Hello,
I am trying to renew the letsencrypt certificate but it does not work, connections are always blocked with "Certificate expired".
I renew the cert with certbot and use the procedure from anahuac and end with deploying the certs, trace follows:
--------------------------------------------------------------------------------------------------------------------------------------------------------
/opt/zextras/bin/zmcertmgr deploycrt comm cert.pem zextras_ca.pem
** Verifying 'cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'zextras_ca.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Copying 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt'
** Appending ca chain 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Importing cert '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zextras/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.jpp.fr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.jpp.fr...ok
** Installing ldap certificate '/opt/zextras/conf/slapd.crt' and key '/opt/zextras/conf/slapd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/slapd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/slapd.key'
** Creating file '/opt/zextras/ssl/carbonio/jetty.pkcs12'
** Creating keystore '/opt/zextras/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zextras/conf/smtpd.crt' and key '/opt/zextras/conf/smtpd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/smtpd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/smtpd.key'
** Installing proxy certificate '/opt/zextras/conf/nginx.crt' and key '/opt/zextras/conf/nginx.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/nginx.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zextras/conf/ca'
** Removing /opt/zextras/conf/ca/daa2b876.0
** Removing /opt/zextras/conf/ca/commercial_ca_2.crt
** Removing /opt/zextras/conf/ca/ca.key
** Removing /opt/zextras/conf/ca/4042bcee.0
** Removing /opt/zextras/conf/ca/f84f46dc.0
** Removing /opt/zextras/conf/ca/commercial_ca_1.crt
** Removing /opt/zextras/conf/ca/ca.pem
** Removing /opt/zextras/conf/ca/commercial_ca_3.crt
** Removing /opt/zextras/conf/ca/aa578057.0
** Copying CA to /opt/zextras/conf/ca
** Copying '/opt/zextras/ssl/carbonio/ca/ca.key' to '/opt/zextras/conf/ca/ca.key'
** Copying '/opt/zextras/ssl/carbonio/ca/ca.pem' to '/opt/zextras/conf/ca/ca.pem'
** Creating CA hash symlink 'daa2b876.0' -> 'ca.pem'
** Creating /opt/zextras/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f84f46dc.0' -> 'commercial_ca_1.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'aa578057.0' -> 'commercial_ca_2.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
-------------------------------------------------------------------------------------------------------------------------------------------------------
but it does not work and nobody can connect... without the infamous message.
The certs are found in many files in /opt/zextras/... but even if I copy the "good" files and restart the machine it does not work.
What can I do?
Regards
JP P
Hello,
I re-verified the certs (list here):
- ldap: /opt/zextras/conf/slapd.crt
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
- mta: /opt/zextras/conf/smtpd.crt
- proxy: /opt/zextras/conf/nginx.crt
with: openssl x509 -in CERT_PATH -text -noout
And all are identical, with:
Validity
Not Before: Jun 10 13:23:44 2024 GMT
Not After : Sep 8 13:23:43 2024 GMT
But I always get that bloody message:
This server could not prove that it is "server_name"; its security certificate expired 3 days ago.
Where is that "bad" certificate located?
Regards
JP P
Hello,
I found the "bad" file:
/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and the key mail.jppozzi.dyndns.org.key.
The problem is that both files are "overwritten" on every reboot, and I don't know what they are generated from.
Does somebody know what files are used to create those two files?
Regards
Hello,
The certificate verification is OK:
/opt/zextras/libexec/zmcheckexpiredcerts -days 30 -verbose -mailto jpp@jpp.fr
ldap: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/slapd.crt' expires outside of 30 days (OK)
mailboxd: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/mailboxd/etc/mailboxd.pem' expires outside of 30 days (OK)
mta: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/smtpd.crt' expires outside of 30 days (OK)
proxy: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/nginx.crt' expires outside of 30 days (OK)
But when I try to connect to the web service I always get:
This server could not prove that it is mail.jppozzi.dyndns.org; its security certificate expired 13 days ago.
The file "/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt" and the key always end on 16/06/2024 and are renewed every day at 00:00, and that file is used in all nginx config files:
./includes/nginx.conf.mail.imaps: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imaps: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imaps: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.imap: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imap: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imap: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.web.admin: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.admin: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.admin: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3s: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3s: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3s: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.map.crt:mail.jppozzi.dyndns.org /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.https: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
From what files are those files copied?
Regards
JP P
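The pattern in this thread (zmcheckexpiredcerts reports every file under /opt/zextras/conf as valid while browsers still see an expired certificate) means the proxy is loading a file that the expiry check never looks at. The quickest way to settle which file is actually being served is to fingerprint the leaf certificate the TLS endpoint presents and compare it against each candidate file on disk, then list every path the nginx includes reference. The script below is an added example written for this purpose; it is not part of the thread and not a Carbonio tool. It assumes openssl is on the PATH, takes host, port and SNI name as arguments, uses the file paths named in the thread, and assumes the domaincerts file is named after the SNI name as it is in the thread (mail.jppozzi.dyndns.org.crt).

```shell
#!/bin/sh
# Added example (not from the thread): find out which certificate a TLS
# endpoint really presents and compare it with the certificate files on disk.
# Assumes openssl is installed; the /opt/zextras paths are the ones named in
# the thread, the host/port/SNI arguments are supplied by the operator.

set -u

# SHA-256 fingerprint of the first certificate in a PEM file (hex only).
cert_fingerprint() {  # file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter of the first certificate in a PEM file, e.g. "Sep  8 13:23:43 2024 GMT".
cert_not_after() {  # file
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fingerprint of the leaf certificate a server presents for a given SNI name.
# The SNI name matters: the proxy picks the domaincerts file by server_name.
served_fingerprint() {  # host port sni
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Distinct certificate paths referenced by ssl_certificate directives under DIR
# (ssl_certificate_key lines do not match because of the required whitespace).
nginx_cert_paths() {  # dir
    grep -rhoE 'ssl_certificate[[:space:]]+[^;[:space:]]+' "$1" \
        | awk '{print $2}' | sort -u
}

# For each on-disk candidate, report MATCH/DIFFERS against the served cert
# together with its notAfter, so an expired file stands out immediately.
compare_with_served() {  # host port sni file...
    host=$1; port=$2; sni=$3; shift 3
    served=$(served_fingerprint "$host" "$port" "$sni")
    echo "served by $host:$port (SNI $sni): $served"
    for f in "$@"; do
        [ -r "$f" ] || { echo "MISSING  $f"; continue; }
        fp=$(cert_fingerprint "$f")
        if [ "$fp" = "$served" ]; then status=MATCH; else status=DIFFERS; fi
        echo "$status  $f  notAfter=$(cert_not_after "$f")"
    done
}

# Usage: ./check_served_cert.sh mail.example.test 443 mail.example.test
if [ $# -ge 3 ]; then
    compare_with_served "$1" "$2" "$3" \
        /opt/zextras/conf/nginx.crt \
        /opt/zextras/conf/slapd.crt \
        /opt/zextras/conf/smtpd.crt \
        /opt/zextras/mailboxd/etc/mailboxd.pem \
        "/opt/zextras/conf/domaincerts/$3.crt"
    echo "certificate paths referenced by nginx includes:"
    nginx_cert_paths /opt/zextras/conf/nginx/includes
fi
```

A DIFFERS on nginx.crt together with a MATCH on the domaincerts file confirms the thread's diagnosis: the expiry checker only covers the four service certificates, not the per-domain file the proxy's server_name blocks point at. A file that comes back with old contents after every restart is being regenerated from another source of truth; on Zimbra-derived stacks that is typically the per-domain certificate stored on the domain object in LDAP (zimbraSSLCertificate / zimbraSSLPrivateKey), which is worth inspecting with zmprov before overriding proxy templates.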
Hello,
The only solution I found was to create a new file "nginx.conf.web.https.template" in the directory "/opt/zextras/conf/nginx/templates_custom", a copy of the same file in "/opt/zextras/conf/nginx/templates".
I modified lines 23/24:
ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};
to:
ssl_certificate /opt/zextras/conf/nginx.crt;
ssl_certificate_key /opt/zextras/conf/nginx.key;
Restarting the proxy: "zmproxyctl restart" and... the web app is OK, from the PC as well as from the iPhone application.
I hope this will help somebody.
I think that it is a small bug (?).
Regards
JP P
Hello,
It is very nice, not a single response to my problem... and now I can't access the admin web service...
Will try to find out by myself...