{"id":6479,"date":"2021-11-24T01:44:02","date_gmt":"2021-11-24T01:44:02","guid":{"rendered":"https:\/\/www.kevinmaschke.com\/?p=6479"},"modified":"2021-11-24T01:47:52","modified_gmt":"2021-11-24T01:47:52","slug":"zimbra-ssl-expiration-dst-root-ca-x3-lets-encrypt-isrg-root-x1","status":"publish","type":"post","link":"https:\/\/www.kevinmaschke.com\/en\/zimbra-ssl-expiration-dst-root-ca-x3-lets-encrypt-isrg-root-x1\/","title":{"rendered":"Zimbra &#8211; Upgrading SSL certificates after Let&#8217;s Encrypt DST Root CA X3 expiration"},"content":{"rendered":"\n<p>On September 30, 2021, <a href=\"https:\/\/letsencrypt.org\/docs\/dst-root-ca-x3-expiration-september-2021\/\" target=\"_blank\" rel=\"noopener\">IdenTrust&#8217;s DST Root CA X3 certificate expired<\/a>. Let&#8217;s Encrypt never signed end-entity certificates with that root directly: certificates are issued by an intermediate (R3 at the time), and a cross-signed copy of that intermediate made the default chain end at DST Root CA X3, the root that even very old devices trust.<\/p>\n\n\n\n<p>Let&#8217;s Encrypt&#8217;s own root, <strong>ISRG Root X1<\/strong>, is not new (it dates from 2015 and has been in mainstream trust stores for years), but since the expiration it is the root every chain has to end at. The default chain Let&#8217;s Encrypt serves after September 2021 still carries a copy of ISRG Root X1 cross-signed by the expired DST Root CA X3, kept deliberately for old Android devices. That long chain breaks clients built on OpenSSL 1.0.x and tools that look the chain&#8217;s root up in the system trust store, so on a mail server the sensible choice is the alternate, shorter chain that ends at the self-signed ISRG Root X1. Certbot&#8217;s <code>--preferred-chain<\/code> option selects it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Renewing SSL Certificates by forcing ISRG Root X1<\/h2>\n\n\n\n<p>Trying to renew the certificates by forcing the Let&#8217;s Encrypt ISRG Root X1 chain did not seem to work:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot --force-renewal --preferred-chain \"ISRG Root X1\" renew\nusage:\n  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...\n\nCertbot can obtain and install HTTPS\/TLS\/SSL certificates.  
By default,\nit will attempt to use a webserver both for obtaining and installing the\ncertificate.\ncertbot: error: unrecognized arguments: --preferred-chain ISRG Root X1<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Install correct version of Certbot<\/h2>\n\n\n\n<p>The version of Certbot I was using was already a bit outdated and did not support the <code>--preferred-chain<\/code> argument, so it had to be replaced with a newer version. The EFF (Electronic Frontier Foundation) <a href=\"https:\/\/certbot.eff.org\/instructions\" target=\"_blank\" rel=\"noopener\"><strong>recommends using the Snap version<\/strong><\/a>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo snap install --classic certbot\nsudo mv \/usr\/bin\/certbot \/usr\/bin\/certbot-old\nsudo ln -s \/snap\/bin\/certbot \/usr\/bin\/certbot<\/pre>\n\n\n\n<p>The EFF instructions remove the distribution package first (<code>sudo apt-get remove certbot<\/code>) instead of renaming the old binary. Renaming works, but the old package&#8217;s cron job or systemd timer stays behind next to the snap&#8217;s own renewal timer, so check that only one of them is left to run renewals. Two more things to keep in mind before re-running the renewal: <code>--force-renewal<\/code> re-issues the certificate even though it is nowhere near expiry, and repeated re-issues of the same set of names count against Let&#8217;s Encrypt&#8217;s rate limit of five duplicate certificates per week; and to keep the short chain on later automatic renewals, put <code>preferred-chain = ISRG Root X1<\/code> into <code>\/etc\/letsencrypt\/cli.ini<\/code> rather than relying on remembering the flag.<\/p>\n\n\n\n<p>I then tried to renew the certificate again:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot --force-renewal --preferred-chain \"ISRG Root X1\" renew\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nProcessing \/etc\/letsencrypt\/renewal\/mail.DOMAIN.com.conf\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nRenewing an existing certificate for mail.DOMAIN.com and 4 more domains\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nCongratulations, all renewals succeeded:\n  \/etc\/letsencrypt\/live\/mail.DOMAIN.com\/fullchain.pem (success)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - -<\/pre>\n\n\n\n<p>No problems this time!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Implementing new certificates in Zimbra<\/h2>\n\n\n\n<p>In my case, I use a script called <a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\" target=\"_blank\" rel=\"noopener\">Certbot-Zimbra<\/a> that <strong>automates the process of deploying certificates in Zimbra<\/strong>, since doing this manually is a tedious process, and it is very easy to make mistakes that later become headaches.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@mail:\/home\/mqc\/certbot-zimbra# .\/certbot_zimbra.sh -d -H mail.DOMAIN.com\ncertbot-zimbra v0.7.12 - https:\/\/github.com\/YetOpen\/certbot-zimbra\nChecking for dependencies...\nDetected Zimbra 8.8.15 on UBUNTU16_64\nUsing domain mail.DOMAIN.com (as certificate DN)\nPreparing certificates for deployment.\nTesting with zmcertmgr.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/privkey.pem'\nCertificate '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' and private key '\/run\/certbot-zimbra\/certs-MXMcy89c\/privkey.pem' match.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem'\nValid certificate chain: \/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem: OK\nDeploying certificates.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key'\nCertificate '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' and private key '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' match.\n** Verifying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' against '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem'\nValid 
certificate chain: \/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem: OK\n** Copying '\/run\/certbot-zimbra\/certs-MXMcy89c\/cert.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt'\n** Copying '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial_ca.crt'\n** Appending ca chain '\/run\/certbot-zimbra\/certs-MXMcy89c\/zimbra_chain.pem' to '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt'\n** Importing cert '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '\/opt\/zimbra\/common\/lib\/jvm\/java\/lib\/security\/cacerts'\n** NOTE: restart mailboxd to use the imported certificate.\n** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.DOMAIN.com...ok\n** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.DOMAIN.com...ok\n** Installing imapd certificate '\/opt\/zimbra\/conf\/imapd.crt' and key '\/opt\/zimbra\/conf\/imapd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/imapd.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/imapd.key'\n** Creating file '\/opt\/zimbra\/ssl\/zimbra\/jetty.pkcs12'\n** Creating keystore '\/opt\/zimbra\/conf\/imapd.keystore'\n** Installing ldap certificate '\/opt\/zimbra\/conf\/slapd.crt' and key '\/opt\/zimbra\/conf\/slapd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/slapd.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/slapd.key'\n** Creating file '\/opt\/zimbra\/ssl\/zimbra\/jetty.pkcs12'\n** Creating keystore '\/opt\/zimbra\/mailboxd\/etc\/keystore'\n** Installing mta certificate '\/opt\/zimbra\/conf\/smtpd.crt' and key '\/opt\/zimbra\/conf\/smtpd.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/smtpd.crt'\n** Copying 
'\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/smtpd.key'\n** Installing proxy certificate '\/opt\/zimbra\/conf\/nginx.crt' and key '\/opt\/zimbra\/conf\/nginx.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt' to '\/opt\/zimbra\/conf\/nginx.crt'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key' to '\/opt\/zimbra\/conf\/nginx.key'\n** NOTE: restart services to use the new certificates.\n** Cleaning up 7 files from '\/opt\/zimbra\/conf\/ca'\n** Removing \/opt\/zimbra\/conf\/ca\/4042bcee.0\n** Removing \/opt\/zimbra\/conf\/ca\/8d33f237.0\n** Removing \/opt\/zimbra\/conf\/ca\/commercial_ca_2.crt\n** Removing \/opt\/zimbra\/conf\/ca\/commercial_ca_1.crt\n** Removing \/opt\/zimbra\/conf\/ca\/ca.key\n** Removing \/opt\/zimbra\/conf\/ca\/a6222139.0\n** Removing \/opt\/zimbra\/conf\/ca\/ca.pem\n** Copying CA to \/opt\/zimbra\/conf\/ca\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/ca\/ca.key' to '\/opt\/zimbra\/conf\/ca\/ca.key'\n** Copying '\/opt\/zimbra\/ssl\/zimbra\/ca\/ca.pem' to '\/opt\/zimbra\/conf\/ca\/ca.pem'\n** Creating CA hash symlink 'a6222139.0' -> 'ca.pem'\n** Creating \/opt\/zimbra\/conf\/ca\/commercial_ca_1.crt\n** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'\n** Creating \/opt\/zimbra\/conf\/ca\/commercial_ca_2.crt\n** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'\nRemoving temporary files in \/run\/certbot-zimbra\/certs-MXMcy89c\nRestarting Zimbra.\nHost mail.DOMAIN.com\n        Stopping zmconfigd...Done.\n        Stopping zimlet webapp...Done.\n        Stopping zimbraAdmin webapp...Done.\n        Stopping zimbra webapp...Done.\n        Stopping service webapp...Done.\n        Stopping stats...Done.\n        Stopping mta...Done.\n        Stopping spell...Done.\n        Stopping snmp...Done.\n        Stopping cbpolicyd...Done.\n        Stopping archiving...Done.\n        Stopping opendkim...Done.\n        Stopping amavis...Done.\n        Stopping 
antivirus...Done.\n        Stopping antispam...Done.\n        Stopping proxy...Done.\n        Stopping memcached...Done.\n        Stopping mailbox...Done.\n        Stopping logger...Done.\n        Stopping dnscache...Done.\n        Stopping ldap...Done.\nHost mail.DOMAIN.com\n        Starting ldap...Done.\n        Starting zmconfigd...Done.\n        Starting logger...Done.\n        Starting mailbox...Done.\n        Starting memcached...Done.\n        Starting proxy...Done.\n        Starting amavis...Done.\n        Starting antispam...Done.\n        Starting antivirus...Done.\n        Starting opendkim...Done.\n        Starting snmp...Done.\n        Starting spell...Done.\n        Starting mta...Done.\n        Starting stats...Done.\n        Starting service webapp...Done.\n        Starting zimbra webapp...Done.\n        Starting zimbraAdmin webapp...Done.\n        Starting zimlet webapp...Done.<\/pre>\n\n\n\n<p>As the output shows, the script does more than copy files. It checks with <code>zmcertmgr<\/code> that the new certificate matches the commercial key already in <code>\/opt\/zimbra\/ssl\/zimbra\/commercial\/<\/code> and that it validates against the chain, installs certificate and key for every service (mailboxd, IMAP, LDAP, the MTA and the nginx proxy), imports the CA chain into the JVM truststore bundled with Zimbra, rebuilds the hashed CA directory under <code>\/opt\/zimbra\/conf\/ca<\/code> and restarts the whole of Zimbra. That restart takes every service down, the MTA and LDAP included, for a few minutes, so run it in a maintenance window. The script was called with <code>-d<\/code> (deploy only: use the certificate Certbot already obtained instead of requesting one) and <code>-H<\/code> (the Zimbra server hostname).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Possible problems<\/h2>\n\n\n\n<p>At first, when I launched the process, I received this result:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">certbot-zimbra v0.7.12 - https:\/\/github.com\/YetOpen\/certbot-zimbra\nChecking for dependencies...\nDetected Zimbra 8.8.15 on UBUNTU16_64\nUsing domain mail.DOMAIN.com (as certificate DN)\nPreparing certificates for deployment.\ncat: \/etc\/ssl\/certs\/2e5ac55d.0: No such file or directory<\/pre>\n\n\n\n<p>The missing file is a hashed link in the system trust store. Before handing the chain to <code>zmcertmgr<\/code>, certbot-zimbra works out the issuer of the chain Certbot wrote, takes that issuer&#8217;s OpenSSL subject hash and reads <code>\/etc\/ssl\/certs\/&lt;hash&gt;.0<\/code> to append the root certificate, because Zimbra wants the complete chain up to the root. With a chain that still leads to DST Root CA X3 the issuer it looks for is the expired root, and once the distribution dropped that root from the <code>ca-certificates<\/code> bundle the lookup fails with exactly this error. So first check that <code>ca-certificates<\/code> is installed and current, which rules out the trivial cause:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">root@mail:\/# apt-cache policy ca-certificates\nca-certificates:\n  Installed: 20210119~16.04.1ubuntu0.1~esm1\n  Candidate: 20210119~16.04.1ubuntu0.1~esm1<\/pre>\n\n\n\n<p>If the package is missing, install it (if it is already installed, the same command upgrades it to the candidate version):<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">apt-get install ca-certificates<\/pre>\n\n\n\n<p>In the run above the package was installed and at the candidate version, and the hash file was still missing: the expired root was removed on purpose, and reinstalling <code>ca-certificates<\/code> will not bring it back. The real fix is the one described above: install the Snap version of Certbot and re-issue the certificate with <code>--preferred-chain \"ISRG Root X1\"<\/code>, so that the chain ends at ISRG Root X1, which the trust store does contain. In the successful run that root is what the script links as <code>4042bcee.0<\/code> under <code>\/opt\/zimbra\/conf\/ca<\/code>. Finally, check what Zimbra actually serves rather than what is on disk: <code>openssl s_client -connect mail.DOMAIN.com:443 -showcerts &lt;\/dev\/null<\/code>, and the same with <code>-starttls smtp<\/code> against port 25, should show a chain that ends at ISRG Root X1 with no trace of DST Root CA X3.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful links<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/letsencrypt.org\/certificates\/#\" target=\"_blank\" rel=\"noreferrer noopener\">Let\u2019s Encrypt Certificates<\/a><\/li><li><a href=\"https:\/\/letsencrypt.org\/docs\/dst-root-ca-x3-expiration-september-2021\/\" target=\"_blank\" rel=\"noreferrer noopener\">Let\u2019s Encrypt DST Root CA X3 Expiration<\/a><\/li><li><a href=\"https:\/\/blog.zimbra.com\/2021\/09\/zimbra-skilz-how-to-use-zimbra-with-lets-encrypt-certificates\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zimbra and Let\u2019s Encrypt certificates<\/a><\/li><li><a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\/issues\/140\" target=\"_blank\" rel=\"noreferrer noopener\">Certbot-Zimbra: No such file or directory<\/a><\/li><li><a href=\"https:\/\/github.com\/YetOpen\/certbot-zimbra\" target=\"_blank\" rel=\"noreferrer noopener\">Certbot-Zimbra<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>On September 30, 2021, the DST Root CA X3 certificate expired. This certificate was the root that every Let&#8217;s Encrypt certificate chained to. 
To avoid serious problems, Let&#8217;s Encrypt created a new &#8230;<\/p>\n","protected":false},"author":1,"featured_media":6490,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[410,207],"tags":[2689,1695,645,1050,564,647],"class_list":["post-6479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","category-linux-en","tag-lets-encrypt-en","tag-linux-en","tag-open-source-en","tag-ssl-en","tag-ubuntu-en","tag-zimbra-en"],"acf":{"book_cover":null,"special_featured_image":null},"_links":{"self":[{"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/posts\/6479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/comments?post=6479"}],"version-history":[{"count":0,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/posts\/6479\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/media\/6490"}],"wp:attachment":[{"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/media?parent=6479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/categories?post=6479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kevinmaschke.com\/en\/wp-json\/wp\/v2\/tags?post=6479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
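The checks behind the two failures in the post above (the chain that had to be re-issued with `--preferred-chain "ISRG Root X1"`, and the `cat: /etc/ssl/certs/2e5ac55d.0: No such file or directory` error under "Possible problems"), as an added example that is not part of the original article and not code from certbot-zimbra or Certbot. It is a small POSIX shell script that takes a PEM bundle such as `/etc/letsencrypt/live/mail.DOMAIN.com/fullchain.pem`, lists every certificate in it, reports which root the chain expects, counts certificates that are (or will soon be) expired, verifies the leaf against a chosen root, and repeats the lookup certbot-zimbra performs: the issuer hash of the chain's last certificate resolved as `<hash>.0` in a c_rehash-style directory (`/etc/ssl/certs` on the server). It assumes only the `openssl` command-line tool; the script name `chaincheck.sh` and the function names are mine.

```shell
#!/bin/sh
# chaincheck.sh: added example, not part of the original post and not code from
# certbot-zimbra or Certbot. Inspects a PEM bundle (e.g. Certbot's fullchain.pem)
# and repeats the root lookup that certbot-zimbra does against /etc/ssl/certs.
# Assumes only a POSIX shell and the openssl command-line tool.

# Split a PEM bundle ($1) into cert01.pem, cert02.pem, ... inside directory $2,
# in the order the certificates appear (leaf first for a Certbot fullchain.pem).
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f { print > f }' "$1"
}

# Print subject, issuer and expiry of every certificate in the bundle.
describe_chain() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    for f in "$dir"/cert*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        echo "--"
    done
    rm -rf "$dir"
}

# Print the issuer of the LAST certificate in the bundle: the root the chain
# expects clients (and the system trust store) to have. For the Let's Encrypt
# long chain this is DST Root CA X3; for the chain selected with
# --preferred-chain "ISRG Root X1" it is ISRG Root X1.
chain_root_issuer() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    last=$(ls "$dir"/cert*.pem | tail -n 1)
    openssl x509 -in "$last" -noout -issuer | sed 's/^issuer= *//'
    rm -rf "$dir"
}

# Print how many certificates in the bundle are expired $2 seconds from now
# (0 = already expired). Anything above 0 means clients will see a bad chain.
count_expiring() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    n=0
    for f in "$dir"/cert*.pem; do
        if ! openssl x509 -in "$f" -noout -checkend "$2" >/dev/null; then
            n=$((n + 1))
        fi
    done
    rm -rf "$dir"
    echo "$n"
}

# Resolve the chain's root the way certbot-zimbra does: the issuer hash of the
# last certificate, looked up as <hash>.0 in a c_rehash-style directory $2
# (/etc/ssl/certs on a Debian/Ubuntu host). Prints the path, or fails when the
# root is absent from the store, which is the post's "No such file" error.
find_root_in_store() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    last=$(ls "$dir"/cert*.pem | tail -n 1)
    hash=$(openssl x509 -in "$last" -noout -issuer_hash)
    rm -rf "$dir"
    if [ -f "$2/$hash.0" ]; then
        echo "$2/$hash.0"
    else
        echo "root with subject hash $hash not found in $2" >&2
        return 1
    fi
}

# Verify the leaf (first certificate) through the bundle's intermediates while
# trusting only the root in $2: the check a TLS client performs.
verify_leaf() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    : > "$dir/intermediates.pem"
    for f in "$dir"/cert*.pem; do
        [ "$f" = "$dir/cert01.pem" ] || cat "$f" >> "$dir/intermediates.pem"
    done
    if openssl verify -CAfile "$2" -untrusted "$dir/intermediates.pem" \
            "$dir/cert01.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Usage: sh chaincheck.sh /etc/letsencrypt/live/mail.DOMAIN.com/fullchain.pem [/etc/ssl/certs]
if [ "$#" -ge 1 ]; then
    describe_chain "$1"
    echo "chain expects root: $(chain_root_issuer "$1")"
    echo "expired certificates in bundle: $(count_expiring "$1" 0)"
    find_root_in_store "$1" "${2:-/etc/ssl/certs}"
fi
```

On a server still holding the long chain, `chain_root_issuer` prints DST Root CA X3 and `find_root_in_store fullchain.pem /etc/ssl/certs` fails the same way the post's certbot-zimbra run did once that root had been removed from the store; after the re-issue with the ISRG Root X1 chain it prints ISRG Root X1 and finds the root. `verify_leaf` with `/etc/ssl/certs/ISRG_Root_X1.pem` as the trusted root is the quickest way to confirm the bundle itself is sound before deploying it into Zimbra.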