Carbonio 23.9.0 adm...
 
Notifications
Clear all

[Solved] Carbonio 23.9.0 admin panel trying to get a Let's Encrypt Certificate

45 Posts
6 Users
2 Reactions
3,785 Views
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

@anahuac

I always try to test on the latest version, so this time it was 23.9.

What Carbonio does afterwards I have no idea 🙂 The procedure written in the docs is complete as is, I do not think there's something more to do. The change in the docs, compared to the previous version, are in the requirements: step 7 and the reload commands at the end of the box.


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

Posted by: @stefanodavid

@rwebb616 We have updated last week the guidelines on the docs, testing them successfully in the process. Can you please check if it works for you and report back if you still have any issues? 

https://docs.zextras.com/carbonio-ce/html/adminpanel/domains.html#procedure-to-install-a-let-s-encrypt-certificate

 

I followed these instructions and get the same error.  My issue is really SSH related though - not sure what the system is trying to do with SSH - it's a single server install.  From the error it looks like it's trying to SSH to itself as the zextras user. 

 


   
ReplyQuote
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

@rwebb616 I can only inform our developers, because this is beyond my experience. Sorry for the problems 🙁


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

I'm seeing a similar issue here on Zimbra - it's old but possibly relevant - I'm going to work through this thread and see if I can fix it.  https://forums.zimbra.org/viewtopic.php?t=36426

It shows a command to test the SSH auth.


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

Should the Zextras linux account have a password? I don't remember seeing anywhere about setting or changing that? I just always su to it from root.


   
ReplyQuote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

@rwebb616 no zextras account should not have a password


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

Posted by: @anahuac

@rwebb616 no zextras account should not have a password

Ok so I tried to ssh back to the server using the zimbra_identity file and saw in the /var/log/auth.log that the zextras account was locked.  Went to do a passwd -u zextras it tells me that there is no password set for the account.  To unlock the account set a password using usermod -p . 

So just to try it I set a password, unlocked the account and corrected the authorized_keys file so that I could ssh in with putty and once I could do that then the ssh command worked.  I then tried my certificate and it got further but still failed.  

 

 


   
ReplyQuote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

@stefanodavid I see...

Well.... on a regular manner, when we deploy those certificate manually, after certobot runs we get the certificate, those are the steps:

1 - concatenate Let's Encrypt root AC chain into chain.pem file

2 - concatenate cert.pem and chain.pem into cert.bundle file

3 - fix permissions (ofc)

4 - use the command below to actually save the certificates in LDAP and in /opt/zextras/conf/domaincerts/

zmdomaincertmgr savecrt your_domain cert.bundle privkey.pem

5 - deploy new certificate running

zmdomaincertmgr deploycrts

Only after that is when you run zmproxyconfgen and zmproxyctl

So, as you can see there are few steps Carbonio UI is doing to get that certificate setup

In 23.9.0 all is done and is working as expected... but not in 23.7.0... that's why I'm asking


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

Now when I generate the certificate I'm getting an error back from the CA stating that it can't download the challenge response.  I checked in the .well_known/acme-challenge directory and it's empty.  

This is very odd - I figured getting the SSH part working would resolve the other issues.  This was a clean install of Carbonio so I don't know why all these issues are cropping up.  Only thing I can think of is I am using multiple domains on this machine where maybe others are not but seems like that would have all been tested as well. 


   
ReplyQuote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

@rwebb616 take a look at this tutorial.... maybe it helps

Let’s Encrypt on Carbonio – Easy as never before


   
ReplyQuote
(@rwebb616)
Joined: 9 years ago
Posts: 59
Topic starter  

Posted by: @anahuac

@rwebb616 take a look at this tutorial.... maybe it helps

Let’s Encrypt on Carbonio – Easy as never before

I did look at this the first time you posted it.  I am following all the steps - making sure the mode is redirect etc.  I haven't had time to dig deeper to see if I can figure it out.  

Here is the error this time: 

STARTCMD: mail.example.com /opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.com -n --keep --webroot -w /opt/zextras --cert-name example.com -d mail.example.com -d mail.example.com
Account registered.
Simulating a certificate request for mail.example.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.example.com
Type: connection
Detail: 1.1.1.1: Fetching  http://mail.example.com/.well-known/acme-challenge/VxQAjkPqQRX0WvAxkc8TtThe_TAA5LOwqC9BW7GpN_I:  Connection refused

This is seeming like an incoming connection issue but all the ports are open.  I have 25,80,443,143,993,587,465 all open.  In checking the acme-challenge directory there is nothing in there.  I don't know if it generated the challenge and then deleted it.  Also owner of the directory is zextras:zextras so shouldn't be a permissions issue. 

 

 

This post was modified 1 year ago by rwebb616

   
ReplyQuote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

Run it manually in --dry-run mode... it's faster ans easier to follow the errors:

/opt/zextras/libexec/certbot certonly --agree-tos --email zextras@example.com -n --keep --webroot -w /opt/zextras --cert-name example.com -d mail.example.com -d mail.example.com --dry-run

and at the same time

tail -f /opt/zextras/log/nginx.access.log

 

Anahuac
Telegram: https://t.me/CarbonioMail

 

 

 


   
ReplyQuote
antonio
(@antonio)
Joined: 1 year ago
Posts: 48
 

Hello friends,

2 strange situations:

1)

checking "zmcertmgr viewdeployedcrt" I have 

- ldap: /opt/zextras/conf/slapd.crt

- mta: /opt/zextras/conf/smtpd.crt

- proxy: /opt/zextras/conf/nginx.crt

certificates with dates

notBefore=Jul 20 20:23:53 2023 GMT
notAfter=Oct 18 20:23:52 2023 GMT

This was installed in Carbonio previous version via command line.

Checking with "certbot certificates" I get:

Expiry Date: 2023-12-17 19:48:51+00:00 (VALID: 66 days)

why? what is the correct one?

 

2)

I have a multi server installation, behind a IPTables/NAT firewall running a private network, and I don't have ssh direct access to nodes. only possible via a dummy front-end machine inside the same local network. my external ssh port is not 22 

when I try to run the new certificate option in admin I get the RemoteManager error

system failure: exception executing command certbot certonly.......RemoteManager: ..... org.apache.sshd.common.SshException: DefaultConnectFuture....

and showing user and my public ip acess to port 22

Ideas to solve/overcome this?

 

Thank you and best regards

António

 

 

 


   
ReplyQuote
(@anahuac)
Joined: 2 years ago
Posts: 328
 

Hello @antonio,

So... the thing about certificates is that Carbonio uses two layers of certificates. The 1st layer is generated and installed when Carbonio is installed. I like to call it "the root certificate".

You can use "zmcertmgr deploycrt comm" command to deploy a Let's Encrypt or Commercial certificate to Carbonio and that will be the default certificate for all services, all communication between nodes and for all domains.

The second layer is the proxy certificate. When you ask Carbonio to create and deploy a Let's Encrypt certificate it is done but deployed on Nginx setup, not Carbonio's core.

That's how each domain uses it's own certificate separately.

Knowing that:

zmcertmgr viewdeployedcrt

Will show you the root certificate, and

certbot certificates

Will show you those certificates done to be used by the Proxy.

--------------------------------

About topic 2, try to run this command on each node of your multi-server setup:

zmupdateauthkeys

And try again.

Telegram: https://t.me/CarbonioMail

 

 


   
ReplyQuote
antonio
(@antonio)
Joined: 1 year ago
Posts: 48
 

@anahuac Hi, perfect the first explanation. is there any docs about this? what about this cert renewal process?

 

about second question, already thought about that but not I haven't done yet because the error message: ....zextras@connect.yobi365.com/<public-ip-address>:22.....

there is no way to connect to <public-ip-address>:22

now, after your suggestion I did the zmupdateauthkeys but the issue continues.

A.

 

 


   
ReplyQuote
Page 2 / 3