Hello,
I am trying to renew the letsencrypt certificate but it does not work, connections are always blocked with "Certificate expired".
I renewed the cert with certbot, used the procedure from anahuac and ended with deploying the certs; the trace follows:
--------------------------------------------------------------------------------------------------------------------------------------------------------
/opt/zextras/bin/zmcertmgr deploycrt comm cert.pem zextras_ca.pem
** Verifying 'cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'zextras_ca.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Copying 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt'
** Appending ca chain 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Importing cert '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zextras/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.jpp.fr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.jpp.fr...ok
** Installing ldap certificate '/opt/zextras/conf/slapd.crt' and key '/opt/zextras/conf/slapd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/slapd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/slapd.key'
** Creating file '/opt/zextras/ssl/carbonio/jetty.pkcs12'
** Creating keystore '/opt/zextras/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zextras/conf/smtpd.crt' and key '/opt/zextras/conf/smtpd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/smtpd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/smtpd.key'
** Installing proxy certificate '/opt/zextras/conf/nginx.crt' and key '/opt/zextras/conf/nginx.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/nginx.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zextras/conf/ca'
** Removing /opt/zextras/conf/ca/daa2b876.0
** Removing /opt/zextras/conf/ca/commercial_ca_2.crt
** Removing /opt/zextras/conf/ca/ca.key
** Removing /opt/zextras/conf/ca/4042bcee.0
** Removing /opt/zextras/conf/ca/f84f46dc.0
** Removing /opt/zextras/conf/ca/commercial_ca_1.crt
** Removing /opt/zextras/conf/ca/ca.pem
** Removing /opt/zextras/conf/ca/commercial_ca_3.crt
** Removing /opt/zextras/conf/ca/aa578057.0
** Copying CA to /opt/zextras/conf/ca
** Copying '/opt/zextras/ssl/carbonio/ca/ca.key' to '/opt/zextras/conf/ca/ca.key'
** Copying '/opt/zextras/ssl/carbonio/ca/ca.pem' to '/opt/zextras/conf/ca/ca.pem'
** Creating CA hash symlink 'daa2b876.0' -> 'ca.pem'
** Creating /opt/zextras/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f84f46dc.0' -> 'commercial_ca_1.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'aa578057.0' -> 'commercial_ca_2.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'
-------------------------------------------------------------------------------------------------------------------------------------------------------
but it does not work and nobody can connect .... without the infamous message.
The certs are found in many files in /opt/zextras/ .... but even if I copy the "good" files and restart the machine, it does not work.
What can I do?
Regards
JP P
Hello,
I re-verified the certs (listed here):
- ldap: /opt/zextras/conf/slapd.crt
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
- mta: /opt/zextras/conf/smtpd.crt
- proxy: /opt/zextras/conf/nginx.crt
with: openssl x509 -in CERT_PATH -text -noout
And all are identical, with:
Validity
Not Before: Jun 10 13:23:44 2024 GMT
Not After : Sep 8 13:23:43 2024 GMT
But I always get that bloody message:
This server could not prove that it is "server_name"; its security certificate expired 3 days ago.
Where is that "bad" certificate located?
Regards
JP P
Hello,
I found the "bad" file:
/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and the key mail.jppozzi.dyndns.org.key.
The problem is that both files are "overwritten" on every reboot, and I don't know what they are generated from.
Does somebody know what files are used to create those two files?
Regards
Hello,
The certificate verification is OK:
/opt/zextras/libexec/zmcheckexpiredcerts -days 30 -verbose -mailto jpp@jpp.fr
ldap: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/slapd.crt' expires outside of 30 days (OK)
mailboxd: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/mailboxd/etc/mailboxd.pem' expires outside of 30 days (OK)
mta: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/smtpd.crt' expires outside of 30 days (OK)
proxy: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/nginx.crt' expires outside of 30 days (OK)
But when I try to connect to the web service I always get:
This server could not prove that it is mail.jppozzi.dyndns.org; its security certificate expired 13 days ago.
The file /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt (and its key) always ends on 16/06/2024 and is renewed every day at 00:00, and that file is used in all nginx config files:
./includes/nginx.conf.mail.imaps: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imaps: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imaps: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.imap: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imap: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imap: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.web.admin: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.admin: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.admin: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3s: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3s: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3s: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.map.crt:mail.jppozzi.dyndns.org /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.https: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
From what files are those files copied?
Regards
JP P
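The mismatch above (the standard expiry check reports the four service certs as fine while the proxy actually serves a different file under /opt/zextras/conf/domaincerts) can be caught by reconciling what the nginx includes reference with what is monitored. The following is an added example, not code from the thread or from Carbonio; the grep-style nginx output, the hostname and the notAfter dates are constructed to mirror the thread, and the four monitored paths are the ones zmcheckexpiredcerts printed above.

```python
import re
from datetime import datetime, timezone

# Certificate files the standard expiry check reports on (from the thread).
MONITORED = {
    "/opt/zextras/conf/slapd.crt",
    "/opt/zextras/mailboxd/etc/mailboxd.pem",
    "/opt/zextras/conf/smtpd.crt",
    "/opt/zextras/conf/nginx.crt",
}

# Constructed sample of "grep -r ssl_certificate ./includes" style output,
# including the domain-to-cert map file, in the shape the thread shows.
NGINX_GREP = """\
./includes/nginx.conf.web.https: server_name mail.example.test;
./includes/nginx.conf.web.https: ssl_certificate /opt/zextras/conf/domaincerts/mail.example.test.crt;
./includes/nginx.conf.web.https: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.example.test.key;
./includes/nginx.conf.map.crt:mail.example.test /opt/zextras/conf/domaincerts/mail.example.test.crt;
./includes/nginx.conf.web.admin: ssl_certificate /opt/zextras/conf/nginx.crt;
"""

# Constructed sample: notAfter values as 'openssl x509 -enddate' prints them.
NOT_AFTER = {
    "/opt/zextras/conf/nginx.crt": "Sep  8 13:23:43 2024 GMT",
    "/opt/zextras/conf/domaincerts/mail.example.test.crt": "Jun 16 00:00:00 2024 GMT",
}

# Matches 'ssl_certificate <path>;' (not ssl_certificate_key) and map entries.
CERT_RE = re.compile(r"(?:ssl_certificate\s+|nginx\.conf\.map\.crt:\S+\s+)(/\S+);")


def served_certs(grep_output):
    """Every certificate path the proxy includes actually reference."""
    return set(CERT_RE.findall(grep_output))


def parse_not_after(value):
    """Parse openssl's notAfter text ('Sep  8 13:23:43 2024 GMT') as UTC."""
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def audit(grep_output, not_after, now):
    """Return (unmonitored, expired, unknown) sets of served cert paths."""
    served = served_certs(grep_output)
    unmonitored = served - MONITORED
    unknown = {p for p in served if p not in not_after}
    expired = {p for p in served - unknown if parse_not_after(not_after[p]) <= now}
    return unmonitored, expired, unknown
```

Running audit(NGINX_GREP, NOT_AFTER, now) with a constructed "now" of 19 June 2024 flags the domaincerts file as both unmonitored and expired while nginx.crt passes, which is exactly the blind spot the thread ran into.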
Hello,
The only solution I found was to create a new file "nginx.conf.web.https.template" in the directory "/opt/zextras/conf/nginx/templates_custom", a copy of the same file in "/opt/zextras/conf/nginx/templates".
I modified lines 23/24:
ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};
to:
ssl_certificate /opt/zextras/conf/nginx.crt;
ssl_certificate_key /opt/zextras/conf/nginx.key;
After restarting the proxy ("zmproxyctl restart") ... the web app is OK, from PC as well as from the iPhone application.
I hope this will help somebody.
I think that it is a small bug (?).
Regards
JP P
Hello,
It is very nice, not a single response to my problem .... and now I can't access the admin web service ...
Will try to find it by myself ...
Hi and thank you for your great job.
Certbot.timer each time postponed the renewal by a few hours without ever doing it.
So I successfully forced the cert renewal very close to expiry.
After reboot the certs are renewed, and if I input zmcontrol status I get certbot.timer Stopped,
and if I input systemctl status carbonio-certbot.service I get:
○ carbonio-certbot.service - Renew certificates acquired via Carbonio Certbot
Loaded: loaded (/lib/systemd/system/carbonio-certbot.service; static)
Active: inactive (dead)
TriggeredBy: ● carbonio-certbot.timer
Docs: https://eff-certbot.readthedocs.io/en/stable/
What's wrong?
Thanks
Fabio
Hi,
Try this:
- Start the timer
- Enable it (if needed)
- See the status
For example:
root@mail:~# systemctl start carbonio-certbot.timer
root@mail:~# systemctl enable carbonio-certbot.timer
&
root@mail:~# systemctl status carbonio-certbot.timer
● carbonio-certbot.timer - Run Carbonio Certbot twice daily
Loaded: loaded (/lib/systemd/system/carbonio-certbot.timer; enabled; vendor preset: enabled)
Active: active (running) since Tue 2025-04-15 17:47:48 +06; 24h ago
Trigger: n/a
Triggers: ● carbonio-certbot.service
Apr 15 17:47:48 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail:~#
root@mail:~# systemctl list-timers carbonio-certbot.timer
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2025-04-17 02:53:23 +06 8h left Wed 2025-04-16 18:20:03 +06 28s ago carbonio-certbot.timer carbonio-certbot.service
1 timers listed.
Pass --all to see loaded but inactive timers, too.
root@mail:~#
root@mail:~# journalctl -u carbonio-certbot.timer
Apr 11 21:58:33 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
Apr 15 17:43:09 mail.demo-carbonioce.com systemd[1]: carbonio-certbot.timer: Deactivated successfully.
Apr 15 17:43:09 mail.demo-carbonioce.com systemd[1]: Stopped Run Carbonio Certbot twice daily.
-- Boot b6fe48d3b61a4cba9e8beef3fabb8249 --
Apr 15 17:47:48 mail.demo-carbonioce.com systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail:~#
root@mail ~ #
root@mail ~ # systemctl start carbonio-certbot.timer
root@mail ~ # systemctl enable carbonio-certbot.timer
root@mail ~ #
root@mail ~ #
root@mail ~ # systemctl status carbonio-certbot.timer
● carbonio-certbot.timer - Run Carbonio Certbot twice daily
Loaded: loaded (/lib/systemd/system/carbonio-certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Wed 2025-04-16 09:09:39 UTC; 3h 35min ago
Trigger: Thu 2025-04-17 09:49:10 UTC; 21h left
Triggers: ● carbonio-certbot.service
Apr 16 09:09:39 mail.liopardo.eu systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail ~ #
root@mail ~ #
root@mail ~ #
root@mail ~ # systemctl list-timers carbonio-certbot.timer
NEXT LEFT LAST PASSED UNIT ACTIVATES
Thu 2025-04-17 09:49:10 UTC 21h left Wed 2025-04-16 12:13:21 UTC 32min ago carbonio-certbot.timer carbonio-certbot.service
1 timers listed.
Pass --all to see loaded but inactive timers, too.
root@mail ~ #
root@mail ~ #
root@mail ~ #
root@mail ~ # journalctl -u carbonio-certbot.timer
Apr 16 09:04:45 mail.liopardo.eu systemd[1]: carbonio-certbot.timer: Deactivated successfully.
Apr 16 09:04:45 mail.liopardo.eu systemd[1]: Stopped Run Carbonio Certbot twice daily.
-- Boot b3cb5f938a8041a4b9c4611d8d61cbc9 --
Apr 16 09:09:39 mail.liopardo.eu systemd[1]: Started Run Carbonio Certbot twice daily.
root@mail ~ #
root@mail ~ #
root@mail ~ # su zextras
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
zextras@mail:/root$ zmcontrol status
Host mail.liopardo.eu
amavis Running
antispam Running
antivirus Running
cbpolicyd Running
certbot.timer Stopped
directory-server Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
service-discover Running
stats Running
config service Running
Thanks for the reply. I'll be able to check later.
But do you think it doesn't affect correct renewal functioning that zmcontrol status shows
certbot.timer Stopped
Thanks
Fabio
@liopardo
Hi,
I can understand your concern, hence it needs further investigation to conclude anything. Let's see. 😊