProxyMailMode in https only, requesting certificate in standalone mode. Make sure your firewall has port 80 open
Detected zimbra.domain.com as Zimbra domain: use this hostname for certificate request? y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zimbra.domain.com


Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.

(R)etry/(C)ancel: R
At this point, I stopped Zimbra to allow the script to launch its webserver, then retried.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/zimbra.domain.com/fullchain.pem.
    (misc stuff removed)
    cp: omitting directory ‘/etc/letsencrypt/live//zimbra.domain.com’
    cat: /etc/letsencrypt/live//chain.pem: No such file or directory
    ** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
    ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/privkey.pem'
    ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/cert.pem'
    Unable to verify cert!

Thoughts:
Looking at the code (and the output) the script DOES seem to know the domain (zimbra.domain.com), but when trying to do that "cat" command, the domain is left out, thus failing.

/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem contains a single cert (DST Root CA X3)
Since the bulk of the work is done, I can just manually do the commands that failed in prepare_cert(), and then manually do the steps in deploy_cert. Will be interesting to see if the renew works.

The patch is applied but the script still does not recognize it

Running the script against patched nginx files, the patch is not detected and patch asks to reverse:
patching file nginx.conf.web.http.default.template Reversed (or previously applied) patch detected! Assume -R? [n]
I was able to fix this issue changing line 238 to check against 1 instead of 0
if [ $? -eq 1 ]; then
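The detection problem described in the "When zimbra templates are patched" report and in the report above, as an added example that is not certbot-zimbra's own code: `grep -x` only matches a line that is exactly `acme-challenge`, so the marker inside a longer `location` line is never found and the script tries to patch again. The sample include contents below are constructed for this demonstration; the real file is /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default.

```shell
#!/usr/bin/env bash
# Added example, not certbot-zimbra's own code. Shows why the original
# `grep -Fxq 'acme-challenge'` check never detects an already patched
# nginx include, and the corrected substring check.

# Constructed stand-in for a patched
# /opt/zimbra/conf/nginx/includes/nginx.conf.web.http.default: the marker
# is part of a longer line, never a line on its own.
sample_patched_include() {
    cat <<'EOF'
server {
    listen 80;
    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }
}
EOF
}

# Constructed stand-in for the unpatched include.
sample_unpatched_include() {
    cat <<'EOF'
server {
    listen 80;
    return 301 https://$host$request_uri;
}
EOF
}

# The original check: -x requires the WHOLE line to equal the pattern,
# so it returns 1 (not found) even on a patched file.
detect_with_x() {
    grep -Fxq 'acme-challenge' "$1"
}

# Corrected check: substring match (-F fixed string, -q quiet), tested
# directly in the `if` instead of through $?.
# Returns 0 when the include is already patched, 1 otherwise, 2 if unreadable.
is_already_patched() {
    local include_file="$1"
    if [ ! -r "$include_file" ]; then
        echo "ERROR: cannot read $include_file" >&2
        return 2
    fi
    if grep -Fq 'acme-challenge' "$include_file"; then
        return 0    # marker present: do not run patch again
    fi
    return 1        # marker absent: patching is needed
}

# Write one of the samples to a temp file and print its path.
write_sample() {
    local tmp
    tmp=$(mktemp)
    "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# Demonstration: the three checks return 1, 0 and 1.
demo() {
    local patched unpatched rc
    patched=$(write_sample sample_patched_include)
    unpatched=$(write_sample sample_unpatched_include)
    rc=0; detect_with_x "$patched" || rc=$?
    echo "grep -Fxq on patched include   -> $rc (marker missed)"
    rc=0; is_already_patched "$patched" || rc=$?
    echo "grep -Fq  on patched include   -> $rc (already patched)"
    rc=0; is_already_patched "$unpatched" || rc=$?
    echo "grep -Fq  on unpatched include -> $rc (needs patching)"
    rm -f "$patched" "$unpatched"
}

demo
```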

Problem binding to port 443: Could not bind to IPv4 or IPv6

I have got this error. Probably problem with stopping nginx.


./certbot-auto renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.pl.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: /usr/local/bin/certbot_zimbra.sh -p
Output from certbot_zimbra.sh:
Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.11
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20180217_103421
patching file nginx.conf.web.http.default.template
patching file nginx.conf.web.https.default.template
patching file nginx.conf.web.https.template
patching file nginx.conf.web.http.template
patching file nginx.conf.web.http.default.template
patching file nginx.conf.web.https.default.template
patching file nginx.conf.web.https.template
patching file nginx.conf.web.http.template
Stopping proxy...done.
Starting proxy...done.

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.pl
Cleaning up challenges
Attempting to renew cert (example.pl) from /etc/letsencrypt/renewal/example.pl.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.pl/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.pl/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

With Zimbra stopped everything worked, just a few errors:


Error output from certbot_zimbra.sh:
[] INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused (Connection refused)
[] INFO: Retrying request
ERROR: zclient.IO_ERROR (invoke Connection refused (Connection refused), server: localhost) (cause: java.net.ConnectException Connection refused (Connection refused))
...
Host example.pl
	Starting ldap...Done.
	Starting zmconfigd...Done.
	Starting dnscache...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.

Error output from certbot_zimbra.sh:
[] INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused (Connection refused)
[] INFO: Retrying request
ERROR: zclient.IO_ERROR (invoke Connection refused (Connection refused), server: localhost) (cause: java.net.ConnectException Connection refused (Connection refused))


-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.pl/fullchain.pem

certbot package is needed

I have installed it on CentOS7 with Zimbra 8.7.+ successfully, well done.
Only one issue: my box was lacking certbot;
yum install certbot -y
is needed.

Usage with multidomain certs

I'm basically generating multidomain certificates using certbot because my Zimbra instance is referred to by different domains (mail.domain.com, mail.domain.fr, imap.domain.io, ...).

The certbot part works really well, but the copy crashes when locating the issued certificate path to copy to the Zimbra repo.
This little patch does the trick by splitting only the first domain from the list (method used by certbot):

diff --git a/certbot_zimbra.sh b/certbot_zimbra.sh
index 1247a9a..6303438 100755
--- a/certbot_zimbra.sh
+++ b/certbot_zimbra.sh
@@ -390,7 +390,7 @@ fi
 # If passed by --renew-hook, contains the path of the renewed cert which may differ from the default /etc/letsencrypt/live/$DOMAIN
 CERTPATH=$RENEWED_LINEAGE
 if [ -z "$CERTPATH" ]; then
-    CERTPATH="/etc/letsencrypt/live/$DOMAIN"
+    CERTPATH="/etc/letsencrypt/live/${DOMAIN%%,*}"
 fi
 
 # actions
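Review bot: the `${DOMAIN%%,*}` fallback on the `+` line only helps when the domains arrive in a single comma-separated `-d` value; a `$DOMAIN` built from several `-d` arguments or a space-separated list is left untouched and the path stays wrong. Since certbot names the live directory after the first requested domain only when no `--cert-name` overrides it, the comment above the hunk should say so and make explicit that `$RENEWED_LINEAGE` keeps precedence for that reason. The same block would also benefit from refusing an empty domain before building the path, e.g. `[ -n "$DOMAIN" ] || { echo "no domain given" >&2; exit 1; }`, so the `/etc/letsencrypt/live//chain.pem` failure reported in other issues becomes one clear error instead of a chain of cp/cat errors.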

Thanks.
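One way to derive the live directory so that it never degrades to `/etc/letsencrypt/live//chain.pem`, as an added example that is not the project's code. It covers the "Renewal doesn't work if -d isn't passed", "Handle $RENEWED_DOMAINS", "Path to Letsencrypt live not valid" and "DOMAIN variable seems to have been lost" reports and the multidomain patch above. The function names `resolve_cert_path` and `check_cert_files` are chosen here, and the precedence (`$RENEWED_LINEAGE`, then the first entry of `$RENEWED_DOMAINS`, then the first comma-separated `-d` value) is an assumption about how the hook should behave.

```shell
#!/usr/bin/env bash
# Added example, not certbot-zimbra's own code.
set -u

# Resolve the directory holding the renewed certificate.
# Precedence: $RENEWED_LINEAGE (exported by certbot to --renew-hook), then the
# first domain in $RENEWED_DOMAINS (space-delimited), then the first domain of a
# comma-separated -d list. certbot names the lineage after the first requested
# domain unless --cert-name was used, which this example does not handle.
# Prints the path; returns 1 instead of printing a path with an empty domain.
resolve_cert_path() {
    local domain_arg="${1:-}"                 # value given to -d, maybe "a.com,b.com"
    local live_root="${2:-/etc/letsencrypt/live}"
    local lineage="${RENEWED_LINEAGE:-}"
    if [ -n "$lineage" ]; then
        printf '%s\n' "$lineage"
        return 0
    fi
    local domain="$domain_arg"
    if [ -z "$domain" ] && [ -n "${RENEWED_DOMAINS:-}" ]; then
        domain="${RENEWED_DOMAINS%% *}"       # first renewed domain names the lineage
    fi
    domain="${domain%%,*}"                    # first entry of a comma-separated -d list
    if [ -z "$domain" ]; then
        echo "ERROR: no domain: pass -d or run from certbot --renew-hook" >&2
        return 1
    fi
    printf '%s/%s\n' "$live_root" "$domain"
}

# Check that every file the deploy step copies is readable, so a bad path
# produces one clear error instead of the cp/cat failures seen in the reports.
check_cert_files() {
    local certpath="$1" f
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -r "$certpath/$f" ]; then
            echo "ERROR: missing or unreadable $certpath/$f" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration with constructed values (no real certificates involved).
demo() {
    local rc
    unset RENEWED_LINEAGE RENEWED_DOMAINS
    resolve_cert_path "mail.example.com,imap.example.io"
    RENEWED_DOMAINS="mail.example.com www.example.com"; resolve_cert_path ""
    unset RENEWED_DOMAINS
    rc=0; resolve_cert_path "" || rc=$?
    echo "empty domain -> exit status $rc"
}

demo
```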

Proxy with redirect

Hi,

When proxy is configured with http port redirect, the port 80 is in use and it seems to be a limitation: Could not bind TCP port 80 because it is already in use by another process on this system.

Cron log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.******.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mail.******.conf produced an unexpected error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.******.conf
-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed: 
  /etc/letsencrypt/live/mail.******.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

After I changed the proxy http port 80 to 81 and restarted the proxy, I get the following error: Hook command "/usr/local/bin/certbot_zimbra.sh -r -d mail.******.com" returned error code 1

$ /usr/bin/certbot renew --renew-hook "/usr/local/bin/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.******.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.******.com
Waiting for verification...
Cleaning up challenges
Running renew-hook command: /usr/local/bin/certbot_zimbra.sh -r -d mail.******.com
Hook command "/usr/local/bin/certbot_zimbra.sh -r -d mail.******.com" returned error code 1

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mail.******.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mail.******.com/fullchain.pem (success)

The certificate is actually not renewed, even after restarting the proxy.

Last lines of /var/log/letsencrypt/letsencrypt.log (sensitive content replaced with ******):

2017-10-01 08:54:49,709:DEBUG:acme.client:Storing nonce: ******
2017-10-01 08:54:49,935:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/issuer-cert.
2017-10-01 08:54:50,130:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/issuer-cert HTTP/1.1" 200 1174
2017-10-01 08:54:50,131:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/pkix-cert
Content-Length: 1174
Replay-Nonce: ******
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 01 Oct 2017 08:54:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 01 Oct 2017 08:54:50 GMT
Connection: keep-alive

******==
2017-10-01 08:54:50,167:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/mail.******.com/privkey2.pem.
2017-10-01 08:54:50,167:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/mail.******.com/cert2.pem.
2017-10-01 08:54:50,167:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/mail.******.com/chain2.pem.
2017-10-01 08:54:50,167:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/mail.******.com/fullchain2.pem.
2017-10-01 08:54:50,214:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/mail.******.com.conf.new.
2017-10-01 08:54:50,219:INFO:certbot.hooks:Running renew-hook command: /usr/local/bin/certbot_zimbra.sh -r -d mail.******.com
2017-10-01 08:54:54,760:ERROR:certbot.hooks:Hook command "/usr/local/bin/certbot_zimbra.sh -r -d mail.******.com" returned error code 1
2017-10-01 08:54:54,761:DEBUG:certbot.renewal:no renewal failures

Any clue about this? If needed, I can provide the full /var/log/letsencrypt/letsencrypt.log in a private message.

Thanks. Regards.

Zimbra crashed after certificate update

Hi,

For some reason, Zimbra crashed after certbot shutdown and restarted zimbra.

Here is letsencrypt.log extract (sensitive data are replaced with ****):

** Creating CA hash symlink '3109****.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06****.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5a****.0' -> 'commercial_ca_2.crt'
Host mail.*****.com
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host mail.*****.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.

2018-02-25 23:26:42,101:ERROR:certbot.hooks:Error output from certbot_zimbra.sh:
/usr/bin/which: line 10: printf: write error: Broken pipe

2018-02-25 23:26:42,101:DEBUG:certbot.renewal:no renewal failures

Here is a zimbra.log extract (note: the times differ, above is GMT, below is local time, GMT+0100):

Feb 26 00:26:35 mail zimbramon[28815]: 28815:info: Starting opendkim via zmcontrol
Feb 26 00:26:35 mail opendkim[32535]: OpenDKIM Filter v2.10.3 starting (args: -x /opt/zimbra/conf/opendkim.conf -u zimbra)
Feb 26 00:26:37 mail zimbramon[28815]: 28815:info: Starting snmp via zmcontrol
Feb 26 00:26:37 mail zimbramon[28815]: 28815:info: Starting spell via zmcontrol
Feb 26 00:26:37 mail zimbramon[28815]: 28815:info: Starting mta via zmcontrol
Feb 26 00:26:38 mail saslauthd[32763]: detach_tty      : master pid is: 32763
Feb 26 00:26:38 mail saslauthd[32763]: ipc_init        : listening on socket: /opt/zimbra/data/sasl2/state/mux
Feb 26 00:26:39 mail /postfix-script[646]: starting the Postfix mail system
Feb 26 00:26:39 mail postfix/master[648]: daemon started -- version 3.1.1, configuration /opt/zimbra/common/conf
Feb 26 00:26:39 mail zimbramon[28815]: 28815:info: Starting stats via zmcontrol
Feb 26 00:26:39 mail zimbramon[28815]: 28815:info: Starting service via zmcontrol
Feb 26 00:26:40 mail zimbramon[28815]: 28815:info: Starting zimbra via zmcontrol
Feb 26 00:26:41 mail zimbramon[28815]: 28815:info: Starting zimbraAdmin via zmcontrol
Feb 26 00:26:41 mail zimbramon[28815]: 28815:info: Starting zimlet via zmcontrol
**Feb 26 00:26:42 mail slapd[29696]: daemon: shutdown requested and initiated.**
Feb 26 00:26:42 mail slapd[29696]: slapd shutdown: waiting for 0 operations/tasks to finish
Feb 26 00:26:42 mail amavis[32266]: Net::Server: 2018/02/26-00:26:42 Server closing!
Feb 26 00:26:42 mail saslauthd[32763]: server_exit     : master exited: 32763
Feb 26 00:26:42 mail postfix/master[648]: terminating on signal 15
Feb 26 00:26:42 mail zmmailboxdmgr[31558]: shutdown requested, sending TERM signal to 31559
Feb 26 00:26:42 mail amavis-services[32193]: Task 'childproc-minder' [32193] shutting down
Feb 26 00:26:42 mail amavis-services[32193]: childproc-minder closing inner socket
Feb 26 00:26:42 mail amavis-services[32193]: childproc-minder closing outer socket
Feb 26 00:26:42 mail amavis-services[32193]: childproc-minder closing context
Feb 26 00:26:42 mail amavis-services[32194]: Task 'snmp-responder' [32194] shutting down
Feb 26 00:26:42 mail amavis-services[32194]: snmp-responder closing outer socket
Feb 26 00:26:42 mail amavis-services[32194]: snmp-responder closing SNMP socket
Feb 26 00:26:42 mail amavis-services[32194]: snmp-responder closing context
Feb 26 00:26:42 mail amavis-mc[32188]: Master process shutting down
Feb 26 00:26:42 mail amavis-mc[32188]: Terminating process [32191] (/opt/zimbra/common/sbin/amavis-services msg-forwarder)
Feb 26 00:26:42 mail amavis-mc[32188]: Terminating process [32193] (/opt/zimbra/common/sbin/amavis-services childproc-minder)
Feb 26 00:26:42 mail amavis-mc[32188]: Terminating process [32194] (/opt/zimbra/common/sbin/amavis-services snmp-responder)
Feb 26 00:26:42 mail amavis-services[32191]: Task 'msg-forwarder' [32191] shutting down
Feb 26 00:26:42 mail amavis-services[32191]: msg-forwarder closing inner socket
Feb 26 00:26:42 mail amavis-services[32191]: msg-forwarder closing outer socket
Feb 26 00:26:42 mail amavis-services[32191]: msg-forwarder closing context
Feb 26 00:26:42 mail amavis-mc[32188]: Process [32193] exited (/opt/zimbra/common/sbin/amavis-services childproc-minder) after 25.2 s: TERMINATED, signal 15 (000f)
Feb 26 00:26:42 mail amavis-mc[32188]: Process [32194] exited (/opt/zimbra/common/sbin/amavis-services snmp-responder) after 25.2 s: TERMINATED, signal 15 (000f)
Feb 26 00:26:42 mail amavis-services[32191]: Task 'msg-forwarder' [32191] exiting: TERM
Feb 26 00:26:42 mail amavis-mc[32188]: Process [32191] exited (/opt/zimbra/common/sbin/amavis-services msg-forwarder) after 25.2 s: exit 0
Feb 26 00:26:42 mail slapd[29696]: slapd stopped.
Feb 26 00:26:42 mail slapd[29696]: DIGEST-MD5 common mech free
Feb 26 00:26:42 mail zmconfigd[29716]: Shutting down. Received signal 15
Feb 26 00:26:43 mail clamd[32517]: Pid file removed.
Feb 26 00:26:43 mail clamd[32517]: --- Stopped at Mon Feb 26 00:26:43 2018
Feb 26 00:26:43 mail clamd[32517]: Socket file removed.
Feb 26 00:26:43 mail amavis-mc[32188]: Master process exiting: TERM
Feb 26 00:26:45 mail zmmailboxdmgr[31558]: mailboxd/JVM process exited (waitpid expected 31559 got 31559)
Feb 26 00:26:45 mail zmmailboxdmgr[31558]: manager woke up from wait on mailboxd/JVM with pid 31559
Feb 26 00:26:45 mail opendkim[32535]: OpenDKIM Filter: mi_stop=1
Feb 26 00:26:45 mail opendkim[32535]: OpenDKIM Filter v2.10.3 terminating with status 0, errno = 0
Feb 26 00:28:04 mail zmmailboxdmgr[2272]: file /opt/zimbra/log/zmmailboxd_manager.pid does not exist
Feb 26 00:28:04 mail zmmailboxdmgr[2272]: assuming no other instance is running
Feb 26 00:28:04 mail zmmailboxdmgr[2272]: file /opt/zimbra/log/zmmailboxd.pid does not exist
Feb 26 00:28:04 mail zmmailboxdmgr[2272]: assuming no other instance is running

Noticed this:

Feb 26 00:26:42 mail slapd[29696]: daemon: shutdown requested and initiated.

Do you have any idea why slapd received a shutdown request?

The certificate was renewed the right way, but Zimbra was left stopped just after, even if certbot tried and seems to successfully restart Zimbra after certificate deployment.

If the certificate is still valid fails to use them

From 27: the script fails to find the certs on disk (see last failed cp)

Certbot-Zimbra v0.2 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.7.11
Detected mail.srv-home.fr as Zimbra domain: use this hostname for certificate request? y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.srv-home.fr.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
cp: omitting directory '/etc/letsencrypt/live//mail.srv-home.fr'
cat: /etc/letsencrypt/live//chain.pem: No such file or directory

/usr/bin/which: line 10: printf: write error: Broken pipe

Hi,

Once more a broken pipe that caused Zimbra not to restart automatically once the certificate was renewed (even if the log below indicates the opposite).

ERROR:certbot.hooks:Error output from certbot_zimbra.sh
/usr/bin/which: line 10: printf: write error: Broken pipe

See https://superuser.com/questions/554855/how-can-i-fix-a-broken-pipe-error for clues.

Longer log to help identify when and where this issue occurs.

** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '310917a4.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host mail.ex-nihilo-paris.com
	Stopping zmconfigd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
Host mail.ex-nihilo-paris.com
	Starting ldap...Done.
	Starting zmconfigd...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.

2018-04-26 22:38:07,872:ERROR:certbot.hooks:Error output from certbot_zimbra.sh:
/usr/bin/which: line 10: printf: write error: Broken pipe

2018-04-26 22:38:07,872:DEBUG:certbot.renewal:no renewal failures

Obtain additional domains from zimbraPublicServiceHostname

Obtain additional domains by using:

for i in $(zmprov gad); do zmprov gd $i zimbraPublicServiceHostname ; done

Add a command line option to avoid this behavior.

Detected hostname list should be printed to the user as feedback, with prompt enabled or disabled.
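The loop above prints one `zmprov gd` block per domain; what the script would actually need is the de-duplicated set of non-empty `zimbraPublicServiceHostname` values, turned into certbot's comma-separated `-d` list with the server's own hostname kept first (so the certbot lineage keeps its name). The following is an added example, not certbot-zimbra's code: it assumes `zmprov gd` prints attributes as `attr: value` lines, and the sample input in the test is constructed rather than captured from a real Zimbra host.

```shell
#!/bin/sh
# Read "attr: value" lines (the format zmprov gd prints) on stdin and emit the
# unique, non-empty zimbraPublicServiceHostname values, one per line.
# Empty values (a domain with no public service hostname) are dropped rather
# than turning into a bogus empty SAN in the certificate request.
collect_public_hostnames() {
  sed -n 's/^zimbraPublicServiceHostname:[[:space:]]*//p' | sed '/^$/d' | sort -u
}

# Build certbot's -d argument from the hostname list on stdin.
# The primary hostname (argument 1) always comes first; it is removed from the
# stdin list so it is never listed twice.
build_domain_list() {
  primary="$1"
  extra=$(grep -F -v -x "$primary" | tr '\n' ',' | sed 's/,$//')
  if [ -n "$extra" ]; then
    printf '%s,%s\n' "$primary" "$extra"
  else
    printf '%s\n' "$primary"
  fi
}

# Intended use on a Zimbra host (zmprov/zmhostname paths are those quoted in the
# issues above; this line is not run here because zmprov is not available):
#   for d in $(/opt/zimbra/bin/zmprov gad); do
#     /opt/zimbra/bin/zmprov gd "$d" zimbraPublicServiceHostname
#   done | collect_public_hostnames | build_domain_list "$(/opt/zimbra/bin/zmhostname)"
```

Printing the resulting list back to the administrator before calling certbot, as the issue asks, is a one-line `printf` on the output of `build_domain_list`; an opt-out flag only has to skip the loop and pass the primary hostname alone.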

Failed authorization procedure

Thanks for this script. Quite apart from the cost, I hate renewing the SSL certificate on my zimbra server, so I was looking forward to getting letsencrypt installed and working with your script ;)

I'm running Zimbra 8.6.0_GA_1153.FOSS on Ubuntu 14.04 with certbot 0.22.2.

However, I get the following error, which I'm not entirely sure how to resolve...


Log file entries...

2018-05-07 06:16:24,028:DEBUG:certbot.main:certbot version: 0.22.2
2018-05-07 06:16:24,029:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '-w', '/opt/zimbra/data/nginx/html', '-d', 'zimbra.conquerthechaos.org']
2018-05-07 06:16:24,029:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-05-07 06:16:24,040:DEBUG:certbot.log:Root logging level set at 20
2018-05-07 06:16:24,041:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-05-07 06:16:24,042:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-05-07 06:16:24,043:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f97557f67b8>
Prep: True
2018-05-07 06:16:24,043:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f97557f67b8> and installer None
2018-05-07 06:16:24,044:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-05-07 06:16:24,050:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f97557cb358>)>), contact=('mailto:[email protected]',)), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', uri='https://acme-v01.api.letsencrypt.org/acme/reg/1232733'), bcb4e37deb0d2cf636f3b7155f2fb889, Meta(creation_host='zimbra.conquerthechaos.org', creation_dt=datetime.datetime(2016, 4, 15, 17, 43, 55, tzinfo=<UTC>)))>
2018-05-07 06:16:24,051:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-05-07 06:16:24,055:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-05-07 06:16:24,326:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-05-07 06:16:24,327:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: dD3hLdByN5eqgr8X9AYSOeA0uiYVEubyaPpDaGiErZM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 07 May 2018 06:16:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 May 2018 06:16:41 GMT
Connection: keep-alive

b'{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "meta": {\n    "caaIdentities": [\n      "letsencrypt.org"\n    ],\n    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",\n    "website": "https://letsencrypt.org"\n  },\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",\n  "x6pmrTWEg1s": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"\n}'
2018-05-07 06:16:24,340:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2016-07-14 18:05:00 UTC.
2018-05-07 06:16:24,340:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-05-07 06:16:24,340:INFO:certbot.main:Renewing an existing certificate
2018-05-07 06:16:24,528:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2018-05-07 06:16:24,532:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2018-05-07 06:16:24,532:DEBUG:acme.client:Requesting fresh nonce
2018-05-07 06:16:24,533:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-05-07 06:16:24,719:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2018-05-07 06:16:24,720:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: gMybtfHbe1bY9QPBuMZPgFW26x-OxTH-CFOBhdv9hM8
Expires: Mon, 07 May 2018 06:16:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 May 2018 06:16:41 GMT
Connection: keep-alive

b''
2018-05-07 06:16:24,720:DEBUG:acme.client:Storing nonce: gMybtfHbe1bY9QPBuMZPgFW26x-OxTH-CFOBhdv9hM8
2018-05-07 06:16:24,720:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "new-authz",\n  "identifier": {\n    "value": "zimbra.conquerthechaos.org",\n    "type": "dns"\n  }\n}'
2018-05-07 06:16:24,726:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "signature": "CxMLqUa7DAVUcNArex5J60vRq0-50CoV6DWrqK2w_dVmFgeEjvb46PWM9kxwuV0ZYxYlMdtp0oMEWdTmuefbOhNc50kT7SL8mvp5QewQCi7fIjYY2l0KV8I37bEGJxhVC9cOPmDifnRFbz-sZJ2bj_XNHTAeuC_JIhiqzwdtahPVCELFzmSXK2le84TR1vJrcN9s6HtUY_dMp00vuaCzcMjv4icwtBNZrAgB3lFV2uDH00OgYeI668DJXAZkrJCfO1z7cu9FHrr8amWglElYOT6Z7ddBYR65Ao-EQwLAkEOW9kLgqf2pjqx1bRv1AP0kd58YIaZ5XasrJup2gYbFqA",
  "payload": "ewogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLAogICJpZGVudGlmaWVyIjogewogICAgInZhbHVlIjogInppbWJyYS5jb25xdWVydGhlY2hhb3Mub3JnIiwKICAgICJ0eXBlIjogImRucyIKICB9Cn0",
  "protected": "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"
}
2018-05-07 06:16:24,933:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1014
2018-05-07 06:16:24,934:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1014
Boulder-Requester: 1232733
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q
Replay-Nonce: cMTTGG6-Cz4_I4YrFG6h_Dlwx-zKmL4TSJVkrYwDw_Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 07 May 2018 06:16:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 May 2018 06:16:42 GMT
Connection: keep-alive

b'{\n  "identifier": {\n    "type": "dns",\n    "value": "zimbra.conquerthechaos.org"\n  },\n  "status": "pending",\n  "expires": "2018-05-14T06:16:41.933778233Z",\n  "challenges": [\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651",\n      "token": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122652",\n      "token": "wwi0z52dT6QQ6vylxL-21xBhj8SxjZhoNmurmwrvm38"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122653",\n      "token": "EMKyXPW9jWAV9YFHnjdfTo-CqE6ETEsiPqcByEAcWmg"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      2\n    ],\n    [\n      0\n    ]\n  ]\n}'
2018-05-07 06:16:24,934:DEBUG:acme.client:Storing nonce: cMTTGG6-Cz4_I4YrFG6h_Dlwx-zKmL4TSJVkrYwDw_Y
2018-05-07 06:16:24,935:INFO:certbot.auth_handler:Performing the following challenges:
2018-05-07 06:16:24,935:INFO:certbot.auth_handler:http-01 challenge for zimbra.conquerthechaos.org
2018-05-07 06:16:24,935:INFO:certbot.plugins.webroot:Using the webroot path /opt/zimbra/data/nginx/html for all unmatched domains.
2018-05-07 06:16:24,935:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /opt/zimbra/data/nginx/html/.well-known/acme-challenge
2018-05-07 06:16:24,939:DEBUG:certbot.plugins.webroot:Attempting to save validation to /opt/zimbra/data/nginx/html/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA
2018-05-07 06:16:24,940:INFO:certbot.auth_handler:Waiting for verification...
2018-05-07 06:16:24,940:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA.3okljjWrTg2GJGDcPTxJi1AXpWOBdqeULuCDoe4vrpw",\n  "type": "http-01"\n}'
2018-05-07 06:16:24,944:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651:
{
  "signature": "LA8anAWar7qEJmnOrHpMmvUTFeJTFMcgbSAm_RRmorhQ6ho9rpBLjkKLv_imo7pEnZezSiSj_F_l3_OjipE6wjR3tsVQ8xVGrB9tPHcEbmNnFYNEz-_kO14Z2mimmGbw0C_KChHO_KRIyqEGVrHHMJab5IYughbMmQG4mMggdm1Lcb9i0Ewb7K0_x6BsrLdWOIvzSCHlLwVDErpIlb0TWQWcXltvWKn_kRj5DjeZVplplBQhofsnWDMfi5ESCS4Tn59lCbI_g8seijxG75YeAZKMZrn-klQuBxqbTaYAVx92UC37pdkyDHafphfktBV6imo7Tc2qemii2iCJUjvJkQ",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIlBzZkdDaW9oVDEwNHY2WUJuUjg3T2U4b29FdmVNUmtCVGJDTDAtNWJNdkEuM29rbGpqV3JUZzJHSkdEY1BUeEppMUFYcFdPQmRxZVVMdUNEb2U0dnJwdyIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ",
  "protected": "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"
}
2018-05-07 06:16:25,142:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651 HTTP/1.1" 202 336
2018-05-07 06:16:25,143:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 1232733
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651
Replay-Nonce: HZxE_oF7cwXKUBJjcRahVsJrHixoVuEy561Y9ceW5ug
Expires: Mon, 07 May 2018 06:16:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 May 2018 06:16:42 GMT
Connection: keep-alive

b'{\n  "type": "http-01",\n  "status": "pending",\n  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651",\n  "token": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA",\n  "keyAuthorization": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA.3okljjWrTg2GJGDcPTxJi1AXpWOBdqeULuCDoe4vrpw"\n}'
2018-05-07 06:16:25,143:DEBUG:acme.client:Storing nonce: HZxE_oF7cwXKUBJjcRahVsJrHixoVuEy561Y9ceW5ug
2018-05-07 06:16:28,147:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q.
2018-05-07 06:16:28,335:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q HTTP/1.1" 200 1742
2018-05-07 06:16:28,336:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1742
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: OWhfW45zf_46cgjXTe9P_ruxfb-iCuzwSOaDoOxndKU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 07 May 2018 06:16:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 07 May 2018 06:16:45 GMT
Connection: keep-alive

b'{\n  "identifier": {\n    "type": "dns",\n    "value": "zimbra.conquerthechaos.org"\n  },\n  "status": "invalid",\n  "expires": "2018-05-14T06:16:41Z",\n  "challenges": [\n    {\n      "type": "http-01",\n      "status": "invalid",\n      "error": {\n        "type": "urn:acme:error:connection",\n        "detail": "Fetching http://zimbra.conquerthechaos.org/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA: Connection refused",\n        "status": 400\n      },\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122651",\n      "token": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA",\n      "keyAuthorization": "PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA.3okljjWrTg2GJGDcPTxJi1AXpWOBdqeULuCDoe4vrpw",\n      "validationRecord": [\n        {\n          "url": "http://zimbra.conquerthechaos.org/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA",\n          "hostname": "zimbra.conquerthechaos.org",\n          "port": "80",\n          "addressesResolved": [\n            "46.101.83.189"\n          ],\n          "addressUsed": "46.101.83.189"\n        }\n      ]\n    },\n    {\n      "type": "dns-01",\n      "status": "invalid",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122652",\n      "token": "wwi0z52dT6QQ6vylxL-21xBhj8SxjZhoNmurmwrvm38"\n    },\n    {\n      "type": "tls-sni-01",\n      "status": "invalid",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/UTabEQdv2hxnaNUiVc87ZwRCJKWc4mPb15LomRa596Q/4535122653",\n      "token": "EMKyXPW9jWAV9YFHnjdfTo-CqE6ETEsiPqcByEAcWmg"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      2\n    ],\n    [\n      0\n    ]\n  ]\n}'
2018-05-07 06:16:28,337:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: zimbra.conquerthechaos.org
Type:   connection
Detail: Fetching http://zimbra.conquerthechaos.org/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-05-07 06:16:28,337:INFO:certbot.auth_handler:Cleaning up challenges
2018-05-07 06:16:28,337:DEBUG:certbot.plugins.webroot:Removing /opt/zimbra/data/nginx/html/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA
2018-05-07 06:16:28,338:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-05-07 06:16:28,338:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1157, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 79, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 154, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 220, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. zimbra.conquerthechaos.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zimbra.conquerthechaos.org/.well-known/acme-challenge/PsfGCiohT104v6YBnR87Oe8ooEveMRkBTbCL0-5bMvA: Connection refused

Check if the current cert is still valid

Is it not possible to check if the current cert is still valid? Normally certbot does this for my websites automatically. Is that also possible for Zimbra? Then it wouldn't be necessary to install a cert and restart the server every day when your script is running.
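One way to avoid the daily restart is to compare the certificate certbot produced with the one already deployed and only run the deploy step when they differ. Zimbra's `commercial.crt` carries the server certificate followed by the appended chain (see the "Appending ca chain" line in the output further down), so only the first PEM block is compared. This is an added example, not part of certbot-zimbra; the file paths are the ones quoted in these issues, and the expiry helper relies on the real `openssl x509 -checkend` option.

```shell
#!/bin/sh
# Print only the first PEM certificate block of a file. commercial.crt contains
# the server certificate with the CA chain appended, so the chain must be ignored
# when comparing it against certbot's cert.pem.
first_cert_block() {
  awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
       inblock { print }
       /-----END CERTIFICATE-----/ { if (inblock) exit }' "$1"
}

# Return 0 (true) when the renewed certificate differs from the deployed one,
# i.e. when running zmcertmgr and restarting Zimbra is actually necessary.
#   $1: certificate certbot wrote, e.g. /etc/letsencrypt/live/<name>/cert.pem
#   $2: deployed certificate, e.g. /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cert_changed() {
  new_cert="$1"
  deployed_crt="$2"
  if [ ! -r "$new_cert" ]; then
    echo "cannot read $new_cert" >&2
    return 2
  fi
  # Nothing deployed yet: a deploy is required.
  [ -r "$deployed_crt" ] || return 0
  if [ "$(first_cert_block "$new_cert")" = "$(first_cert_block "$deployed_crt")" ]; then
    return 1
  fi
  return 0
}

# Return 0 (true) when the certificate in $1 expires within $2 days.
# openssl x509 -checkend SECONDS exits 0 only if the certificate is still valid
# that far into the future. If openssl is missing the command fails, which is
# treated as "expiring" so that a deploy is attempted rather than skipped.
cert_expires_within_days() {
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1 && return 1
  return 0
}

# Intended use in the deploy step:
#   if cert_changed "$CERTPATH/cert.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.crt; then
#     echo "certificate changed, deploying"   # zmcertmgr + zmcontrol restart go here
#   else
#     echo "deployed certificate is current, nothing to do"
#   fi
```

Comparing the PEM text is enough to detect a renewal because certbot writes a new key and certificate on every renewal, so the first block never matches after a real renewal; the expiry helper is useful as a second guard when the deployed certificate comes from somewhere other than certbot.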

Nothing ever listens on port 80

It does not matter if zimbra is running or not (zmcontrol stop).
Firewall log says that a connection to port 80 is made and forwarded. However nothing ever listens on port 80. Zimbra proxy itself is operating on HTTPS, 443, not on HTTP 80 and I have no problems with external access over HTTPS/443.

Zimbra 8.7.11 GA - all fresh/default (incl. proxy), Ubuntu 16.04 LTS.

- The following errors were reported by the server:

Domain: z.mydomain.com
Type: connection
Detail: Fetching
http://z.mydomain.com/.well-known/acme-challenge/reeoCGfsdcrs0bh1Fdu4EfaPgasdfVDS4N7lgBAXc:
Connection refused

Willing to share the log file but not publicly.

if zimbraReverseProxyMailMode in https only request cert via zimbra instead of using standalone

Hello!

I am getting the error below to renew the cert:

./certbot_zimbra.sh -n
Detected Zimbra 8.7.11
Detected zimbraReverseProxyMailMode in https only, requesting certificate in standalone mode. Make sure your firewall has port 80 open
Detected zimbra.valecloud.com.br as Zimbra domain: use this hostname for certificate request? y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zimbra.valecloud.com.br
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
letsencrypt returned an error

or

./certbot_zimbra.sh --renew --no-nginx
Detected Zimbra 8.7.11
Detected zimbra.valecloud.com.br as Zimbra domain: use this hostname for certificate request? Y
cp: omitting directory '/etc/letsencrypt/live//zimbra.valecloud.com.br'
cat: /etc/letsencrypt/live//chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: CN = zimbra.valecloud.com.br
error 20 at 0 depth lookup:unable to get local issuer certificate
Unable to verify cert!

Could you please help me on that?

Thank you.

Your Zimbra version is not currently supported

Hi,
After upgrading Zimbra to 8.7.11 and certbot too, I cannot renew my certificate.

./certbot_zimbra.sh -n
Detected Zimbra 8.7.11
Your Zimbra version is not currently supported (or patch subdir was not copied)

And another:

/certbot_zimbra.sh -r -d test.test
Detected Zimbra 8.7.11
Your Zimbra version is not currently supported (or patch subdir was not copied)

How to renew certificate?
Tom

DOMAIN env variable not in Ubuntu 16.04

Was getting this error when trying to run the script for a new cert:

cp: omitting directory '/etc/letsencrypt/live//zimbra.XXX.com'
cat: /etc/letsencrypt/live//chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/privkey.pem'
ERROR: Can't read file '/opt/zimbra/ssl/letsencrypt/cert.pem'
Unable to verify cert!

Changed this part of the script:

# If passed by --renew-hook, contains the path of the renewed cert which may differ from the default /etc/letsencrypt/live/$DOMAIN
CERTPATH=$RENEWED_LINEAGE
if [ -z "$CERTPATH" ]; then
    CERTPATH="/etc/letsencrypt/live/${DOMAIN%%,*}"
fi

To:

# If passed by --renew-hook, contains the path of the renewed cert which may differ from the default /etc/letsencrypt/live/$DOMAIN
CERTPATH=$RENEWED_LINEAGE
if [ -z "$CERTPATH" ]; then
    ZMDOMAIN=$(/opt/zimbra/bin/zmhostname)
    CERTPATH="/etc/letsencrypt/live/$ZMDOMAIN"
fi

This fixed the issue.
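The empty `/etc/letsencrypt/live//` path in the errors above comes from `$DOMAIN` being unset when the script is run by hand, while certbot only exports `RENEWED_LINEAGE` (and `RENEWED_DOMAINS`) to `--renew-hook` and `--deploy-hook` commands. An added example, not certbot-zimbra's own code, of resolving the certificate directory in that order and checking it before anything is copied: `LE_LIVE_DIR` is an assumed override introduced here so the logic can be exercised outside `/etc/letsencrypt`, and the `zmhostname` fallback uses the path quoted in the issue.

```shell
#!/bin/sh
# Resolve the directory that holds the certificate to deploy.
# Order: RENEWED_LINEAGE (exported by certbot to renew/deploy hooks), then the
# first name in $DOMAIN (certbot names the lineage after the first -d entry),
# then Zimbra's own hostname. LE_LIVE_DIR is an assumed override for testing,
# not a certbot or certbot-zimbra setting.
resolve_certpath() {
  live_dir="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
  if [ -n "$RENEWED_LINEAGE" ]; then
    printf '%s\n' "$RENEWED_LINEAGE"
    return 0
  fi
  first="${DOMAIN%%,*}"
  if [ -n "$first" ]; then
    printf '%s\n' "$live_dir/$first"
    return 0
  fi
  if [ -x /opt/zimbra/bin/zmhostname ]; then
    printf '%s\n' "$live_dir/$(/opt/zimbra/bin/zmhostname)"
    return 0
  fi
  echo "cannot determine certificate path: RENEWED_LINEAGE and DOMAIN are both empty" >&2
  return 1
}

# Fail early with a clear message if the lineage directory lacks any file the
# deploy step copies; this replaces the confusing "cp: omitting directory" and
# "cat: .../chain.pem: No such file" errors seen above.
check_lineage() {
  dir="$1"
  for f in cert.pem privkey.pem chain.pem fullchain.pem; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f" >&2
      return 1
    fi
  done
  return 0
}

# Typical use at the top of the deploy step:
#   CERTPATH=$(resolve_certpath) || exit 1
#   check_lineage "$CERTPATH" || exit 1
```

Because `RENEWED_LINEAGE` already points at the exact directory certbot just renewed, preferring it over a recomputed path also keeps the hook correct when the lineage name differs from the hostname, for instance a `-0001` suffix as in the renewal config path quoted in the next issue.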

Use $RENEWED_LINEAGE and $RENEWED_DOMAINS from --renew-hooks

I'm having some problem getting this to work on my 8.6 server.
The whole flow appears to be working: it is properly requesting/renewing a certificate at LetsEncrypt and claims to be replacing files, but in the end it is still using the old certificate. I have tested both HTTPS and IMAPS, but both show that the certificate will expire within the next 3 weeks.

The output of the script:

Detected Zimbra 8.6.0
Detected zimbraReverseProxyMailMode in https only, requesting certificate in standalone mode. Make sure your firewall has port 80 open
Detected zimbra.example.com as Zimbra domain: use this hostname for certificate request? yes
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/zimbra.example.com-0001.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

-------------------------------------------------------------------------------
Certificate not yet due for renewal; no action taken.
-------------------------------------------------------------------------------
** Verifying /opt/zimbra/ssl/letsencrypt/cert.pem against /opt/zimbra/ssl/letsencrypt/privkey.pem
Certificate (/opt/zimbra/ssl/letsencrypt/cert.pem) and private key (/opt/zimbra/ssl/letsencrypt/privkey.pem) match.
Valid Certificate: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Verifying /opt/zimbra/ssl/letsencrypt/cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/letsencrypt/cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Copying /opt/zimbra/ssl/letsencrypt/cert.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Host zimbra.example.com
        Stopping vmware-ha...skipped.
                /opt/zimbra/bin/zmhactl missing or not executable.
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host zimbra.example.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting dnscache...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.

The /opt/zimbra/ssl/zimbra/commercial/commercial.crt file is updated:

  File: 'commercial.crt'
  Size: 5885            Blocks: 16         IO Block: 4096   regular file
Device: 19h/25d Inode: 62401771    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  999/  zimbra)   Gid: (  999/  zimbra)
Access: 2017-07-25 08:12:53.564230180 +0200
Modify: 2017-07-25 08:12:53.230226352 +0200
Change: 2017-07-25 08:12:53.560230132 +0200
 Birth: -

Same for /opt/zimbra/ssl/letsencrypt/cert.pem:

  File: 'cert.pem'
  Size: 1838            Blocks: 8          IO Block: 4096   regular file
Device: 19h/25d Inode: 63309728    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  999/  zimbra)   Gid: (  999/  zimbra)
Access: 2017-07-25 08:12:52.825221709 +0200
Modify: 2017-07-25 08:12:52.818221629 +0200
Change: 2017-07-25 08:12:52.818221629 +0200
 Birth: -

However, according to OpenSSL, this is still the old file.

If you need any further information, please let me know!

Error patch

Detected Zimbra 8.7.11
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20171002_134407
checking file nginx.conf.web.http.default.template
Hunk #1 FAILED at 65.
1 out of 1 hunk FAILED
checking file nginx.conf.web.https.default.template
Hunk #1 FAILED at 94.
1 out of 1 hunk FAILED
checking file nginx.conf.web.https.template
checking file nginx.conf.web.http.template
Patching test failed! Please file a bug with the output above to https://github.com/YetOpen/certbot-zimbra/issues/new

Can you help me please?

Unable to verify cert

Zimbra 8.7.11 running on CentOS 7

I get the following error:

cp: omitting directory ‘/etc/letsencrypt/live//domain.example.org’
cat: /etc/letsencrypt/live//chain.pem: No such file or directory
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: CN = zcs.wecinternational.org
error 20 at 0 depth lookup:unable to get local issuer certificate
Unable to verify cert!

The problem seems to be that the $CERTPATH variable in lines 265 and 269 adds an extra / to the path when running the cp command and the cat command - see message path /etc/letsencrypt/live//domain.example.org

If I edit the script and change $CERTPATH on those lines to "hard coding" the actual correct path then the script works perfectly. Do you have any ideas how to get CERTPATH working?
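The "DOMAIN env variable" and "Unable to verify cert" reports above both come down to the same thing: an empty domain name turning the lineage path into /etc/letsencrypt/live//... so that cp and cat fail. The following is an added example, not code from certbot-zimbra, showing a path-resolution helper that applies the same fallback order (RENEWED_LINEAGE, then the first -d name, then the Zimbra hostname) and refuses to build a path from an empty name. The live root and the hostname are passed as arguments (a hypothetical interface) so it can be exercised on a host without Zimbra.

```shell
#!/bin/sh
# Added example (not the project's own code): resolve the Let's Encrypt
# lineage directory and refuse an empty name instead of producing
# /etc/letsencrypt/live// followed by a bare file name.
#
# Assumption (hypothetical interface): the live root and the Zimbra hostname
# are passed in rather than read from /opt/zimbra/bin/zmhostname directly.

# resolve_certpath LIVE_ROOT RENEWED_LINEAGE DOMAIN ZMHOSTNAME
# Prints the lineage directory on stdout; returns 1 if no usable name exists.
resolve_certpath() {
    live_root=$1
    renewed_lineage=$2
    domain=$3
    zmhostname=$4

    # certbot's --renew-hook exports RENEWED_LINEAGE; trust it when present.
    if [ -n "$renewed_lineage" ]; then
        printf '%s\n' "$renewed_lineage"
        return 0
    fi

    # Manual run: first name of the comma-separated -d list,
    # falling back to the Zimbra hostname when no domain was given.
    name=${domain%%,*}
    if [ -z "$name" ]; then
        name=$zmhostname
    fi
    if [ -z "$name" ]; then
        echo "resolve_certpath: neither a domain nor a hostname is set" >&2
        return 1
    fi
    printf '%s/%s\n' "$live_root" "$name"
}

# check_lineage DIR: verify the three files the deploy step copies are readable,
# so a wrong path is caught before anything is written under /opt/zimbra/ssl.
check_lineage() {
    dir=$1
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    return 0
}
```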
