Automatic Renewal of Let's Encrypt Certificates

 Bic
(@bic)
Joined: 1 year ago
Posts: 7
Topic starter  

I'm sorry, perhaps the question is silly, but I couldn't find any answers. Does Carbonio have the capability to request and automatically install Let's Encrypt certificates directly from the administration console, and does it also handle the automatic renewal since they expire every 90 days?


   
(@0x3f8)
Joined: 1 year ago
Posts: 5
 

Looking for the same info myself.  I just migrated from Zimbra OCS this week and to answer your first question, Bic, the Admin UI will certainly handle the certs for you.  I was quite pleased with that. 

Renewal is another question.  I have a script I used on Zimbra to monitor and rotate my certs as needed.   I was preparing to rewrite that to accommodate the zextras certbot and paths but found a renewal config file and "renewal-hooks" as well.  I don't see anything in the crontab to handle this though.

 

If it turns out we have to script it again, I'll be happy to share.  Would love to hear that it's a scheduled task somewhere though.


   
(@stefanodavid)
Joined: 3 years ago
Posts: 226
 

Hi, have you checked the documentation? 

https://docs.zextras.com/carbonio-ce/html/adminpanel/domains.html#procedure-to-install-a-let-s-encrypt-certificate

If you find something in those docs that is not clear and that we can improve, we are happy to take suggestions.


   
(@anahuac)
Joined: 1 year ago
Posts: 323
 

I wrote a tutorial about it yesterday... hope it helps

Let’s Encrypt on Carbonio – Easy as never before


   
 MAX
(@max)
Joined: 1 year ago
Posts: 82
 

@anahuac , great article and great job! Added to my bookmarks!


   
(@0x3f8)
Joined: 1 year ago
Posts: 5
 

As promised, here is a script to check your domain SSL certs and warn you via email if there are less than 15 days left.  Ideally the certbot will renew your certs when <30 days remaining if you are using the crontab that @anahuac provided.

Configure your crontab to run this as often as you like, but keep in mind you'll get an email every time it runs.  Better yet, use a real solution like zabbix or checkmk to monitor your certificates.

Requirements: openssl and mailx

 

#!/bin/bash
# Check the number of days left before certificate expiration and send a
# warning email if there are less than 15 days remaining on the certificate
# Taken from
#  https://sleeplessbeastie.eu/2017/04/03/how-to-display-days-till-certificate-expiration/

# temporary file to store certificate
certificate_file=$(mktemp)
host="mail.sampledomain.xyz"
sender="admin@sampledomain.xyz"
recipient="admin@sampledomain.xyz"
now=$(/usr/bin/date)

# delete temporary file on exit
trap 'rm -f "$certificate_file"' EXIT

# save the certificate the server presents on port 443
echo -n | /usr/bin/openssl s_client -servername "$host" -connect "$host":443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$certificate_file"
certificate_size=$(stat -c "%s" "$certificate_file")
if [ "$certificate_size" -gt 1 ]; then
  # expiry date (notAfter) of the certificate, converted to whole days from now
  date=$(openssl x509 -in "$certificate_file" -enddate -noout | sed "s/.*=\(.*\)/\1/")
  date_s=$(date -d "${date}" +%s)
  now_s=$(date -d now +%s)
  date_diff=$(( (date_s - now_s) / 86400 ))
  # mail -a "From: ..." adds a header with bsd-mailx and GNU mailutils;
  # other mailx implementations use -a to attach a file
  if [ "$date_diff" -lt 15 ]; then
    echo "Certificate on $host has ${date_diff} days remaining (less than 15), Check certbot renewal for errors" | /usr/bin/mail -a "From: $sender" -s "Domain Certificate Issue" "$recipient" # Certificate should have renewed by now
  else
    echo "SSL Certificate on $host has ${date_diff} days remaining, Nothing to do" | /usr/bin/mail -a "From: $sender" -s "Domain SSL Status OK" "$recipient" # ok
  fi
else
  # no certificate could be retrieved from the server
  echo "Error encountered processing certificate at ${now} on $host. Check Mailserver Status"  | /usr/bin/mail -a "From: $sender" -s "Mailserver Certificate Problem" "$recipient"
fi


   
ReplyQuote
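An added example, not part of 0x3f8's post and not Carbonio's own tooling: a variant of the check above that prints nothing unless a certificate is inside the 15-day window, so a cron job with MAILTO set only sends mail when renewal has not happened. It goes beyond the post by also checking other TLS listeners of the mail server; the port list, the STARTTLS entry and the function names are assumptions, and it needs openssl and GNU date.

```shell
#!/bin/bash
# Added example, not the poster's script. Needs openssl and GNU date.
# Threshold matches the thread; the endpoint list is an assumption to adjust.
WARN_DAYS=15
ENDPOINTS="443 993 465 587:smtp"   # "port" or "port:starttls-protocol"

# cert_status "<notAfter=... line>" [now_epoch]
# Prints "STATE days"; returns 0 only when expiry is at least WARN_DAYS away.
cert_status() {
  local end_s now_s days
  case $1 in
    notAfter=?*) ;;
    *) echo "UNKNOWN -"; return 2 ;;   # no certificate was retrieved
  esac
  end_s=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || { echo "UNKNOWN -"; return 2; }
  now_s=${2:-$(date -u +%s)}
  days=$(( (end_s - now_s) / 86400 ))
  if [ "$end_s" -le "$now_s" ]; then echo "EXPIRED $days"; return 1; fi
  if [ "$days" -lt "$WARN_DAYS" ]; then echo "WARN $days"; return 1; fi
  echo "OK $days"
}

# fetch_enddate host port [starttls-protocol]
# Prints the notAfter line of the certificate actually served on that listener.
fetch_enddate() {
  openssl s_client -servername "$1" -connect "$1:$2" ${3:+-starttls "$3"} \
    </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null
}

# check_host host
# Prints one line per problem endpoint and nothing when every certificate is
# fine, so cron only has output to mail when renewal did not happen.
check_host() {
  local host=$1 ep port proto line status rc=0
  for ep in $ENDPOINTS; do
    port=${ep%%:*}
    proto=
    case $ep in *:*) proto=${ep#*:} ;; esac
    line=$(fetch_enddate "$host" "$port" "$proto") || line=
    status=$(cert_status "$line") || { echo "$host:$port $status"; rc=1; }
  done
  return "$rc"
}

# Live check only when a host is given, e.g.: ./certcheck.sh mail.sampledomain.xyz
if [ $# -gt 0 ]; then
  check_host "$1"
else
  # Offline demo on a constructed notAfter line and a fixed clock: prints "WARN 10"
  cert_status "notAfter=Jan 11 00:00:00 2030 GMT" "$(date -u -d '2030-01-01 00:00:00' +%s)" || true
fi
```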
 Bic
(@bic)
Joined: 1 year ago
Posts: 7
Topic starter  

Thanks anahuac and 0x3f8, great job!


   