Upgrade to the new version of Certbot Zimbra 0.7.10

by Daniel Pham

This article covers upgrading to the new version of Certbot Zimbra.

You may have read the previous article I wrote about using Certbot Zimbra to register a Let’s Encrypt SSL certificate for a new domain automatically. Tonight, I accidentally discovered that the script is no longer working.

Certbot Zimbra 0.7.10

What is different in the new version 0.7.10? In the older version, the -d option was used to specify the domain; in the new version, -d stands for --deploy-only.


That is why, when I used exactly the same command as before, the new domain still did not get the SSL certificate applied.

certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com

In the new version, to declare the main domain to register ssl, use the -H option, i.e. --hostname.
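The change of meaning for -d also affects any saved commands, such as cron entries or wrapper scripts. As an added example (not code from this article or from the certbot-zimbra project), this POSIX shell snippet flags invocations that still pass a hostname to -d and prints the -H form. The function names and the sample crontab are constructed, and it assumes -d takes no argument in 0.7.10.

```shell
# Added example, not certbot-zimbra code. Assumption: in 0.7.10 "-d" takes no value.

# uses_legacy_d LINE: succeed if LINE runs certbot_zimbra.sh with "-d <value>".
uses_legacy_d() (
    set -f                                  # cron fields contain "*": never glob
    seen=0 prev=""
    for tok in $1; do
        case "$tok" in \#*) break ;; esac   # stop at commented-out text
        if [ "$seen" -eq 1 ] && [ "$prev" = "-d" ]; then
            case "$tok" in -*) ;; *) exit 0 ;; esac   # value after -d: old syntax
        fi
        case "$tok" in certbot_zimbra.sh|*/certbot_zimbra.sh) seen=1 ;; esac
        prev=$tok
    done
    exit 1
)

# migrate_line LINE: print LINE with "-d <value>" rewritten to "-H <value>".
# Runs of whitespace are collapsed to single spaces.
migrate_line() (
    set -f
    seen=0 prev="" out=""
    for tok in $1; do
        if [ "$seen" -eq 1 ] && [ "$prev" = "-d" ]; then
            case "$tok" in -*) ;; *) out="${out% -d} -H" ;; esac
        fi
        case "$tok" in certbot_zimbra.sh|*/certbot_zimbra.sh) seen=1 ;; esac
        out="${out:+$out }$tok"
        prev=$tok
    done
    printf '%s\n' "$out"
)

# scan: read lines on stdin, report legacy invocations; returns 0 if any were found.
scan() {
    found=1 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        uses_legacy_d "$line" || continue
        printf 'line %d: %s\n     -> %s\n' "$n" "$line" "$(migrate_line "$line")"
        found=0
    done
    return "$found"
}

# Constructed sample crontab (not taken from a real server).
SAMPLE='# weekly renewal
0 3 * * 1 /usr/local/bin/certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com
30 3 * * 1 /usr/local/bin/certbot_zimbra.sh -n -H mail.yourdomain.com'
printf '%s\n' "$SAMPLE" | scan || true
```

To check a real file, feed it on stdin, for example `scan < /etc/crontab`.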

Upgrade Certbot Zimbra to version 0.7.10

The upgrade is quite simple. You just need to perform the following steps.

Step 1: Download the new certbot zimbra package to the server.

wget --content-disposition https://github.com/YetOpen/certbot-zimbra/archive/0.7.10.tar.gz

Step 2: Unzip the package and grant the execution permissions.

tar -xzf certbot-zimbra-0.7.10.tar.gz
cd certbot-zimbra-0.7.10
chmod +x certbot_zimbra.sh

Step 3: Delete the old Certbot Zimbra script and move the new version into place.

rm -f /usr/local/bin/certbot_zimbra.sh
mv certbot_zimbra.sh /usr/local/bin/

That's it. You can now run this command to check that the script's help output lists the -H option.

certbot_zimbra.sh --help
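Step 3 deletes the old script before the new one is in place, which leaves nothing to fall back on if the new file is not what you expected. As an added example (not from this article or from the certbot-zimbra project), the functions below do the same replacement with a check and a backup. The function names are hypothetical, and the check assumes the new script's source contains the literal text --hostname.

```shell
# Added example, not certbot-zimbra code: install the new script only if it
# mentions --hostname, and keep the previous version for rollback.

# upgrade_script NEW DEST
#   returns 0 on success, 1 if NEW lacks --hostname, 2 on missing input or I/O error.
upgrade_script() {
    new=$1 dest=$2
    [ -f "$new" ] || { echo "missing: $new" >&2; return 2; }
    # Static check, so freshly downloaded code is not executed as root just to
    # read its help. Assumption: the source contains the literal "--hostname".
    if ! grep -q -- '--hostname' "$new"; then
        echo "refusing: $new does not mention --hostname" >&2
        return 1
    fi
    # Keep the previous version (mode and timestamps preserved) as DEST.bak.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 2
    fi
    # Copy to a temporary name in the target directory, then rename, so a job
    # that starts mid-upgrade sees the old or the new file, never a partial one.
    tmp="$dest.new.$$"
    install -m 0755 "$new" "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# rollback_script DEST: restore the copy saved by upgrade_script.
rollback_script() {
    [ -f "$1.bak" ] && mv -f "$1.bak" "$1"
}
```

In place of the rm and mv in step 3, call `upgrade_script certbot_zimbra.sh /usr/local/bin/certbot_zimbra.sh` from the unpacked directory.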

Using the Certbot Zimbra new version

After upgrading, I used it to add some domains to my Zimbra server.

The process is much the same as with the old version: it registers the SSL certificate for the domains and restarts the Zimbra services.

[root@mail ~]# certbot_zimbra.sh -n -H mail.yourdomain.com -e mail.yourseconddomain.com -e mail.yourthirddomain.com
certbot-zimbra v0.7.10 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.x.x on RHEL7_64
Using domain mail.yourdomain.com (as certificate DN)
Got 2 domains to use as certificate SANs: mail.yourseconddomain.com mail.yourthirddomain.com
Checking zimbra-proxy is running and enabled
Detecting port from zimbraMailProxyPort
Checking if process is listening on port 80 with name "nginx" user "zimbra"
Nginx templates already patched.
Nginx includes already patched, skipping zmproxy restart.
Detecting certbot version...
Detected certbot 1.3.0
Running /usr/local/bin/certbot-auto certonly  --webroot -w /opt/zimbra/data/nginx/html --cert-name mail.yourdomain.com -d mail.yourdomain.com -d mail.yourseconddomain.com -d mail.yourthirddomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate mail.yourdomain.com to include new domain(s):
+ mail.yourseconddomain.com
+ mail.yourthirddomain.com

You are also removing previously included domain(s):

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: U
Renewing an existing certificate

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2020-06-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/privkey.pem'
Certificate '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' and private key '/run/certbot-zimbra/certs-JPE5MG3p/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-JPE5MG3p/cert.pem: OK
Deploying certificates.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' against '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-JPE5MG3p/cert.pem: OK
** Copying '/run/certbot-zimbra/certs-JPE5MG3p/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/run/certbot-zimbra/certs-JPE5MG3p/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.yourdomain.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.yourdomain.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b8c8cdf8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b8c8cdf8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Removing temporary files in /run/certbot-zimbra/certs-JPE5MG3p
Restarting Zimbra.
Host mail.yourdomain.com
        Stopping zmconfigd...Done.
        Stopping imapd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host mail.yourdomain.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.
        Starting imapd...Done.
[root@mail ~]#

There is one additional point in this version: it notifies you whether it will register or renew for any additional domain.


This article is an update for those of you who are using the Certbot Zimbra script on your mail server. It’s not a serious bug, but the upgrade needs to be done if you want to continue using the script. I hope it is helpful.

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).

3 years ago

Hi, can you help me? It does not work for me. I have configured “redirect” in the Zimbra proxy; is there any way that it works with redirect activated?
Letsencrypt, only works with http.

curl -I

I always have this message
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 10 Nov 2020 13:50:10 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive

it should be:

Nathan Costa Freitas
4 years ago

Error: “gawk” not found or executable. How to solve?
