Closed TheChief79 closed 7 years ago
The script runs daily and launches certbot, which does check if the cert is still valid. If it is nothing is done, if it's approaching expiration it will renew and only in this case reinstall the cert
Are you sure? If I run:
./certbot_zimbra.sh -n -x -w /var/www/html/ -d myhost -r
I always get a new certificate and Zimbra services will be restarted. Did I miss something?
-n is a new request, so yes, I make no check if the cert is still valid when making a new request.
Ah ok, I forgot to remove -n, but I still get this output:
root@host ~/certbot-zimbra # ./certbot_zimbra.sh -x -w /var/www/html/ -d host -r
Detected Zimbra 8.7.6
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
NOTE: restart mailboxd to use the imported certificate.
Saving config key 'zimbraSSLCertificate' via zmprov modifyServer host...ok
Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer host...ok
Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
NOTE: restart services to use the new certificates.
Cleaning up 7 files from '/opt/zimbra/conf/ca'
Removing /opt/zimbra/conf/ca/2e5ac55d.0
Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
Removing /opt/zimbra/conf/ca/4f06f81d.0
Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
Removing /opt/zimbra/conf/ca/e8899c05.0
Removing /opt/zimbra/conf/ca/ca.key
Removing /opt/zimbra/conf/ca/ca.pem
Copying CA to /opt/zimbra/conf/ca
Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
Creating CA hash symlink 'e8899c05.0' -> 'ca.pem'
Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host host
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host host
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Failed.
Error: memcached not installed
Starting proxy...Failed.
Error: nginx not installed
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
Why are you running this command? What's your purpose? Install a new certificate or renew an existing one?
Also, why are you using the -x switch?
I think I got it:
/usr/bin/certbot renew --post-hook "/root/certbot_zimbra.sh -n -x -w /var/www/html/ -d host -r"
-x because I don't use the internal webserver
If you have another webserver on port 80 check the README, there's an example renew command (which is missing -d though, you have to add it)
Yes, thank you. RTFM :D
Thank you for your script!
Glad that you fixed it, and that you liked it!
Is it not possible to check if the current cert is still valid? Normally certbot will do this for my websites automatically. Is that also possible for Zimbra? Then it wouldn't be necessary to install a cert and restart the server every day, when your script is running.
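The question above is what `certbot renew --post-hook` answers: the hook (and so the reinstall and restart) only fires when certbot actually renewed. As an added example that is not part of certbot_zimbra.sh or this thread, the pre-check below makes the same decision explicitly, by comparing the fingerprint of the certbot-managed certificate with the one Zimbra currently serves; the default paths are the ones from the log above, and the certificates used in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of certbot_zimbra.sh: decide whether a daily job has
# anything to deploy, so Zimbra is only reinstalled and restarted when certbot
# actually produced a new certificate. Defaults are the paths from the log above.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file (commercial.crt
# has the chain appended; openssl x509 reads only the leaf at the top).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# True when the certificate in $1 exists and is still valid for at least $2 days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# True when Zimbra's deployed certificate ($2) is the same certificate as the
# certbot one ($1), i.e. a redeploy plus service restart would change nothing.
cert_already_deployed() {
    [ -f "$2" ] || return 1
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Returns 0 when the certbot certificate ($1) should be deployed over the
# current Zimbra certificate ($2): it must be unexpired and must differ.
deploy_decision() {
    if ! cert_valid_for_days "$1" 0; then
        echo "certbot certificate $1 is missing or expired; nothing to deploy" >&2
        return 1
    fi
    if cert_already_deployed "$1" "$2"; then
        echo "deployed certificate already matches $1; no restart needed" >&2
        return 1
    fi
    return 0
}

# Usage: sh check.sh --run [letsencrypt-cert] [zimbra-cert]
main() {
    le=${2:-/opt/zimbra/ssl/letsencrypt/cert.pem}
    zc=${3:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}
    if deploy_decision "$le" "$zc"; then
        echo "new certificate detected; deploy it (the -r run shown above)"
    fi
}
case "${1:-}" in --run) main "$@" ;; esac
```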