Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain mail.domain.com must be listening on it.
mostym opened this issue · 6 comments
root@mail:/usr/local/bin# certbot_zimbra.sh -n
certbot-zimbra v0.7.11 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU18_64
Using zmhostname to detect domain.
Using domain mail.namrotsjh.com (as certificate DN)
Detecting additional public service hostnames... Found 1 zimbraPublicServiceHostnames through auto-detection
Got 1 domains to use as certificate SANs: localhost
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain mail.domain.com must be listening on it.
zmprov gs $(zmhostname) zimbraServiceEnabled | grep proxy
zimbraServiceEnabled: proxy
zmprov gs $(zmhostname) zimbraReverseProxyHttpEnabled
# name mail.domain.com
zimbraReverseProxyHttpEnabled: TRUE
zmprov gs $(zmhostname) | grep Port
zimbra@mail:/usr/local/bin$ zmprov gs $(zmhostname) | grep Port
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraCBPolicydBindPort: 10031
zimbraChatXmppPort: 5222
zimbraChatXmppSslPort: 5223
zimbraChatXmppSslPortEnabled: FALSE
zimbraClamAVListenPort: 3310
zimbraExtensionBindPort: 7072
zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraLmtpBindPort: 7025
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraMemcachedBindPort: 11211
zimbraMessageChannelPort: 7285
zimbraMilterBindPort: 7026
zimbraMtaAuthPort: 7073
zimbraMtaSmtpdClientPortLogging: no
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraRemoteImapBindPort: 8143
zimbraRemoteImapSSLBindPort: 8993
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 25
lsof -i -s TCP:LISTEN -a -n | grep zimbra
root@mail:/usr/local/bin# lsof -i -s TCP:LISTEN -a -n | grep zimbra
slapd 1686 zimbra 7u IPv4 31637 0t0 TCP 107.181.234.26:ldap (LISTEN)
java 2267 zimbra 151u IPv4 456743 0t0 TCP 127.0.0.1:7171 (LISTEN)
unbound 3367 zimbra 4u IPv4 447188 0t0 TCP 127.0.0.1:domain (LISTEN)
mysqld 3767 zimbra 481u IPv4 447216 0t0 TCP 127.0.0.1:7306 (LISTEN)
zmlogger: 3772 zimbra 3u IPv4 446305 0t0 TCP 127.0.0.1:10663 (LISTEN)
java 3893 zimbra 118u IPv4 457770 0t0 TCP 127.0.0.1:http-alt (LISTEN)
java 3893 zimbra 119u IPv4 457775 0t0 TCP *:8443 (LISTEN)
java 3893 zimbra 120u IPv4 457776 0t0 TCP *:7071 (LISTEN)
java 3893 zimbra 121u IPv4 453907 0t0 TCP *:7110 (LISTEN)
java 3893 zimbra 122u IPv4 453908 0t0 TCP *:7995 (LISTEN)
java 3893 zimbra 123u IPv4 453909 0t0 TCP *:7143 (LISTEN)
java 3893 zimbra 124u IPv4 453910 0t0 TCP *:7993 (LISTEN)
java 3893 zimbra 125u IPv4 453911 0t0 TCP *:7025 (LISTEN)
java 3893 zimbra 126u IPv4 446324 0t0 TCP *:7073 (LISTEN)
java 3893 zimbra 127u IPv4 446325 0t0 TCP *:7072 (LISTEN)
java 3893 zimbra 463u IPv4 454867 0t0 TCP *:xmpp-server (LISTEN)
java 3893 zimbra 500u IPv4 441180 0t0 TCP *:xmpp-client (LISTEN)
memcached 4192 zimbra 26u IPv4 456855 0t0 TCP *:11211 (LISTEN)
memcached 4192 zimbra 27u IPv6 456856 0t0 TCP *:11211 (LISTEN)
nginx 4231 zimbra 6u IPv4 458947 0t0 TCP *:imap2 (LISTEN)
nginx 4231 zimbra 7u IPv4 458948 0t0 TCP *:imaps (LISTEN)
nginx 4231 zimbra 8u IPv4 458949 0t0 TCP *:pop3 (LISTEN)
nginx 4231 zimbra 9u IPv4 458950 0t0 TCP *:pop3s (LISTEN)
nginx 4231 zimbra 10u IPv4 458951 0t0 TCP *:https (LISTEN)
nginx 4232 zimbra 6u IPv4 458947 0t0 TCP *:imap2 (LISTEN)
nginx 4232 zimbra 7u IPv4 458948 0t0 TCP *:imaps (LISTEN)
nginx 4232 zimbra 8u IPv4 458949 0t0 TCP *:pop3 (LISTEN)
nginx 4232 zimbra 9u IPv4 458950 0t0 TCP *:pop3s (LISTEN)
nginx 4232 zimbra 10u IPv4 458951 0t0 TCP *:https (LISTEN)
nginx 4233 zimbra 6u IPv4 458947 0t0 TCP *:imap2 (LISTEN)
nginx 4233 zimbra 7u IPv4 458948 0t0 TCP *:imaps (LISTEN)
nginx 4233 zimbra 8u IPv4 458949 0t0 TCP *:pop3 (LISTEN)
nginx 4233 zimbra 9u IPv4 458950 0t0 TCP *:pop3s (LISTEN)
nginx 4233 zimbra 10u IPv4 458951 0t0 TCP *:https (LISTEN)
nginx 4234 zimbra 6u IPv4 458947 0t0 TCP *:imap2 (LISTEN)
nginx 4234 zimbra 7u IPv4 458948 0t0 TCP *:imaps (LISTEN)
nginx 4234 zimbra 8u IPv4 458949 0t0 TCP *:pop3 (LISTEN)
nginx 4234 zimbra 9u IPv4 458950 0t0 TCP *:pop3s (LISTEN)
nginx 4234 zimbra 10u IPv4 458951 0t0 TCP *:https (LISTEN)
nginx 4235 zimbra 6u IPv4 458947 0t0 TCP *:imap2 (LISTEN)
nginx 4235 zimbra 7u IPv4 458948 0t0 TCP *:imaps (LISTEN)
nginx 4235 zimbra 8u IPv4 458949 0t0 TCP *:pop3 (LISTEN)
nginx 4235 zimbra 9u IPv4 458950 0t0 TCP *:pop3s (LISTEN)
nginx 4235 zimbra 10u IPv4 458951 0t0 TCP *:https (LISTEN)
amavis-se 4257 zimbra 12u IPv4 446363 0t0 TCP 127.0.0.1:23232 (LISTEN)
amavis-se 4259 zimbra 11u IPv4 457802 0t0 TCP 127.0.0.1:23233 (LISTEN)
/opt/zimb 4284 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4284 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4284 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4284 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4284 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4284 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4287 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4287 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4287 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4287 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4287 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4287 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4288 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4288 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4288 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4288 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4288 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4288 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4289 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4289 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4289 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4289 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4289 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4289 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4292 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4292 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4292 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4292 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4292 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4292 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4295 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4295 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4295 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4295 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4295 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4295 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4300 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4300 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4300 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4300 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4300 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4300 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4303 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4303 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4303 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4303 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4303 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4303 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4305 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4305 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4305 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4305 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4305 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4305 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4307 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4307 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4307 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4307 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4307 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4307 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
/opt/zimb 4310 zimbra 4u IPv4 459785 0t0 TCP 127.0.0.1:10024 (LISTEN)
/opt/zimb 4310 zimbra 6u IPv6 459786 0t0 TCP [::1]:10024 (LISTEN)
/opt/zimb 4310 zimbra 7u IPv4 459787 0t0 TCP 127.0.0.1:10026 (LISTEN)
/opt/zimb 4310 zimbra 8u IPv6 459788 0t0 TCP [::1]:10026 (LISTEN)
/opt/zimb 4310 zimbra 9u IPv4 459789 0t0 TCP 127.0.0.1:10032 (LISTEN)
/opt/zimb 4310 zimbra 10u IPv6 459790 0t0 TCP [::1]:10032 (LISTEN)
clamd 4563 zimbra 5u IPv6 454884 0t0 TCP [::1]:3310 (LISTEN)
clamd 4563 zimbra 6u IPv4 454885 0t0 TCP 127.0.0.1:3310 (LISTEN)
opendkim 4588 zimbra 5u IPv4 455939 0t0 TCP 127.0.0.1:8465 (LISTEN)
httpd 4620 zimbra 4u IPv6 441224 0t0 TCP *:7780 (LISTEN)
httpd 4631 zimbra 4u IPv6 441224 0t0 TCP *:7780 (LISTEN)
httpd 4632 zimbra 4u IPv6 441224 0t0 TCP *:7780 (LISTEN)
httpd 4639 zimbra 4u IPv6 441224 0t0 TCP *:7780 (LISTEN)
ss -nlpt | grep nginx
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=4235,fd=10),("nginx",pid=4234,fd=10),("nginx",pid=4233,fd=10),("nginx",pid=4232,fd=10),("nginx",pid=4231,fd=10))
LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("nginx",pid=4235,fd=7),("nginx",pid=4234,fd=7),("nginx",pid=4233,fd=7),("nginx",pid=4232,fd=7),("nginx",pid=4231,fd=7))
LISTEN 0 128 0.0.0.0:995 0.0.0.0:* users:(("nginx",pid=4235,fd=9),("nginx",pid=4234,fd=9),("nginx",pid=4233,fd=9),("nginx",pid=4232,fd=9),("nginx",pid=4231,fd=9))
LISTEN 0 128 0.0.0.0:110 0.0.0.0:* users:(("nginx",pid=4235,fd=8),("nginx",pid=4234,fd=8),("nginx",pid=4233,fd=8),("nginx",pid=4232,fd=8),("nginx",pid=4231,fd=8))
LISTEN 0 128 0.0.0.0:143 0.0.0.0:* users:(("nginx",pid=4235,fd=6),("nginx",pid=4234,fd=6),("nginx",pid=4233,fd=6),("nginx",pid=4232,fd=6),("nginx",pid=4231,fd=6))
zimbra@mail:/usr/local/bin$ zmprov gs $(zmhostname) zimbraReverseProxyMailMode
# name mail.domain.com
zimbraReverseProxyMailMode: https
zimbra@mail:/usr/local/bin$ zmprov gs $(zmhostname) zimbraMailMode
# name mail.domain.com
zimbraMailMode: https
@jjakob If I run zmprov ms $(zmhostname) zimbraReverseProxyMailMode redirect
then try to renew the cert, I get this:
root@mail:/opt/zimbra/data/nginx/html# /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Running pre-hook command: /usr/local/bin/certbot_zimbra.sh -p
Output from certbot_zimbra.sh:
certbot-zimbra v0.7.11 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU18_64
Using zmhostname to detect domain.
Using domain mail.domain.com (as certificate DN)
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Nginx templates already patched.
Nginx includes already patched, skipping zmproxy restart.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.domain.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mail.domain.com) from /etc/letsencrypt/renewal/mail.domain.com.conf produced an unexpected error: Failed authorization procedure. mail.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://mail.domain.com/.well-known/acme-challenge/YRRvbcP4ZFeuMLjNff3imYfp287nSxi4c3z30yQ-L4w [107.181.234.26]: "<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n<title>Error 404 Not Found</title>\n</head>\n<bo". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.domain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.domain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mail.domain.com
Type: unauthorized
Detail: Invalid response from
https://mail.domain.com/.well-known/acme-challenge/YRRvbcP4ZFeuMLjNff3imYfp287nSxi4c3z30yQ-L4w
[107.181.234.26]: "<html>\n<head>\n<meta
http-equiv=\"Content-Type\"
content=\"text/html;charset=utf-8\"/>\n<title>Error 404 Not
Found</title>\n</head>\n<bo"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@mail:/opt/zimbra/data/nginx/html#
I just noticed that there was another file /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf that was interfering with the script... Derp. I just remembered that I followed these instructions months ago: https://syslint.com/blog/tutorial/how-to-install-lets-encrypt-ssl-with-zimbra-fully-automated-configuration/
and that was interfering with the script. Thanks so much for your help.
No problem, I'm glad you found the issue.
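The port check that fails at the top of this thread ("process is listening on port 80 with name nginx") can be reproduced by hand from `ss -nlpt` output, which also shows which ports the proxy did bind. This is an added example, not part of the thread and not certbot-zimbra's own code; the function names and the sample lines (modelled on the ss output posted above, plus one constructed port-80 line) are assumptions.

```bash
#!/bin/sh
# Added example (hypothetical helper names). Reads `ss -nlpt` output on stdin.
# On a live host run as root so ss can show other users' processes:
#   ss -nlpt | check_listener 80 nginx

# Constructed sample shaped like the thread's output: nginx on 443/993 only.
SAMPLE_HTTPS_ONLY='LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=4235,fd=10),("nginx",pid=4231,fd=10))
LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("nginx",pid=4235,fd=7),("nginx",pid=4231,fd=7))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("java",pid=3893,fd=118))'

# Same sample plus a constructed line with nginx bound to port 80.
SAMPLE_WITH_HTTP="$SAMPLE_HTTPS_ONLY
"'LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=4231,fd=11))'

# listens_on PORT NAME: exit 0 if a process called NAME has a LISTEN socket on PORT.
listens_on() {
    awk -v port="$1" -v name="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # field 4 is local addr:port; port follows the last colon
            if (a[n] == port && index($0, "(\"" name "\",")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ports_of NAME: print the sorted, de-duplicated ports NAME is listening on.
ports_of() {
    awk -v name="$1" '
        $1 == "LISTEN" && index($0, "(\"" name "\",") {
            n = split($4, a, ":"); print a[n]
        }' | sort -nu | paste -sd' ' -
}

# check_listener PORT NAME: report the result and, on failure, what NAME did bind.
check_listener() {
    _ss_out=$(cat)
    if printf '%s\n' "$_ss_out" | listens_on "$1" "$2"; then
        echo "ok: $2 is listening on port $1"
    else
        echo "fail: $2 is not listening on port $1 (bound ports: $(printf '%s\n' "$_ss_out" | ports_of "$2"))"
        return 1
    fi
}

# Demo on the constructed sample: nginx has 443 and 993 but no port 80.
printf '%s\n' "$SAMPLE_HTTPS_ONLY" | check_listener 80 nginx || true
```

Matching on the exact port field rather than grepping for `:80` keeps a backend on 8080 from being mistaken for the proxy's HTTP listener.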