Carbonio 23.9.0 adm...
 
Notifications
Clear all

[Solved] Carbonio 23.9.0 admin panel trying to get a Let's Encrypt Certificate

45 Posts
6 Users
2 Likes
1,598 Views
(@anahuac)
Joined: 10 months ago
Posts: 304
 

@antonio There is no documentation about this certificates thing. I taight myself over the years and when I had to teach my students about Zimbra.

Renewal process is always done by had or scripts in cron service.

-------------------------

About the second topic: you don't need external ssh connection to do the certificate thing. Looking to it closely is seems your multi-server deployment is looking for the main server using DNS resolution and then targeting your external IP.

So, that's what I would try:

1 - set /etc/hosts with IP's and names of all servers, in all nodes of your muti-server setup;

2 - Run the commands above as zextras user:

zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
zmcontrol restart

This will "force" Carbonio do resolve names 1st using /etc/hosts

3 - Run it again on each node:

zmupdateauthkeys

And try again!

Telegram: https://t.me/CarbonioMail

 


   
ReplyQuote
(@rwebb616)
Joined: 8 years ago
Posts: 56
Topic starter  

Posted by: @anahuac

Run it manually in --dry-run mode... it's faster ans easier to follow the errors:

It's giving me a connection error - it doesn't look like it's spinning up a temporary web server for connection so I'm wondering if the Carbonio one is supposed to be serving that location (.well-known/acme-challenge directory).. or do I have to stop the proxy so the certbot temporary server can bind to port 80?  I wish I knew a little more of the mechanics of how it is supposed to work - makes troubleshooting much easier! 

Rich

 


   
ReplyQuote
antonio
(@antonio)
Joined: 7 months ago
Posts: 43
 

@anahuac

Hi

due to health problems at home I couldn't try this yet.

your suggestion makes all sense.

I'll give you a feedback asap.

Regards


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
 

@antonio take your time ofc and wish you fast recovery


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
 

@rwebb616 You must setup your proxy to redirect as I explain in my tutorial

Let’s Encrypt on Carbonio – Easy as never before


   
ReplyQuote
(@rwebb616)
Joined: 8 years ago
Posts: 56
Topic starter  

Posted by: @anahuac

@rwebb616 You must setup your proxy to redirect as I explain in my tutorial

Let’s Encrypt on Carbonio – Easy as never before

@anahuac I mentioned in this post that I had read your blog posting and followed all instructions including setting the mode to redirect.  I have port 80 and 443 on my public IP address forwarded to the Carbonio server - no proxy in-between other than the Carbonio proxy.  

Do you know if the Carbonio proxy / web server is supposed to respond to the Let's Encrypt challenges and serve up the content in the .well-known/acme-challenge directory?

 


   
ReplyQuote
(@rwebb616)
Joined: 8 years ago
Posts: 56
Topic starter  

Posted by: @rwebb616

Do you know if the Carbonio proxy / web server is supposed to respond to the Let's Encrypt challenges and serve up the content in the .well-known/acme-challenge directory?

I just tried putting a .txt file in that folder and tried to get to it with https://mail.example.com/.well-known/acme-challenge/file.txt   and I was successful so I'm not sure why it's not working with the certificate.

 

This post was modified 6 months ago by rwebb616

   
ReplyQuote
(@rwebb616)
Joined: 8 years ago
Posts: 56
Topic starter  

I just realized that it is NOT redirecting even though the setting is set to redirect.  Is there anywhere else this needs to be changed?  


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
 

@rwebb616 Yes it does and it works great... just today I did it twice.. so I'm pretty impressed you're having issues.... maybe some FW blocking it?


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
 

@rwebb616 

run this to get the setup you have now:

zmprov gs `zmhostname` zimbraReverseProxyMailMode

and this to fix it

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect

 


   
ReplyQuote
antonio
(@antonio)
Joined: 7 months ago
Posts: 43
 

@anahuac, Hi this worked like a charm, thanks. You are the man.

I'm still a bit lost with multiserver conf: Do we need to change zimbraMtaLmtpHostLookup value and restarted all nodes?
or should I have done it in only in specific nodes? which ones?

Understood the 2 layers certificates.

"zmcertmgr viewdeployedcrt" gives me the information from 1st layer certificate - (created via cli and installed with su - zextras -c 'zmcertmgr deploycrt comm.....') what shall we do with this? what happend when expired? it has to be be updated like before with Zimbra, right?

Nice job.


   
ReplyQuote
(@rwebb616)
Joined: 8 years ago
Posts: 56
Topic starter  

Posted by: @anahuac

@rwebb616 

run this to get the setup you have now:

zmprov gs `zmhostname` zimbraReverseProxyMailMode

and this to fix it

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect

 

Well even though I KNOW I changed the setting it was still showing https when I ran the gs command.  Switched to redirect - and this time verified that it changed, re-ran the certificate request and it worked.  I also ran it for the second domain on the box and that worked as well. I would call this one solved!  Thanks @anahuac for your help!  

 


   
anahuac reacted
ReplyQuote
Myriad
(@myriad)
Joined: 12 years ago
Posts: 28
 

I am unable to get ssl to work using any of the methods shown above and in this forum in general.  The only thing that worked for me was copying the LetsEncrypt files off of my old server and running the zmcertmgr commands on Carbonio using the Zimbra generated certs. My Carbonio server is a duplicate of my Zimbra one, with 'mail' as the sub domain of 'mail.example.ca'. I also run other domains as well but until I can get LE to work, Carbonio is dead in the water for me. One error I get (that might be related to this problem) when restarting the proxy after redirect is:

Starting proxy...nginx: [warn] conflicting server name "mail.example.ca" on 0.0.0.0:443, ignored

And when I look at the error message returned in the LE failure email I see:

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

ENDCMD: mail.example.ca /opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.ca -n --keep --webroot -w /opt/zextras --cert-name example.ca -d mail.example..ca -d mail.example..ca

Seems like there are two '-d mail.example.ca' strings in the command line which is possibly caused by the proxy error above? In Zimbra I use John Dunphy's excellent, "Using Acme.sh to generate certs" with his automated script. Can this be adapted to work with Carbonio? I hope John can chime in here.


   
Trelawny reacted
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
 

Give this one a try Let’s Encrypt on Carbonio – System Root with ACME.sh

it might be exactly what you're looking for


   
ReplyQuote
Myriad
(@myriad)
Joined: 12 years ago
Posts: 28
 

@anahuac Nope, that was the article I was referencing from the beginning.


   
ReplyQuote
Page 3 / 3