I'm sorry, perhaps the question is silly, but I couldn't find any answers. Does Carbonio have the capability to request and automatically install Let's Encrypt certificates directly from the administration console, and does it also handle the automatic renewal since they expire every 90 days?
Looking for the same info myself. I just migrated from Zimbra OCS this week and to answer your first question, Bic, the Admin UI will certainly handle the certs for you. I was quite pleased with that.
Renewal is another question. I have a script I used on Zimbra to monitor and rotate my certs as needed. I was preparing to rewrite that to accommodate the zextras certbot and paths but found a renewal config file and "renewal-hooks" as well. I don't see anything in the crontab to handle this though.
If it turns out we have to script it again, I'll be happy to share. Would love to hear that it's a scheduled task somewhere though.
Hi, have you checked the documentation?
In case you find something in the docs that is not clear and that we can improve, we are happy to take suggestions.
I wrote a tutorial about it yesterday... hope it helps
As promised, here is a script to check your domain SSL certs and warn you via email if there are less than 15 days left. Ideally the certbot will renew your certs when <30 days remaining if you are using the crontab that @anahauc provided.
Configure your crontab to run this as often as you like, but keep in mind you'll get an email every time it runs. Better yet, use a real solution like zabbix or checkmk to monitor your certificates.
Requirements: openssl and mailx
```bash
#!/bin/bash
# Check the number of days left before certificate expiration and send a
# warning email if there are less than 15 days remaining on the certificate
# Taken from
# https://sleeplessbeastie.eu/2017/04/03/how-to-display-days-till-certificate-expiration/

# temporary file to store certificate
certificate_file=$(mktemp)

host="mail.sampledomain.xyz"
sender="admin@sampledomain.xyz"
recipient="admin@sampledomain.xyz"
now=$(/usr/bin/date)

# delete temporary file on exit
trap 'unlink "$certificate_file"' EXIT

# fetch the certificate the server presents on port 443
echo -n | /usr/bin/openssl s_client -servername "$host" -connect "$host":443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$certificate_file"

certificate_size=$(stat -c "%s" "$certificate_file")
if [ "$certificate_size" -gt "1" ]; then
  # extract the notAfter date and convert it to whole days from now
  date=$(openssl x509 -in "$certificate_file" -enddate -noout | sed "s/.*=\(.*\)/\1/")
  date_s=$(date -d "${date}" +%s)
  now_s=$(date -d now +%s)
  date_diff=$(( (date_s - now_s) / 86400 ))
  if [ "$date_diff" -lt "15" ]; then
    # Certificate should have renewed by now
    echo "Certificate on $host has less than ${date_diff} days remaining, Check certbot renewal for errors" | /usr/bin/mail -a "From: $sender" -s "Domain Certificate Issue" "$recipient"
  else
    # ok
    echo "SSL Certificate on $host has ${date_diff} days remaining, Nothing to do" | /usr/bin/mail -a "From: $sender" -s "Domain SSL Status OK" "$recipient"
  fi
else
  # no certificate could be retrieved from the server
  echo "Error encountered processing certificate at ${now} on $host. Check Mailserver Status" | /usr/bin/mail -a "From: $sender" -s "Mailserver Certificate Problem" "$recipient"
fi
```