⚠️ UPDATE 2017.09.11: the script has been updated since this post was written; see the later posts on this blog or the GitHub project page for the latest information ⚠️
There's an extensive guide on Zimbra's Wiki on how to (manually) set up a Let's Encrypt certificate in Zimbra Collaboration Server.
There's a bash script to request and deploy a cert. Another method, with a mix of scripts, is explained in Zimbra bug #99549.
But would you like to simply type:
certbot_zimbra.sh -n
and deploy the certificate?
The script I developed takes a different approach from the previous ones: it patches Zimbra's nginx templates so that requests for the /.well-known/ location are answered from a local directory that certbot's webroot authenticator writes its http-01 challenge files to, rather than being handled by Zimbra itself.
Requirements
certbot, the Let's Encrypt client. Version >= 0.7.0 is highly recommended, mainly because it can run a command (a renewal hook) when the certificate is renewed, which is what automates the deployment into Zimbra.
the zimbra-proxy package must be installed (this shouldn't be a problem, since it has been a mandatory component since Zimbra 8.6). Because the challenge is http-01, Zimbra's nginx must also listen on port 80 (zimbraReverseProxyMailMode set to both or redirect, not https) and port 80 of the Zimbra hostname must be reachable from the Internet: a closed port 80 is the single most common cause of "Connection refused" failures.
the OS patch package, which the script uses to patch the nginx templates.
Installation
To obtain certbot I'd suggest the EFF way:
wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto
Since this file will run as root, fetch EFF's detached signature (https://dl.eff.org/certbot-auto.asc) and verify the download with gpg against EFF's signing key before making it executable. Note that certbot-auto has since been deprecated by the EFF; on a current system install certbot from your distribution's packages or from snap instead.
The certbot-zimbra can be cloned from GitHub:
cd /usr/local/src
git clone https://github.com/YetOpen/certbot-zimbra.git
cd certbot-zimbra
At this point, to obtain and install the Let's Encrypt certificate in Zimbra, just run (as root):
./certbot_zimbra.sh -n
The script will:
- patch nginx;
- request the certificate (for the host returned by zmhostname, via http-01, so port 80 must be reachable);
- verify the certificate (that it matches the private key and that the chain validates);
- install the Let's Encrypt certificate in Zimbra;
- restart Zimbra.
That's it!
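Most of the questions in the comments below are about the http-01 prerequisites rather than the script itself: port 80 closed on a firewall, Zimbra's proxy listening only on 443, or the patch binary missing. The following pre-flight check is an added example, not code from the certbot-zimbra project; it assumes Zimbra under /opt/zimbra, that `zmprov getServer HOST zimbraReverseProxyMailMode` prints the attribute as "zimbraReverseProxyMailMode: <mode>", and uses a made-up probe path (preflight-probe) for which a 404 is the expected good answer.

```sh
#!/bin/sh
# Added example; this is not code from the certbot-zimbra project.
# Pre-flight checks for what an http-01 issuance through Zimbra's proxy needs
# before running ./certbot_zimbra.sh -n: the patch binary, a certbot binary,
# a zimbraReverseProxyMailMode that makes nginx bind port 80, and the challenge
# path answering over plain http.
# Assumptions: Zimbra is installed under /opt/zimbra, and
# `zmprov getServer HOST zimbraReverseProxyMailMode` prints a line of the form
# "zimbraReverseProxyMailMode: <mode>".

# proxy_mode_listens_on_80 MODE -> 0 when Zimbra's nginx binds port 80 in that mode.
# "https" is the only mode that keeps the proxy off port 80; "both", "http",
# "mixed" and "redirect" all bind it, so an http-01 challenge can be answered.
proxy_mode_listens_on_80() {
    case "$1" in
        http|both|mixed|redirect) return 0 ;;
        *) return 1 ;;
    esac
}

# parse_proxy_mode ZMPROV_OUTPUT -> prints the mode value, or nothing if the
# attribute is not in the output (zmprov also prints a "# name host" header).
parse_proxy_mode() {
    printf '%s\n' "$1" | sed -n 's/^zimbraReverseProxyMailMode: *//p' | head -n 1
}

# missing_commands CMD... -> prints each name that is not on PATH, one per line.
missing_commands() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || printf '%s\n' "$c"
    done
}

# have_any CMD... -> 0 if at least one of the names is on PATH.
# Used for certbot, which may be installed as "certbot" (distribution package)
# or "certbot-auto" (the EFF download used in the post).
have_any() {
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 && return 0
    done
    return 1
}

# challenge_http_status HOST -> prints the HTTP status the proxy returns for a
# non-existent challenge file, or 000 when nothing answers on port 80.
# 404 is the good answer: the proxy is up on :80 and serves the location.
challenge_http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$1/.well-known/acme-challenge/preflight-probe" 2>/dev/null
}

preflight() {
    host="$1"
    rc=0
    missing=$(missing_commands patch)
    [ -z "$missing" ] || { echo "missing on PATH: $missing" >&2; rc=1; }
    have_any certbot certbot-auto || { echo "no certbot or certbot-auto on PATH" >&2; rc=1; }
    mode=$(parse_proxy_mode "$(su - zimbra -c "zmprov getServer $host zimbraReverseProxyMailMode" 2>/dev/null)")
    proxy_mode_listens_on_80 "$mode" || {
        echo "zimbraReverseProxyMailMode is '$mode': nginx will not answer on port 80" >&2
        echo "fix: su - zimbra -c 'zmprov ms $host zimbraReverseProxyMailMode both' (or redirect)" >&2
        rc=1
    }
    code=$(challenge_http_status "$host")
    case "$code" in
        404|200) ;;
        ""|000) echo "nothing answers on http://$host:80 (firewall, NAT or proxy mode)" >&2; rc=1 ;;
        *) echo "http://$host:80 answers $code for the challenge path; check nginx.access.log" >&2; rc=1 ;;
    esac
    return $rc
}

# Run the checks only when a hostname is given, so the file can be sourced for tests.
if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it as root with the Zimbra hostname, e.g. `sh preflight.sh $(/opt/zimbra/bin/zmhostname)`: a non-zero exit lists what to fix before certbot is even invoked, which avoids burning Let's Encrypt's failed-validation rate limit on a closed port.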
Now what about renewal? In /etc/crontab or a file under /etc/cron.d/ (the format below has a user field) add the following line:
55 4 * * * root /usr/bin/certbot renew --post-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Use the full path to zmhostname: cron runs the command with a minimal PATH that does not include /opt/zimbra/bin, so a bare $(zmhostname) would expand to an empty -d argument. Likewise point to the certbot binary you actually installed (/usr/local/bin/certbot-auto if you followed the install step above). certbot will check daily whether a renewal is due (by default it only renews once the certificate is within 30 days of expiry, so "Cert not yet due for renewal" on other days is normal); when a renewal is attempted, the post-hook runs the script, which deploys the new cert in Zimbra and restarts it.
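certbot 0.17 and later also offer --deploy-hook which, unlike --post-hook, runs once per lineage that was actually renewed and exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space separated) to the hook. The wrapper below, an added example and not the project's code, uses that to hand off to certbot_zimbra.sh only when the renewed certificate really covers the Zimbra hostname, and refuses to hand off a private key that is group- or world-readable. The script path and the /opt/zimbra/bin/zmhostname path are taken from this post; the environment variable names are certbot's.

```sh
#!/bin/sh
# Added example; this is not code from the certbot-zimbra project.
# A certbot deploy hook that redeploys into Zimbra only when the lineage that
# was just renewed covers the Zimbra hostname, and refuses to deploy a private
# key that is readable by group or others.
# Assumptions: certbot >= 0.17 (--deploy-hook), which exports RENEWED_LINEAGE
# and RENEWED_DOMAINS to the hook; certbot_zimbra.sh at the path used in the
# post; /opt/zimbra/bin/zmhostname available (cron's PATH does not include it).

ZMHOSTNAME="${ZMHOSTNAME:-$(/opt/zimbra/bin/zmhostname 2>/dev/null || true)}"
DEPLOY_SCRIPT="/usr/local/src/certbot-zimbra/certbot_zimbra.sh"

# covers_host "DOMAIN DOMAIN ..." HOST -> 0 if HOST is one of the space-separated
# domains. $1 is left unquoted on purpose so the shell splits it into words.
covers_host() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# lineage_complete DIR -> 0 if every file the Zimbra deploy needs is readable.
lineage_complete() {
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        [ -r "$1/$f" ] || return 1
    done
    return 0
}

# key_mode_private FILE -> 0 if the group and other permission bits are all
# clear (e.g. -rw-------). Follows symlinks (live/ points into archive/) and
# parses ls -l so it works with both GNU and BSD userland.
key_mode_private() {
    case "$(ls -ldL "$1" 2>/dev/null | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

deploy_hook() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "not invoked as a certbot deploy hook (RENEWED_LINEAGE unset)" >&2
        return 2
    fi
    if ! covers_host "${RENEWED_DOMAINS:-}" "$ZMHOSTNAME"; then
        # Another lineage on this box was renewed; nothing to do for Zimbra.
        echo "lineage $RENEWED_LINEAGE does not cover $ZMHOSTNAME, skipping" >&2
        return 0
    fi
    lineage_complete "$RENEWED_LINEAGE" || {
        echo "incomplete lineage $RENEWED_LINEAGE, not deploying" >&2
        return 1
    }
    key_mode_private "$RENEWED_LINEAGE/privkey.pem" || {
        echo "refusing to deploy: $RENEWED_LINEAGE/privkey.pem is group/world readable" >&2
        return 1
    }
    exec "$DEPLOY_SCRIPT" -r -d "$ZMHOSTNAME"
}

# Only act when certbot invoked us; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Save it as e.g. /usr/local/sbin/zimbra-deploy-hook.sh (mode 0755, owned by root) and use `certbot renew --deploy-hook /usr/local/sbin/zimbra-deploy-hook.sh` in the cron line in place of --post-hook; a failed renewal then never triggers a Zimbra restart, and a renewal of some other certificate on the same host is ignored.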
Sources
The script is published on GitHub. Suggestion, feedback and pull requests are welcome at: https://github.com/yetopen/certbot-zimbra
Thank you very much for this script. I really appreciated you taking the time to write this in English. It worked perfectly! Many thanks!
Lorenzo,
Does the renewal happen on the final day of the 90 days of the original certificate? I ask because 19 days before the expiration, I got an email from Let's Encrypt that the certificate will expire soon and to renew.
Thoughts?
Carlos
I don't really know exactly when it's done, but it should be within the week of expiry.
Thanks!!!! For the updates to the script!
Hello, I had a little problem, but corrected it. The problem was that it didn't get the correct path/domain to copy the letsencrypt files and broke at that point.
The issue was in function prepare_certificate:
..
The line with # is the one with the problem, and -> is the line that works for me.
#cp $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
-> cp $CERTPATH/$ZMHOSTNAME/* /opt/zimbra/ssl/letsencrypt/
….
#cat $CERTPATH/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
-> cat $CERTPATH/$ZMHOSTNAME/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
After that it worked perfectly. Many thanks for the script.
My info: server Ubuntu 14.04 and Zimbra 8.7.11
Thanks Juan, there’s an issue on GitHub, I still have to make a proper fix.
https://github.com/YetOpen/certbot-zimbra/issues/28
Thank you MAXXER for the nice tool and
JUAN LUIS for the fix to make it work.
Hi,
thank you for the script, but I get an error when trying to issue the certificate:
The server could not connect to the client to verify the domain :: Fetching http://my.server.com/.well-known/acme-challenge/….
It seems port 80 (http) must be enabled, but on my server it is not.
Can you adjust the script to work around this situation?
How strange, by default it should use port 443. Is this a first issue or a renewal?
Hi Maxxer, this http issue is upon first deployment of the script. This was the error when I installed it, so it did not deploy the LE SSL certificate.
I can enable port 80 temporarily, but I wanted to see if you can resolve the bug somehow.
Hi there,
Thanks for the tutorial. I'm getting an error, something about a patch not found. Here's the output:
Certbot-Zimbra v0.2 – https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.8
which: no patch in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
No patch binary found. Please install OS ‘patch’ package
Hi. As the last message says, install the system 'patch' package, e.g. on Ubuntu apt-get install patch
The previous issue is simply resolved by installing patch:
yum install patch
Now the following error comes up:
Domain: mail.example.ma
Type: connection
Detail: Fetching
http://mail.example.ma/.well-known/acme-challenge/3o1zK3beIX244GN80gFgYshs9BORaKXuSv78WmNcsNc:
Connection refused
FYI, I have no firewall rules or iptables active.
Port 80 must be open and Zimbra (proxy) must be listening also on http
Hi,
I have this error (Zimbra 8.8.9, Ubuntu 16.04).
Help 🙂
The script ends with this:
….
Creating virtual environment…
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/virtualenv.py”, line 2363, in
main()
File “/usr/lib/python3/dist-packages/virtualenv.py”, line 719, in main
symlink=options.symlink)
File “/usr/lib/python3/dist-packages/virtualenv.py”, line 988, in create_environment
download=download,
File “/usr/lib/python3/dist-packages/virtualenv.py”, line 918, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
File “/usr/lib/python3/dist-packages/virtualenv.py”, line 812, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 – setuptools pkg_resources pip wheel failed with error code 1
letsencrypt returned an error
Looks like a problem with your locale:
https://github.com/certbot/certbot/issues/3104
Hello there,
I have the same problem as Andrej.
I tested telnet to port 80 (http) and it worked; I also tested connecting to port 80 with a browser, it was promptly redirected to port 443 and that also worked, but when I try to connect to this particular directory, e.g. http://mail.myserver.com/.well-known/acme-challenge/xyz, I get "Connection reset by peer".
Any suggestion is appreciated.
Many thanks
Are you sure Zimbra's nginx is listening on port 80 and not something else?
The help screen mentions '-u' as being --no-public-hostname-detection; examination of the script reveals that it is actually -h (which would normally bring up a help screen).
fixed, thanks
hi
I hope you are well. I am facing this error, can you please help me with it.
Failed authorization procedure. zmail.cubexsweatherly.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks: Connection refused
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: zmail.cubexsweatherly.com
Type: connection
Detail: Fetching
http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks:
Connection refused
Do you have port 80 open on the firewall? Or forwarded from your modem/router to the Zimbra server? http://zmail.cubexsweatherly.com/ must be accessible from outside for the script to work
Hi,
is there any way to run the script without port 80 being open? This is a very stupid auth request from LE, I know… can we somehow work only on port 443 or with some permanent DNS verification record?
Thanks, Andrej
There are other auth methods, but the script currently supports only http. For your other error I’d suggest to install certbot from packages, because it looks like you’re missing a Python package.
For further support I suggest you to use GitHub which is better suited for help.
And one more error on Zimbra 8.8.10:
Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
from certbot.main import main
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 10, in
import josepy as jose
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/__init__.py”, line 41, in
from josepy.interfaces import JSONDeSerializable
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/interfaces.py”, line 8, in
from josepy import errors, util
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/util.py”, line 4, in
import OpenSSL
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py”, line 8, in
from OpenSSL import rand, crypto, SSL
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py”, line 1, in
import datetime
ImportError: No module named datetime
letsencrypt returned an error
Well, thank you for the express hints. I successfully managed to install on Zimbra 8.8.10 and Ubuntu 16.04 using the following:
1.) Installed certbot via pip, but first install pip:
# apt install python-pip
# rm -rf /opt/eff.org/*
# pip install -U certbot
2.) Then I made sure all other domains are really pointing to my server, AND that port 80 is open on the firewall AND Zimbra is listening on port 80 too (as zimbra user):
# zmprov getServer my.host.name zimbraReverseProxyMailMode
If the answer is "both", then Certbot will work.
If not, you may switch to "both":
# zmprov ms my.host.name zimbraReverseProxyMailMode both
3.) Then I run:
# cd /usr/local/src/certbot-zimbra
# ./certbot_zimbra.sh -n
SUCCESS! 🙂
Hi team,
I renewed my certificate with the command you gave above, but it is not reflected in my Zimbra.
[root@zmail ~]# certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Processing /etc/letsencrypt/renewal/zmail.onegig.com.pk.conf
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Cert not yet due for renewal
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
The following certs are not due for renewal yet:
/etc/letsencrypt/live/zmail.onegig.com.pk/fullchain.pem expires on 2019-04-30 (skipped)
No renewals were attempted.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
[root@zmail ~]# certbot certificates | grep -Ei ‘expiry|domain’
-bash: certbot: command not found
[root@zmail ~]# certbot-auto certificates | grep -Ei ‘expiry|domain’
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Domains: zmail.onegig.com.pk
Expiry Date: 2019-04-30 10:23:55+00:00 (VALID: 89 days)
[root@zmail ~]#
Which command above? Anyway, if you renewed manually you have to run the post-renew hook manually. See the README
Hi,
I ran this command:
certbot renew --post-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -r -d $(zmhostname)"
no, you have to run just the post hook part, that is certbot_zimbra.sh with -r
hi
I am facing this issue, can you help me with this matter.
[root@mail certbot-zimbra]# ./certbot_zimbra.sh -n
Certbot-Zimbra v0.5 – https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.10
Detected mail.hbfc.com.pk as Zimbra hostname
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/mail.hbfc.com.pk.conf)
What would you like to do?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Certificate not yet due for renewal; no action taken.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’
Certificate ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ and private key ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’ match.
** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem’
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
ERROR: Can’t read file ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Host mail.hbfc.com.pk
[root@mail certbot-zimbra]# ls -lh /opt/zimbra/ssl/zimbra/commercial/commercial.key
-rw——- 1 root root 1.7K Jan 31 02:02 /opt/zimbra/ssl/zimbra/commercial/commercial.key
[root@mail certbot-zimbra]#
hi
All my issues have been resolved. Thanks for your superb script. Just add one line in your script:
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key # add this line in your script please.
Error on commercial key:
Result:
** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’
Certificate ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ and private key ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’ match.
** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem’
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
ERROR: Can’t read file ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Fix perms with chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/ .
It has been fixed in a recent release
PERFECT! I just installed it on Zimbra 8.8.12
Before starting, I just changed the behavior of the Zimbra proxy with the following command:
zmprov ms YourMailHostHere.com zimbraReverseProxyMailMode redirect
In this way, when any challenge is made against the server (to get the server information) it is going to work. By default, Zimbra 8.8.12 is only listening on port 443 (not on port 80); in my case, I guess it is always best practice to redirect all the traffic on port 80 to secure port 443 (HTTP to HTTPS).
I got the following error:
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name “nginx” user “zimbra”
Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain mail2.stbanklaos.la must be listening on it.
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
Could you help me with this.
You'd better report this kind of problem on GitHub, but are you using the latest version? We've fixed some issues like this in the last weeks.
If you’re sure your setup is ok you can pass -j to skip port check
Well maxxer, I was having the same issue as Sounay and the -j did the job; everything ran smoothly and now my Zimbra has SSL enabled 🙂 tyvm
This should be the issue: https://github.com/YetOpen/certbot-zimbra/issues/91
Hi,
seems like even the latest script 0.77 does not RENEW properly. Maybe there's an incompatibility between the EFF and GitHub methods, but in my case (GitHub method) the certificate gets properly issued by LE…
…but the script copies the WRONG CERT to Zimbra:
It should use the path:
/etc/letsencrypt/live/-0001/ (seems like -0001 is increased with each renewal)
But instead it uses the path:
/run/certbot-zimbra/certs-McigMQS7/ (seems like the 2nd part of the name is random)
So I end up with all OK, no errors… but the SSL is the same as before renewal.
I need to manually copy over the files.
hi, I used this guide to install Zimbra and Let's Encrypt. Now the SSL has expired; could you tell me how to manually renew Let's Encrypt?
I tried certbot_zimbra.sh -n but it is not working.
Shall I stop Zimbra first?
Follow the instructions here https://github.com/YetOpen/certbot-zimbra#renewal-using-crontab
hi, I am trying to renew the certificate by running "./certbot_zimbra.sh -n -j"
And I got stuck at this stage, "Nginx templates already patched.", and nothing is progressing at all.
I googled and found someone is also facing this issue too https://github.com/YetOpen/certbot-zimbra/issues/99
Could you kindly help?
Regards,
Sounay
Please comment on the issue so we can help others with the same problem
I’m getting this kind of error on about half of the domains on my zimbra server when running the install script. Not entirely sure what I’m doing wrong here….
Domain: zimbra.blueheronlake.org
Type: unauthorized
Detail: Invalid response from
http://zimbra.blueheronlake.org/.well-known/acme-challenge/GThl_7a7i9L9WAfp76as6SVO4P9-yAcgbliHnRNulnE
[199.47.174.179]: “\n\n500 Internal Server
Error\n\nInter”
Check your zimbra nginx.access.log and mailbox.log to see what’s going on. Otherwise ask help on Zimbra forum which is a better place for getting help 🙂
Thank you very much, greetings from Colombia
I had an error this morning because my certbot wasn’t renewing properly.
“ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /run/certbot-zimbra/certs-v9mE7HRs/cert.pem: verification failed”
I upgraded from 0.7.11 to 0.7.12 of this script by using these commands.
$ sudo su
$ cd /usr/local/src
$ mv certbot-zimbra certbot-zimbra.old
$ git clone https://github.com/YetOpen/certbot-zimbra.git
$ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L “–force-renewal”
After upgrading from 0.7.11 to 0.7.12, the script ran successfully and I was able to restart my zimbra server without any issue.