@antonio There is no documentation about this certificates thing. I taught myself over the years and when I had to teach my students about Zimbra.
Renewal process is always done by hand or by scripts in the cron service.
-------------------------
About the second topic: you don't need an external ssh connection to do the certificate thing. Looking at it closely, it seems your multi-server deployment is looking for the main server using DNS resolution and then targeting your external IP.
So, that's what I would try:
1 - set /etc/hosts with the IPs and names of all servers, in all nodes of your multi-server setup;
2 - Run the commands above as zextras user:
zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
zmcontrol restart
This will "force" Carbonio to resolve names 1st using /etc/hosts
3 - Run it again on each node:
zmupdateauthkeys
And try again!
Telegram: https://t.me/CarbonioMail
Run it manually in --dry-run mode... it's faster and easier to follow the errors:
It's giving me a connection error - it doesn't look like it's spinning up a temporary web server for connection so I'm wondering if the Carbonio one is supposed to be serving that location (.well-known/acme-challenge directory).. or do I have to stop the proxy so the certbot temporary server can bind to port 80? I wish I knew a little more of the mechanics of how it is supposed to work - makes troubleshooting much easier!
Rich
Hi
due to health problems at home I couldn't try this yet.
your suggestion makes all sense.
I'll give you a feedback asap.
Regards
@rwebb616 You must setup your proxy to redirect as I explain in my tutorial
@anahuac I mentioned in this post that I had read your blog posting and followed all instructions including setting the mode to redirect. I have port 80 and 443 on my public IP address forwarded to the Carbonio server - no proxy in-between other than the Carbonio proxy.
Do you know if the Carbonio proxy / web server is supposed to respond to the Let's Encrypt challenges and serve up the content in the .well-known/acme-challenge directory?
I just tried putting a .txt file in that folder and tried to get to it with https://mail.example.com/.well-known/acme-challenge/file.txt and I was successful so I'm not sure why it's not working with the certificate.
I just realized that it is NOT redirecting even though the setting is set to redirect. Is there anywhere else this needs to be changed?
@rwebb616 Yes it does and it works great... just today I did it twice.. so I'm pretty impressed you're having issues.... maybe some FW blocking it?
run this to get the setup you have now:
zmprov gs `zmhostname` zimbraReverseProxyMailMode
and this to fix it
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
@anahuac, Hi this worked like a charm, thanks. You are the man.
I'm still a bit lost with the multiserver conf: do we need to change the zimbraMtaLmtpHostLookup value and restart all nodes?
Or should I have done it only in specific nodes? Which ones?
Understood the 2 layers certificates.
"zmcertmgr viewdeployedcrt" gives me the information from the 1st layer certificate (created via cli and installed with su - zextras -c 'zmcertmgr deploycrt comm.....'). What shall we do with this? What happens when it expires? It has to be updated like before with Zimbra, right?
Nice job.
run this to get the setup you have now:
zmprov gs `zmhostname` zimbraReverseProxyMailMode
and this to fix it
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
Well even though I KNOW I changed the setting it was still showing https when I ran the gs command. Switched to redirect - and this time verified that it changed, re-ran the certificate request and it worked. I also ran it for the second domain on the box and that worked as well. I would call this one solved! Thanks @anahuac for your help!
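A preflight script for the HTTP-01 pieces this thread turns on, added here as an example and not part of anyone's post: it checks the zmprov output for zimbraReverseProxyMailMode, dedupes the -d domain list (the LE failure mail further down shows the same domain twice in one certbot command), and fetches a constructed token from the webroot the certbot command uses. It assumes the zextras user has zmprov, zmhostname and curl on PATH and that the webroot is /opt/zextras as in that ENDCMD line, so /opt/zextras/.well-known/acme-challenge is an assumption too.

```shell
#!/bin/bash
# Preflight for Let's Encrypt HTTP-01 on a Carbonio node (added example, not project code).
# Assumes: run as zextras, zmprov/zmhostname/curl on PATH, certbot webroot is /opt/zextras.
WEBROOT="/opt/zextras"                          # assumption: the -w path certbot is given
ACME_DIR="$WEBROOT/.well-known/acme-challenge"  # assumption: standard HTTP-01 path under it

# Return 0 when "zmprov gs <host> zimbraReverseProxyMailMode" output says redirect.
# zmprov prints "# name <host>" followed by "attr: value" lines.
mailmode_is_redirect() {
    printf '%s\n' "$1" | grep -qx 'zimbraReverseProxyMailMode: redirect'
}

# Print each domain once, in first-seen order, as "-d dom" arguments for certbot.
unique_domain_args() {
    printf '%s\n' "$@" | awk '!seen[$0]++' | sed 's/^/-d /' | tr '\n' ' ' | sed 's/ $//'
}

# URL the CA fetches for an HTTP-01 token: plain http on port 80, redirects are followed.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Live check: drop a constructed token in the webroot and fetch it the way the CA would,
# following the http->https redirect that "redirect" mail mode produces.
check_challenge_path() {
    host="$1"; token="preflight-$$"
    mkdir -p "$ACME_DIR" && printf 'ok\n' > "$ACME_DIR/$token"
    body=$(curl -sSL --max-time 10 "$(challenge_url "$host" "$token")")
    rm -f "$ACME_DIR/$token"
    [ "$body" = "ok" ]
}

main() {
    host=$(zmhostname)
    if ! mailmode_is_redirect "$(zmprov gs "$host" zimbraReverseProxyMailMode)"; then
        echo "mail mode is not redirect; fix: zmprov ms $host zimbraReverseProxyMailMode redirect"
        exit 1
    fi
    if ! check_challenge_path "$host"; then
        echo "token not fetchable via $(challenge_url "$host" '<token>'); check port 80 and the proxy"
        exit 1
    fi
    echo "ready: certbot certonly --webroot -w $WEBROOT $(unique_domain_args "$host" "$@") --dry-run"
}

# Only the --run form touches the live system; extra arguments are additional domains.
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```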
I am unable to get ssl to work using any of the methods shown above and in this forum in general. The only thing that worked for me was copying the LetsEncrypt files off of my old server and running the zmcertmgr commands on Carbonio using the Zimbra generated certs. My Carbonio server is a duplicate of my Zimbra one, with 'mail' as the sub domain of 'mail.example.ca'. I also run other domains as well but until I can get LE to work, Carbonio is dead in the water for me. One error I get (that might be related to this problem) when restarting the proxy after redirect is:
Starting proxy...nginx: [warn] conflicting server name "mail.example.ca" on 0.0.0.0:443, ignored
And when I look at the error message returned in the LE failure email I see:
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet. ENDCMD: mail.example.ca /opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.ca -n --keep --webroot -w /opt/zextras --cert-name example.ca -d mail.example..ca -d mail.example..ca
Seems like there are two '-d mail.example.ca' strings in the command line which is possibly caused by the proxy error above? In Zimbra I use John Dunphy's excellent, "Using Acme.sh to generate certs" with his automated script. Can this be adapted to work with Carbonio? I hope John can chime in here.
Give this one a try: Let's Encrypt on Carbonio – System Root with ACME.sh
It might be exactly what you're looking for.