{"id":6486,"date":"2021-11-24T01:44:02","date_gmt":"2021-11-24T01:44:02","guid":{"rendered":"https:\/\/www.kevinmaschke.com\/?p=6486"},"modified":"2021-11-24T01:48:13","modified_gmt":"2021-11-24T01:48:13","slug":"zimbra-ssl-ablauf-dst-root-ca-x3-lets-encrypt-isrg-root-x1","status":"publish","type":"post","link":"https:\/\/www.kevinmaschke.com\/de\/zimbra-ssl-ablauf-dst-root-ca-x3-lets-encrypt-isrg-root-x1\/","title":{"rendered":"Zimbra &#8211; Updating SSL certificates after the expiry of Let&#8217;s Encrypt DST Root CA X3"},"content":{"rendered":"\n<p>On 30 September 2021 <a href=\"https:\/\/letsencrypt.org\/docs\/dst-root-ca-x3-expiration-september-2021\/\" target=\"_blank\" rel=\"noopener\">the Let&#8217;s Encrypt DST Root CA X3 certificate expired<\/a>. This certificate had been used to sign all SSL certificates issued by Let&#8217;s Encrypt.<\/p>\n\n\n\n<p>To avoid serious problems, <strong>Let&#8217;s Encrypt created a new ISRG Root X1 certificate<\/strong>, which was to be used for issuing certificates from then on.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Renewing SSL certificates by forcing the use of ISRG Root X1<\/h2>\n\n\n\n<p>Trying to renew the certificates while forcing the use of the new Let&#8217;s Encrypt ISRG Root X1 did not seem to work:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot --force-renewal --preferred-chain \"ISRG Root X1\" renew\nusage:\n  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...\n\nCertbot can obtain and install HTTPS\/TLS\/SSL certificates.  
By default,\nit will attempt to use a webserver both for obtaining and installing the\ncertificate.\ncertbot: error: unrecognized arguments: --preferred-chain ISRG Root X1<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Installing the correct version of Certbot<\/h2>\n\n\n\n<p>The version of Certbot I was using was already somewhat old and did not support the <code>--preferred-chain<\/code> argument, so it had to be replaced with a newer version. The EFF (Electronic Frontier Foundation) <a href=\"https:\/\/certbot.eff.org\/instructions\" target=\"_blank\" rel=\"noopener\"><strong>recommends using the Snap version<\/strong><\/a>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo snap install --classic certbot\nsudo mv \/usr\/bin\/certbot \/usr\/bin\/certbot-old\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot<\/pre>\n\n\n\n<p>I then tried to renew the certificate again:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot --force-renewal --preferred-chain \"ISRG Root X1\" renew\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nProcessing \/etc\/letsencrypt\/renewal\/mail.DOMAIN.com.conf\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nRenewing an existing certificate for mail.DOMAIN.com and 4 more domains\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nCongratulations, all renewals succeeded:\n  \/etc\/letsencrypt\/live\/mail.DOMAIN.com\/fullchain.pem 
(success)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/pre>\n\n\n\n<p>This time there were no problems!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up the new certificates in Zimbra<\/h2>\n\n\n\n<p>In my case I use the <a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\" target=\"_blank\" rel=\"noopener\">Certbot-Zimbra<\/a> script, which <strong>automates the process of deploying certificates in Zimbra<\/strong>, since deploying them manually is a laborious process in which it is very easy to make mistakes that cause headaches later.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@mail:\/home\/mqc\/certbot-zimbra# .\/certbot_zimbra.sh -d -H mail.DOMAIN.com\ncertbot-zimbra v0.7.12 - https:\/\/github.com\/YetOpen\/certbot-zimbra\nChecking for dependencies...\nDetected Zimbra 8.8.15 on UBUNTU16_64\nUsing domain mail.DOMAIN.com (as certificate DN)\nPreparing certificates for deployment.\nTesting with zmcertmgr.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/privkey.pem'\nCertificate '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' and private key '\/run\/certbot-zimbra\/certs-MXMcy89c\/privkey.pem' match.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem'\nValid certificate chain: \/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem: OK\nDeploying certificates.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key'\nCertificate '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' and private key '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' 
match.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem'\nValid certificate chain: \/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem: OK\n** Copying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt'\n** Copying '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial_ca.crt'\n** Appending ca chain '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt'\n** Importing cert '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '\/opt\/zimbra\/common\/lib\/jvm\/java\/lib\/security\/cacerts'\n** NOTE: restart mailboxd to use the imported certificate.\n** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.DOMAIN.com...ok\n** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.DOMAIN.com...ok\n** Installing imapd certificate '\/opt\/zimbra\/conf\/imapd.crt' and key '\/opt\/zimbra\/conf\/imapd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/imapd.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/imapd.key'\n** Creating file '\/opt\/zimbra\/ssl\/zimbra\/jetty.pkcs12'\n** Creating keystore '\/opt\/zimbra\/conf\/imapd.keystore'\n** Installing ldap certificate '\/opt\/zimbra\/conf\/slapd.crt' and key '\/opt\/zimbra\/conf\/slapd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/slapd.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/slapd.key'\n** Creating file '\/opt\/zimbra\/ssl\/zimbra\/jetty.pkcs12'\n** Creating keystore '\/opt\/zimbra\/mailboxd\/etc\/keystore'\n** Installing mta certificate '\/opt\/zimbra\/conf\/smtpd.crt' and key 
'\/opt\/zimbra\/conf\/smtpd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/smtpd.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/smtpd.key'\n** Installing proxy certificate '\/opt\/zimbra\/conf\/nginx.crt' and key '\/opt\/zimbra\/conf\/nginx.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/nginx.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/nginx.key'\n** NOTE: restart services to use the new certificates.\n** Cleaning up 7 files from '\/opt\/zimbra\/conf\/ca'\n** Removing \/opt\/zimbra\/conf\/ca\/4042bcee.0\n** Removing \/opt\/zimbra\/conf\/ca\/8d33f237.0\n** Removing \/opt\/zimbra\/conf\/ca\/commercial_ca_2.crt\n** Removing \/opt\/zimbra\/conf\/ca\/commercial_ca_1.crt\n** Removing \/opt\/zimbra\/conf\/ca\/ca.key\n** Removing \/opt\/zimbra\/conf\/ca\/a6222139.0\n** Removing \/opt\/zimbra\/conf\/ca\/ca.pem\n** Copying CA to \/opt\/zimbra\/conf\/ca\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/ca\/ca.key' to '\/opt\/zimbra\/conf\/ca\/ca.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/ca\/ca.pem' to '\/opt\/zimbra\/conf\/ca\/ca.pem'\n** Creating CA hash symlink 'a6222139.0' -> 'ca.pem'\n** Creating \/opt\/zimbra\/conf\/ca\/commercial_ca_1.crt\n** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'\n** Creating \/opt\/zimbra\/conf\/ca\/commercial_ca_2.crt\n** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'\nRemoving temporary files in \/run\/certbot-zimbra\/certs-MXMcy89c\nRestarting Zimbra.\nHost mail.DOMAIN.com\n        Stopping zmconfigd...Done.\n        Stopping zimlet webapp...Done.\n        Stopping zimbraAdmin webapp...Done.\n        Stopping zimbra webapp...Done.\n        Stopping service webapp...Done.\n        Stopping stats...Done.\n        Stopping mta...Done.\n        Stopping spell...Done.\n        Stopping snmp...Done.\n        
Stopping cbpolicyd...Done.\n        Stopping archiving...Done.\n        Stopping opendkim...Done.\n        Stopping amavis...Done.\n        Stopping antivirus...Done.\n        Stopping antispam...Done.\n        Stopping proxy...Done.\n        Stopping memcached...Done.\n        Stopping mailbox...Done.\n        Stopping logger...Done.\n        Stopping dnscache...Done.\n        Stopping ldap...Done.\nHost mail.DOMAIN.com\n        Starting ldap...Done.\n        Starting zmconfigd...Done.\n        Starting logger...Done.\n        Starting mailbox...Done.\n        Starting memcached...Done.\n        Starting proxy...Done.\n        Starting amavis...Done.\n        Starting antispam...Done.\n        Starting antivirus...Done.\n        Starting opendkim...Done.\n        Starting snmp...Done.\n        Starting spell...Done.\n        Starting mta...Done.\n        Starting stats...Done.\n        Starting service webapp...Done.\n        Starting zimbra webapp...Done.\n        Starting zimbraAdmin webapp...Done.\n        Starting zimlet webapp...Done.<\/pre>\n\n\n\n<p>As you can see, the script takes care of deploying the certificates and restarting the Zimbra server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Possible problems<\/h2>\n\n\n\n<p>When I first started the process, I got this result:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot-zimbra v0.7.12 - https:\/\/github.com\/YetOpen\/certbot-zimbra\nChecking for dependencies...\nDetected Zimbra 8.8.15 on UBUNTU16_64\nUsing domain mail.DOMAIN.com (as certificate DN)\nPreparing certificates for deployment.\ncat: \/etc\/ssl\/certs\/2e5ac55d.0: No such file or directory<\/pre>\n\n\n\n<p>To fix this problem, first check whether the <code>ca-certificates<\/code> package is installed:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@mail:\/# apt-cache policy ca-certificates\nca-certificates:\n  Installed: 20210119~16.04.1ubuntu0.1~esm1\n  Candidate: 20210119~16.04.1ubuntu0.1~esm1<\/pre>\n\n\n\n<p>If it is not installed, install it with the following command:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">apt-get install ca-certificates<\/pre>\n\n\n\n<p>Then follow the instructions above to install the Snap version of Certbot and force a certificate renewal with <code>ISRG Root X1<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful links<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/letsencrypt.org\/certificates\/#\" target=\"_blank\" rel=\"noopener\">Let&#8217;s Encrypt certificates<\/a><\/li><li><a href=\"https:\/\/letsencrypt.org\/docs\/dst-root-ca-x3-expiration-september-2021\/\" target=\"_blank\" rel=\"noopener\">Let&#8217;s Encrypt DST Root CA X3 expiration<\/a><\/li><li><a href=\"https:\/\/blog.zimbra.com\/2021\/09\/zimbra-skilz-how-to-use-zimbra-with-lets-encrypt-certificates\/\" target=\"_blank\" rel=\"noopener\">Zimbra and Let&#8217;s Encrypt certificates<\/a><\/li><li><a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\/issues\/140\" target=\"_blank\" rel=\"noopener\">Certbot-Zimbra: No such file or directory<\/a><\/li><li><a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\" 
target=\"_blank\" rel=\"noopener\">Certbot-Zimbra<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>On 30 September 2021 the Let&#8217;s Encrypt DST Root CA X3 certificate expired. This certificate had been used to sign all SSL certificates issued by Let&#8217;s Encrypt. To avoid serious problems, Let&#8217;s Encrypt created &#8230;<\/p>\n","protected":false},"author":1,"featured_media":6490,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[411,208],"tags":[2690,1696,646,1051,565,648],"class_list":["post-6486","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-anleitungen","category-linux-de","tag-lets-encrypt-de","tag-linux-de","tag-open-source-de","tag-ssl-de","tag-ubuntu-de","tag-zimbra-de"],"acf":{"book_cover":null,"special_featured_image":null},"_links":{"self":[{"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/posts\/6486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/comments?post=6486"}],"version-history":[{"count":0,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/posts\/6486\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/media\/6490"}],"wp:attachment":[{"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/media?parent=6486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/categories?post=6486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/de\/wp-json\/wp\/v2\/tags?post=6486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}