I'm trying to deploy a Let's Encrypt SSL certificate according to this guide.
Run the following commands:
certbot certonly --preferred-chain "ISRG Root X1" -d [domain]
cp /etc/letsencrypt/live/[domain]/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
cp /etc/letsencrypt/live/[domain]/cert.pem /tmp
cp /etc/letsencrypt/live/[domain]/chain.pem /tmp
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key
Then verification
su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'
gives the following error:
** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
140636855592256:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' do not match.
What could be the problem?
Hi,
While I don't use that ACME client for LE, that guide should be updated to reflect that the certbot ACME client now defaults to certificate type ec-256 instead of RSA certificates, and zmcertmgr doesn't support that without a patch, at least with Zimbra, so perhaps it is the same thing here.
Add --key-type rsa when you issue your certificate.
I also wrote a deploy method for carbonio that I have been using that I referenced here: https://community.zextras.com/forum/postid/2986/
Note: acme.sh also changed their default, but we use --keylength 2048 to use RSA.
Ref: https://forums.zimbra.org/viewtopic.php?p=308088#p308088
BTW, they have been rewriting a lot, and Carbonio should support Let's Encrypt natively in the future, so this kind of stuff will get a lot easier.
Jim
You may have missed this part:
cp /etc/letsencrypt/live/mail.sampleserver.xyz/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
You may have missed this part:
It's the 2nd line in the commands block
If you do a cat /tmp/chain.pem,
is it composed of 2 blocks of code delimited by "-----BEGIN CERTIFICATE-----" -> "-----END CERTIFICATE-----"?
If there are 3 blocks, something went wrong (remove the 2nd).
Here is the solution:
https://forums.zimbra.org/viewtopic.php?t=69645#p301581
A modification of the file /opt/zextras/bin/zmcertmgr is needed:
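[....]
my $ssl = $self->Openssl;
# Digest of the private key's public half; "pkey -pubout" accepts RSA and EC keys.
my $keydg =
  # Original, RSA only:
  # $self->run("$ssl rsa -noout -modulus -in '$keyf' | $ssl sha256");
  $self->run("$ssl pkey -pubout -in '$keyf' | $ssl sha256");
# Digest of the certificate's public key, taken in the same form.
my $crtdg =
  # Original, RSA only:
  # $self->run("$ssl x509 -noout -modulus -in '$crtf' | $ssl sha256");
  $self->run("$ssl x509 -noout -pubkey -in '$crtf' | $ssl sha256");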
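Added example, not part of any post in this thread and not Carbonio or Zimbra code: a POSIX shell pre-flight that runs the checks discussed above on certbot output before calling zmcertmgr. It compares public keys independently of key type (the same idea as the patch), reports a non-RSA key, and counts the certificates in the chain file. The function names are hypothetical and it assumes openssl is on the PATH.

```sh
#!/bin/sh
# Added example: checks to run on certbot output before zmcertmgr verifycrt.
# Function names are hypothetical; file paths are passed in as arguments.

# Public-key algorithm named in the certificate,
# e.g. "rsaEncryption" or "id-ecPublicKey".
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Succeeds only if the private key ($1) and the certificate ($2) carry the
# same public key. Works for RSA and EC alike because it compares the
# SubjectPublicKeyInfo PEM rather than the RSA modulus.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Number of certificates in a PEM bundle.
chain_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# usage: preflight KEY CERT CHAIN
preflight() {
    if ! key_matches_cert "$1" "$2"; then
        echo "FAIL: private key and certificate do not share a public key"
        return 1
    fi
    alg=$(cert_key_algorithm "$2")
    if [ "$alg" != rsaEncryption ]; then
        echo "WARN: key algorithm is $alg; a modulus-based check expects RSA"
    fi
    n=$(chain_cert_count "$3")
    if [ "$n" -ne 2 ]; then
        echo "WARN: chain holds $n certificates; the thread expects 2"
    fi
    echo "OK: key matches certificate"
}

# Run the checks when called with three file arguments.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A WARN about the key algorithm together with OK means the files are consistent and only the RSA-specific comparison will reject them.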