certbot-zimbra is failing to update certificates
gpetrom opened this issue · 1 comments
gpetrom commented
Hi
I have an Ubuntu 20.04 with Zimbra 8.8.15. I am using certbot 2.2.0 and certbot-zimbra v0.7.12.
I am running
certbot --force-renewal --preferred-chain "ISRG Root X1" renew
and the output I am getting is
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/email.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for email.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/email.example.com/fullchain.pem (success)
When I run
/usr/local/bin/certbot_zimbra.sh -d
I am getting the following error
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTUUNKNOWN_64
Using zmhostname to detect domain.
Using domain email.example.com (as certificate DN)
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-eq2yKxqM/cert.pem' against '/run/certbot-zimbra/certs-eq2yKxqM/privkey.pem'
140046976226624:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate '/run/certbot-zimbra/certs-eq2yKxqM/cert.pem' and private key '/run/certbot-zimbra/certs-eq2yKxqM/privkey.pem' do not match.
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
Any ideas what is happening?
skelkelos992 commented
Certbot switched to the ECDSA key type by default; just run the following to change the key type to RSA:
certbot renew --key-type rsa --rsa-key-size <key size> --cert-name <your-cert-name> --force-renewal
then re-deploy
/usr/local/bin/certbot_zimbra.sh -d
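A pre-deploy guard for the situation in this thread, added here as an example (not code from either commenter or from certbot-zimbra): it reads the `key_type` recorded under `[renewalparams]` in a certbot renewal config such as `/etc/letsencrypt/renewal/email.example.com.conf` and refuses to proceed unless the lineage is pinned to RSA. The function names `renewal_key_type` and `zimbra_deploy_ok` are hypothetical, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of certbot-zimbra: guard to run before certbot_zimbra.sh -d.

# Print the key_type recorded under [renewalparams] in a certbot renewal
# config, or "unset" when the lineage has no explicit key_type line.
renewal_key_type() {
    awk -F= '
        /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
        in_params && $1 ~ /^[ \t]*key_type[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); kt = tolower($2)
        }
        END { print (kt == "" ? "unset" : kt) }
    ' "$1"
}

# Return 0 only when the lineage is explicitly pinned to RSA, the key type
# the zmcertmgr verification in the log above expects. "unset" is treated
# as blocked (a conservative choice made for this example).
zimbra_deploy_ok() {
    kt=$(renewal_key_type "$1") || return 2
    case "$kt" in
        rsa) return 0 ;;
        *)   echo "key_type=$kt in $1: renew with --key-type rsa before deploying" >&2
             return 1 ;;
    esac
}

# Constructed sample configs (not from the issue) so the check runs offline.
demo_dir=$(mktemp -d)
printf '%s\n' 'version = 2.2.0' '[renewalparams]' 'authenticator = standalone' \
    'key_type = ecdsa' > "$demo_dir/ecdsa.conf"
printf '%s\n' 'version = 2.2.0' '[renewalparams]' 'key_type = rsa' \
    'rsa_key_size = 4096' > "$demo_dir/rsa.conf"
printf '%s\n' 'version = 1.9.0' '# key_type = rsa' '[renewalparams]' \
    'authenticator = standalone' > "$demo_dir/old.conf"

for conf in ecdsa rsa old; do
    if zimbra_deploy_ok "$demo_dir/$conf.conf"; then
        echo "$conf.conf: ok to deploy"
    else
        echo "$conf.conf: blocked"
    fi
done
```
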