
Let's Encrypt certificates and zmcertmgr

Joined: 1 year ago
Posts: 16
Topic starter  

Using the Admin Panel I created and deployed a Let's Encrypt certificate. There are 2 problems though:

1. This certificate was deployed to web mail only. zmcertmgr viewdeployedcrt says that ldap, mta and proxy are still using a self-signed certificate. I noticed this when I tried to add a new mailbox to a phone.

2. certbot uses the following command to generate a certificate:

/opt/zextras/libexec/certbot certonly --preferred-chain "ISRG Root X1" --agree-tos --email zextras@command.com -n --keep --webroot -w /opt/zextras --cert-name command.com -d mail.command.com

which means that the certificate is created with an ECDSA key instead of RSA. There's no way in the Admin Panel to change it to RSA.

Using zmcertmgr to try to deploy this certificate results in an error, since it works with RSA.

Looking for a way to resolve it, I found an accepted pull request on GitHub (https://github.com/Zimbra/zm-core-utils/pull/96/files) from November 2023. As a quick hack I edited the verifycrtkey procedure in zmcertmgr, but I'm sure the next update will break this.

Could you please confirm my finding or show me where I'm wrong?
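Added here as a worked example, not code from the thread or from zmcertmgr itself: a POSIX shell check that verifies a certificate and private key belong together regardless of key type, shown next to the RSA-only modulus comparison that fails on the ECDSA keys certbot issues by default. It assumes a stock openssl CLI; the file names and CN are constructed test material.

```shell
#!/bin/sh
# Added example (not from the thread or from zmcertmgr): compare the
# SubjectPublicKeyInfo carried in the certificate with the public half of the
# private key. This works for RSA and ECDSA alike, unlike `openssl rsa -modulus`.
set -u

# stdin: PEM public key -> stdout: SHA-256 of its DER encoding
spki_fpr() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the key matches the cert, 1 otherwise (any key type).
cert_key_match() {
    crt_pem=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$crt_pem" | spki_fpr)" = "$(printf '%s\n' "$key_pem" | spki_fpr)" ]
}

# The usual RSA-only check, for contrast: `openssl rsa` cannot load an EC key,
# so a perfectly valid ECDSA pair is reported as a mismatch.
rsa_only_match() {
    a=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed test material: a throwaway ECDSA P-256 pair and an RSA pair.
make_test_pairs() {
    dir=$(mktemp -d)
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ec.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ec.key" -subj "/CN=mail.example.test" -days 1 -out "$dir/ec.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/rsa.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/rsa.key" -subj "/CN=mail.example.test" -days 1 -out "$dir/rsa.crt" 2>/dev/null
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_test_pairs)
    cert_key_match "$d/ec.crt" "$d/ec.key" && echo "spki check: ECDSA pair matches"
    rsa_only_match "$d/ec.crt" "$d/ec.key" || echo "rsa-only check: ECDSA pair wrongly rejected"
fi
```

Run with `sh script.sh demo` to see the two checks disagree on the same ECDSA pair.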

Joined: 1 year ago
Posts: 309

Hello there,

I recommend you take a look at this article I wrote about it