Another Letsencrypt method

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
zimico
Posts: 13
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.7.5
Contact:

Re: Another Letsencrypt method

Postby zimico » Mon Dec 19, 2016 4:27 pm

Dear, I get stuck at this step:

Code: Select all

root@mail:/home/example/.acme.sh/mail.zimilab.com# su zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer"
** Verifying 'mail.zimilab.com.cer' against 'mail.example.com.key'
Certificate 'mail.zimilab.com.cer' and private key 'mail.example.com.key' match.
** Verifying 'mail.zimilab.com.cer' against 'fullchain.cer'
ERROR: Unable to validate certificate chain: mail.example.com.cer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

I'm running OSS 8.7.1 on Ubuntu 16.
Could you please advise?
Thank you,
Minh.


User avatar
JDunphy
Advanced member
Advanced member
Posts: 133
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017
Contact:

Re: Another Letsencrypt method

Postby JDunphy » Mon Dec 19, 2016 4:53 pm

It kind of looks like IdentTrust.pem wasn't added to the end of your fullchain.cer ... I tend to create the IdentTrust.pem and then cat it.

If you did some cut/paste... watch for new lines and other oddities, etc. You should see 3 certs in that fullchain

Code: Select all

cd wherever_your_certs_are
grep BEGIN fullchain.cer
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
User avatar
zimico
Posts: 13
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.7.5
Contact:

Re: Another Letsencrypt method

Postby zimico » Mon Dec 19, 2016 5:13 pm

Dear, thank you very much. You are super! Just a tiny mistake when copy and paste. My output is:

Code: Select all

grep BEGIN fullchain.cer
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
----BEGIN CERTIFICATE-----

It's lack of one "-" at the beginning of the third cert.

Regards, Minh
User avatar
zimico
Posts: 13
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.7.5
Contact:

Re: Another Letsencrypt method

Postby zimico » Tue Dec 20, 2016 4:33 am

Dear JDunphy,
In case of multi server as well as multi-domain could you please describe the general steps?
Thanks,
Minh.
User avatar
JDunphy
Advanced member
Advanced member
Posts: 133
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017
Contact:

Re: Another Letsencrypt method

Postby JDunphy » Tue Dec 20, 2016 3:26 pm

That is a loaded question. :D

For multiple-domain, You have some options but because letsencrypt doesn't do wildcard certs, this may not be the best CA depending on complexity with some environments. If you have a few, then the current limit is 100 domain aliases per certificate so you would need to generate 6 certs for 600 domains for example. Use the -d to create these domains per cert. You also have rate limits of 500 per ip address and 20 different certs per week I believe. see: https://letsencrypt.org/docs/rate-limits/

In the original example in this thread, it shows:

Code: Select all

cd ..
source $home/.acme.sh/acme.sh.csh or simply login/logout first time if you are not sure. I just source .cshrc myself.
acme.sh --issue --dns -d mail.example.com -d mail.example.net -d mail.example.org -d tmail.example.com


One of my zimbra servers has multiple domains and aliases... I specified them with -d X -d Y -d Z, etc.

What I found useful about 8.7+ and using a proxy in general is that I added a tmail.example.com cert entry to my test server and without any other changes other than deploying that cert, the users could test this new multiple domain cert and verify they work with their browsers and email clients on a staging/test server with 8.7+. I had restricted the ciphers so I was able to verify the user base before scp -r that .acme.sh directory to the production server and doing this for real. I could also verify that 8.7+ wasn't going to break some complex user accounts. I renew the cert from the production machine going forward using the method I outline in this thread. WARNING: that acme.sh script doesn't handle multiple certs very well so I tend to move the directory (mail.example.com) with the cert out of the way before using the same environment to generate a new certificate for another machine on my test server. There may have been an option to get around this limitation but I didn't use it. The larger point I am trying to make is that free CA's with 5-10 second creation times do open up some additional possibilities that may not have existed previously given the time/cost associated to renew or create certs with some commercial CAs.

Back to your question about a multi-server in a multiple-domain configuration... I can think of 2 ways but have never tested nor have these configurations. It would be valuable if someone with experience could comment on this. Zimbra has a few documents which I reference below that describe a few methodologies.

Method 1:
Same as single server instance and generate them on one server accounting for all the domains, create the full chain and scp just what you need or the directory to each server. From there verify and deploy them.

Method 2:
Create them on each machine and only for that machine and deploy them directly. That method allows for extra layering of security so that a compromised cert keeps other certs intact perhaps.

These are good starting points as are previous answers in this forum to multiple server and certs environments.

Ref: https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS
Ref: http://info.zimbra.com/hubfs/landing-pages/whitepapers/Zimbra_SSL_SNI_Whitepaper.pdf
Ref: https://s3.amazonaws.com/files.zimbra.com/website/docs/8.7/Zimbra%20Multi-Server%20Installation%20Guide%20Network%20Edition%208.7.pdf
kenedy
Posts: 1
Joined: Tue Dec 20, 2016 6:29 pm

Re: Another Letsencrypt method

Postby kenedy » Tue Dec 20, 2016 6:33 pm

I think now it works very properly...
User avatar
zimico
Posts: 13
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.7.5
Contact:

Re: Another Letsencrypt method

Postby zimico » Mon Dec 26, 2016 7:02 am

Wow, thank JDunphy for your time and effort. Wish you a happy new year! :)
I used to use method 2 for multi server environment.
Minh.
lytledd
Outstanding Member
Outstanding Member
Posts: 467
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Another Letsencrypt method

Postby lytledd » Sat Jan 21, 2017 3:30 pm

Two comments on this thread, now that I've had time to implement it.

1.) Please make note that the certificate that needs to be created (IdentTrust.pem) is the LetsEncrypt Root certificate, that bit of understanding would have prevented a lot of head scratching on my part, and please fix the entry where the first BEGIN CERTIFICATE should have 5 dashes, not 4, this hung me up until I reviewed the link to the wiki article that this is based off of.

2.) I'm sure others here were aware, but I wasn't, that the certificates issued by LetsEncrypt are only good for 3 months, after which, they will need to be renewed)

Thanks!

Doug
User avatar
JDunphy
Advanced member
Advanced member
Posts: 133
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017
Contact:

Re: Another Letsencrypt method

Postby JDunphy » Sat Jan 21, 2017 4:35 pm

lytledd wrote:Two comments on this thread, now that I've had time to implement it.

1.) Please make note that the certificate that needs to be created (IdentTrust.pem) is the LetsEncrypt Root certificate, that bit of understanding would have prevented a lot of head scratching on my part, and please fix the entry where the first BEGIN CERTIFICATE should have 5 dashes, not 4, this hung me up until I reviewed the link to the wiki article that this is based off of.

2.) I'm sure others here were aware, but I wasn't, that the certificates issued by LetsEncrypt are only good for 3 months, after which, they will need to be renewed)

Thanks!

Doug


Thanks Doug... made the change. Can't believe that has been there all along.That IdentTrust.pem comes from here: https://www.identrust.com/certificates/trustid/root-download-x3.html

More specifically:
Our intermediate is signed by ISRG Root X1. However, since we are a very new certificate authority, ISRG Root X1 is not yet trusted in most browsers. In order to be broadly trusted right away, our intermediate is also cross-signed by another certificate authority, IdenTrust, whose root is already trusted in all major browsers. Specifically, IdenTrust has cross-signed our intermediate using their DST Root CA X3.
Do you have some specific recommendations on how to word that original phrase to be less confusing? It isn't exactly the LetsEncrypt root CA which can be found here: https://letsencrypt.org/certificates/

As for 3 months, that is unique about letsencrypt at this time. The thread discusses this a little bit including the limitations of how many you can do etc. After observing the problems with forged signatures this past year, I am becoming a big fan of the 3 months and less camp. Initially, I viewed an expired cert as extra work... now I view it as an opportunity to close a window of vulnerability. Funny how mindsets change. :-)
lytledd
Outstanding Member
Outstanding Member
Posts: 467
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 8.7.11.GA.1854.UBUNTU14.64

Re: Another Letsencrypt method

Postby lytledd » Sat Jan 21, 2017 5:19 pm

Do you have some specific recommendations on how to word that original phrase to be less confusing?


Actually,

The bit you just posted would be perfect!

Doug

Return to “Administrators”

Who is online

Users browsing this forum: Bing [Bot] and 33 guests