Another Letsencrypt method

xorcz
Posts: 6
Joined: Fri Nov 20, 2015 6:48 am

Re: Another Letsencrypt method

Postby xorcz » Sat Jul 06, 2019 5:13 pm

Hello, I am looking for a working Letsencrypt script for Zimbra. I am puzzled about which way is the most current. This thread is huge, with a lot of changes. Which guideline is the latest? Should I follow https://github.com/JimDunphy/deploy-zim ... encrypt.sh ? Thanks


JDunphy
Outstanding Member
Posts: 538
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P16 RHEL6 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Sat Jul 06, 2019 5:57 pm

It is kind of a mess, isn't it? The initial steps document things on the first page. Then it went into a script to help others follow along so there would be fewer typing mistakes... Eventually, the script wasn't necessary as the acme.sh script evolved and the community developed a deploy hook script to handle the install/renewal. The wiki article https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt pulls the important parts from this thread.

If you are comfortable with letsencrypt, I would follow the wiki and go directly to the 'all in one method' at step 6 ... That is what I do now. The script works too and doesn't require you to be the zimbra user when you run acme.sh as the 'All in one method' does.

Steps:
1. repeat until you get a verified certificate
2. have zimbra verify your certificate
3. have zimbra install your certificate
4. restart zimbra

The scripts are there to protect you from trying to do something without having a valid certificate. If you like DNS, can follow directions, and have a DNS provider that has an API, then it's hard to beat the all in one method, as the installation will even add the crontab entry to do the renewals for you. Less code to maintain since it's all acme.sh, with the exception of the deploy hook that you initially have to copy/paste into the deploy folder.

This is what you do after installing acme.sh and configuring ...

Code:

% su - zimbra
% cd .acme.sh
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com

You don't go to the deploy step until you have a valid certificate via the issue step. This also handles the renewal automatically because acme.sh runs every night from cron and checks to see if it's time for renewal. If it is time, it does it and then calls that hook automatically...

If you are curious when the renewal will happen do this:

Code:

% ./acme.sh --list

And it will tell you when acme.sh would renew at the earliest (currently about 60 days, unless you force it).

Pretty simple process but too much documentation and more is not better IMO.
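The ordering the post insists on (no deploy until the issue step has produced a valid certificate, and run as the zimbra user when using the all in one method) can be enforced with a small wrapper. The script below is an added example, not code from the thread, from JDunphy's deploy hook, or from the acme.sh project. It assumes acme.sh is installed at $HOME/.acme.sh/acme.sh, that the DNS API provider is dns_cf as in the thread, and that the expected user is zimbra; all three are overridable through the ACME, ACME_DNS and ZIMBRA_USER variables.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): run the issue step and only
# then the zimbra deploy hook. acme.sh itself is not modified or reimplemented;
# this wrapper just refuses to deploy after a failed (or skipped) issue, and
# refuses to run as anyone but the expected user.

ACME="${ACME:-$HOME/.acme.sh/acme.sh}"   # assumed acme.sh location
ACME_DNS="${ACME_DNS:-dns_cf}"           # DNS API provider, dns_cf as in the thread
ZIMBRA_USER="${ZIMBRA_USER:-zimbra}"     # user the all in one method runs as

# issue_then_deploy primary-host [alt-host...]
#   0 = issued and deployed, 1 = issue failed so nothing was deployed,
#   2 = usage or wrong user.
issue_then_deploy() {
    if [ "$#" -lt 1 ]; then
        echo "usage: issue_then_deploy primary-host [alt-host...]" >&2
        return 2
    fi
    if [ "$(id -un)" != "$ZIMBRA_USER" ]; then
        echo "refusing to run as $(id -un); expected $ZIMBRA_USER" >&2
        return 2
    fi

    primary=$1
    # Turn the hostname list into the "-d host" pairs acme.sh expects.
    args=""
    for h in "$@"; do
        args="$args -d $h"
    done

    # Step 1: obtain (or renew) the certificate via the DNS challenge.
    # Any non-zero exit (failed validation, or "not yet due" on a renewal)
    # means there is nothing new to hand to Zimbra, so stop here.
    # shellcheck disable=SC2086
    if ! "$ACME" --issue --dns "$ACME_DNS" $args; then
        echo "issue step did not produce a new certificate for $primary; not deploying" >&2
        return 1
    fi

    # Step 2: only now let the zimbra deploy hook install it and restart Zimbra.
    "$ACME" --deploy --deploy-hook zimbra -d "$primary"
}

# Show when acme.sh would next renew, as in the thread's --list step.
renewal_status() {
    "$ACME" --list
}

# Run directly: issue_and_deploy.sh mail.example.com mail.example.net ...
if [ "$#" -gt 0 ]; then
    issue_then_deploy "$@"
fi
```

Run it as the zimbra user after acme.sh is installed and the DNS API credentials are configured; cron still owns the nightly renewal, this wrapper only makes the first manual issue/deploy harder to get wrong.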
JDunphy
Outstanding Member
Posts: 538
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P16 RHEL6 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Thu Dec 24, 2020 7:35 pm

With letsencrypt signing their own certificates beginning Jan 11, here is a link to a new feature that was added to acme.sh to support the preferred chain, should anyone need to revert back to the IdentTrust intermediate signed chain (very old android clients) or test early with the ISRG Root X1 signed chain before Jan 11. You could also renew before Jan 11 to obtain a few more months.

ref: https://github.com/acmesh-official/acme ... rred-Chain
ref: https://letsencrypt.org/2019/04/15/tran ... -root.html

Note: if you are using deploy/zimbra.sh with acme.sh, this can be commented out eventually, as the new chain doesn't require the IdentTrust intermediate.

Code:

   # Zimbra's javastore still needs DST Root CA X3 to verify on some versions
   _IdentTrust="$(dirname "$_cca")/../IdentTrust.pem"
   _debug _IdentTrust "$_IdentTrust"

   # grab it if we don't have it
   if [ ! -f "$_IdentTrust" ]; then
      _debug No "$_IdentTrust"
      wget -q "https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem" -O "$_IdentTrust" || return 1
   fi

   # append Intermediate
   cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real"

You also need to use $_cfullchain instead of ${_cca}.real, so the simplest method would be to replace the last line above with something like this, as ${_cca}.real is referenced in a few places:

Code:

   # no Intermediate required
   cat "$_cfullchain" > "${_cca}.real"

I'll fix it so it uses $_cfullchain instead of ${_cca}.real after Jan 11, but wanted to provide a workaround in case anyone will be trying the new chain early.

I will force a renew on my zimbra letsencrypt certs before Jan 11 and then update this script, given IdentTrust will no longer be necessary, and should you pull the older signed chain, that will stop working by March 2021 as that intermediate will also expire. Read the transition link above for the explanation of why.
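Whichever variant of the last line you keep, it helps to look at what actually ended up in ${_cca}.real before Zimbra loads it. The script below is an added example, not part of the thread or of the acme.sh deploy hook. It splits a PEM bundle into its certificates, computes each one's SHA-1 fingerprint, and reports whether the DST Root CA X3 cross-sign is still present. The fingerprint it looks for is the hash that appears in the ssl-tools.net URL the hook downloads from; the file path in the usage comment is assumed, and only awk, base64 and sha1sum are needed.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): inspect a PEM bundle such as
# the "${_cca}.real" file the zimbra deploy hook writes, and say whether the
# legacy IdentTrust (DST Root CA X3) certificate is still being appended.

# SHA-1 fingerprint of DST Root CA X3, taken from the ssl-tools.net URL in the hook.
DST_ROOT_X3_SHA1="dac9024f54d8f6df94935fb1732638ca6ad77c13"

# pem_fingerprints FILE: print one lowercase SHA-1 fingerprint per certificate,
# in bundle order. The fingerprint is over the DER bytes, i.e. the base64 body.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inside = 0; print body; next }
        inside                         { body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s\n' "$b64" | base64 -d | sha1sum | cut -c1-40
    done
}

# pem_count FILE: number of certificates in the bundle.
pem_count() {
    pem_fingerprints "$1" | wc -l | tr -d ' '
}

# bundle_has_fingerprint FILE SHA1: exit 0 if a certificate with that
# fingerprint is in the bundle, 1 otherwise.
bundle_has_fingerprint() {
    pem_fingerprints "$1" | grep -qix -- "$2"
}

# check_chain FILE: one-line report; exit 1 if the IdentTrust cross-sign is
# present (the chain the thread says is no longer needed), 0 if it is absent.
check_chain() {
    n=$(pem_count "$1")
    if bundle_has_fingerprint "$1" "$DST_ROOT_X3_SHA1"; then
        echo "$1: $n certificate(s); DST Root CA X3 present (IdentTrust chain still appended)"
        return 1
    fi
    echo "$1: $n certificate(s); no DST Root CA X3 (ISRG-only chain)"
    return 0
}

# Run directly, e.g. against the hook's output (path assumed):
#   check_chain.sh /opt/zimbra/.acme.sh/mail.example.com/ca.cer.real
if [ "$#" -gt 0 ]; then
    check_chain "$1"
fi
```

The fingerprint is computed over the decoded DER, so it matches what `openssl x509 -fingerprint -sha1` would print for the same certificate, without needing openssl on the box; if you keep the IdentTrust branch of the hook for old android clients, this check tells you at a glance which chain a given run produced.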
JDunphy
Outstanding Member
Posts: 538
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P16 RHEL6 Network Edition

Re: Another Letsencrypt method

Postby JDunphy » Mon Jan 11, 2021 8:07 pm

It doesn't appear we have to do anything; they have backed off the Jan 11 switch and have found a novel method to continue to support old android clients.

Nutshell: A new intermediate will indirectly sign the current Let’s Encrypt intermediate certificate (R3). This ensures that clients that know the Let’s Encrypt ISRG root certificate and that check the expiration dates of root certificates will still accept the certificate chain. The downside of this approach is that the chain will contain two certificates, creating additional traffic overhead. Note: The new intermediate will not directly sign end-entity certificates. Better explained in the links below.

Ref: https://letsencrypt.org/2020/12/21/exte ... ility.html
Ref: https://www.feistyduck.com/bulletproof- ... ld_android

I haven't tested the new chain with zimbra yet.
