YetOpen / certbot-zimbra

Automated letsencrypt/certbot certificate request and deploy script for Zimbra hosts
GNU General Public License v3.0
176 stars 78 forks

Check, if the current cert is still valid #9

Closed TheChief79 closed 7 years ago

TheChief79 commented 7 years ago

Is it not possible to check if the current cert is still valid? Normally certbot will do this for my websites automatically. Is that also possible for Zimbra? Then it wouldn't be necessary to install a cert and restart the server every day when your script is running.

maxxer commented 7 years ago

The script runs daily and launches certbot, which does check if the cert is still valid. If it is, nothing is done; if it's approaching expiration it will renew, and only in this case reinstall the cert.

TheChief79 commented 7 years ago

Are you sure? If I run:

./certbot_zimbra.sh -n -x -w /var/www/html/ -d myhost -r

I always get a new certificate and Zimbra services will be restarted. Did I miss something?

maxxer commented 7 years ago

-n is a new request, so yes, I make no check if the cert is still valid when making a new request.

TheChief79 commented 7 years ago

Ah ok, I forgot to remove -n, but I still get this output:

root@host ~/certbot-zimbra # ./certbot_zimbra.sh -x -w /var/www/html/ -d host -r
Detected Zimbra 8.7.6
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
NOTE: restart mailboxd to use the imported certificate.
Saving config key 'zimbraSSLCertificate' via zmprov modifyServer host...ok
Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer host...ok
Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
NOTE: restart services to use the new certificates.
Cleaning up 7 files from '/opt/zimbra/conf/ca'
Removing /opt/zimbra/conf/ca/2e5ac55d.0
Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
Removing /opt/zimbra/conf/ca/4f06f81d.0
Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
Removing /opt/zimbra/conf/ca/e8899c05.0
Removing /opt/zimbra/conf/ca/ca.key
Removing /opt/zimbra/conf/ca/ca.pem
Copying CA to /opt/zimbra/conf/ca
Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
Creating CA hash symlink 'e8899c05.0' -> 'ca.pem'
Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host host
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host host
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Failed.
Error: memcached not installed

Starting proxy...Failed.
Error: nginx not installed

Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.

maxxer commented 7 years ago

Why are you running this command? What's your purpose? Install a new certificate or renew an existing one?

maxxer commented 7 years ago

Also, why are you using the -x switch?

TheChief79 commented 7 years ago

I think I got it:

/usr/bin/certbot renew --post-hook "/root/certbot_zimbra.sh -n -x -w /var/www/html/ -d host -r"

-x because I don't use the internal webserver
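The thread's underlying problem is a deploy hook that reinstalls the certificate and restarts every Zimbra service on each run, whether or not certbot issued anything new. As an added example that is not part of certbot-zimbra, the guard below (POSIX sh, needs openssl in PATH; the /etc/letsencrypt and /opt/zimbra paths in the comment are assumptions) compares the certificate certbot holds with the one installed in Zimbra and only runs the deploy command when they differ, and warns when an unchanged certificate is nearing expiry, which is the symptom of renewal silently not happening.

```shell
#!/bin/sh
# Added example (not part of certbot-zimbra): deploy and restart Zimbra only when
# certbot actually produced a different certificate. Paths are assumptions.

# cert_fingerprint CERT: print the SHA-256 fingerprint of the leaf certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_expires_within CERT DAYS: succeed (0) when CERT is missing, unreadable,
# or will expire within DAYS days; fail (1) when it stays valid past that window.
cert_expires_within() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    # openssl -checkend exits 0 only if the cert is still valid after DAYS*86400 seconds
    if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# needs_deploy NEW_CERT INSTALLED_CERT: succeed when the cert certbot holds is not
# the one installed in Zimbra (nothing installed yet, or fingerprints differ).
needs_deploy() {
    new="$1"; installed="$2"
    [ -r "$installed" ] || return 0
    [ "$(cert_fingerprint "$new")" != "$(cert_fingerprint "$installed")" ]
}

# deploy_if_needed NEW_CERT INSTALLED_CERT CMD...: run CMD (the deploy + restart)
# only when needs_deploy says so; otherwise leave the running services alone.
deploy_if_needed() {
    new="$1"; installed="$2"; shift 2
    if needs_deploy "$new" "$installed"; then
        "$@"
    else
        echo "certificate unchanged, skipping deploy and service restart" >&2
        # An unchanged cert close to expiry means renewal itself is not happening.
        if cert_expires_within "$installed" 30; then
            echo "WARNING: installed certificate expires within 30 days" >&2
        fi
    fi
}

# Example invocation (paths assumed; deploy command is the one shown in this thread, without -n):
# deploy_if_needed /etc/letsencrypt/live/host/cert.pem \
#     /opt/zimbra/ssl/zimbra/commercial/commercial.crt \
#     /root/certbot_zimbra.sh -x -w /var/www/html/ -d host -r
```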

maxxer commented 7 years ago

If you have another webserver on port 80, check the README; there's an example renew command (which is missing -d though, you have to add it).

TheChief79 commented 7 years ago

Yes, thank you. RTFM :D

Thank you for your script!

maxxer commented 7 years ago

Glad that you fixed it, and that you liked it!