renew_certificat_from_letsencrypt

Differences

Below are the differences between two revisions of the page.

renew_certificat_from_letsencrypt [2022/10/25 02:03] inc002 | renew_certificat_from_letsencrypt [2022/10/25 02:11] (Current version) inc002
Ligne 31: Ligne 31:
  
 You need to install certbot with OVH API support described to point 1 and 2 of https://buzut.net/certbot-challenge-dns-ovh-wildcard/ You need to install certbot with OVH API support described to point 1 and 2 of https://buzut.net/certbot-challenge-dns-ovh-wildcard/
-For automatic renewal, you can add to crontab the script bellow+For automatic renewal, you can add to crontab the script bellow. Don't forget to change the $DOMAIN variable and adjust the certbot line if your mail server 
  
 <code bash | renewLECertZimbra.sh> <code bash | renewLECertZimbra.sh>
 #!/bin/bash #!/bin/bash
 DOMAIN='mydomain.tld' DOMAIN='mydomain.tld'
 +HOST='mail'
 +MAIL_USER='postmaster'
 CERTBOT_OUT="" CERTBOT_OUT=""
 TMP_CERTBOT="/tmp/certbot.txt" TMP_CERTBOT="/tmp/certbot.txt"
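Review bot: the sentence added to the intro line stops mid-sentence at "if your mail server"; finish it so the reader knows what to adjust, and fix "bellow" while editing that line. This hunk introduces HOST='mail' and MAIL_USER='postmaster', but the instruction still tells the reader to change only the $DOMAIN variable; name HOST as well, since the certbot -d argument now depends on it.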
Ligne 41: Ligne 43:
 touch $TMP_CERTBOT touch $TMP_CERTBOT
  
-/usr/local/bin/certbot --preferred-chain "ISRG Root X1" certonly --dns-ovh --dns-ovh-credentials /root/.ovhapi --non-interactive --agree-tos --email postmaster@$DOMAIN -d mail.$DOMAIN > /tmp/certbot.txt+/usr/local/bin/certbot --preferred-chain "ISRG Root X1" certonly --dns-ovh --dns-ovh-credentials /root/.ovhapi --non-interactive --agree-tos --email $MAIL_USER@$DOMAIN -d $HOST.$DOMAIN > /tmp/certbot.txt
  
-#check id renewal is needed+#check if renewal is needed
 CERTBOT_OUT=`cat $TMP_CERTBOT | grep "Certificate not yet due for renewal; no action taken."` CERTBOT_OUT=`cat $TMP_CERTBOT | grep "Certificate not yet due for renewal; no action taken."`
  
 if [ -z "$CERTBOT_OUT" ] if [ -z "$CERTBOT_OUT" ]
 then then
 +  #copy the new cert to zimbra
   cp /etc/letsencrypt/live/mail.$DOMAIN/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key   cp /etc/letsencrypt/live/mail.$DOMAIN/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +  #ajust ownership
   chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key   chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +  #download LE chain certificate
   wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt   wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
   cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.$DOMAIN/chain.pem   cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/mail.$DOMAIN/chain.pem
 +  #Temp copy of cert and chain for zimbra integration (removed from /tmp after integration)
   cp /etc/letsencrypt/live/mail.$DOMAIN/chain.pem /tmp   cp /etc/letsencrypt/live/mail.$DOMAIN/chain.pem /tmp
   cp /etc/letsencrypt/live/mail.$DOMAIN/cert.pem /tmp   cp /etc/letsencrypt/live/mail.$DOMAIN/cert.pem /tmp
 +  # verify and deploy the cert on zimbra
   su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem"   su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem"
   su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem"   su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem"
 +  #remove cert copy to tmp
   rm /tmp/chain.pem   rm /tmp/chain.pem
   rm /tmp/cert.pem   rm /tmp/cert.pem
 +  #restart zimbra
   su - zimbra -c "zmcontrol restart"   su - zimbra -c "zmcontrol restart"
 else else
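Review bot: the certbot -d argument now uses $HOST.$DOMAIN, but every later path in this hunk still hard-codes /etc/letsencrypt/live/mail.$DOMAIN/ (the cp of privkey.pem, the cat into chain.pem, and the two cp lines to /tmp). With any HOST value other than 'mail', certbot writes the new certificate under /etc/letsencrypt/live/$HOST.$DOMAIN/ and the script deploys stale or missing files; change those four paths to `/etc/letsencrypt/live/$HOST.$DOMAIN/...`. Two related points: the test `if [ -z "$CERTBOT_OUT" ]` treats any output that lacks the "not yet due" message as a successful renewal, so a certbot error (bad OVH credentials, failed DNS challenge) still falls into the deploy branch, appends the root to the existing chain.pem, redeploys the old certificate and restarts Zimbra; checking certbot's exit status in addition to the grep avoids that. Also, `cat /tmp/ISRG-X1.pem >> .../chain.pem` modifies certbot's own chain file in place and the wget result is not checked before appending; append to the /tmp copy made on the following lines, after confirming the download succeeded, so the live files stay untouched.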
renew_certificat_from_letsencrypt.1666656232.txt.gz · Last modified: 2022/10/25 02:03 by inc002