I always try to test on the latest version, so this time it was 23.9.
What Carbonio does afterwards I have no idea 🙂 The procedure written in the docs is complete as is, I do not think there's something more to do. The changes in the docs, compared to the previous version, are in the requirements: step 7 and the reload commands at the end of the box.
@rwebb616 We updated the guidelines on the docs last week, testing them successfully in the process. Can you please check if it works for you and report back if you still have any issues?
I followed these instructions and get the same error. My issue is really SSH related though - not sure what the system is trying to do with SSH - it's a single server install. From the error it looks like it's trying to SSH to itself as the zextras user.
@rwebb616 I can only inform our developers, because this is beyond my experience. Sorry for the problems 🙁
I'm seeing a similar issue here on Zimbra - it's old but possibly relevant - I'm going to work through this thread and see if I can fix it. https://forums.zimbra.org/viewtopic.php?t=36426
It shows a command to test the SSH auth.
Should the Zextras linux account have a password? I don't remember seeing anywhere about setting or changing that? I just always su to it from root.
@rwebb616 no, the zextras account should not have a password
Ok, so I tried to SSH back to the server using the zimbra_identity file and saw in /var/log/auth.log that the zextras account was locked. When I went to do a passwd -u zextras, it told me that there is no password set for the account and that, to unlock the account, I should set a password using usermod -p .
So, just to try it, I set a password, unlocked the account and corrected the authorized_keys file so that I could SSH in with PuTTY; once I could do that, the ssh command worked. I then tried my certificate and it got further but still failed.
@stefanodavid I see...
Well.... normally, when we deploy those certificates manually, after certbot runs and we get the certificate, these are the steps:
1 - concatenate the Let's Encrypt root CA chain into the chain.pem file
2 - concatenate cert.pem and chain.pem into cert.bundle file
3 - fix permissions (ofc)
4 - use the command below to actually save the certificates in LDAP and in /opt/zextras/conf/domaincerts/
zmdomaincertmgr savecrt your_domain cert.bundle privkey.pem
5 - deploy new certificate running
zmdomaincertmgr deploycrts
Only after that do you run zmproxyconfgen and zmproxyctl
So, as you can see, there are a few steps the Carbonio UI does to get that certificate set up
In 23.9.0 all is done and is working as expected... but not in 23.7.0... that's why I'm asking
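The manual procedure above (bundle, permissions, zmdomaincertmgr savecrt/deploycrts, proxy regeneration) as one script, added here as an example and not code from the post or from Carbonio. It assumes certbot's usual live directory layout (cert.pem, chain.pem, privkey.pem), a root CA file that you supply as the third argument (the post's step 1), the zextras:zextras owner for the staged files, and that zmproxyctl is given the restart subcommand. Before touching LDAP it also checks that the leaf certificate and the private key belong together, which is the step most often missed when files from different certbot runs are mixed:

```shell
#!/bin/sh
# Added example: bundle a certbot-issued certificate and hand it to zmdomaincertmgr.
# Assumptions (not from the forum post): certbot live directory layout, a root CA
# PEM supplied by the caller, owner zextras:zextras, and "zmproxyctl restart".

# Number of PEM certificate blocks in a file (0 if the file is missing).
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Steps 1 and 2 of the post in one go: leaf, then intermediate chain, then root.
# Fails if any input is missing or holds no certificate, so an empty or
# misnamed file can never produce a half-empty bundle.
build_cert_bundle() {
    local live_dir=$1 root_ca=$2 out=$3 f
    for f in "$live_dir/cert.pem" "$live_dir/chain.pem" "$root_ca"; do
        [ "$(count_pem_certs "$f")" -gt 0 ] || { echo "no certificate in $f" >&2; return 1; }
    done
    cat "$live_dir/cert.pem" "$live_dir/chain.pem" "$root_ca" > "$out"
}

# Step 3: bundle world-readable, private key readable only by its owner.
# Pass an empty owner to skip chown (for instance when not running as root).
fix_cert_permissions() {
    local bundle=$1 key=$2 owner=$3
    chmod 644 "$bundle" || return 1
    chmod 600 "$key" || return 1
    if [ -n "$owner" ]; then chown "$owner" "$bundle" "$key" || return 1; fi
    return 0
}

# Sanity check before writing to LDAP: the public key inside the first
# certificate of the bundle must equal the public key derived from privkey.pem.
# Comparing public keys works for both RSA and ECDSA issuance.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Steps 4 and 5 plus the proxy regeneration, the commands quoted in the post.
deploy_domain_cert() {
    local domain=$1 bundle=$2 key=$3
    zmdomaincertmgr savecrt "$domain" "$bundle" "$key" || return 1
    zmdomaincertmgr deploycrts || return 1
    zmproxyconfgen && zmproxyctl restart
}

# Usage (as root, after certbot has issued the certificate):
#   sh deploy_le_domain_cert.sh example.com /etc/letsencrypt/live/example.com /path/to/root-ca.pem
main() {
    local domain=$1 live=$2 root=$3 work
    work=$(mktemp -d)
    build_cert_bundle "$live" "$root" "$work/cert.bundle" || exit 1
    cp "$live/privkey.pem" "$work/privkey.pem" || exit 1
    fix_cert_permissions "$work/cert.bundle" "$work/privkey.pem" zextras:zextras || exit 1
    key_matches_cert "$work/cert.bundle" "$work/privkey.pem" || { echo "privkey.pem does not match cert.pem" >&2; exit 1; }
    deploy_domain_cert "$domain" "$work/cert.bundle" "$work/privkey.pem"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

The bundle order (leaf first, root last) is what both nginx and the zmdomaincertmgr LDAP store expect; the key check runs against the first block of the bundle, which is why the leaf has to come first.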
Now when I generate the certificate I'm getting an error back from the CA stating that it can't download the challenge response. I checked in the .well_known/acme-challenge directory and it's empty.
This is very odd - I figured getting the SSH part working would resolve the other issues. This was a clean install of Carbonio so I don't know why all these issues are cropping up. Only thing I can think of is I am using multiple domains on this machine where maybe others are not but seems like that would have all been tested as well.
@rwebb616 take a look at this tutorial.... maybe it helps
I did look at this the first time you posted it. I am following all the steps - making sure the mode is redirect etc. I haven't had time to dig deeper to see if I can figure it out.
Here is the error this time:
STARTCMD: mail.example.com /opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.com -n --keep --webroot -w /opt/zextras --cert-name example.com -d mail.example.com -d mail.example.com
Account registered.
Simulating a certificate request for mail.example.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mail.example.com
  Type:   connection
  Detail: 1.1.1.1: Fetching http://mail.example.com/.well-known/acme-challenge/VxQAjkPqQRX0WvAxkc8TtThe_TAA5LOwqC9BW7GpN_I: Connection refused
This is seeming like an incoming connection issue but all the ports are open. I have 25,80,443,143,993,587,465 all open. In checking the acme-challenge directory there is nothing in there. I don't know if it generated the challenge and then deleted it. Also owner of the directory is zextras:zextras so shouldn't be a permissions issue.
Run it manually in --dry-run mode... it's faster and easier to follow the errors:
/opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.com -n --keep --webroot -w /opt/zextras --cert-name example.com -d mail.example.com -d mail.example.com --dry-run
and at the same time
tail -f /opt/zextras/log/nginx.access.log
Anahuac
Telegram: https://t.me/CarbonioMail
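A way to separate the two failure modes in the error above ("Connection refused" on port 80 versus an empty acme-challenge directory) before re-running certbot: stage a throwaway token under the webroot, check that the path is readable by a user other than the owner, then fetch it over plain HTTP the way the CA does. This is an added example, not code from the thread or from Carbonio; it assumes the webroot /opt/zextras from the certbot command above, that the proxy serves /.well-known/acme-challenge/ from it on port 80, and that curl is installed. The token and its file are constructed by the script itself and removed afterwards:

```shell
#!/bin/sh
# Added example: end-to-end check of the http-01 webroot path. Assumptions (not
# from the post): webroot /opt/zextras, proxy listening on port 80, curl present.

CHALLENGE_SUBDIR=.well-known/acme-challenge

# Create a throwaway token file under WEBROOT (content = its own name, like a
# real challenge response) and print the token name.
stage_test_token() {
    local webroot=$1 dir token
    dir="$webroot/$CHALLENGE_SUBDIR"
    mkdir -p "$dir" || return 1
    token="carbonio-selftest-$$-$(date +%s)"
    printf '%s\n' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# The nginx worker may not run as the file owner: every directory on the path
# needs o+x and the token file o+r. ls -l columns 8-10 are the "other" bits.
token_is_world_readable() {
    local webroot=$1 token=$2 d
    for d in "$webroot/.well-known" "$webroot/$CHALLENGE_SUBDIR"; do
        [ "$(ls -ld "$d" | cut -c10)" = "x" ] || return 1
    done
    [ "$(ls -l "$webroot/$CHALLENGE_SUBDIR/$token" | cut -c8)" = "r" ]
}

# Fetch the token through the proxy, following redirects as the CA does.
# Prints the final HTTP status; "000" means no TCP connection at all.
fetch_test_token() {
    local host=$1 token=$2
    curl -sL -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$host/$CHALLENGE_SUBDIR/$token" || true
}

# Map the status to the configuration layer that needs attention.
explain_status() {
    case $1 in
        200) echo "OK: token served, webroot and proxy location are consistent" ;;
        000) echo "no TCP connection on port 80: proxy not listening, or a firewall/NAT in front of it" ;;
        404) echo "port 80 answers but the token is missing: webroot or acme-challenge location mismatch" ;;
        *)   echo "unexpected status $1: inspect /opt/zextras/log/nginx.access.log for the request" ;;
    esac
}

remove_test_token() {
    rm -f "$1/$CHALLENGE_SUBDIR/$2"
}

# Usage: sh acme_webroot_check.sh /opt/zextras mail.example.com
main() {
    local webroot=$1 host=$2 token status
    token=$(stage_test_token "$webroot") || exit 1
    token_is_world_readable "$webroot" "$token" \
        || echo "warning: $CHALLENGE_SUBDIR/$token is not readable by other users" >&2
    status=$(fetch_test_token "$host" "$token")
    explain_status "$status"
    remove_test_token "$webroot" "$token"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it with the same tail -f on nginx.access.log open in another terminal: a 200 here with a request line in the log means the webroot is fine and the remaining failure is on the path from the CA to port 80, which is exactly the case "Connection refused" points at.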
Hello friends,
2 strange situations:
1)
checking "zmcertmgr viewdeployedcrt" I have
- ldap: /opt/zextras/conf/slapd.crt
- mta: /opt/zextras/conf/smtpd.crt
- proxy: /opt/zextras/conf/nginx.crt
certificates with dates
notBefore=Jul 20 20:23:53 2023 GMT
notAfter=Oct 18 20:23:52 2023 GMT
This was installed in Carbonio previous version via command line.
Checking with "certbot certificates" I get:
Expiry Date: 2023-12-17 19:48:51+00:00 (VALID: 66 days)
Why? Which is the correct one?
2)
I have a multi-server installation, behind an iptables/NAT firewall running a private network, and I don't have direct SSH access to the nodes; it is only possible via a dummy front-end machine inside the same local network. My external SSH port is not 22.
when I try to run the new certificate option in admin I get the RemoteManager error
system failure: exception executing command certbot certonly.......RemoteManager: ..... org.apache.sshd.common.SshException: DefaultConnectFuture....
and it shows the user and my public IP accessing port 22
Ideas to solve/overcome this?
Thank you and best regards
António
Hello @antonio,
So... the thing about certificates is that Carbonio uses two layers of certificates. The 1st layer is generated and installed when Carbonio is installed. I like to call it "the root certificate".
You can use "zmcertmgr deploycrt comm" command to deploy a Let's Encrypt or Commercial certificate to Carbonio and that will be the default certificate for all services, all communication between nodes and for all domains.
The second layer is the proxy certificate. When you ask Carbonio to create and deploy a Let's Encrypt certificate it is done but deployed on Nginx setup, not Carbonio's core.
That's how each domain uses its own certificate separately.
Knowing that:
zmcertmgr viewdeployedcrt
Will show you the root certificate, and
certbot certificates
Will show you those certificates done to be used by the Proxy.
--------------------------------
About topic 2, try to run this command on each node of your multi-server setup:
zmupdateauthkeys
And try again.
Telegram: https://t.me/CarbonioMail
@anahuac Hi, the first explanation is perfect. Are there any docs about this? What about the cert renewal process?
About the second question, I had already thought about that but hadn't done it yet because of the error message: ....zextras@connect.yobi365.com/<public-ip-address>:22.....
there is no way to connect to <public-ip-address>:22
Now, after your suggestion, I did the zmupdateauthkeys but the issue continues.
A.