I'm sorry, perhaps the question is silly, but I couldn't find any answers. Does Carbonio have the capability to request and automatically install Let's Encrypt certificates directly from the administration console, and does it also handle the automatic renewal since they expire every 90 days?
Looking for the same info myself. I just migrated from Zimbra OCS this week and to answer your first question, Bic, the Admin UI will certainly handle the certs for you. I was quite pleased with that.
Renewal is another question. I have a script I used on Zimbra to monitor and rotate my certs as needed. I was preparing to rewrite that to accommodate the zextras certbot and paths but found a renewal config file and "renewal-hooks" as well. I don't see anything in the crontab to handle this though.
If it turns out we have to script it again, I'll be happy to share. Would love to hear that it's a scheduled task somewhere though.
Hi, have you checked the documentation?
If you find something in those docs that is not clear and that we can improve, we are happy to take suggestions.
I wrote a tutorial about it yesterday... hope it helps
As promised, here is a script to check your domain SSL certs and warn you via email if there are less than 15 days left. Ideally the certbot will renew your certs when <30 days remaining if you are using the crontab that @anahauc provided.
Configure your crontab to run this as often as you like, but keep in mind you'll get an email every time it runs. Better yet, use a real solution like zabbix or checkmk to monitor your certificates.
Requirements: openssl and mailx
```bash
#!/bin/bash
# Check the number of days left before certificate expiration and send a
# warning email if there are less than 15 days remaining on the certificate
# Taken from
# https://sleeplessbeastie.eu/2017/04/03/how-to-display-days-till-certificate-expiration/

# temporary file to store certificate
certificate_file=$(mktemp)
host="mail.sampledomain.xyz"
sender="admin@sampledomain.xyz"
recipient="admin@sampledomain.xyz"
now=$(/usr/bin/date)

# delete temporary file on exit
trap 'unlink "$certificate_file"' EXIT

# fetch the certificate the server presents on port 443 and keep only the PEM block
echo -n | /usr/bin/openssl s_client -servername "$host" -connect "$host":443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$certificate_file"
certificate_size=$(stat -c "%s" "$certificate_file")

if [ "$certificate_size" -gt "1" ]; then
  # convert the notAfter date to epoch seconds and compute whole days remaining
  date=$(openssl x509 -in "$certificate_file" -enddate -noout | sed "s/.*=\(.*\)/\1/")
  date_s=$(date -d "${date}" +%s)
  now_s=$(date -d now +%s)
  date_diff=$(( (date_s - now_s) / 86400 ))
  if [ "$date_diff" -lt "15" ]; then
    # Certificate should have renewed by now
    echo "Certificate on $host has less than ${date_diff} days remaining, Check certbot renewal for errors" | /usr/bin/mail -a "From: $sender" -s "Domain Certificate Issue" "$recipient"
  else
    # ok
    echo "SSL Certificate on $host has ${date_diff} days remaining, Nothing to do" | /usr/bin/mail -a "From: $sender" -s "Domain SSL Status OK" "$recipient"
  fi
else
  # no certificate could be retrieved from the server
  echo "Error encountered processing certificate at ${now} on $host. Check Mailserver Status" | /usr/bin/mail -a "From: $sender" -s "Mailserver Certificate Problem" "$recipient"
fi
```
Hi,
I have the following error regarding that script.
Virtual Hostnames set for all domains.
ERROR: account.NO_SUCH_SERVER (no such server: mail)
zimbraReverseProxyMailMode set to redirect.
Stopping proxy...done.
Starting proxy...done.
zmproxyctl restarted.
Saving debug log to removed link
Simulating a certificate request for mail.xxxxx.id
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.xxxxxxxid
Type: connection
Detail: 103.163.161.xx: Fetching removed link : Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at removed link See the logfile removed link or re-run Certbot with -v for more details.
Certificate obtained for domain txxxxi.id
Saving debug log to removed link
Simulating a certificate request for mail.yyyyyyy.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.yyyyy.com
Type: connection
Detail: 103.163.161.xxx: Fetching removed link : Connection refused
Any advice to resolve this?
Thank you in advance.
You can automate the renewal of the Let's Encrypt SSL certificate without any script. Please feel free to take a look at this segment of the official documentation:
Let's Encrypt Automatic Renewal
Let us know how it goes!
Hi @sharif,
Thank you for your feedback, here is the result:
root@mail:~# certbot renew
Saving debug log to removed link
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing removed link
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing removed link
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
removed link expires on 2025-08-18 (skipped)
removed link expires on 2025-08-18 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This is letsencrypt.log:
root@mail:~# cat removed link
2025-05-20 08:34:23,328:DEBUG:urllib3.connectionpool: http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP removed link " 200 97
2025-05-20 08:34:23,468:DEBUG:certbot._internal.main:certbot version: 3.3.0
2025-05-20 08:34:23,468:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/4482/bin/certbot
2025-05-20 08:34:23,468:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2025-05-20 08:34:23,468:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-05-20 08:34:23,480:DEBUG:certbot._internal.log:Root logging level set at 30
2025-05-20 08:34:23,481:DEBUG:certbot._internal.display.obj:Notifying user: Processing removed link
2025-05-20 08:34:23,482:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-05-20 08:34:23,489:INFO:certbot.ocsp:Cannot extract OCSP URI from removed link
2025-05-20 08:34:23,491:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2025-05-20 08:34:23,491:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2025-05-20 08:34:23,491:DEBUG:certbot._internal.display.obj:Notifying user: Processing removed link
2025-05-20 08:34:23,492:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-05-20 08:34:23,498:INFO:certbot.ocsp:Cannot extract OCSP URI from removed link
2025-05-20 08:34:23,499:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2025-05-20 08:34:23,499:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2025-05-20 08:34:23,499:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-05-20 08:34:23,499:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2025-05-20 08:34:23,500:DEBUG:certbot._internal.display.obj:Notifying user: removed link expires on 2025-08-18 (skipped)
removed link expires on 2025-08-18 (skipped)
2025-05-20 08:34:23,500:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2025-05-20 08:34:23,500:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-05-20 08:34:23,500:DEBUG:certbot._internal.renewal:no renewal failures
Thank you for your help.
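As an added example (not part of any post above, and not Carbonio or certbot code), the certbot output formats quoted in this thread can be parsed so that a monitoring job mails only when a challenge failed or a certificate is inside the 15-day warning window, instead of on every run. The function names are hypothetical, and the sample text, domains, address and paths are constructed placeholders.

```python
import re
from datetime import date

# Constructed sample in the format of the certbot output quoted in this thread;
# the domains, address and paths are placeholders, not values from the thread.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: webroot).
  Domain: mail.example.com
  Type:   connection
  Detail: 203.0.113.10: Fetching http://mail.example.com/.well-known/acme-challenge/x: Connection refused
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/mail.example.com/fullchain.pem expires on 2025-08-18 (skipped)
  /etc/letsencrypt/live/mail.example.org/fullchain.pem expires on 2025-06-01 (skipped)
No renewals were attempted.
"""

EXPIRY_RE = re.compile(r"(\S+) expires on (\d{4}-\d{2}-\d{2}) \(skipped\)")
FIELD_RE = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")


def parse_certbot_output(text):
    """Return ({cert_path: expiry_date}, [failed challenge dicts])."""
    expiries, failures = {}, []
    for line in text.splitlines():
        m = EXPIRY_RE.search(line)  # search: log lines carry a timestamp prefix
        if m:
            expiries[m.group(1)] = date.fromisoformat(m.group(2))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "domain":
                failures.append({"domain": value})  # starts a new failure record
            elif failures:
                failures[-1][key] = value
    return expiries, failures


def alerts(text, today, warn_days=15):
    """Lines worth mailing; an empty list means nothing needs attention."""
    expiries, failures = parse_certbot_output(text)
    out = [f"challenge failed for {f['domain']}: {f.get('type', 'unknown')}"
           for f in failures]
    for path, expires in sorted(expiries.items()):
        left = (expires - today).days
        if left < warn_days:
            out.append(f"{path} has {left} days remaining")
    return out
```

Feed it the captured output of a renewal run together with `date.today()`, and send mail only when the returned list is non-empty.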