If we are going to renew the Let's Encrypt certificate on our server, we first go to the directory where the files we want to back up reside:
[root@correo ]# cd /etc/letsencrypt/live/server.domain
It is advisable to create a folder in which to back up the current files:
[root@correo ]# mkdir -p /etc/letsencrypt/bck/live/
Then we move the files to be backed up into the newly created directory, adding a date suffix (ddmmyy) to each:
[root@correo ]# mv cert.pem /etc/letsencrypt/bck/live/cert.pem.`date +%d%m%y`
[root@correo ]# mv chain.pem /etc/letsencrypt/bck/live/chain.pem.`date +%d%m%y`
We create the symbolic links, which point to the archive directory:
[root@correo ]# ln -s ../../archive/server/chain1.pem chain.pem
[root@correo ]# ln -s ../../archive/server/cert1.pem cert.pem
We then run the command that renews the certificate:
[root@correo ]# /root/zcs-8.7.0_GA_1659.RHEL6_64.20160628192545/letsencrypt/letsencrypt-auto renew -nvv --standalone
Upgrading certbot-auto 0.9.3 to 0.10.1...
Replacing certbot-auto...
Creating virtual environment...
Running virtualenv with interpreter /usr/bin/python2
New python executable in /root/.local/share/letsencrypt/bin/python2
Also creating executable in /root/.local/share/letsencrypt/bin/python
Installing Setuptools......done.
Installing Pip......done.
Installing Python packages...
After the process has run for a while, we check that everything finished successfully:
Writing new private key to /etc/letsencrypt/archive/server/privkey2.pem.
Writing certificate to /etc/letsencrypt/archive/server/cert2.pem.
Writing chain to /etc/letsencrypt/archive/server/chain2.pem.
Writing full chain to /etc/letsencrypt/archive/server/fullchain2.pem.
Writing new config /etc/letsencrypt/renewal/server.conf.new.
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/server/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/server/fullchain.pem (success)
no renewal failures
Once the renewal is done, we grant full permissions on the folders where the certificates reside, so that we can compare the certificates and install them in Zimbra:
[root@correo ]# chmod 777 /etc/letsencrypt/live /etc/letsencrypt/archive
We verify the certificates with the following command:
[root@correo ]# su -c "/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem" zimbra
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
As you can see, an error comes up. Pay attention to this one: you must check cert.pem, which must contain two certificates; the error reported is that a certificate cannot be found in that file.
Once the file is sorted out, we run the verification process again, this time passing fullchain.pem (which carries the full chain) instead of chain.pem:
[root@correo ]# su -c "/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem fullchain.pem" zimbra
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'fullchain.pem'
Valid certificate chain: cert.pem: OK
Now we back up the commercial.key file, since it gets replaced when we run the deploy in Zimbra:
[root@correo ]# cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key_backup
Then we copy privkey.pem over commercial.key:
[root@correo ]# cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite `/opt/zimbra/ssl/zimbra/commercial/commercial.key'? yes
Having completed the previous step successfully, we install the certificate in Zimbra with the following command:
[root@correo ]# su -c "/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem fullchain.pem" zimbra
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'fullchain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'fullchain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'fullchain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.rexisweb.com...failed (rc=1)
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/e7a52430.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e7a52430.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink 'c1568470.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'
[root@correo ]#
That's all; we can now check the validity of our certificate with a browser.
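The steps above (date-suffixed backup of the live files, then checking that cert.pem, fullchain.pem and privkey.pem are what zmcertmgr expects) can be scripted so the verifycrt failure seen earlier is caught before Zimbra is touched. The script below is an added example and is not from the original post or from Zimbra: the directory paths are parameters (the defaults are assumptions), the PEM files it writes for its demo are constructed placeholders rather than real certificates, and it keeps the backup directory owner-only (700/600) instead of the chmod 777 used in the post. The deploy itself remains the post's zmcertmgr deploycrt command.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare a Let's Encrypt
# renewal for Zimbra the way the post does (date-suffixed backup of the
# live files, then a sanity check of cert.pem / fullchain.pem / privkey.pem
# before handing them to zmcertmgr). Directory paths are parameters.

# Number of PEM certificate blocks in a file (0 if it does not exist).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The first PEM certificate block of a file (the leaf in a fullchain).
first_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q'
}

# Copy the live files into $2 as NAME.ddmmyy (the post's naming), following
# the live/ symlinks so the copies hold content, with owner-only permissions.
backup_live() {
    live="$1"; bck="$2"; stamp="$(date +%d%m%y)"
    mkdir -p "$bck" && chmod 700 "$bck" || return 1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -e "$live/$f" ] || continue
        cp -L "$live/$f" "$bck/$f.$stamp" && chmod 600 "$bck/$f.$stamp" || return 1
    done
    return 0
}

# Catch the "unable to get issuer certificate" situation before zmcertmgr
# does: fullchain.pem must carry the leaf plus at least one issuer, its first
# certificate must be the one in cert.pem, and privkey.pem must be a PEM key.
check_pems() {
    live="$1"
    [ "$(count_certs "$live/cert.pem")" -ge 1 ] ||
        { echo "cert.pem: no certificate found" >&2; return 1; }
    [ "$(count_certs "$live/fullchain.pem")" -ge 2 ] ||
        { echo "fullchain.pem: issuer chain missing" >&2; return 1; }
    [ "$(first_cert "$live/cert.pem")" = "$(first_cert "$live/fullchain.pem")" ] ||
        { echo "fullchain.pem does not start with the leaf in cert.pem" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$live/privkey.pem" 2>/dev/null ||
        { echo "privkey.pem: not a PEM private key" >&2; return 1; }
    return 0
}

# Scratch directory with constructed placeholder PEM files (fake bodies, not
# real certificates) so the functions can be tried without /etc/letsencrypt.
make_demo() {
    d="$(mktemp -d)" && mkdir -p "$d/live" || return 1
    leaf='-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItbGVhZi1ub3QtYS1yZWFsLWNlcnQ=
-----END CERTIFICATE-----'
    inter='-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXItaXNzdWVyLW5vdC1hLXJlYWwtY2VydA==
-----END CERTIFICATE-----'
    printf '%s\n' "$leaf" > "$d/live/cert.pem"
    printf '%s\n' "$inter" > "$d/live/chain.pem"
    printf '%s\n%s\n' "$leaf" "$inter" > "$d/live/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXIta2V5' \
        '-----END PRIVATE KEY-----' > "$d/live/privkey.pem"
    echo "$d"
}

# With no arguments run the demo; otherwise: script.sh LIVE_DIR BACKUP_DIR
if [ "$#" -eq 0 ]; then
    demo="$(make_demo)" && check_pems "$demo/live" &&
        backup_live "$demo/live" "$demo/bck" &&
        echo "demo: checks passed, backup written to $demo/bck"
    [ -n "$demo" ] && rm -rf "$demo"
else
    check_pems "$1" && backup_live "$1" "${2:?backup dir}"
fi
```

On the real server the call would be `sh prep.sh /etc/letsencrypt/live/server /etc/letsencrypt/bck/live` (paths assumed from the post); a non-zero exit with a message on stderr means the files are not ready for zmcertmgr verifycrt, which is the same failure the post ran into when chain.pem was passed instead of fullchain.pem.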
Regards…