Hello everyone,
My certificate has been expired since 18.01.24, see pictures.
Is there a step-by-step guide on how to renew it?
Since I am not practised in matters of certificates, I don't want to do anything wrong.
Regards M
demsi01 If you are using the appliance and a Let's Encrypt certificate, the following command should help you renew your certificate. This is for HTTP renewal and requires that port 80 is open from the internet to your Grommunio appliance:-
certbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name="your current certificate name" -d "comma separated list of any additional domain names you have on your existing certificate (eg, your_domain.com,mail.your_domain.com,autodiscover.your_domain.com)" -m "email_address_you_used_when_you_created_your_current_certificate"
Edit the italicised text in the above command and transpose the relevant details from your expired certificate into the command, then SSH into your appliance and paste the command in at the root user prompt.
This should then renew your certificate.
Good Luck
I can't really get it to work. No idea whether there's something I don't understand or I'm just too dumb. Sorry, my head is really muddled right now.
I have now tried it as described by Mister2, like this:
certbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name="dems03.unserfirma.lan" -d "unserefirma.lan" -m "info@unserefirma.de" --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"
This gives the following error message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for dofa.lan
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "dofa.lan": Domain name does not end with a valid public suffix (TLD)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I also tried it this way:
openssl req -new -x509 -days 365 -nodes -out /etc/grommunio-common/ssl/server-bundle.pem -keyout /etc/grommunio-common/ssl/server.key
Then just DE, BY, MUC etc.
If I now open the grommunio admin page, the certificate is invalid and this message appears:
When I start Outlook, this message appears:
I'm afraid I have pretty much "destroyed" everything; can I somehow sort out this certificate mess again?
Key facts:
Internal network 192.168.x.x runs in the domain meinefirma.lan
The mail domain ... is then however meinefirma.de
the grommunio server itself has dename.meinefirma.lan (also set that way under Network)
in grommunio I then created an organisation + created a domain with meinefirma.de and the users on it...
Now my question: is there any way to get this back under control?
I would be very grateful for replies...
Regards M
demsi01 You cannot use domain.lan as a domain for your email. You can only request certificates from Let's Encrypt (or any Certificate Authority) for valid Internet domains. The '.lan' part of a domain name is reserved for internal use only and cannot be used on the Internet. Additionally, you need to own this domain (ie you must register the domain you use with a domain registrar and then set up your external DNS to point the domain at your external IP address, before you try and request a Let's Encrypt Certificate). The certbot script I mentioned above requires all this to be in place before it will work. So if you do not have a registered domain your tasks are:-
If you have not set this up before you really need to do a lot of reading before you will get this to work, as it is not just a case of installing Grommunio to set up a mail server.
Apologies if I have made this sound difficult, but from your emails above it sounds like you are dipping your feet into Grommunio without a lot of experience of the tasks involved in setting up a mail server.
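As an added example (my own script, not code from Andy's posts or from grommunio), here is a POSIX shell preflight that does the two things Andy describes before anything is pasted into the appliance: it rejects names under internal-only suffixes such as .lan, which no public CA will issue for (the exact error M got), and then prints the renewal command with the nginx pre/post hooks and the grommunio deploy hook exactly as they appear in M's attempt above. The list of internal suffixes is my own assumption and not exhaustive, and the names and e-mail address in the usage line are constructed placeholders. Running the check first also avoids burning Let's Encrypt's rate limit on orders that can never succeed.

```shell
#!/bin/sh
# Added preflight for the Let's Encrypt renewal discussed in this thread (not grommunio code).
# It refuses names under suffixes that are internal-only (assumed list, not exhaustive) and then
# prints the certbot command with the grommunio hooks, so nothing is sent to Let's Encrypt
# until the requested names are at least plausible public DNS names.

RESERVED_SUFFIXES="lan local localhost internal intranet corp home home.arpa test example invalid"

# is_public_name NAME -> exit 0 if NAME could be a public DNS name, 1 otherwise
is_public_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        *.*) ;;                    # a bare hostname like "server" is never public
        *)   return 1 ;;
    esac
    for sfx in $RESERVED_SUFFIXES; do
        case "$name" in
            *".$sfx") return 1 ;;  # e.g. dems03.unserfirma.lan -> rejected
        esac
    done
    case "$name" in
        *[!0-9.]*) return 0 ;;     # contains letters: plausible FQDN
        *)         return 1 ;;     # only digits and dots: an IP literal, not a DNS name
    esac
}

# check_domains "a,b,c" -> prints one verdict per name, exit 1 if any name is rejected
check_domains() {
    bad=0
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        if is_public_name "$d"; then
            echo "ok      $d"
        else
            echo "REJECT  $d  (not a public DNS name; Let's Encrypt will refuse the order)"
            bad=1
        fi
    done
    return $bad
}

# build_certbot_cmd CERTNAME DOMAINS EMAIL -> prints the renewal command line.
# Hooks as used earlier in this thread: stop/start nginx around the standalone
# HTTP challenge, then let grommunio's renew hook install the new certificate.
build_certbot_cmd() {
    printf 'certbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name="%s" -d "%s" -m "%s" --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"\n' "$1" "$2" "$3"
}

# renew_preflight CERTNAME DOMAINS EMAIL -> exit 1 and explain if any name is unusable
renew_preflight() {
    echo "Checking requested names ..."
    if ! check_domains "$2"; then
        echo "Fix the rejected names (use your registered external domain) before running certbot."
        return 1
    fi
    echo "Paste this at the root prompt of the appliance (port 80 must reach it from the internet):"
    build_certbot_cmd "$1" "$2" "$3"
}

# Usage with constructed placeholder values (not real names from this thread):
#   renew_preflight mail.example.com "mail.example.com,example.com,autodiscover.example.com" admin@example.com
```

The suffix check is deliberately conservative: it only catches names that cannot possibly be issued, so a name that passes still has to be registered and resolve to the appliance's public IP, as Andy says.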
Andy Ah ok, yes, I find the certificate handling is done rather poorly. There ought to be a menu item in the admin web GUI where you can configure all of that and revise it as needed etc.
I can hardly imagine that in companies... larger ones, that is... the users are very keen to keep pressing Yes there. If our managing director gets wind of that, it's Apollo19 time
Perhaps something will come along for that at some point
I'm now setting up a new email server and will just have to bring all the accounts back over somehow... Time is "no" object after all
Two more questions...
Here grommunio serves only as a replacement for an old MS Exchange server. It is only supposed to fetch mail via Fetchmail and make it available to the users internally, likewise sending via SMTP then... Simply as a replacement for the Exchange AND it delivers via a relay...
Can one possibly somehow "do without" certificates etc. there?
Question 2... What should I choose during the initial installation? As I said, our grommunio is not publicly reachable and only serves as a replacement for the Exchange...
1 or 3...?
I already tried it once with 3, after that nginx doesn't work any more...
Best regards M
demsi01 Creating a mail server is usually a process of many re-starts from scratch, as each iteration you find that you do something wrong (or not quite right) and learn from the process. I suspect you used your internal domain information when you ran through the Let's Encrypt wizard within the Grommunio Setup Wizard; it is important you use your external domain details in this wizard, mail.yourexternaldomain.com, yourexternaldomain.com, autodiscover.yourexternaldomain.com, otherwise Let's Encrypt will just say 'NO'.
Unfortunately, you cannot do the certificate from the Command or GUI consoles. However, if you modify the certbot script I provided you with the correct domain information that will add the certificate in all the right places in your Grommunio server. You can open a SSH shell to your server and just copy the script in again - with the corrected domain info; just be aware Let's Encrypt only allow so many attempts per hour or day (rate limiting), so don't try too often if it doesn't work.
If you are rebuilding your Grommunio server you can use the following process to move the Org, Domain, Users and mails to your new server. Hopefully you are using VMs as you can snapshot each milepost in your test install and revert back when something goes wrong to save a lot of rebuilding from scratch.
You need to copy the parts in bold above and paste into a SSH shell on the relevant server (Old/New). Some commands are long so make sure you get all of it in one go (hence I put it in bold text). Replace the 192.168.xxx.xxx in steps 7 and 8 with the IP address of your new server.
The above process is just for a core installation (ie no Grommunio Files, Meet, Archive etc), but should be possible to modify if you need to (I only use Core and Files).
And of course when you have migrated your mailboxes over to a new server - TEST - TEST - TEST to make sure everything is working as you expect.
Hope above helps.
demsi01 I would always build the server as fully functional so that if needed in the future it is just a case of opening ports on your firewall. It's good practice for your build documentation just in case you ever need to use it in the real world not just internally, rather than having to learn new bits when the server is in production with the consequential issues that might occur when a mistake is made. Hope that makes sense.
Choose option 3 and let Let's Encrypt do the certificate request for you. Don't forget you will need to port forward port 80 to the grommunio server in your router/firewall. Add all 3 DNS names the wizard offers; this will make it easier for your clients to connect to the server and create mail profiles (as you use Outlook - Outlook really likes certificates and can be a pain without valid ones).
@demsi01 If you cannot open port 80 from the Internet to your Grommunio server for the Let's Encrypt Certificate check, you can get a certificate by other means (even a paid one from a Certificate Authority) and manually apply it to the grommunio server. Put the certs in /etc/grommunio-common/ssl. They must be in PEM format - use the Grommunio documentation on what you need to do here as I only use the LE certs.
demsi01 Replacement for the Exchange
If you have an Exchange, you have an AD and you can roll out certificates which are trusted by your clients. Generate a new certificate for that host/FQDN and put them in /etc/grommunio-common/ssl.
There are a bunch of HowTos out there. I would start with https://learn.microsoft.com though.
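Added example for the two posts above about placing a certificate and key in /etc/grommunio-common/ssl in PEM format (this is my own script, not grommunio tooling; it needs the openssl command-line tool). It checks the three things that made M's self-signed attempt earlier in the thread fail for the admin page and Outlook: that the private key actually belongs to the certificate, that the certificate is still valid for a given number of days, and that the server's name is listed in the Subject Alternative Name extension, which a certificate made from the bare interactive openssl req prompts does not carry. The file names server-bundle.pem and server.key are the ones from the thread; the host name and the 30-day window in the usage line are assumptions.

```shell
#!/bin/sh
# Added check script for a certificate/key pair as placed in /etc/grommunio-common/ssl
# (not grommunio code). Requires the openssl command-line tool.

# key_matches_cert CERT KEY -> 0 if KEY is the private key belonging to CERT
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> 0 if CERT will still be valid DAYS days from now
# (openssl -checkend exits non-zero when the certificate expires inside the window)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_covers_host CERT HOST -> 0 if HOST appears as a DNS entry in the SAN extension.
# Clients such as Outlook match against the SAN list, not the CN, which is why a
# certificate created from the interactive openssl prompts alone gets rejected.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qx "DNS:$2"
}

# check_grommunio_ssl DIR HOST DAYS -> one verdict line per check, exit 1 if any fails
check_grommunio_ssl() {
    dir=$1; host=$2; days=$3
    cert="$dir/server-bundle.pem"; key="$dir/server.key"
    rc=0
    if key_matches_cert "$cert" "$key"; then
        echo "ok    private key matches certificate"
    else
        echo "FAIL  $key is not the key for $cert"; rc=1
    fi
    if cert_valid_for_days "$cert" "$days"; then
        echo "ok    certificate valid for at least $days more days"
    else
        echo "FAIL  certificate expires within $days days (or is already expired)"; rc=1
    fi
    if cert_covers_host "$cert" "$host"; then
        echo "ok    SAN covers $host"
    else
        echo "FAIL  $host is not in the certificate's Subject Alternative Name list"; rc=1
    fi
    return $rc
}

# Usage (host name and window are assumptions; adjust to your own server):
#   check_grommunio_ssl /etc/grommunio-common/ssl mail.example.com 30
```

Run it after every certificate change, and again from cron with a window of a few weeks so an expiry like the one that started this thread is noticed before clients start complaining.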