Problem with gettin...
 
Notifications
Clear all

Problem with getting letsencrypt renewal

21 Posts
7 Users
1 Reactions
696 Views
Myriad
(@myriad)
Joined: 13 years ago
Posts: 28
 

You can try my method which works fine in my installation.


   
ReplyQuote
 jppo
(@jppo)
Joined: 10 months ago
Posts: 30
Topic starter  

Hello,

I am trying to renew the letsencrypt certificate but it does not work, connections are always blocked with "Certificate expired".

I renew the cert with certbot and use the procédure from anahuac and end with deploying the certs, trace follow :

--------------------------------------------------------------------------------------------------------------------------------------------------------

/opt/zextras/bin/zmcertmgr deploycrt comm cert.pem zextras_ca.pem
** Verifying 'cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'zextras_ca.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Copying 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt'
** Appending ca chain 'zextras_ca.pem' to '/opt/zextras/ssl/carbonio/commercial/commercial.crt'
** Importing cert '/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zextras/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.jpp.fr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.jpp.fr...ok
** Installing ldap certificate '/opt/zextras/conf/slapd.crt' and key '/opt/zextras/conf/slapd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/slapd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/slapd.key'
** Creating file '/opt/zextras/ssl/carbonio/jetty.pkcs12'
** Creating keystore '/opt/zextras/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zextras/conf/smtpd.crt' and key '/opt/zextras/conf/smtpd.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/smtpd.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/smtpd.key'
** Installing proxy certificate '/opt/zextras/conf/nginx.crt' and key '/opt/zextras/conf/nginx.key'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.crt' to '/opt/zextras/conf/nginx.crt'
** Copying '/opt/zextras/ssl/carbonio/commercial/commercial.key' to '/opt/zextras/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zextras/conf/ca'
** Removing /opt/zextras/conf/ca/daa2b876.0
** Removing /opt/zextras/conf/ca/commercial_ca_2.crt
** Removing /opt/zextras/conf/ca/ca.key
** Removing /opt/zextras/conf/ca/4042bcee.0
** Removing /opt/zextras/conf/ca/f84f46dc.0
** Removing /opt/zextras/conf/ca/commercial_ca_1.crt
** Removing /opt/zextras/conf/ca/ca.pem
** Removing /opt/zextras/conf/ca/commercial_ca_3.crt
** Removing /opt/zextras/conf/ca/aa578057.0
** Copying CA to /opt/zextras/conf/ca
** Copying '/opt/zextras/ssl/carbonio/ca/ca.key' to '/opt/zextras/conf/ca/ca.key'
** Copying '/opt/zextras/ssl/carbonio/ca/ca.pem' to '/opt/zextras/conf/ca/ca.pem'
** Creating CA hash symlink 'daa2b876.0' -> 'ca.pem'
** Creating /opt/zextras/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'f84f46dc.0' -> 'commercial_ca_1.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'aa578057.0' -> 'commercial_ca_2.crt'
** Creating /opt/zextras/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_3.crt'

-------------------------------------------------------------------------------------------------------------------------------------------------------

but it does not work and nobody can connect .... without the infamous message.

The certs are found in many files in /opt/zextras/ .... but even if I copy the "good" files and restart the machine it does not work.

What can I do.

 

Regards

JP P


   
ReplyQuote
 jppo
(@jppo)
Joined: 10 months ago
Posts: 30
Topic starter  

Hello,

I reverify the certs (list here) :

- ldap: /opt/zextras/conf/slapd.crt
- mailboxd: /opt/zextras/mailboxd/etc/mailboxd.pem
- mta: /opt/zextras/conf/smtpd.crt
- proxy: /opt/zextras/conf/nginx.crt

with : openssl x509 -in CERT_PATH -text -noout

And all are identical and with :

Validity
Not Before: Jun 10 13:23:44 2024 GMT
Not After : Sep 8 13:23:43 2024 GMT

But I get always that bloody message :

This server could not prove that it is "server_name"; its security certificate expired 3 days ago.

Where is that "bad" certificate located ?

Regards

JP P


   
ReplyQuote
 jppo
(@jppo)
Joined: 10 months ago
Posts: 30
Topic starter  

Hello,

I find the "bad" file :

/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and the key mail.jppozzi.dyndns.org.key.

the problem is that both files are "overwritten" on every reboot. and I don't know with what they are done.

Dose somebody know what files are used to create that two files.

Regards


   
ReplyQuote
 jppo
(@jppo)
Joined: 10 months ago
Posts: 30
Topic starter  

Hello,

The certificate verification is OK :

/opt/zextras/libexec/zmcheckexpiredcerts -days 30 -verbose -mailto jpp@jpp.fr
ldap: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/slapd.crt' expires outside of 30 days (OK)
mailboxd: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/mailboxd/etc/mailboxd.pem' expires outside of 30 days (OK)
mta: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/smtpd.crt' expires outside of 30 days (OK)
proxy: notAfter=Sep 8 13:23:43 2024 GMT '/opt/zextras/conf/nginx.crt' expires outside of 30 days (OK)

But when I try to connect to the web service I get always :

This server could not prove that it is mail.jppozzi.dyndns.org; its security certificate expired 13 days ago. 

The file "/opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt and the key" are always ending on 16/06/2024 and renewed every day at 00:00 and that file is used in all nginx config files :

./includes/nginx.conf.mail.imaps: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imaps: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imaps: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.imap: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.imap: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.imap: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.web.admin: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.admin: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.admin: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.mail.pop3s: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.mail.pop3s: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.mail.pop3s: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;
./includes/nginx.conf.map.crt:mail.jppozzi.dyndns.org /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: server_name mail.jppozzi.dyndns.org;
./includes/nginx.conf.web.https: ssl_certificate /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.crt;
./includes/nginx.conf.web.https: ssl_certificate_key /opt/zextras/conf/domaincerts/mail.jppozzi.dyndns.org.key;

From what files are that files copied ?

 

Regards

JP P

 


   
ReplyQuote
 jppo
(@jppo)
Joined: 10 months ago
Posts: 30
Topic starter  

Hello,

The only solution I find was to create a new file "nginx.conf.web.https.template" in the directoey "/opt/zextras/conf/nginx/templates_custom" copy of the same file in "/opt/zextras/conf/nginx/templates".

I modify the lines (23/24) :

ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};

to :

ssl_certificate /opt/zextras/conf/nginx.crt;
ssl_certificate_key /opt/zextras/conf/nginx.key;

Restarting the proxy : "zmproxyctl restart" and ... the web app is OK, from PC as from the Iphone application.

I hope this will help somebody.

I think that it is a small bug (?).

Regards

JP P


   
ReplyQuote
Page 2 / 2