Upgrade to the new version of Certbot Zimbra 0.7.10


SystemMen - Upgrade to the new version of Certbot Zimbra.

You may have read the previous article that I wrote about how to use Certbot Zimbra to register Let’s Encrypt SSL certificates for a new domain automatically. Tonight, I accidentally discovered that the script is no longer working.

Certbot Zimbra 0.7.10

What’s different in the new version 0.7.10? In the older version, the -d option was used to specify the domain; in this new version, -d stands for --deploy-only.

Certbot Zimbra version 0.7.10.

That is why, when I used exactly the same command as before, the new domain still did not get the SSL certificate applied.

# certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com

In the new version, to declare the main domain to register the SSL certificate for, use the -H option, i.e. --hostname.
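Because -d changed meaning rather than disappearing, existing cron jobs and wrapper scripts that still pass a hostname to -d are worth auditing after the upgrade. The following is an added example, not part of the original article or of the certbot-zimbra project; the function names and the sample crontab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from certbot-zimbra): find command lines that still pass
# a hostname to -d. Per the article, 0.7.10 uses -d for --deploy-only and
# -H/--hostname for the primary domain.

# Reads command lines on stdin (crontab entries, wrapper-script lines) and
# prints "LEGACY <line number>: <line rewritten with -H>" for each legacy call.
audit_certbot_zimbra_lines() {
    awk '
    /^[[:space:]]*#/ { next }                      # ignore comment lines
    /certbot_zimbra\.sh/ {
        seen = 0; hit = 0; out = ""
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /certbot_zimbra\.sh$/) {
                seen = 1                           # options start after this token
            } else if (seen && t == "-d" && i < NF &&
                       $(i + 1) ~ /^[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]+$/) {
                t = "-H"; hit = 1                  # -d followed by a hostname: old syntax
            }
            out = (i > 1 ? out " " : "") t
        }
        if (hit) printf "LEGACY %d: %s\n", NR, out
    }'
}

# Constructed sample input: one legacy call, one updated call, and one
# deploy-only call where -d correctly takes no value.
sample_lines() {
    cat <<'EOF'
# constructed sample crontab lines
0 3 * * 1 /usr/local/bin/certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com
0 4 * * 1 /usr/local/bin/certbot_zimbra.sh -n -H mail.yourdomain.com -e mail.yourseconddomain.com
30 4 * * * /usr/local/bin/certbot_zimbra.sh -d >/dev/null 2>&1
EOF
}

sample_lines | audit_certbot_zimbra_lines
```

To audit a real system, pipe the output of crontab -l, or the contents of any wrapper script, into audit_certbot_zimbra_lines instead of the sample.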

Upgrade Certbot Zimbra to version 0.7.10

The upgrade is quite simple. You just need to perform the following steps.

Step 1: Download the new certbot zimbra package to the server.

# wget --content-disposition https://github.com/YetOpen/certbot-zimbra/archive/0.7.10.tar.gz

Step 2: Unzip the package and grant the execution permissions.

# tar -xzf certbot-zimbra-0.7.10.tar.gz
# cd certbot-zimbra-0.7.10
# chmod +x certbot_zimbra.sh

Step 3: Delete the old certbot_zimbra.sh file and move the new version into place.

# rm -f /usr/local/bin/certbot_zimbra.sh
# mv certbot_zimbra.sh /usr/local/bin/

It is done. You can now run this command to check that the help output lists the -H option.

# certbot_zimbra.sh --help

Using the Certbot Zimbra new version

After I upgraded it, I used it to add some domains to my Zimbra server.

The process is much the same as in the old version: it registers the SSL certificate for the domains and restarts the Zimbra services.

[root@mail ~]# certbot_zimbra.sh -n -H mail.yourdomain.com -e mail.yourseconddomain.com -e mail.yourthirddomain.com
certbot-zimbra v0.7.10 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies…
Detected Zimbra 8.x.x on RHEL7_64
Using domain mail.yourdomain.com (as certificate DN)
Got 2 domains to use as certificate SANs: mail.yourseconddomain.com mail.yourthirddomain.com
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Nginx templates already patched.
Nginx includes already patched, skipping zmproxy restart.
Detecting certbot version…
Detected certbot 1.3.0
Running /usr/local/bin/certbot-auto certonly  --webroot -w /opt/zimbra/data/nginx/html --cert-name mail.yourdomain.com -d mail.yourdomain.com -d mail.yourseconddomain.com -d mail.yourthirddomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate mail.yourdomain.com to include new domain(s):
+ mail.yourseconddomain.com
+ mail.yourthirddomain.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
   Your cert will expire on 2020-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/privkey.pem'
Certificate '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' and private key '/run/certbot-zimbra/certs-JPE5MG3p/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-JPE5MG3p/cert.pem: OK
Deploying certificates.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-JPE5MG3p/cert.pem: OK
** Copying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.yourdomain.com…ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.yourdomain.com…ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b8c8cdf8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b8c8cdf8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Removing temporary files in /run/certbot-zimbra/certs-JPE5MG3p
Restarting Zimbra.
Host mail.yourdomain.com
        Stopping zmconfigd…Done.
        Stopping imapd…Done.
        Stopping zimlet webapp…Done.
        Stopping zimbraAdmin webapp…Done.
        Stopping zimbra webapp…Done.
        Stopping service webapp…Done.
        Stopping stats…Done.
        Stopping mta…Done.
        Stopping spell…Done.
        Stopping snmp…Done.
        Stopping cbpolicyd…Done.
        Stopping archiving…Done.
        Stopping opendkim…Done.
        Stopping amavis…Done.
        Stopping antivirus…Done.
        Stopping antispam…Done.
        Stopping proxy…Done.
        Stopping memcached…Done.
        Stopping mailbox…Done.
        Stopping logger…Done.
        Stopping dnscache…Done.
        Stopping ldap…Done.
Host mail.yourdomain.com
        Starting ldap…Done.
        Starting zmconfigd…Done.
        Starting logger…Done.
        Starting mailbox…Done.
        Starting memcached…Done.
        Starting proxy…Done.
        Starting amavis…Done.
        Starting antispam…Done.
        Starting antivirus…Done.
        Starting opendkim…Done.
        Starting snmp…Done.
        Starting spell…Done.
        Starting mta…Done.
        Starting stats…Done.
        Starting service webapp…Done.
        Starting zimbra webapp…Done.
        Starting zimbraAdmin webapp…Done.
        Starting zimlet webapp…Done.
        Starting imapd…Done.
[root@mail ~]#

There is one additional point in this version: it asks you whether to register or renew the certificate for any additional domains.

Conclusion

This article is an update for those of you who are using the Certbot Zimbra script for your mail server. It’s not a serious bug, but the upgrade needs to be done if you want to continue using it. I hope it is helpful.
