Firstly, what a joy to be able to retrieve and deploy a letsencrypt cert from the admin console 😎 , great job! (although not yet working for me).
I followed Shariful Islam's useful article https://community.zextras.com/how-to-configure-lets-encrypt-ssl-certificate-for-multiple-domains-in-multi-tenant-carbonio-using-admin-ui-carbonio-ce/
and I changed zimbraReverseProxyMailMode to redirect; however, certbot tries to download http://my.domain.com/.well-known/acme-challenge/zcmhlMpnWUmK........ and (with UFW & fail2ban disabled) the connection is refused.
In fact, any URL that is not https is blocked, not redirected.
Could anyone tell me what I have missed?
It is awesome indeed... but there are some considerations... I wrote two articles about it that you may find interesting:
Let’s Encrypt on Carbonio – System Root with ACME.sh
and
Let’s Encrypt on Carbonio – Easy as never before
Enjoy
@anahuac I have read your articles, but whilst I used acme.sh on my zimbra server, I wanted to use the Admin UI.
Also, I imagine that the acme challenge would still have the same problem.
Any ideas as to why Ubuntu is rejecting http?
As I explain in my article, the problem with certificates generated on the Admin UI is that they don't apply to Carbonio's core parts, meaning most e-mail clients will fail to connect, complaining about the self-signed certificate.
The Admin UI certificate is handy for virtual domains, and even then you must set a cronjob to renew it.
About port 80 being blocked, I don't think it has anything to do with Ubuntu, but with Carbonio only enabling 443 by default.
Try this:
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmcontrol restart
This command is also present in the howto written in the docs: https://docs.zextras.com/carbonio-ce/html/adminpanel/domains.html#procedure-to-install-a-let-s-encrypt-certificate and it is a strict requirement because certbot communicates over port 80, AFAIK.
As a side note, please do not use the backticks (`zmhostname`) mechanism to retrieve/use the output of a command, but the $(zmhostname) form, because the former may lead to unwanted side-effects if there are uncommon characters in the hostname (unlikely in the case of a hostname, but you'll never know!).
As I said in the original post, I had set the zimbraReverseProxyMailMode to redirect as I was following the article you referred to above. The problem, I think, was that I did not notice the output from /opt/zextras/libexec/zmproxyconfgen:
2023-12-11 09:45:03,895 [main] WARN : Invalid value found in 'zimbraReverseProxyAvailableLookupTargets': myhostname
Do you think that zmproxyconfgen is picking up myhostname when it should be picking up myhostname.com (FQDN)?
No idea, sorry... 😕 I'm going to make some tests as soon as I find some time... it may take a while.
In general, the commands that you find in the docs have always been tested by me or by my colleagues, so it may be a bit difficult to understand why they fail. And in case the problem is reproducible, we'll add a new troubleshooting element in the docs.
Hi,
Sorry to hear about your trouble.
If I check my test server, I find the configuration below and the SSL is working:
zextras@mail:~$ zmprov gs `zmhostname` zimbraReverseProxyAvailableLookupTargets
# name mail.latestserver.xyz
zimbraReverseProxyAvailableLookupTargets: mail.latestserver.xyz
zextras@mail:~$
Could you please share a summarized version of what you have done to install the Let's Encrypt, including your OS version, and Carbonio CE version?
Basically what we do is:
1. Set Virtual Hostname
2. Restart the proxy service
3. Setting the reverse proxy mail mode to redirect by carbonio prov ms $(hostname) zimbraReverseProxyMailMode redirect
4. Upload and verify the certificate
5. Restart proxy service.
Reload the browser.
Let's dig into this issue.
Thanks and regards,
Sharif
@sharif I have the latest version of carbonio which includes letsencrypt and certbot.
Here is the output, somewhat confirming my theory;
zextras@mydomain:~$ zmprov gs `zmhostname` zimbraReverseProxyAvailableLookupTargets
# name mydomain.com
zimbraReverseProxyAvailableLookupTargets: mydomain (not FQDN)
Hi,
You can change the value of zimbraReverseProxyAvailableLookupTargets by
zextras@mail:~$ carbonio prov ms `zmhostname` zimbraReverseProxyAvailableLookupTargets mail.latestserver.xyz
zextras@mail:~$
But frankly, it should be set automatically, so we must understand what we missed. Also, the server hostname (FQDN) is set as a value to a few other fields like:
zextras@mail:~$ carbonio prov gs `zmhostname` | grep -i mail.zextras.xyz
# name mail.zextras.xyz
cn: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz
zimbraServiceHostname: mail.zextras.xyz
zextras@mail:~$
zextras@mail:~$ carbonio prov gacf | grep -i mail.zextras.xyz
zimbraPublicServiceHostname: mail.zextras.xyz
zimbraReverseProxyAvailableLookupTargets: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz
zextras@mail:~$
So, changing it manually is not the best way.
Is it a fresh installation or degradation?
Thanks and regards,
Sharif
Fresh install;
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
Carbonio Release 23.11.0
OK the output of carbonio prov gs `zmhostname` | grep -i mail.zextras.xyz looks good
# name mail.zextras.xyz
cn: mail.zextras.xyz
zimbraServiceHostname: mail.zextras.xyz
however carbonio prov gacf | grep -i mail.zextras.xyz returns just one line
zimbraPublicServiceHostname: mail.zextras.xyz
whereas yours had three:
zimbraPublicServiceHostname: mail.zextras.xyz
zimbraReverseProxyAvailableLookupTargets: mail.zextras.xyz
zimbraReverseProxyUpstreamEwsServers: mail.zextras.xyz
Hi,
Could you please look at this video and try to understand what we missed?
Carbonio CE 23.11.0 Installation Steps
Thanks and regards,
Sharif
@sharif I went through the video and could not see anything I missed except removing any IPV6 lines from /etc/hosts, which I have done now.
I also re-ran /opt/zextras/libexec/zmproxyconfgen
2023-12-13 21:54:29,735 [main] WARN : Invalid value found in 'zimbraReverseProxyAvailableLookupTargets': mailgate-bkm-5
Please correct and run zmproxyconfgen again
2023-12-13 21:54:29,742 [main] WARN : No available nginx lookup handlers could be found
Exception in thread "main" java.lang.NullPointerException: Cannot invoke "com.zimbra.cs.account.Server.getBooleanAttr(String, boolean)" because "server" is null
at com.zimbra.cs.util.proxyconfgen.ProxyConfVar.isValidUpstream(ProxyConfVar.java:281)
at com.zimbra.cs.util.proxyconfgen.WebEwsSSLUpstreamServersVar.update(WebEwsSSLUpstreamServersVar.java:29)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.updateDefaultVars(ProxyConfGen.java:2099)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.createConf(ProxyConfGen.java:2289)
at com.zimbra.cs.util.proxyconfgen.ProxyConfGen.main(ProxyConfGen.java:2818)
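Added example, not part of any post in this thread and not Carbonio's own tooling: a shell check for the condition the zmproxyconfgen warning above complains about, reading `carbonio prov gs <server>` or `carbonio prov gacf` output on stdin and flagging lookup targets that are missing or not FQDNs. The function name check_lookup_targets and the sample variables are hypothetical; the samples are constructed from values quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): validate the proxy lookup targets in
# `carbonio prov gs <server>` / `carbonio prov gacf` output read from stdin.

# Prints "OK <value>" or "BAD <value> (<reason>)" per target.
# Returns 0 only when at least one target exists and all are FQDNs.
check_lookup_targets() {
  awk '
    /^zimbraReverseProxyAvailableLookupTargets:/ {
      seen++
      # FQDN shape: one or more "label." groups followed by a final label.
      if ($2 ~ /^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]*$/) {
        printf "OK %s\n", $2
      } else {
        printf "BAD %s (not an FQDN)\n", $2; bad++
      }
    }
    END {
      if (seen == 0) { print "BAD <unset> (attribute missing)"; exit 1 }
      exit (bad > 0)
    }'
}

# Constructed samples modelled on the outputs quoted in the thread.
SAMPLE_WORKING='# name mail.latestserver.xyz
zimbraReverseProxyAvailableLookupTargets: mail.latestserver.xyz'
SAMPLE_SHORTNAME='# name mydomain.com
zimbraReverseProxyAvailableLookupTargets: mailgate-bkm-5'
SAMPLE_GACF_MISSING='zimbraPublicServiceHostname: mail.zextras.xyz'

for sample in "$SAMPLE_WORKING" "$SAMPLE_SHORTNAME" "$SAMPLE_GACF_MISSING"; do
  printf '%s\n' "$sample" | check_lookup_targets ||
    echo "-> correct the value and run zmproxyconfgen again"
done
```

On a live server the same function can be fed directly, e.g. carbonio prov gs "$(zmhostname)" | check_lookup_targets, and again with carbonio prov gacf for the global config.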