VojtechMyslivec/letsencrypt-zimbra

Diff. errors with 8.7

Closed this issue · 5 comments

OK, I did this:

  1. first I installed https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate on 8.7 with
    ./letsencrypt-auto certonly --standalone -d hostname.domain -d webmail.domain
    and it's working, although I'm not sure this is the correct configuration per:
    zmcertmgr viewdeployedcrt

    subject= /CN=hostname.domain
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=hostname.domain, webmail.domain
    

    Here, the actual mail addresses used are different from those 2; they are mail1.domain and mail2.domain.

  2. when I tried to use, with the 8.7 dev branch:
    ./obtain-and-deploy-letsencrypt-cert.sh hostname.domain webmail.domain
    I got errors:

    Unable to start TLS: hostname verification failed when connecting to ldap master.
    obtain-and-deploy-letsencrypt-cert.sh[err]:  Restarting zimbra failed.
    

    I see it's a frequent error; I guess it's about those domain names.

  3. in order to test, I used --staging in the script per #3, but since I have certificates it's of no use without --break-my-certs

  4. with --staging or with --standalone, when I commented out --non-interactive --quiet --agree-tos \ to get feedback:

    1. I was again asked for domains; is that OK?

      Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel)
      

      If OK, maybe it should be explained, but I'm afraid those 2 domains are not used, although #12 confirms we can use them and I guess #2 is obsolete now.

    2. I got this; why? And why wasn't I asked for an email?

      ./obtain-and-deploy-letsencrypt-cert.sh: line 258: --email: command not found
      

I see there are other issues, and some of this may be a duplicate, but it's more appropriate to write everything here than to comment on other issues.

Hi.

  1. I see no problem here. If you follow some other manual, you should keep that solution. Also the domain names in the SAN (SubjectAltName) look as you wish.

  2. It seems that the certificate was obtained correctly but Zimbra failed to start. Check the URL of the LDAP server in your configuration. If you use TLS, all certificates should be trusted. And if you use the Zimbra LDAP service, you must include the DNS name used in that URL among the domains for the certificate.

  3. You are right. "Use --staging" is simple advice for users who have not issued a certificate yet. Your situation is quite uncommon due to 1.

  4. If you comment out one line of a multi-line command in the shell, you break the syntax (because of the missing backslash character). This is why you get error 4.II, where the shell is looking for a command called --email, which should be an arg to letsencrypt-auto. You should delete the line completely or move the commented line below the command. 4.I is IMHO invalid because you are missing half of the arguments.
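A check for the LDAP point in 2., added here as an example and not part of the letsencrypt-zimbra project: it takes the text that zmcertmgr viewdeployedcrt prints (the sample embedded below is the output quoted in the issue) and an LDAP URL of the form stored in Zimbra's localconfig (a constructed value here), and reports whether the host name Zimbra will verify is listed in the certificate's SubjectAltName.

```shell
#!/bin/sh
# Added example (not from the letsencrypt-zimbra project). Checks that the host
# name Zimbra uses for its LDAP server is listed in the SubjectAltName of the
# deployed certificate, which is what "hostname verification failed when
# connecting to ldap master" is about.

# san_names CERT_TEXT: print each SubjectAltName entry on its own line,
# taking text in the format printed by "zmcertmgr viewdeployedcrt".
san_names() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SubjectAltName=//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# ldap_host_from_url URL: the host part of an ldap:// or ldaps:// URL
# (scheme, port and path removed), e.g. ldap://mail1.domain:389 -> mail1.domain
ldap_host_from_url() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##'
}

# cert_covers_host CERT_TEXT HOST: exit 0 if HOST is one of the SAN entries
# (case-insensitive exact match; wildcards are not handled).
cert_covers_host() {
    _host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    san_names "$1" | tr 'A-Z' 'a-z' | grep -qxF -- "$_host"
}

# Constructed sample input: the viewdeployedcrt output quoted in the issue.
DEPLOYED_CRT='subject= /CN=hostname.domain
issuer= /C=US/O=Let'"'"'s Encrypt/CN=Let'"'"'s Encrypt Authority X3
SubjectAltName=hostname.domain, webmail.domain'

# check_ldap_cert LDAP_URL: report whether the LDAP host is covered.
check_ldap_cert() {
    _h=$(ldap_host_from_url "$1")
    if cert_covers_host "$DEPLOYED_CRT" "$_h"; then
        echo "OK: $_h is covered by the deployed certificate"
    else
        echo "MISMATCH: $_h is not in the SAN; add it to the domain list" >&2
        return 1
    fi
}

# In the reporter's setup ldap_host is hostname.domain, so this passes;
# an LDAP URL naming mail1.domain would fail until that name is added.
check_ldap_cert "ldap://hostname.domain:389"
```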

Hi. Thank you for your response. I'll keep the numbers here.

  1. I'm not competent enough to understand this. It's all a single server with LDAP also, so ldap_host = hostname.domain.
    If "all certificates should be trusted" means that the SAN should be SubjectAltName=hostname.domain, webmail.domain, mail1.domain, mail2.domain, then I'm not sure how it works now, since I made it manually.
    I don't understand "you must include the DNS name used in that URL among the domains for the certificate", sorry.

  2. My layman's suggestion is to change line 251 from # --staging \ to # --staging --break-my-certs \

4.I I ran the script this time with the email argument:
./obtain-and-deploy-letsencrypt-cert.sh mail@domain hostname.domain webmail.domain
and without --standalone and --non-interactive --quiet --agree-tos to see what's going on:

"$letsencrypt" certonly
--staging --break-my-certs \
--email "$email" --csr "$request_file" || {
....

I get (and it's the same with --standalone):

certbot: error: unrecognized arguments:
./obtain-and-deploy-letsencrypt-cert.sh: line 258: --email: command not found

It's like you wrote in the help: $SCRIPTNAME email FQDN.... But it looks like the multi-line command is not OK.

4.II When I also included the line

--non-interactive --agree-tos \

I got:

certbot: error: unrecognized arguments:
./obtain-and-deploy-letsencrypt-cert.sh: line 258: --non-interactive: command not found

Please print the full command, which will be seen when not in --quiet mode.
Here I see "$letsencrypt" certonly", but in the script and in my command there is "$letsencrypt" certonly \" with a backslash. It's somehow like the script takes only --standalone and not the arguments after it. Strange.

4.III When I put all this in a single line:
"$letsencrypt" certonly --staging --break-my-certs --non-interactive --agree-tos --email "$email" --csr "$request_file" || {
I get a different error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line. Run with '--help plugins' to see a list of options, and see https://eff.org/letsencrypt-plugins for more detail on what the plugins do and how to use them.
obtain-and-deploy-letsencrypt-cert.sh[err]: The certificate cannot be obtained with '/opt/letsencrypt/letsencrypt-auto' tool.

/var/log/letsencrypt/letsencrypt.log says:

2017-04-28 16:04:41,785:DEBUG:certbot.main:Arguments: ['--staging', '--break-my-certs', '--non-interactive', '--agree-tos', '--email', 'mail@domain', '--csr', '/tmp/tmp.2j6sB5mk2a/request.pem']
2017-04-28 16:04:41,785:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,Plu$
2017-04-28 16:04:41,786:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2017-04-28 16:04:41,818:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 755, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/main.py", line 662, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/plugins/selection.py", line 189, in choose_configurator_plugins
    authenticator = pick_authenticator(config, req_auth, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/plugins/selection.py", line 40, in pick_authenticator
    config, default, plugins, question, (interfaces.IAuthenticator,))
  File "/root/.local/share/letsencrypt/lib/python2.6/site-packages/certbot/plugins/selection.py", line 67, in pick_plugin
    "Missing command line flags. For non-interactive execution, "
MissingCommandlineFlag: Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line

  1. I kindly ask you to change HELP:

Start with obtain-and-deploy-letsencrypt-cert.sh, it is a pretty well commented shell script.

to

Start with obtain-and-deploy-letsencrypt-cert.sh -h to get arguments and explanation.
Run with obtain-and-deploy-letsencrypt-cert.sh, it is a pretty well commented shell script.

I missed that and the email argument in the beginning.

  1. Yes, it is correct. If you are using the dev/zimbra-v8.7_dev branch, you should run

    obtain-and-deploy-letsencrypt-cert.sh mail@domain hostname.domain webmail.domain mail1.domain mail2.domain
    

    All of these DNS names must be A/AAAA/CNAME records pointing to your server.

    If you use the parameters branch, these args are included in the configuration file. These changes are in development now.

  2. I. In your example:

    "$letsencrypt" certonly
      --staging --break-my-certs \
      --email "$email" --csr "$request_file" || {
    

    You are missing a backslash \ at the end of the first line. Otherwise it is 2 commands. If you are editing the code, please be aware of shell syntax. Each line but the last of a multi-line command must end with a backslash (and no trailing spaces, etc.).

  3. III. You are missing the --standalone flag in the command.

In general, if you are changing the code, try to just remove the args you don't want.

If I look back at 2., the cert seems to have been obtained correctly (you can check /var/log/letsencrypt/letsencrypt.log in case some unreported error happened). The error occurred when Zimbra connected to LDAP – try asking on some Zimbra forum for help (i.e. here or here).

I understand that the instructions should be better. I will focus on that then.
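The backslash point made in 4. of the first reply and in 2.I above, shown as an added example that is not the project's script: a stub named letsencrypt just prints the arguments it receives, so the three variants make visible what the shell actually runs when a line in the middle of a continued command is commented out, when it is removed, and when optional flags are kept in a variable instead. The email and request_file values are constructed.

```shell
#!/bin/sh
# Added example (not the project's script): why commenting out one line of a
# backslash-continued command splits it in two, as seen in the issue
# ("line 258: --email: command not found"), and how to drop an argument safely.
# "letsencrypt" here is a stub that only prints the arguments it received;
# $email and $request_file hold constructed sample values.
letsencrypt() { printf '%s\n' "$*"; }
email="mail@domain"
request_file="/tmp/request.pem"

# Broken: the "\" at the end of a comment line is part of the comment, so the
# command ends there. The shell runs "letsencrypt certonly --standalone --staging"
# and then tries to run a command literally named "--email" (exit status 127).
run_broken() {
    letsencrypt certonly --standalone \
        --staging \
        # --non-interactive --quiet --agree-tos \
        --email "$email" --csr "$request_file"
}

# Fixed: the unwanted line is removed outright; every line but the last still
# ends with a backslash and nothing (not even a space) follows it.
run_fixed() {
    letsencrypt certonly --standalone \
        --staging \
        --email "$email" --csr "$request_file"
}

# Alternative that keeps the options visible: collect optional flags in a
# variable and set it empty to drop them. The variable is expanded unquoted
# on purpose so that the flags split into separate words.
run_with_optional_flags() {
    extra_flags="--non-interactive --agree-tos"     # set to "" to drop them
    letsencrypt certonly --standalone \
        --staging \
        $extra_flags \
        --email "$email" --csr "$request_file"
}

run_fixed
run_with_optional_flags
run_broken 2>/dev/null || echo "run_broken failed with status $? (expected)"
```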

README update is duplicated in #3