Problem deploying L...
 
Notifications
Clear all

Problem deploying Let's Encrypt SSL certificate

6 Posts
4 Users
1 Likes
1,721 Views
(@regul8or)
Joined: 1 year ago
Posts: 5
Topic starter  

I'm trying to deploy Let's Encrypt SSL certificate according to this guide.

Run the following commands:

certbot certonly --preferred-chain "ISRG Root X1" -d [domain]
cp /etc/letsencrypt/live/[domain]/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
cp /etc/letsencrypt/live/[domain]/cert.pem /tmp
cp /etc/letsencrypt/live/[domain]/chain.pem /tmp
wget -O /tmp/ISRG-X1.pem  https://letsencrypt.org/certs/isrgrootx1.pem.txt 
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key

 Then verification

su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

gives the following error:

** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
140636855592256:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' do not match.

What could be a problem?


   
Quote
Jim Dunphy
(@jdunphy)
Joined: 6 years ago
Posts: 25
 

Hi,

While I don't use that acme client for LE, that guide should be updated to reflect that the certbot acme client now defaults to certificate type ec-256 from rsa certificates and zmcertmgr doesn't support that without a patch at least with zimbra so perhaps the same thing here. 

add  --key-type rsa when you issue your certificate 

I also wrote a deploy method for carbonio that I have been using that I referenced here: https://community.zextras.com/forum/postid/2986/  

Note: acme.sh also changed their default but we use --keylength 2048 to use RSA

Ref: https://forums.zimbra.org/viewtopic.php?p=308088#p308088

BTW, They have been rewriting a lot and Carbonio should support letsencrypt natively in the future so this kind of stuff will get a lot easier. 

Jim


   
ReplyQuote
dominix
(@dominix)
Joined: 11 years ago
Posts: 129
 
Posted by: @regul8or

I'm trying to deploy Let's Encrypt SSL certificate according to this guide.

Run the following commands:

certbot certonly --preferred-chain "ISRG Root X1" -d [domain]
cp /etc/letsencrypt/live/[domain]/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
cp /etc/letsencrypt/live/[domain]/cert.pem /tmp
cp /etc/letsencrypt/live/[domain]/chain.pem /tmp
wget -O /tmp/ISRG-X1.pem  https://letsencrypt.org/certs/isrgrootx1.pem.txt 
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key

 Then verification

su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

gives the following error:

** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
140636855592256:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' do not match.

What could be a problem?

you may have missed this part :

cp /etc/letsencrypt/live/mail.sampleserver.xyz/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key

   
ReplyQuote
(@regul8or)
Joined: 1 year ago
Posts: 5
Topic starter  
Posted by: @dominix

you may have missed this part :

It's the 2nd line in the commands block


   
ReplyQuote
dominix
(@dominix)
Joined: 11 years ago
Posts: 129
 

if you do a cat /tmp/chain.pem

is it composed of 2 block of code delimited by "-----BEGIN CERTIFICATE-----" -> "-----END CERTIFICATE-----"  ?

if there is 3 block, something went wrong (remove the 2nd).


   
ReplyQuote
(@marco-manenti)
Joined: 1 year ago
Posts: 2
 

Here the solution:

https://forums.zimbra.org/viewtopic.php?t=69645#p301581

modify of file /opt/zextras/bin/zmcertmgr needed

[....]

my $ssl = $self->Openssl;
my $keydg =
# $self->run("$ssl rsa -noout -modulus -in '$keyf' | $ssl sha256");
$self->run("$ssl pkey -pubout -in '$keyf' | $ssl sha256");
my $crtdg =
# $self->run("$ssl x509 -noout -modulus -in '$crtf' | $ssl sha256");
$self->run("$ssl x509 -noout -pubkey -in '$crtf' | $ssl sha256");


   
ReplyQuote