certbot-zimbra
Issue with renew
Hi, currently getting an issue with renewing SSL. Currently running 0.7.12; this is the error code I'm getting:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'pre-hook' reported error code 1
Hook 'pre-hook' ran with output:
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU18_64
Using zmhostname to detect domain.
Using domain mail.domain.com.co (as certificate DN)
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication
zimbra@mail:~$ zmprov gs $(zmhostname) zimbraServiceEnabled | grep proxy
zimbraServiceEnabled: proxy
zimbra@mail:~$ zmprov gs $(zmhostname) zimbraReverseProxyHttpEnabled
# name mail.domain.com.co
zimbraReverseProxyHttpEnabled: TRUE
zimbra@mail:~$ zmprov gs $(zmhostname) | grep Port
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraCBPolicydBindPort: 10031
zimbraChatXmppPort: 5222
zimbraChatXmppSslPort: 5223
zimbraChatXmppSslPortEnabled: FALSE
zimbraClamAVListenPort: 3310
zimbraExtensionBindPort: 7072
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraLmtpBindPort: 7025
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraMemcachedBindPort: 11211
zimbraMessageChannelPort: 7285
zimbraMilterBindPort: 7026
zimbraMtaAuthPort: 7073
zimbraMtaSmtpdClientPortLogging: no
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraRemoteImapBindPort: 8143
zimbraRemoteImapSSLBindPort: 8993
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 27
zimbra@mail:~$ exit
exit
root@mail:~# lsof -i -s TCP:LISTEN -a -n | grep zimbra
java 12683 zimbra 151u IPv4 341082582 0t0 TCP 127.0.0.1:7171 (LISTEN)
slapd 12853 zimbra 7u IPv4 286566641 0t0 TCP 192.168.3.140:ldap (LISTEN)
mysqld 13379 zimbra 18u IPv4 286567312 0t0 TCP 127.0.0.1:7306 (LISTEN)
java 13681 zimbra 119u IPv4 286567654 0t0 TCP 127.0.0.1:http-alt (LISTEN)
java 13681 zimbra 120u IPv4 286567657 0t0 TCP *:8443 (LISTEN)
java 13681 zimbra 121u IPv4 286567658 0t0 TCP *:7071 (LISTEN)
java 13681 zimbra 122u IPv4 286567659 0t0 TCP *:7110 (LISTEN)
java 13681 zimbra 123u IPv4 286567660 0t0 TCP *:7995 (LISTEN)
java 13681 zimbra 124u IPv4 286567661 0t0 TCP *:7143 (LISTEN)
java 13681 zimbra 125u IPv4 286567662 0t0 TCP *:7993 (LISTEN)
java 13681 zimbra 126u IPv4 286567663 0t0 TCP *:7025 (LISTEN)
java 13681 zimbra 127u IPv4 286567666 0t0 TCP *:7073 (LISTEN)
java 13681 zimbra 129u IPv4 286567667 0t0 TCP *:7072 (LISTEN)
memcached 14038 zimbra 26u IPv4 286568249 0t0 TCP *:11211 (LISTEN)
memcached 14038 zimbra 27u IPv6 286568250 0t0 TCP *:11211 (LISTEN)
nginx 14061 zimbra 6u IPv4 286571227 0t0 TCP *:imap2 (LISTEN)
nginx 14061 zimbra 7u IPv4 286571228 0t0 TCP *:imaps (LISTEN)
nginx 14061 zimbra 8u IPv4 286571229 0t0 TCP *:pop3 (LISTEN)
nginx 14061 zimbra 9u IPv4 286571230 0t0 TCP *:pop3s (LISTEN)
nginx 14061 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
nginx 14062 zimbra 6u IPv4 286571227 0t0 TCP *:imap2 (LISTEN)
nginx 14062 zimbra 7u IPv4 286571228 0t0 TCP *:imaps (LISTEN)
nginx 14062 zimbra 8u IPv4 286571229 0t0 TCP *:pop3 (LISTEN)
nginx 14062 zimbra 9u IPv4 286571230 0t0 TCP *:pop3s (LISTEN)
nginx 14062 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
nginx 14063 zimbra 6u IPv4 286571227 0t0 TCP *:imap2 (LISTEN)
nginx 14063 zimbra 7u IPv4 286571228 0t0 TCP *:imaps (LISTEN)
nginx 14063 zimbra 8u IPv4 286571229 0t0 TCP *:pop3 (LISTEN)
nginx 14063 zimbra 9u IPv4 286571230 0t0 TCP *:pop3s (LISTEN)
nginx 14063 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
nginx 14064 zimbra 6u IPv4 286571227 0t0 TCP *:imap2 (LISTEN)
nginx 14064 zimbra 7u IPv4 286571228 0t0 TCP *:imaps (LISTEN)
nginx 14064 zimbra 8u IPv4 286571229 0t0 TCP *:pop3 (LISTEN)
nginx 14064 zimbra 9u IPv4 286571230 0t0 TCP *:pop3s (LISTEN)
nginx 14064 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
nginx 14065 zimbra 6u IPv4 286571227 0t0 TCP *:imap2 (LISTEN)
nginx 14065 zimbra 7u IPv4 286571228 0t0 TCP *:imaps (LISTEN)
nginx 14065 zimbra 8u IPv4 286571229 0t0 TCP *:pop3 (LISTEN)
nginx 14065 zimbra 9u IPv4 286571230 0t0 TCP *:pop3s (LISTEN)
nginx 14065 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
httpd 14094 zimbra 4u IPv6 286571324 0t0 TCP *:7780 (LISTEN)
httpd 14116 zimbra 4u IPv6 286571324 0t0 TCP *:7780 (LISTEN)
httpd 14117 zimbra 4u IPv6 286571324 0t0 TCP *:7780 (LISTEN)
httpd 14118 zimbra 4u IPv6 286571324 0t0 TCP *:7780 (LISTEN)
zmlogger: 14381 zimbra 3u IPv4 341083177 0t0 TCP 127.0.0.1:10663 (LISTEN)
httpd 22198 zimbra 4u IPv6 286571324 0t0 TCP *:7780 (LISTEN)
root@mail:~# ss -nlpt | grep nginx
LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("nginx",pid=14065,fd=7),("nginx",pid=14064,fd=7),("nginx",pid=14063,fd=7),("nginx",pid=14062,fd=7),("nginx",pid=14061,fd=7))
LISTEN 0 128 0.0.0.0:995 0.0.0.0:* users:(("nginx",pid=14065,fd=9),("nginx",pid=14064,fd=9),("nginx",pid=14063,fd=9),("nginx",pid=14062,fd=9),("nginx",pid=14061,fd=9))
LISTEN 0 128 0.0.0.0:110 0.0.0.0:* users:(("nginx",pid=14065,fd=8),("nginx",pid=14064,fd=8),("nginx",pid=14063,fd=8),("nginx",pid=14062,fd=8),("nginx",pid=14061,fd=8))
LISTEN 0 128 0.0.0.0:143 0.0.0.0:* users:(("nginx",pid=14065,fd=6),("nginx",pid=14064,fd=6),("nginx",pid=14063,fd=6),("nginx",pid=14062,fd=6),("nginx",pid=14061,fd=6))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=14065,fd=10),("nginx",pid=14064,fd=10),("nginx",pid=14063,fd=10),("nginx",pid=14062,fd=10),("nginx",pid=14061,fd=10))
I tried to run the renew manually:
/snap/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
root@mail:~# /snap/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mail.domain.com.co
Serial Number: xxxxxx
Key Type: RSA
Domains: mail.domain.com.co
Expiry Date: 2022-07-25 01:33:08+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/mail.domain.com.co/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.domain.com.co/privkey.pem
Thank you
I haven't seen this before.
Can you run bash -x /usr/local/bin/certbot_zimbra.sh -p and copy the command run right before the error message is printed? (before the "Error: port check failed" message)
Thank you so much for the reply, this is the outcome:
root@mail:~# bash -x /usr/local/bin/certbot_zimbra.sh -p
+ readonly progname=certbot-zimbra
+ progname=certbot-zimbra
+ readonly version=0.7.12
+ version=0.7.12
+ readonly github_url=https://github.com/YetOpen/certbot-zimbra
+ github_url=https://github.com/YetOpen/certbot-zimbra
+ readonly zmpath=/opt/zimbra
+ zmpath=/opt/zimbra
+ readonly zmwebroot=/opt/zimbra/data/nginx/html
+ zmwebroot=/opt/zimbra/data/nginx/html
+ readonly le_live_path=/etc/letsencrypt/live
+ le_live_path=/etc/letsencrypt/live
+ readonly temppath=/run/certbot-zimbra
+ temppath=/run/certbot-zimbra
+ readonly zmprov_opts=-l
+ zmprov_opts=-l
+ readonly ca_certificates_file=/etc/ssl/certs/ca-certificates.crt
+ ca_certificates_file=/etc/ssl/certs/ca-certificates.crt
+ readonly pki_ca_bundle_file=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ pki_ca_bundle_file=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ webroot=
+ certpath=
+ le_bin=
+ le_params=
+ le_agree_tos=false
+ le_noniact=false
+ agree_tos=false
+ extra_domains=()
+ no_nginx=false
+ deploy_only=false
+ new_cert=false
+ services=all
+ patch_only=false
+ restart_zimbra=true
+ prompt_confirm=false
+ detect_public_hostnames=true
+ skip_port_check=false
+ port=
+ quiet=false
+ readonly min_certbot_version=0.19.0
+ min_certbot_version=0.19.0
+ locked=false
+ platform=
+ detected_zimbra_version=
+ trap exitfunc EXIT
+ [[ 1 -gt 0 ]]
+ case "$1" in
+ patch_only=true
+ shift
+ [[ 0 -gt 0 ]]
+ readonly deploy_only new_cert patch_only agree_tos le_noniact detect_public_hostnames skip_port_check no_nginx services restart_zimbra prompt_confirm quiet
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ false
+ false
+ false
+ true
+ false
+ false
+ '[' -n '' ']'
+ false
+ false
+ echo 'certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra'
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
+ bootstrap
+ check_user
+ '[' 0 -ne 0 ']'
+ make_temp
+ mkdir --mode=750 -p /run/certbot-zimbra
+ chown root:zimbra /run/certbot-zimbra
+ get_lock
+ exec
+ flock -n 200
+ locked=true
+ readonly locked
+ check_depends
+ false
+ echo 'Checking for dependencies...'
Checking for dependencies...
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which su
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which openssl
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which grep
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which head
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which cut
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which sed
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which chmod
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which chown
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which cat
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which cp
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which gawk
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which /opt/zimbra/bin/zmhostname
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which /opt/zimbra/bin/zmcertmgr
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which /opt/zimbra/bin/zmcontrol
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which /opt/zimbra/bin/zmprov
+ for name in su openssl grep head cut sed chmod chown cat cp gawk $zmpath/bin/zmhostname $zmpath/bin/zmcertmgr $zmpath/bin/zmcontrol $zmpath/bin/zmprov $zmpath/libexec/get_plat_tag.sh
+ which /opt/zimbra/libexec/get_plat_tag.sh
+ check_depends_ca
+ '[' -r /etc/ssl/certs/ca-certificates.crt ']'
+ return
++ /opt/zimbra/libexec/get_plat_tag.sh
+ platform=UBUNTU18_64
+ readonly platform
++ su - zimbra -c '/opt/zimbra/bin/zmcontrol -v'
++ grep -Po '(\d+).(\d+).(\d+)'
++ head -n 1
+ detected_zimbra_version=8.8.15
+ readonly detected_zimbra_version
+ '[' -z 8.8.15 ']'
+ false
+ echo 'Detected Zimbra 8.8.15 on UBUNTU18_64'
Detected Zimbra 8.8.15 on UBUNTU18_64
+ get_domain
+ '[' -z '' ']'
+ false
+ echo 'Using zmhostname to detect domain.'
Using zmhostname to detect domain.
++ /opt/zimbra/bin/zmhostname
+ domain=mail.domain.com.co
+ '[' -z mail.domain.com.co ']'
+ false
+ echo 'Using domain mail.domain.com.co (as certificate DN)'
Using domain mail.domain.com.co (as certificate DN)
+ false
+ false
+ '[' -n '' ']'
+ return 0
+ return 0
+ false
+ false
+ webroot=/opt/zimbra/data/nginx/html
+ readonly webroot
+ check_zimbra_proxy
+ '[' -z mail.domain.com.co ']'
+ false
+ echo 'Checking zimbra-proxy is running and enabled'
Checking zimbra-proxy is running and enabled
+ su - zimbra -c '/opt/zimbra/bin/zmproxyctl status > /dev/null'
+ su - zimbra -c '/opt/zimbra/bin/zmprov -l gs mail.domain.com.co zimbraReverseProxyHttpEnabled | grep -q TRUE'
+ '[' -z '' ']'
+ false
+ echo 'Detecting port from zimbraMailProxyPort'
Detecting port from zimbraMailProxyPort
++ su - zimbra -c '/opt/zimbra/bin/zmprov -l gs mail.domain.com.co zimbraMailProxyPort | sed -n '\''s/zimbraMailProxyPort: //p'\'''
+ port=80
+ '[' -z 80 ']'
+ '[' 80 '!=' 80 ']'
+ check_port 80 nginx zimbra
+ false
+ '[' -z 80 ']'
+ false
+ echo 'Checking if process is listening on port 80 with name "nginx" user "zimbra"'
Checking if process is listening on port 80 with name "nginx" user "zimbra"
++ which lsof
+ local lsof_bin=/usr/bin/lsof
++ which ss
+ local ss_bin=/bin/ss
+ local check_bin=
+ local grep_filter=
+ '[' -x /usr/bin/lsof ']'
+ check_bin='/usr/bin/lsof -i :80 -s TCP:LISTEN -a -n'
+ grep_filter='nginx.*zimbra'
++ /usr/bin/lsof -i :80 -s TCP:LISTEN -a -n
++ grep -c 'nginx.*zimbra'
+ (( 0 == 0 ))
+ return 1
+ echo 'Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain mail.domain.com.co must be listening on it.'
Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain mail.domain.com.co must be listening on it.
+ exit 1
+ exitfunc
+ e=1
+ '[' 1 -ne 0 ']'
+ false
+ echo
+ echo 'An error seems to have occurred. Please read the output above for clues and try to rectify the situation.'
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
+ echo 'If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.'
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
+ exec
+ true
+ rm /run/certbot-zimbra/certbot-zimbra.lck
+ exit 1
You do not have zimbra-proxy configured to listen on port 80. That is required in order for the ACME HTTP challenge to work. This is enabled by setting zimbraReverseProxyMailMode to "redirect" or "both" (but I highly recommend "redirect" for security).
zmprov gs "$(zmhostname)" zimbraReverseProxyMailMode
zmprov ms "$(zmhostname)" zimbraReverseProxyMailMode redirect
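The check that failed in the trace above is `lsof -i :80 -s TCP:LISTEN -a -n | grep -c 'nginx.*zimbra'`, and the fix the maintainer gives is the proxy mail mode. The script below is an added example, not certbot-zimbra's own code: it reproduces that port check on constructed `lsof` output (modelled on the listing in the issue) and combines it with the `zimbraReverseProxyMailMode` value to tell the two failure cases apart, the mode that never opens port 80 versus a mode that should open it while nothing owned by `zimbra` is actually listening (proxy not restarted, or an upstream proxy or firewall owning the port). The function names, the sample lines, and the claim that the `http` and `mixed` modes also open port 80 are assumptions of this example; the page itself only names `redirect` and `both`.

```shell
#!/usr/bin/env bash
# Added example, not certbot-zimbra's own code: reproduce the pre-hook's port
# check on captured lsof output and show why zimbraReverseProxyMailMode
# decides whether that check can pass. Runs as-is against constructed sample
# data; nothing here calls zmprov or lsof on a live Zimbra.

# Constructed sample modelled on the issue's lsof listing: nginx (user
# zimbra) listens on 443 but nothing listens on 80.
SAMPLE_LSOF_NO_HTTP='nginx 14061 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
nginx 14062 zimbra 10u IPv4 286571231 0t0 TCP *:https (LISTEN)
java 13681 zimbra 119u IPv4 286567654 0t0 TCP 127.0.0.1:http-alt (LISTEN)'

# Same host after the proxy mail mode is switched to "redirect": nginx also
# binds port 80. lsof -n without -P prints the service name "http", not 80,
# so the matcher below accepts either spelling of the port.
SAMPLE_LSOF_WITH_HTTP="$SAMPLE_LSOF_NO_HTTP
nginx 14061 zimbra 11u IPv4 286571240 0t0 TCP *:http (LISTEN)"

# Same test the trace performs with
#   lsof -i :80 -s TCP:LISTEN -a -n | grep -c 'nginx.*zimbra'
# applied to lsof text on stdin. Arguments: port number, its /etc/services
# name, expected process name, expected owning user.
# Returns 0 when a matching LISTEN line exists, 1 otherwise.
listener_present() {
  local port="$1" svc="$2" proc="$3" user="$4"
  grep -Eq "^${proc}[[:space:]]+[0-9]+[[:space:]]+${user}[[:space:]].*:(${port}|${svc})[[:space:]]+\(LISTEN\)"
}

# Whether a given zimbraReverseProxyMailMode makes zimbra-proxy open the
# plain-HTTP port that the ACME HTTP-01 challenge needs. "redirect" and
# "both" are the values the maintainer names; "http" and "mixed" also open
# port 80 and "https" does not (assumption from Zimbra's documented modes,
# not stated on the page). Returns 0 if port 80 is opened, 1 if not,
# 2 for an unrecognised value.
http_port_enabled_for_mode() {
  case "$1" in
    redirect|both|http|mixed) return 0 ;;
    https) return 1 ;;
    *) echo "unknown zimbraReverseProxyMailMode: '$1'" >&2; return 2 ;;
  esac
}

# Combine both checks. Prints exactly one verdict:
#   ok             - the pre-hook's port check would pass
#   fix-mailmode   - the mode never opens port 80; set it to redirect (or both)
#   check-listener - the mode should open port 80 but no nginx/zimbra listener
#                    exists: proxy not restarted, or something upstream holds
#                    the port (the HAProxy / pfSense situation in this thread)
diagnose_http_challenge_port() {
  local mode="$1" lsof_text="$2" port="${3:-80}"
  if printf '%s\n' "$lsof_text" | listener_present "$port" http nginx zimbra; then
    echo ok
  elif ! http_port_enabled_for_mode "$mode"; then
    echo fix-mailmode   # zmprov ms "$(zmhostname)" zimbraReverseProxyMailMode redirect
  else
    echo check-listener
  fi
}

# Stand-alone run against the constructed samples.
diagnose_http_challenge_port https "$SAMPLE_LSOF_NO_HTTP"       # fix-mailmode
diagnose_http_challenge_port redirect "$SAMPLE_LSOF_NO_HTTP"    # check-listener
diagnose_http_challenge_port redirect "$SAMPLE_LSOF_WITH_HTTP"  # ok
```

On a real host, feed `diagnose_http_challenge_port` the output of `zmprov gs "$(zmhostname)" zimbraReverseProxyMailMode` and of `lsof -i -s TCP:LISTEN -a -n`; a `check-listener` verdict with the mode already set to `redirect` is the signature of the reverse-proxy case the maintainer points at, where port 80 is not terminated by Zimbra's nginx at all.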
Thank you so much for the reply. On Zimbra, having it on "both" or "redirect" would be 80 and 443? I ask because I have HAProxy in front using TLS passthrough (using pfSense) to pass the traffic to Zimbra. What's odd is that a few months ago it was working fine when it needed to renew.
I think this is most likely an issue with the particular configuration you used - behind a reverse proxy (HAProxy), it's likely not passing through the challenge to Zimbra's nginx correctly.