Another Letsencrypt method

JDunphy
Posts: 124
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.9_GA_1794.RHEL6_64_2017

Re: Another Letsencrypt method

Post by JDunphy » Thu Apr 27, 2017 3:14 pm

myriad wrote: Will I be allowed to replace the certs before expiry?

Yes... acme.sh now uses 60 days, as does letsencrypt I believe, since I first began this thread last fall, but if you want to do it sooner... just add the --force option to acme.sh when you issue/renew them. This free cert thing is hard to get used to because they want you to generate them more often. The longer certs exist, the longer the window for potential abuse via PKI. If I didn't have to take any zimbra outage to replace my certs, I would replace them more frequently, so it's a trade-off vs outages for me.


myriad
Posts: 74
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 8.7.0_GA_1659.FOSS

Success with Another Letsencrypt method

Post by myriad » Fri Apr 28, 2017 1:05 am

Ok. So I got it going successfully and I just wanted to post how I did it in case others are having problems like I did with the certificates not creating properly. I have learned WAY more about acme.sh than I ever needed to and I found one really cool thing which helped me tremendously!

1. To create or issue new or broken certificates I used acme's DNS API which can be found at: https://github.com/Neilpang/acme.sh/tree/master/dnsapi (I use Linode), which is THE WAY to create certs using the --dns method if you are using one of their supported DNS providers. Acme supports many cloud/VPS providers and all you really need to do is get an API key from one of your providers on the list and enter the key in the acme.conf file. Then call the issue like so (substituting your remote DNS name) as a non-root user:

Code:

# Every hostname needs its own -d flag; --dnssleep 900 waits 15 minutes for the
# _acme-challenge TXT records to propagate before the CA is asked to validate.
acme.sh --issue --dns dns_linode --dnssleep 900 -d mail.example.com -d mail.example.net -d tmail.example.com

That's it! It will upload the keys to your remote DNS server, wait 15 minutes and verify, and then delete the keys off of the remote DNS server, and you're done creating the certs.

2. I then added two cron jobs. The first job is step one's --issue code which runs every night as the non_root_user. The second cron job calls Jim's deploy-zimbra-letsencrypt.sh script which is run as the zimbra user.

That's it!
Last edited by myriad on Fri Apr 28, 2017 2:29 pm, edited 1 time in total.

Re: Success with Another Letsencrypt method

Post by JDunphy » Fri Apr 28, 2017 1:44 pm

myriad wrote: 2. Now you need to copy the /home/your_non_root_user/.acme.sh folder with your new certs to your /opt/letsencrypt directory. I added the following two lines to Jim's deploy-zimbra-letsencrypt.sh script:

Code:

# Copy the acme.sh state (account key, issued certs and keys) from the
# non-root user's home into the directory the deploy script reads from.
cd /opt/letsencrypt
/bin/cp -rf /home/your_non_root_user/.acme.sh .


Very nice! I will include this in the recipes on github.

PS. I am experimenting with the stateless method. Super simple. You generate a key:

Code:

acme.sh --register-account
[Thu Apr 17 12:23:09 PDT 2017] Registering account
[Thu Apr 17 12:23:09 PDT 2017] Already registered
[Thu Apr 17 12:23:09 PDT 2017] Update success.
[Thu Apr 17 12:23:09 PDT 2017] ACCOUNT_THUMBPRINT='6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd'


take this key and add it to one of the nginx files with an entry like this:
http {
...
server {
...
  # acme.sh stateless mode: the CA fetches /.well-known/acme-challenge/<token>
  # and expects the key authorization "<token>.<account thumbprint>", so the
  # token captured from the URL ($1) must be echoed back in front of the thumbprint.
  location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {
    default_type text/plain;
    return 200 "$1.6fXAG9VyG0IahirPEU2ZerUtItW2DHzDzD9wZaEKpqd";
  }
...
}
}


Once I figure out the best way to insert this key, this might be the method for zimbra to work out of the box with letsencrypt because it could be available as a template and zmconfigd could configure it based on whether this variable was set with the key. Given the small footprint that acme.sh has, it seems to be the least intrusive option for letsencrypt certificate issue/renewal that would universally work. One still needs to add the cron entry to issue/renew the certs and one entry to deploy them, but the issue/renewal would always work. Everything would run as the zimbra user, so in theory it could be done automatically and not require any interaction to make letsencrypt certificates the default vs self-signed. This stateless method requires that you have the latest acme.sh software.

Hint:

Code:

acme.sh --upgrade
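
As an added worked example (not code from this thread, from acme.sh, or from Zimbra): both recipes above hinge on the ACME key authorization, which is the challenge token joined with a "." to the account key's RFC 7638 thumbprint. The script below derives that thumbprint from an account public key in JWK form (the value acme.sh prints as ACCOUNT_THUMBPRINT), builds the DNS-01 TXT value that the dns_linode hook publishes while --dnssleep waits, generates the stateless nginx stanza, and then shows why that stanza has to echo the captured token ("$1.") in front of the thumbprint rather than returning the thumbprint alone. The RSA key is the public test key printed in RFC 7638 section 3.1 and the challenge token is made up; neither is this thread's account or a real challenge.

```python
"""ACME key-authorization values behind the stateless HTTP-01 stanza and the
DNS-01 TXT record. Standard library only; runs offline."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an account public key: SHA-256 over the required
    public members only (no 'alg', 'kid' or private parts), members sorted,
    no whitespace. acme.sh prints this as ACCOUNT_THUMBPRINT."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    try:
        members = required[jwk["kty"]]
    except KeyError:
        raise ValueError("missing or unsupported kty") from None
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: the string the CA expects for any challenge type."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value at _acme-challenge.<domain> for DNS-01."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def nginx_stateless_location(thumbprint: str) -> str:
    """Stateless HTTP-01 stanza. The '$1.' prefix makes nginx echo the token it
    captured from the request path in front of the fixed thumbprint."""
    return (
        'location ~ "^/\\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {\n'
        "    default_type text/plain;\n"
        f'    return 200 "$1.{thumbprint}";\n'
        "}"
    )


def simulate_nginx_return(return_body: str, token: str) -> str:
    """Model nginx substituting the regex capture $1 into a `return 200 "..."` body."""
    return return_body.replace("$1", token)


def http01_valid(served_body: str, token: str, thumbprint: str) -> bool:
    """What the CA checks after fetching /.well-known/acme-challenge/<token>
    (trailing whitespace in the body is ignored, per RFC 8555 section 8.3)."""
    return served_body.rstrip() == key_authorization(token, thumbprint)


# Constructed sample input: the RSA public test key from RFC 7638 section 3.1
# (not this thread's account key) and a made-up challenge token.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",   # ignored by the thumbprint, as RFC 7638 requires
    "kid": "2011-04-29",
}
SAMPLE_TOKEN = "madeUpTokenForIllustration-0123456789abcdef"  # constructed, not a real challenge


if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    print("ACCOUNT_THUMBPRINT=", thumb)
    print(nginx_stateless_location(thumb))
    print("DNS-01 TXT value:", dns01_txt_value(SAMPLE_TOKEN, thumb))
    # A stanza that returns only the thumbprint (no "$1.") serves the wrong body.
    for body in (f"$1.{thumb}", thumb):
        served = simulate_nginx_return(body, SAMPLE_TOKEN)
        print(f'return 200 "{body[:14]}..." -> CA accepts: {http01_valid(served, SAMPLE_TOKEN, thumb)}')
```

Running it prints the thumbprint, the nginx stanza and the TXT value, and shows the CA accepting the "$1." form and rejecting a body that carries the thumbprint alone. The same thumbprint function explains why the stateless stanza survives certificate renewals: it depends only on the ACME account key, not on any issued certificate.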
