Posted: Sat Jul 06, 2019 5:13 pm
by xorcz
Hello, I am looking for a working Letsencrypt script for Zimbra. I am puzzled which way is the most current. This thread is huge with a lot of changes. Which guideline is the latest? Should I follow ... ? Thanks

Posted: Sat Jul 06, 2019 5:57 pm
by JDunphy
It is kind of a mess, isn't it? The initial steps document things on the first page. Then it went into a script to help others follow along so there would be fewer typed mistakes... Eventually, the script wasn't necessary as the script evolved and the community developed a deploy hook script to handle the install/renewal. The wiki article pulls the important parts from this thread.

If you are comfortable with letsencrypt, I would follow the wiki and go directly to the 'all in one method' at step 6 ... That is what I do now. The script works too and doesn't require you to be the zimbra user when you run as the 'All in one method' does.

repeat until you get a verified certificate
have zimbra verify your certificate
have zimbra install your certificate
restart zimbra

The scripts are there to protect you from trying to do something without having a valid certificate. If you like DNS, can follow directions and have a DNS provider that has an API then it's hard to beat the all in one method as the installation will even add the crontab entry to do the renewals for you. Less code to maintain since it's all with the exception of the deployhook that you initially have to copy/paste into the deploy folder.

This is what you do after installing and configuring ...

% su - zimbra
% cd
% ./ --issue --dns dns_cf -d -d -d
% ./ --deploy --deploy-hook zimbra -d

You don't go to the deploy step until you have a valid certificate via the issue step. This also handles the renewal automatically because runs every night from cron and checks to see if it's time for renewal. If it is time, it does it and then calls that hook automatically...

If you are curious when the renewal will happen do this:

% ./ --list

And it will tell you when would renew at the earliest. (currently about 60 days unless you force it)

Pretty simple process but too much documentation and more is not better IMO.
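
The rule in the post above, that the verify/install/restart steps run only once a valid certificate exists, written as a local pre-deploy gate. This is an added example, not part of the original thread or of the scripts it refers to; the function names are hypothetical, the sample certificate is a constructed self-signed one, and the printed `zmcertmgr`/`zmcontrol` invocations assume a standard Zimbra install.

```shell
#!/bin/sh
# Added example: refuse to plan a deploy unless the certificate is usable.
# Hypothetical names: cert_ready, deploy_plan, make_sample_cert.

# cert_ready CERT KEY [MIN_DAYS]: returns 0 only if the certificate parses,
# stays valid for MIN_DAYS more days (default 1) and matches the private key.
cert_ready() {
    cert=$1 key=$2 min_days=${3:-1}
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing cert or key" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "certificate unreadable or expiring within $min_days day(s)" >&2; return 1; }
    # Compare the public key in the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
}

# deploy_plan CERT KEY CHAIN: print the Zimbra steps in order, but only after
# the gate passes. Commands are printed, not executed (assumed Zimbra syntax).
deploy_plan() {
    cert_ready "$1" "$2" || return 1
    echo "zmcertmgr verifycrt comm $2 $1 $3"
    echo "zmcertmgr deploycrt comm $1 $3"
    echo "zmcontrol restart"
}

# make_sample_cert DIR DAYS: constructed self-signed pair for trying the gate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=mail.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}
```

The gate only catches local problems (expiry, wrong key, missing files); chain validation is still left to Zimbra's own verify step.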