It is kind of a mess, isn't it? The initial steps document things on the first page. Then it went into a script to help others follow along so there would be fewer typed mistakes... Eventually, the script wasn't necessary as the acme.sh script evolved and the community developed a deploy hook script to handle the install/renewal. The wiki article https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt pulls the important parts from this thread.
If you are comfortable with letsencrypt, I would follow the wiki and go directly to the 'all in one method' at step 6 ... That is what I do now. The script works too and doesn't require you to be the zimbra user when you run acme.sh as the 'All in one method' does.
repeat until you Get verified certificate
have zimbra verify your certificate
have zimbra install your certificate
The scripts are there to protect you from trying to do something without having a valid certificate. If you like DNS, can follow directions and have a DNS provider that has an API then it's hard to beat the all in one method as the installation will even add the crontab entry to do the renewals for you. Less code to maintain since it's all acme.sh with the exception of the deployhook that you initially have to copy/paste into the deploy folder.
This is what you do after installing acme.sh and configuring ...
% su - zimbra
% cd .acme.sh
% ./acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
You don't go to the deploy step until you have a valid certificate via the issue step. This also handles the renewal automatically because acme.sh runs every night from cron and checks to see if it's time for renewal. If it is time, it does it and then calls that hook automatically...
If you are curious when the renewal will happen do this:
And it will tell you when acme.sh would renew at the earliest. (currently about 60 days unless you force it)
Pretty simple process but too much documentation and more is not better IMO.
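A pre-deploy gate for the two-step flow described in this post (issue first, deploy only with a valid certificate), as an added example that is not the poster's or acme.sh's own code. The function names, the `ACME_DIR` variable, the 30-day threshold and the `<domain>/<domain>.{key,cer}` layout under `~/.acme.sh` are assumptions.

```shell
#!/bin/sh
# Added example: refuse to deploy unless the issued certificate checks out.
# ACME_DIR and the 30-day default are assumptions, not acme.sh settings.

# cert_ready KEY CERT HOST [MIN_DAYS]
# 0 = ok, 1 = file missing, 2 = cert unparsable, 3 = key/cert mismatch,
# 4 = HOST not covered, 5 = expires within MIN_DAYS.
cert_ready() {
    key=$1 cert=$2 host=$3 min_days=${4:-30}
    [ -s "$key" ] && [ -s "$cert" ] || { echo "missing key or cert" >&2; return 1; }

    # Compare the public key inside the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] || { echo "cert does not parse" >&2; return 2; }
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 3; }

    # -checkhost prints "... does match certificate" or "... does NOT match ...".
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' || { echo "cert does not cover $host" >&2; return 4; }

    # -checkend exits non-zero if the cert expires within the given seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "cert expires within $min_days days" >&2; return 5; }
    return 0
}

# deploy_if_ready DOMAIN
# Runs the deploy command from the post only after cert_ready passes.
# Assumes acme.sh's default RSA layout: $ACME_DIR/DOMAIN/DOMAIN.{key,cer}.
deploy_if_ready() {
    d=$1 dir=${ACME_DIR:-$HOME/.acme.sh}
    cert_ready "$dir/$d/$d.key" "$dir/$d/$d.cer" "$d" || return $?
    "$dir/acme.sh" --deploy --deploy-hook zimbra -d "$d"
}
```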