renew_certificat_from_letsencrypt

Differences

Below are the differences between two revisions of the page.

renew_certificat_from_letsencrypt [2021/11/11 19:57] – created inc002
renew_certificat_from_letsencrypt [2022/10/25 02:11] (current version) inc002
Line 1: Line 1:
-=== Change certificate of no standard port ==+==== Change certificate of no standard port ====
  
 generate a new one and copy (with root user) generate a new one and copy (with root user)
Line 25: Line 25:
  
   zmcontrol restart   zmcontrol restart
 +  
 +==== Renew certificate with OVH API ====
 +
 +=== Introduction ===
 +
 +You need to install certbot with OVH API support described to point 1 and 2 of https://buzut.net/certbot-challenge-dns-ovh-wildcard/
 +For automatic renewal, you can add to crontab the script bellow. Don't forget to change the $DOMAIN variable and adjust the certbot line if your mail server 
 +
 +<code bash | renewLECertZimbra.sh>
 +#!/bin/bash
 +DOMAIN='mydomain.tld'
 +HOST='mail'
 +MAIL_USER='postmaster'
 +CERTBOT_OUT=""
 +TMP_CERTBOT="/tmp/certbot.txt"
 +
 +touch $TMP_CERTBOT
 +
 +/usr/local/bin/certbot --preferred-chain "ISRG Root X1" certonly --dns-ovh --dns-ovh-credentials /root/.ovhapi --non-interactive --agree-tos --email $MAIL_USER@$DOMAIN -d $HOST.$DOMAIN > /tmp/certbot.txt
 +
 +#check if renewal is needed
 +CERTBOT_OUT=`cat $TMP_CERTBOT | grep "Certificate not yet due for renewal; no action taken."`
 +
 +if [ -z "$CERTBOT_OUT" ]
 +then
 +  #copy the new cert to zimbra
 +  cp /etc/letsencrypt/live/mail.$DOMAIN/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +  #ajust ownership
 +  chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +  #download LE chain certificate
 +  wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
 +  cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.$DOMAIN/chain.pem
 +  #Temp copy of cert and chain for zimbra integration (removed from /tmp after integration)
 +  cp /etc/letsencrypt/live/mail.$DOMAIN/chain.pem /tmp
 +  cp /etc/letsencrypt/live/mail.$DOMAIN/cert.pem /tmp
 +  # verify and deploy the cert on zimbra
 +  su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem"
 +  su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem"
 +  #remove cert copy to tmp
 +  rm /tmp/chain.pem
 +  rm /tmp/cert.pem
 +  #restart zimbra
 +  su - zimbra -c "zmcontrol restart"
 +else
 +  echo $CERTBOT_OUT
 +fi
 +
 +rm $TMP_CERTBOT
 +</code> 
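Review bot: the renewal test at `if [ -z "$CERTBOT_OUT" ]` only looks for the "Certificate not yet due for renewal" string, so any certbot failure (OVH API error, DNS challenge timeout; stderr is not even captured by `> /tmp/certbot.txt`) yields an empty match and falls through to the deploy branch, which re-deploys whatever is already in /etc/letsencrypt/live and restarts Zimbra for nothing. Check certbot's exit status instead (`... > "$TMP_CERTBOT" 2>&1 || exit 1`, using the `$TMP_CERTBOT` variable that is already defined rather than the literal path), and chain `zmcertmgr verifycrt` and `deploycrt` with `&&` so a failed verification never reaches `zmcontrol restart`. Two further points: the `cp` lines hardcode `mail.$DOMAIN` although `HOST='mail'` is defined at the top, so any other hostname silently breaks the copy (use `$HOST.$DOMAIN` throughout); and the script writes root-owned files to predictable names in world-writable /tmp and appends the ISRG root to certbot's own `chain.pem` with `>>`, modifying a certbot-managed file. A `mktemp -d` work directory removed by a `trap`, holding `cat chain.pem ISRG-X1.pem > "$WORK/chain.pem"`, would leave certbot's files untouched and avoid writing through a pre-existing /tmp path. In the introduction, the sentence "adjust the certbot line if your mail server" is cut off, and "bellow" should read "below".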
renew_certificat_from_letsencrypt.1636657035.txt.gz · Last modified: 2021/11/11 19:57 by inc002