Problem with getting letsencrypt renewal

Myriad
(@myriad)
Eminent Member
Joined: 13 years ago
Posts: 38
 

You can try my method which works fine in my installation.


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

I am trying to renew the letsencrypt certificate, but it does not work; connections are always blocked with "Certificate expired".

I renew the cert with certbot and use the procedure from anahuac, ending with deploying the certs; the trace follows:

--------------------------------------------------------------------------------------------------------------------------------------------------------

/opt/zextras/bin/zmcertmgr deploycrt comm cert.pem zextras_ca.pem
** Verifying 'cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'zextras_ca.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Copying 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt'
** Appending ca chain 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Importing cert '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zextras/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.jpp.fr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.jpp.fr...ok
** Installing ldap certificate '/opt/zextras/conf/slapd.crt' and key '/opt/zextras/conf/slapd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/slapd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/slapd.key'
** Creating file '/opt/zextras/ssl/carbonio/jetty.pkcs12'
** Creating keystore '/opt/zextras/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zextras/conf/smtpd.crt' and key '/opt/zextras/conf/smtpd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/smtpd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/smtpd.key'
** Installing proxy certificate '/opt/zextras/conf/nginx.crt' and key '/opt/zextras/conf/nginx.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/nginx.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zextras/conf/ca'
** Removing /opt/zextras/conf/ca/daa2b876.0
** Removing /opt/zextras/conf/ca/commercial_ca_2.crt
** Removing /opt/zextras/conf/ca/ca.key
** Removing /opt/zextras/conf/ca/4042bcee.0
** Removing /opt/zextras/conf/ca/f84f46dc.0
** Removing /opt/zextras/conf/ca/commercial_ca_1.crt
** Removing /opt/zextras/conf/ca/ca.pem
** Removing /opt/zextras/conf/ca/commercial_ca_3.crt
** Removing /opt/zextras/conf/ca/aa578057.0
** Copying CA to /opt/zextras/conf/ca
** Copying '/opt/zextras/ssl/carbonio/ca/ca.key' to '/opt/zextras/conf/ca/ca.key'
** Copying '/opt/zextras/ssl/carbonio/ca/ca.pem' to '/opt/zextras/conf/ca/ca.pem'
** Creating CA hash symlink 'daa2b876.0' -> 'ca.pem'
** Creating /opt/zextras/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f84f46dc.0' -> 'commercial_ca_1.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'aa578057.0' -> 'commercial_ca_2.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'

-------------------------------------------------------------------------------------------------------------------------------------------------------

But it does not work, and nobody can connect without getting the infamous message.

The certs are found in many files in /opt/zextras/, but even if I copy the "good" files and restart the machine, it does not work.

What can I do?

 

Regards

JP P


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

I re-verified the certs (listed here):

- ldap: /opt/zextras/conf/slapd.crt
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
- mta: /opt/zextras/conf/smtpd.crt
- proxy: /opt/zextras/conf/nginx.crt

with: openssl x509 -in CERT_PATH -text -noout

All are identical, with:

Validity
Not Before: Jun 10 13:23:44 2024 GMT
Not After : Sep 8 13:23:43 2024 GMT

But I always get that bloody message:

This server could not prove that it is "server_name"; its security certificate expired 3 days ago.

Where is that "bad" certificate located?

Regards

JP P


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

I found the "bad" file:

/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and the key mail.jppozzi.dyndns.org.key.

The problem is that both files are "overwritten" on every reboot, and I don't know what they are generated from.

Does somebody know what files are used to create those two files?

Regards


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

The certificate verification is OK:

/opt/zextras/libexec/zmcheckexpiredcerts -days 30 -verbose -mailto jpp@jpp.fr
ldap: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/slapd.crt' expires outside of 30 days (OK)
mailboxd: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/mailboxd/etc/mailboxd.pem' expires outside of 30 days (OK)
mta: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/smtpd.crt' expires outside of 30 days (OK)
proxy: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/nginx.crt' expires outside of 30 days (OK)

But when I try to connect to the web service I always get:

This server could not prove that it is mail.jppozzi.dyndns.org; its security certificate expired 13 days ago. 

The file /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and its key always end on 16/06/2024 and are regenerated every day at 00:00, and that file is used in all nginx config files:

./includes/nginx.conf.mail.imaps: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imaps: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imaps: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.imap: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imap: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imap: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.web.admin: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.admin: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.admin: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3s: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3s: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3s: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.map.crt:mail.jppozzi.dyndns.org /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.https: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;

From what files are those files copied?

 

Regards

JP P

 


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

The only solution I found was to create a new file "nginx.conf.web.https.template" in the directory "/opt/zextras/conf/nginx/templates_custom", a copy of the same file in "/opt/zextras/conf/nginx/templates".

I modified lines 23/24:

ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};

to:

ssl_certificate /opt/zextras/conf/nginx.crt;
ssl_certificate_key /opt/zextras/conf/nginx.key;

Restarting the proxy with "zmproxyctl restart" and ... the web app is OK, from the PC as well as from the iPhone application.

I hope this will help somebody.

I think that it is a small bug (?).

Regards

JP P
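The posts above show the failure mode that makes this thread instructive: every file-level check (zmcertmgr, zmcheckexpiredcerts, openssl x509 on slapd.crt, smtpd.crt, nginx.crt) passed, while the proxy's generated nginx includes pointed at a different, regenerated file under /opt/zextras/conf/domaincerts. The script below is an added example written for this page, not Carbonio's or Zextras' own tooling. It lists the certificate files that the generated nginx includes actually reference, compares each one's SHA-256 fingerprint with the certificate deployed by zmcertmgr, flags any that openssl reports as expired, and can also fingerprint what the proxy serves on the wire so the on-disk and on-the-wire views can be compared. The directory and file paths are the ones quoted in the posts; the hostname, the port and the `run` argument are assumptions. It only needs POSIX sh, grep, awk, sed and openssl.

```shell
#!/bin/sh
# Added example (not project code): audit which certificates the Carbonio proxy
# really loads and compare them with the one zmcertmgr deployed.
# Paths below come from the thread; override via environment if yours differ.
NGINX_CONF_DIR="${NGINX_CONF_DIR:-/opt/zextras/conf/nginx/includes}"
DEPLOYED_CRT="${DEPLOYED_CRT:-/opt/zextras/ssl/carbonio/commercial/commercial.crt}"
PROXY_HOST="${PROXY_HOST:-mail.example.com}"   # assumption: replace with your server_name
PROXY_PORT="${PROXY_PORT:-443}"

# Print every distinct path named by an "ssl_certificate" directive in the
# files under $1. The trailing [[:space:]] keeps ssl_certificate_key out, and
# the nginx.conf.map.crt map entries use a different syntax, so they are not
# picked up here. Paths containing spaces are not expected in this layout.
list_nginx_cert_paths() {
    grep -rh -E '^[[:space:]]*ssl_certificate[[:space:]]' "$1" 2>/dev/null \
      | awk '{ sub(/;.*$/, "", $2); print $2 }' \
      | sort -u
}

# SHA-256 fingerprint of a PEM certificate file: lower-case hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
      | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# notAfter of a PEM certificate file, as printed by openssl.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fingerprint of the leaf certificate the proxy serves for SNI $1 on port $2.
# This is the view the browser in the thread complained about.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 \
      | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Compare every configured certificate ($1 = includes dir) with the deployed
# one ($2). Returns 1 if any file is missing, expired, or a different cert.
audit_proxy_certs() {
    dir=$1; deployed=$2; rc=0
    want=$(cert_fingerprint "$deployed")
    for crt in $(list_nginx_cert_paths "$dir"); do
        if [ ! -r "$crt" ]; then
            echo "MISSING  $crt"; rc=1; continue
        fi
        got=$(cert_fingerprint "$crt")
        # -checkend 0: non-zero exit means the certificate has already expired.
        if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
            echo "EXPIRED  $crt (notAfter=$(cert_not_after "$crt"))"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $crt is not the certificate in $deployed"; rc=1
        else
            echo "OK       $crt"
        fi
    done
    return $rc
}

# Run the full audit only when invoked as "./audit.sh run", so the functions
# can also be sourced from another script.
case "${1:-}" in
    run)
        audit_proxy_certs "$NGINX_CONF_DIR" "$DEPLOYED_CRT"; rc=$?
        echo "deployed: $(cert_fingerprint "$DEPLOYED_CRT")"
        echo "served:   $(served_fingerprint "$PROXY_HOST" "$PROXY_PORT")"
        exit $rc
        ;;
esac
```

In the situation described above this would have printed a MISMATCH (or EXPIRED) line for /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt while every other path reported OK, and the "served" fingerprint would have matched that file rather than commercial.crt. Running it from cron after each renewal turns the silent template problem into an alert, and it stays useful after the templates_custom fix as a regression check.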


 jppo
(@jppo)
Eminent Member
Joined: 2 years ago
Posts: 69
Topic starter  

Hello,

It is very nice, not a single response to my problem .... and now I can't access the admin web service ...

Will try to find out by myself ...

 


(@liopardo)
New Member
Joined: 11 months ago
Posts: 5
 

@sharif 

Hi, and thank you for your great job.

Certbot.timer postponed the renewal by a few hours each time without ever doing it.

So I successfully forced a cert renewal very close to expiry.

After reboot the certs are renewed, and if I input zmcontrol status I obtain: certbot.timer Stopped

and if I input systemctl status carbonio-certbot.service I get:

○ carbonio-certbot.service - Renew certificates acquired via Carbonio Certbot
Loaded: loaded (/lib/systemd/system/carbonio-certbot.service; static)
Active: inactive (dead)
TriggeredBy: ● carbonio-certbot.timer
Docs: https://eff-certbot.readthedocs.io/en/stable/

What's wrong?

Thanks

Fabio


(@sharif)
Reputable Member Admin
Joined: 3 years ago
Posts: 693
 

@liopardo 

Hi,

Try this:

  • Start the timer
  • Enable it (if needed)
  • See the status

For example:

root@mail:~# systemctl start carbonio-certbot.timer
root@mail:~# systemctl enable carbonio-certbot.timer

&

root@mail:~# systemctl status carbonio-certbot.timer
● carbonio-certbot.timer - Run Carbonio Certbot twice daily
     Loaded: loaded (/lib/systemd/system/carbonio-certbot.timer; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2025-04-15 17:47:48 +06; 24h ago
    Trigger: n/a
   Triggers: ● carbonio-certbot.service

Apr 15 17:47:48 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# systemctl list-timers carbonio-certbot.timer
NEXT                        LEFT    LAST                        PASSED  UNIT                   ACTIVATES
Thu 2025-04-17 02:53:23 +06 8h left Wed 2025-04-16 18:20:03 +06 28s ago carbonio-certbot.timer carbonio-certbot.service

1 timers listed.
Pass --all to see loaded but inactive timers, too.
root@mail:~#
root@mail:~#
root@mail:~#
root@mail:~# journalctl -u carbonio-certbot.timer
Apr 11 21:58:33 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
Apr 15 17:43:09 mail.demo-carbonioce.com systemd[1]: carbonio-certbot.timer: Deactivated successfully.
Apr 15 17:43:09 mail.demo-carbonioce.com systemd[1]: Stopped Run Carbonio Certbot twice daily.
-- Boot b6fe48d3b61a4cba9e8beef3fabb8249 --
Apr 15 17:47:48 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail:~#

 


(@liopardo)
New Member
Joined: 11 months ago
Posts: 5
 

@sharif 

root@mail ~ #
root@mail ~ # systemctl start carbonio-certbot.timer
root@mail ~ # systemctl enable carbonio-certbot.timer
root@mail ~ #
root@mail ~ #
root@mail ~ # systemctl status carbonio-certbot.timer
● carbonio-certbot.timer - Run Carbonio Certbot twice daily
Loaded: loaded (/lib/systemd/system/carbonio-certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2025-04-16 09:09:39 UTC; 3h 35min ago
Trigger: Thu 2025-04-17 09:49:10 UTC; 21h left
Triggers: ● carbonio-certbot.service

Apr 16 09:09:39 mail.liopardo.eu systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail ~ #
root@mail ~ #
root@mail ~ #
root@mail ~ # systemctl list-timers carbonio-certbot.timer
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2025-04-17 09:49:10 UTC 21h left Wed 2025-04-16 12:13:21 UTC 32min ago carbonio-certbot.timer carbonio-certbot.service

1 timers listed.
Pass --all to see loaded but inactive timers, too.
root@mail ~ #
root@mail ~ #
root@mail ~ #
root@mail ~ # journalctl -u carbonio-certbot.timer
Apr 16 09:04:45 mail.liopardo.eu systemd[1]: carbonio-certbot.timer: Deactivated successfully.
Apr 16 09:04:45 mail.liopardo.eu systemd[1]: Stopped Run Carbonio Certbot twice daily.
-- Boot b3cb5f938a8041a4b9c4611d8d61cbc9 --
Apr 16 09:09:39 mail.liopardo.eu systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail ~ #
root@mail ~ #
root@mail ~ # su zextras
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

zextras@mail:/root$ zmcontrol status
Host mail.liopardo.eu
amavis Running
antispam Running
antivirus Running
cbpolicyd Running
certbot.timer Stopped
directory-server Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
service-discover Running
stats Running
config service Running


(@sharif)
Reputable Member Admin
Joined: 3 years ago
Posts: 693
 

@liopardo 

Hi,

Now it should work. Let us know how it goes.


(@liopardo)
New Member
Joined: 11 months ago
Posts: 5
 

@sharif 

Thanks for the reply. I'll be able to check later.

But do you think that it doesn't affect the correct functioning of the renewal that zmcontrol status shows

certbot.timer Stopped

Thanks

Fabio


(@sharif)
Reputable Member Admin
Joined: 3 years ago
Posts: 693
 

@liopardo

Hi,

I can understand your concern; hence it needs further investigation to conclude anything. Let's see. 😊

