Closed lifzgreat closed 5 years ago
Renewing the certificate is pretty quick. However, most of the renewal process this script handles is shutting down nginx (to release the needed port 80) and restarting Zimbra services to apply the new cert.
You would be able to renew it without shutting down nginx if you configured it to use the "webroot" method; however, you would need to restart the services anyway.
Zimbra is a complex tool with a lot of services. Although some of the services need only a reload (i.e. nginx and postfix), others don't even have one (for example, AFAIK, dovecot). And there are other services where I don't even have a clue what the minimal tasks to reload the certificate would be. So I have followed the documentation to apply a so-called "commercial" certificate and restart all of the services.
PS: be assured I have written the script to minimize the outage.
So it can't just renew without shutting down the Zimbra services and restarting them? I was hoping the renew was different than the initial deploy because otherwise, email must be down every 2 months for a few minutes for the company.
I think the issue wasn't looked at as a high priority because the assumption was that if your uptime is critical enough to worry about 2 minutes / 60-80 days to restart services you are probably playing on a playing field where your setup is HA clustered and you have budget for a 10 year commercial cert.
Letsencrypt is economy class, not business class.
That's an overreaching statement. Anyone can use free open-source software, even if they're business class. We're a 20M+ business, but we prefer Zimbra + LE to Outlook + GoDaddy.
Of course. Nothing to do with FOSS. But if you need several nines of uptime, you probably cluster it and can squeeze out a few extra $ for a 10 year cert so no services need to be reconfigured or reloaded every time the LE cert is due for renewal. I am just guessing that could be one reason why Zimbra aren't making it a priority to speed up zmcontrol restart or let you deploy service certs without a full restart.
> I was hoping the renew was different than the initial deploy

No, it's not. You get another certificate (although for the same key), so you need to redeploy it.
> Letsencrypt is economy class, not business class.

I strongly disagree, but it's an off-topic discussion.
> a few extra $ for a 10 year

It's not possible. Due to the CA/B Forum, no certificate can be valid for more than circa 2 years (and it's going to be shorter soon).
However, this is a Zimbra issue. Please discuss it with Zimbra support and please report back if they point to some better solution than to restart all services.
> can squeeze out a few extra $ for a 10 year cert
Necessity isn't the driving force, optimization is. We're the opposite from what you mentioned - we're moving from a long term paid cert to LE. We've used LE for years on web servers and have decided to use it on our mail server as well. Thanks for your input, it's just not helpful for our situation though.
> this is a Zimbra issue
If we need to restart Zimbra, we obviously will. I didn't know Zimbra required it so I asked out of ignorance. One has the right (obligation?) to try to better any situation :) It just so happens that it sounds like a Zimbra issue, not an LE issue.
We can close this @VojtechMyslivec, thanks for your response and help.
Is there a better way to renew once you're all set up, rather than running the whole process over again every 60 days (30 days prior to expiry)? In a normal LE setup, the renew just happens quickly, but it appears this will take Zimbra down, obtain a new cert, deploy it, and bring Zimbra back up every 60 days.
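As an added illustration (not the repository's script, and not Zimbra's own tooling): a POSIX-shell guard that triggers the disruptive deploy-and-restart step only when the renewed Let's Encrypt certificate actually differs from the one Zimbra currently serves, and otherwise just reports whether the deployed certificate is inside the 30-day renewal window. The two certificate paths are assumptions for a typical install.

```shell
#!/bin/sh
# Added example, not the repository's renewal script.
# Decide whether the disruptive "deploy cert + restart Zimbra" step is
# needed at all: compare the SHA-256 fingerprint of the certificate Zimbra
# currently serves with the freshly renewed Let's Encrypt certificate.
# Both paths below are assumptions; adjust them for your installation.
DEPLOYED_CRT="${DEPLOYED_CRT:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}"
RENEWED_CRT="${RENEWED_CRT:-/etc/letsencrypt/live/mail.example.com/cert.pem}"

# SHA-256 fingerprint of a PEM certificate (empty string if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# True (exit 0) when the two certificates differ; false when identical or
# when either file cannot be parsed, so a broken input never causes a restart.
cert_changed() {
    old=$(cert_fingerprint "$1")
    new=$(cert_fingerprint "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# True (exit 0) when the certificate expires within $2 days, i.e. it is
# inside the renewal window (Let's Encrypt: renew 30 days before expiry).
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

main() {
    if ! [ -r "$DEPLOYED_CRT" ] || ! [ -r "$RENEWED_CRT" ]; then
        echo "certificate files not readable; nothing done" >&2
        return 1
    fi
    if cert_changed "$DEPLOYED_CRT" "$RENEWED_CRT"; then
        echo "renewed certificate differs from deployed one: deploy it and restart services"
        # This is the only branch where the outage (deploy + restart) would happen.
    elif needs_renewal "$DEPLOYED_CRT" 30; then
        echo "deployed certificate expires within 30 days but no new one is present yet"
    else
        echo "deployed certificate is current; no restart needed"
    fi
}

# Run the check only when invoked explicitly, e.g. ./check-cert.sh --check
[ "${1:-}" = "--check" ] && main
```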