Another Letsencrypt method

xorcz
Posts: 6
Joined: Fri Nov 20, 2015 6:48 am

Re: Another Letsencrypt method

Postby xorcz » Sat Jul 06, 2019 5:13 pm

Hello, I am looking for a working Letsencrypt script for Zimbra. I am puzzled about which way is the most current. This thread is huge with a lot of changes. Which guideline is the latest? Should I follow https://github.com/JimDunphy/deploy-zim ... encrypt.sh ? Thanks


JDunphy
Outstanding Member
Posts: 475
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Sat Jul 06, 2019 5:57 pm

It is kind of a mess, isn't it? The initial steps document things on the first page. Then it went into a script to help others follow along so there would be fewer typing mistakes... Eventually, the script wasn't necessary as the acme.sh script evolved and the community developed a deploy hook script to handle the install/renewal. The wiki article https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt pulls the important parts from this thread.

If you are comfortable with letsencrypt, I would follow the wiki and go directly to the 'all in one method' at step 6 ... That is what I do now. The script works too and doesn't require you to be the zimbra user when you run acme.sh as the 'All in one method' does.

Steps:
repeat until you Get verified certificate
have zimbra verify your certificate
have zimbra install your certificate
restart zimbra

The scripts are there to protect you from trying to do something without having a valid certificate. If you like DNS, can follow directions and have a DNS provider that has an API then it's hard to beat the all in one method as the installation will even add the crontab entry to do the renewals for you. Less code to maintain since it's all acme.sh with the exception of the deployhook that you initially have to copy/paste into the deploy folder.

This is what you do after installing acme.sh and configuring ...

Code:

% su - zimbra
% cd .acme.sh
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com

You don't go to the deploy step until you have a valid certificate via the issue step. This also handles the renewal automatically because acme.sh runs every night from cron and checks to see if it's time for renewal. If it is time, it does it and then calls that hook automatically...

If you are curious when the renewal will happen do this:

Code:

% ./acme.sh --list

And it will tell you when acme.sh would renew at the earliest. (currently about 60 days unless you force it)

Pretty simple process but too much documentation and more is not better IMO.
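As an added example (not from the thread, the wiki, or acme.sh itself), here is a small monitoring check for the renewal step described above: it parses the output of `acme.sh --list` and flags certificates whose renewal date has passed, which is the signal that the nightly cron run or the zimbra deploy hook did not succeed. The sample listing, the column names (`Main_Domain`, `KeyLength`, `SAN_Domains`, `CA`, `Created`, `Renew`) and the timestamp format are constructed assumptions about acme.sh's list layout, not captured from a real host; adjust `parse_acme_list` if your version prints different columns.

```python
"""Parse `acme.sh --list` output and flag certificates whose renewal is due or overdue.

Added example for the Zimbra/acme.sh thread; the listing below is constructed,
and the column layout is an assumption about acme.sh's output format.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of `acme.sh --list` output (assumed layout, not captured from a real host).
# The second certificate has a Renew date well in the past, simulating a failed cron renewal.
SAMPLE_LIST = """\
Main_Domain       KeyLength  SAN_Domains                          CA               Created               Renew
mail.example.com  "2048"     mail.example.net,mail.example.org    LetsEncrypt.org  2019-07-06T17:13:00Z  2019-09-04T17:13:00Z
mail.example.org  "2048"     no                                   LetsEncrypt.org  2019-04-01T00:00:00Z  2019-05-31T00:00:00Z
"""


def parse_acme_list(text):
    """Return one dict per certificate line, with Created/Renew parsed as UTC datetimes."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in line: {line!r}")
        row = dict(zip(header, fields))
        row["KeyLength"] = row["KeyLength"].strip('"')
        # acme.sh prints "no" when a certificate has no SAN entries (assumed).
        row["SAN_Domains"] = [] if row["SAN_Domains"] == "no" else row["SAN_Domains"].split(",")
        for key in ("Created", "Renew"):
            row[key] = datetime.strptime(row[key], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def renewal_status(rows, now, warn_days=7):
    """Classify each certificate relative to `now`.

    'ok'      : the Renew timestamp (about 60 days after issue) is still in the future
    'due'     : the renewal window opened less than warn_days ago (cron should handle it)
    'overdue' : renewal is more than warn_days late; the nightly job or deploy hook failed
    Returns {main_domain: (status, days_until_renew)}; negative days mean the date has passed.
    """
    result = {}
    for row in rows:
        delta = row["Renew"] - now
        if delta > timedelta(0):
            status = "ok"
        elif delta > -timedelta(days=warn_days):
            status = "due"
        else:
            status = "overdue"
        result[row["Main_Domain"]] = (status, delta.days)
    return result


def main():
    now = datetime.now(timezone.utc)
    for domain, (status, days) in renewal_status(parse_acme_list(SAMPLE_LIST), now).items():
        print(f"{domain:20s} {status:8s} renew in {days} days")


if __name__ == "__main__":
    main()
```

In practice you would feed the check the real output (`su - zimbra -c '~/.acme.sh/acme.sh --list'`) from a monitoring job and alert on any `overdue` entry; the `due` state is normal for a night or two because acme.sh only attempts renewal on its own schedule.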
