
Mail SSL not renewing automatically

(@uhl-services)

Hi,

So recently I noticed that Carbonio has some major issues in how it handles SSL. Now either at some point something in the docs was broken, yet I ended up replacing my commercial SSL in Carbonio with the free SSL. The only issue is that there seems to be no automatic mechanism to renew the free Let's Encrypt SSL for the main host; it works fine for every other virtual domain.

As of today, all customers who used the main domain mail.uhlhost.net to log in have experienced issues with an expired cert. Such an SSL is not to be found anywhere, since it was surely renewed by Let's Encrypt; the only issue is that the files, it seems, were never updated.

Does Carbonio have a system to renew all SSLs automatically, and can one run this process fully automatically? If so, why is it not working? The process of renewing SSLs has been manual every year since Zimbra, yet I was thinking this was solved in Carbonio; it seems it is not.

Can someone remove the confusion for me, and maybe also properly update the Carbonio docs? 

Found the following certs:
  Certificate Name: atec-bb.ch
    Serial Number: 39715cee562bd9aef454e4f7b0845cff806
    Key Type: ECDSA
    Domains: mail.atec-bb.ch
    Expiry Date: 2025-02-15 23:41:28+00:00 (VALID: 33 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/atec-bb.ch/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/atec-bb.ch/privkey.pem
  Certificate Name: garage-allstars.ch
    Serial Number: 35abe5841f6aa59b35e27dc902d4f8a5b65
    Key Type: ECDSA
    Domains: mail.uhlhost.net mail.garage-allstars.ch
    Expiry Date: 2025-02-26 07:54:29+00:00 (VALID: 43 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/garage-allstars.ch/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/garage-allstars.ch/privkey.pem
  Certificate Name: halenionzion.com
    Serial Number: 3f27132b2d5f6b5d09323031ed77b892b75
    Key Type: ECDSA
    Domains: mail.uhlhost.net mail.halenionzion.com
    Expiry Date: 2025-03-14 11:15:49+00:00 (VALID: 59 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/halenionzion.com/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/halenionzion.com/privkey.pem
  Certificate Name: musashi.ninja
    Serial Number: 43dc31e36daff3f84fc4bd565e4fbb8d8e2
    Key Type: ECDSA
    Domains: mail.musashi.ninja
    Expiry Date: 2025-02-15 23:41:49+00:00 (VALID: 33 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/musashi.ninja/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/musashi.ninja/privkey.pem
  Certificate Name: naturama.at
    Serial Number: 4dbb57985ddc4b4f2b89ae36f4e6142b534
    Key Type: ECDSA
    Domains: mail.naturama.at
    Expiry Date: 2025-02-26 07:55:12+00:00 (VALID: 43 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/naturama.at/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/naturama.at/privkey.pem
  Certificate Name: omnis.email
    Serial Number: 4d502c345d4e98a3f68162c9a07ec2d747b
    Key Type: ECDSA
    Domains: mail.uhlhost.net mail.omnis.email
    Expiry Date: 2025-03-19 02:41:48+00:00 (VALID: 64 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/omnis.email/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/omnis.email/privkey.pem
  Certificate Name: omnis.software
    Serial Number: 3281dc31e25d5af0b40087e8bc2dd8d022e
    Key Type: ECDSA
    Domains: mail.uhlhost.net mail.omnis.software
    Expiry Date: 2025-02-15 23:41:58+00:00 (VALID: 33 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/omnis.software/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/omnis.software/privkey.pem
  Certificate Name: uhl.agency
    Serial Number: 417d25a50bae4a0fc73003022611773613a
    Key Type: ECDSA
    Domains: mail.uhl.agency
    Expiry Date: 2025-02-22 18:54:13+00:00 (VALID: 40 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhl.agency/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhl.agency/privkey.pem
  Certificate Name: uhl.cloud
    Serial Number: 4cbd782d0f8be0a619430ca0ee7be902bbc
    Key Type: ECDSA
    Domains: mail.uhl.cloud
    Expiry Date: 2025-02-19 07:10:56+00:00 (VALID: 36 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhl.cloud/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhl.cloud/privkey.pem
  Certificate Name: uhlhost.net
    Serial Number: 3c9e4c429292edf5a37d96ddd5e3836f427
    Key Type: ECDSA
    Domains: mail.uhlhost.net
    Expiry Date: 2025-03-14 11:15:54+00:00 (VALID: 59 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhlhost.net/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/uhlhost.net/privkey.pem
  Certificate Name: zaflora.cz
    Serial Number: 3ba45a417ea4d8fca868d1297b09a61798c
    Key Type: ECDSA
    Domains: mail.zaflora.cz
    Expiry Date: 2025-02-16 21:41:27+00:00 (VALID: 34 days)
    Certificate Path: /opt/zextras/common/certbot/etc/letsencrypt/live/zaflora.cz/fullchain.pem
    Private Key Path: /opt/zextras/common/certbot/etc/letsencrypt/live/zaflora.cz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
zextras@mail:~$ zmcertmgr viewdeployedcrt
- ldap: /opt/zextras/conf/slapd.crt
notBefore=Oct 15 11:44:31 2024 GMT
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
issuer=C = US, O = Let's Encrypt, CN = E6
SubjectAltName=mail.uhlhost.net
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
notBefore=Oct 15 11:44:31 2024 GMT
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
issuer=C = US, O = Let's Encrypt, CN = E6
SubjectAltName=mail.uhlhost.net
- mta: /opt/zextras/conf/smtpd.crt
notBefore=Oct 15 11:44:31 2024 GMT
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
issuer=C = US, O = Let's Encrypt, CN = E6
SubjectAltName=mail.uhlhost.net
- proxy: /opt/zextras/conf/nginx.crt
notBefore=Oct 15 11:44:31 2024 GMT
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
issuer=C = US, O = Let's Encrypt, CN = E6
SubjectAltName=mail.uhlhost.net
zextras@mail:~$ carbonio prov gacf zimbraReverseProxyMailMode
zimbraReverseProxyMailMode: redirect

 

The main issue as I see it here is all the confusion created around the usage of commercial SSLs and free Let's Encrypt SSLs, since there is a clearly different procedure to keep the certificates up to date.

- When I used a commercial SSL, I would receive errors in the browser or mixed SSL types; for example, the *.uhlhost.net wildcard commercial SSL is not the same as the *.uhlhost.net wildcard Let's Encrypt free SSL.

How can I make sure to use only Let's Encrypt SSLs across my whole Carbonio mail server, without the issues I am facing now?

This topic was modified 1 week ago by Viorel-Cosmin Miron
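
The two listings in the post already show the mismatch: certbot holds a uhlhost.net lineage valid until 2025-03-14, while every deployed service certificate has notAfter Jan 13 2025. As an added example (not part of the original post and not Carbonio tooling), this check parses both listings and flags deployed certificates that lag behind an already renewed lineage; the function names are hypothetical and the inputs are excerpts constructed from the output above.

```python
import re
from datetime import datetime, timezone

# Constructed inputs: excerpts of the two listings quoted in the post.
CERTBOT_OUT = """\
  Certificate Name: atec-bb.ch
    Domains: mail.atec-bb.ch
    Expiry Date: 2025-02-15 23:41:28+00:00 (VALID: 33 days)
  Certificate Name: uhlhost.net
    Domains: mail.uhlhost.net
    Expiry Date: 2025-03-14 11:15:54+00:00 (VALID: 59 days)
"""
DEPLOYED_OUT = """\
- mta: /opt/zextras/conf/smtpd.crt
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
- proxy: /opt/zextras/conf/nginx.crt
notAfter=Jan 13 11:44:30 2025 GMT
subject=CN = mail.uhlhost.net
"""

def parse_certbot(text):
    """Return [(lineage, domains, expiry)] from the certbot listing."""
    pat = re.compile(r"Certificate Name: (\S+).*?Domains: ([^\n]+)"
                     r".*?Expiry Date: (\S+ \S+)", re.S)
    return [(n, set(d.split()), datetime.fromisoformat(e))
            for n, d, e in pat.findall(text)]

def parse_deployed(text):
    """Return [(service, path, not_after, cn)] from viewdeployedcrt output."""
    pat = re.compile(r"^- (\w+): (\S+)\n(?:.*\n)*?notAfter=(.+)\n"
                     r"(?:.*\n)*?subject=.*?CN = (\S+)", re.M)
    out = []
    for svc, path, end, cn in pat.findall(text):
        when = datetime.strptime(end.strip(), "%b %d %H:%M:%S %Y GMT")
        out.append((svc, path, when.replace(tzinfo=timezone.utc), cn))
    return out

def stale_deployments(certbot_text, deployed_text):
    """Deployed certs that expire before a certbot lineage already
    issued for the same name: renewed on disk but never deployed."""
    lineages = parse_certbot(certbot_text)
    findings = []
    for svc, path, not_after, cn in parse_deployed(deployed_text):
        fresher = [(exp, name) for name, doms, exp in lineages
                   if cn in doms and exp > not_after]
        if fresher:
            exp, name = max(fresher)
            findings.append((svc, path, name, (exp - not_after).days))
    return findings
```

Each finding is (service, deployed file, fresher lineage, days of lag). Run from a scheduled job against the live listings, a non-empty result is the condition to alert on before the deployed certificate expires.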

   