Hello everyone,
My certificate has been expired since 18.01.24, see pictures.

Is there a step-by-step guide on how to renew it?
Since I am not practised in matters of certificates, I don't want to do anything wrong here.

Regards, M


    demsi01 If you are using the appliance and Let's Encrypt certificate the following command should help you renew your certificate. This is for HTTP renewal and requires that port 80 is open from the internet to your Grommunio appliance:-

    certbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name "your current certificate name" -d "comma separated list of any additional domain names you have on your existing certificate (eg your_domain.com,mail.your_domain.com,autodiscover.your_domain.com)" -m "email_address_you_used_when_you_created_your_current_certificate"

    Edit the placeholder text (in quotes) in the above command and transpose the relevant details from your expired certificate into the command, then SSH into your appliance and paste the command in at the root user prompt.

    This should then renew your certificate.

    Good Luck

    I can't really get it to work. No idea whether I'm not understanding something or I'm just too dumb 🙂 Sorry, my head is really muddled right now 🙂

    I have now tried it as described by Mister2, like this:
    certbot certonly -n --standalone --agree-tos --preferred-challenges http --cert-name="dems03.unserfirma.lan" -d "unserefirma.lan" -m "info@unserefirma.de" --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"

    This gives me this error message:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for dofa.lan
    An unexpected error occurred:
    The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "dofa.lan": Domain name does not end with a valid public suffix (TLD)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    I also tried it like this:
    openssl req -new -x509 -days 365 -nodes -out /etc/grommunio-common/ssl/server-bundle.pem -keyout /etc/grommunio-common/ssl/server.key
    Then just DE, BY, MUC and so on.

    When I now open the Grommunio admin page, the certificate is invalid and this message appears:


    When I start Outlook, this message appears:

    I'm afraid I have pretty much "destroyed" everything; can I somehow get this certificate mess sorted out again?

    Key facts:
    Internal network 192.168.x.x runs in the domain meinefirma.lan
    The mail domain ... however, is meinefirma.de
    The Grommunio server itself has dename.meinefirma.lan (also set that way under Network)
    In Grommunio I then created an organisation + a domain with meinefirma.de and the users on it...

    So my question: is there any way to get this back under control?

    I would be very grateful for replies...

    Regards, M

      demsi01 You cannot use domain.lan as a domain for your email. You can only request certificates from Let's Encrypt (or any Certificate Authority) for valid Internet domains. The '.lan' part of a domain name is reserved for internal use only and cannot be used on the Internet. Additionally, you need to own this domain (ie you must register the domain you use with a domain registrar and then set up your external DNS to point the domain at your external IP address) before you try and request a Let's Encrypt certificate. The certbot script I mentioned above requires all this to be in place before it will work. So if you do not have a registered domain your tasks are:-

      1. Register a domain of your choice that is available and pay for its use for x years (depends on registrar).
      2. Once you can use the domain, set your DNS settings to point to your external IP address at the location of your Grommunio server. Details on how to do this are beyond the scope of this forum and you have a lot of reading to do if you are not sure how to do this, as it depends on your ISP and DNS providers how you go about the process.
      3. Assuming you have got past 2, you need to make sure your Internet router has port forward rules to forward ports 25 & 80 traffic to the internal IP address of your Grommunio server (this will be the IP address of the server on your LAN).
      4. At this point the certbot script I suggested should now work; however, and this is a big however, you will need to rebuild your Grommunio server (or at least re-run the Grommunio Setup Wizard) using your newly registered domain. Again lots of reading needed if you haven't set up a mail server before. Suggest you use the DNS name mail.atyourdomain.com (replace the latter part of this with your registered domain name) for your mail server, and make sure you select all 3 boxes when requesting the Let's Encrypt certificate (mail.yourdomain.com, yourdomain.com, autodiscover.yourdomain.com).
      5. You will need to add mail.yourdomain.com and autodiscover.yourdomain.com 'A' entries into your external DNS to get these to point to your Grommunio server, and before you request the certificate, otherwise it will just fail when Let's Encrypt tries to see if you are the owner of the yourdomain.com domain.

      If you have not set this up before you really need to do a lot of reading before you will get this to work, as it is not just a case of installing Grommunio to set up a mail server.

      Apologies if I have made this sound difficult, but from your emails above it sounds like you are dipping your feet into Grommunio without a lot of experience of the tasks involved in setting up a mail server.
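The renewal command quoted earlier and the prerequisites listed in this reply both come down to the same checks: the names must live under a public TLD (the ".lan" order above was refused for exactly that reason), each name must resolve to the external address port 80 is forwarded from, and the name list must match the expired certificate. The following pre-flight script is an added example, not code from the thread or from grommunio. The certificate path and the hook paths are the ones posted in this thread; the expected external IP and contact address are assumptions passed as arguments, and the script prints the filled-in command rather than running it.

```shell
#!/bin/sh
# Added example (not from the forum thread): pre-flight checks before re-running the
# certbot renewal command quoted above. Reads the name list from the expired
# certificate, rejects names a public CA cannot issue for, optionally checks DNS,
# and prints the command to run. External IP and contact address are assumptions.
set -eu

# Convert the SAN line printed by "openssl x509 -ext subjectAltName"
# ("DNS:a.example.com, DNS:b.example.com") into the comma list certbot -d expects.
# "IP Address:" entries are dropped; the renewal above is for DNS names only.
san_line_to_domains() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        | paste -s -d, -
}

# A public CA only issues for names under a delegated public TLD. This rejects the
# suffixes reserved for private use (RFC 6761, RFC 6762, RFC 8375, ICANN's .internal)
# plus .lan, which is what failed in the thread, and anything without a dot.
is_public_name() {
    case "$1" in
        *.lan|*.local|*.localhost|*.internal|*.home.arpa|*.test|*.example|*.invalid)
            return 1 ;;
        *.*) ;;          # has at least one label separator, keep checking
        *)   return 1 ;; # bare host name such as "localhost" or "dems03"
    esac
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# Print one line per name and return 1 if any name is unusable.
check_names() {  # arg: comma-separated names
    rc=0
    for n in $(printf '%s' "$1" | tr ',' ' '); do
        if is_public_name "$n"; then
            echo "ok      $n"
        else
            echo "REJECT  $n (not a public DNS name, a public CA will refuse it)"
            rc=1
        fi
    done
    return $rc
}

# Online check (needs DNS, so it is not part of the offline checks): every name
# must resolve to the external address the router forwards port 80 from.
check_dns() {  # args: comma-separated names, expected external IPv4
    rc=0
    for n in $(printf '%s' "$1" | tr ',' ' '); do
        addr=$(getent ahostsv4 "$n" 2>/dev/null | awk 'NR==1 {print $1}')
        if [ "$addr" != "$2" ]; then
            echo "DNS     $n -> ${addr:-<no A record>}, expected $2"
            rc=1
        fi
    done
    return $rc
}

# The renewal command from the thread (hooks included) with the details filled in.
renew_command() {  # args: cert name, comma-separated names, contact mail
    printf 'certbot certonly -n --standalone --agree-tos --preferred-challenges http'
    printf ' --cert-name "%s" -d "%s" -m "%s"' "$1" "$2" "$3"
    printf ' --pre-hook "service nginx stop" --deploy-hook /usr/share/grommunio-setup/grommunio-certbot-renew-hook --post-hook "service nginx start"\n'
}

main() {  # args: expected external IPv4, contact mail [, certificate path]
    cert=${3:-/etc/grommunio-common/ssl/server-bundle.pem}
    openssl x509 -in "$cert" -noout -enddate
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName | grep 'DNS:') \
        || { echo "no subjectAltName in $cert"; return 1; }
    names=$(san_line_to_domains "$san")
    check_names "$names"
    check_dns "$names" "$1"
    echo "Pre-flight passed. Command to run as root:"
    renew_command "${names%%,*}" "$names" "$2"
}

# Only run when asked, e.g.: CERT_PREFLIGHT=1 sh preflight.sh 203.0.113.10 admin@example.com
if [ "${CERT_PREFLIGHT:-0}" = 1 ]; then main "$@"; fi
```

The reserved-suffix list is deliberately short; a name that passes `is_public_name` can still fail at the CA if the domain is not registered, which is what `check_dns` catches by requiring a real A record pointing at the forwarded address.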

      demsi01 When I start Outlook, this message appears:

      That is the same for me with Outlook and I have not been able to fix it to this day. I can't remember that being the case in earlier Grommunio versions.

        Andy Ah ok, yes, I find the certificate handling pretty poorly done. There should be a menu item in the admin web GUI where you can configure all of this and rework it when needed, etc.
        I can hardly imagine that in companies... well, larger ones, the users are very keen to keep pressing Yes there. If our managing director gets wind of this, it's Apollo19 time 🙂

        Maybe something will come along for that at some point.

        I'm now setting up a new email server and will just have to move all the accounts over again somehow... Time is "no" issue 🙂

          Two more questions...

          For us, Grommunio only serves as a replacement for an old MS Exchange server. It is only supposed to fetch mail via fetchmail and make it available to the users internally, and likewise send via SMTP... Simply as a replacement for the Exchange AND it delivers via relay...
          Can one possibly "do without" certificates etc. somehow?

          Question 2... What should I choose during the initial installation? As I said, our Grommunio is not publicly reachable and only serves as a replacement for the Exchange...
          1 or 3... ?

          I already tried it once with 3; after that nginx is no longer up...

          Best regards, M

            demsi01 Creating a mail server is usually a process of many restarts from scratch, as with each iteration you find that you did something wrong (or not quite right) and learn from the process. I suspect you used your internal domain information when you ran through the Let's Encrypt wizard within the Grommunio Setup Wizard; it is important you use your external domain details in this wizard (mail.yourexternaldomain.com, yourexternaldomain.com, autodiscover.yourexternaldomain.com), otherwise Let's Encrypt will just say 'NO'.

            Unfortunately, you cannot do the certificate from the Command or GUI consoles. However, if you modify the certbot script I provided you with the correct domain information, that will add the certificate in all the right places in your Grommunio server. You can open an SSH shell to your server and just copy the script in again - with the corrected domain info. Just be aware Let's Encrypt only allows so many attempts per hour or day (rate limiting), so don't try too often if it doesn't work.

            If you are rebuilding your Grommunio server you can use the following process to move the Org, Domain, Users and mails to your new server. Hopefully you are using VMs as you can snapshot each milepost in your test install and revert back when something goes wrong to save a lot of rebuilding from scratch.

            1. Update and reboot the source and target system: zypper refresh && zypper update (from an SSH shell on the servers).
            2. Build a new server installation identical to the current live server. Follow your build documentation up to the point of creating user accounts (call this 'new server' in the steps below) - Note: Do not create Organisation, Domain or Users in the GUI.
            3. Stop inbound Internet email and user access to live server mailboxes to avoid missing emails during migration.
            4. Optional step - If Grommunio is in Virtual Environment, clone (or take backup of) live server to avoid any damage/corruption to current live server during migration (call this ‘old server’ in steps below), just in case you need to revert to what was your current live server.
            5. Stop services on both systems: systemctl --all --output json list-units| jq '.[]|select(.unit|test("(grom.|nginx|.fpm).service")).unit' |xargs systemctl stop
            6. Export of the MariaDB database on old server: mysql --execute="SHOW DATABASES" --skip-column-names --batch |grep -Ev '^(mysql|(performance|information)_schema)$' |while read -r DB; do mysqldump --single-transaction --routines --triggers --events --add-drop-database $DB > /usr/local/share/$DB.sql ; done
            7. User Data transfer old server to new server: rsync -aH -essh --delete --numeric-ids -P --stats --inplace /var/lib/gromox/ root@192.168.xxx.xxx:/var/lib/gromox/
            8. Move MariaDB backup (from step 4) from old system to new system. Run this on old server: rsync -aH -essh --delete --numeric-ids -P --stats --inplace /usr/local/share/ root@192.168.xxx.xxx:/usr/local/share/
            9. Check folder permissions on new server: chown -Rf grommunio:gromox /var/lib/gromox
            10. Import of the MariaDB database on new server: mysql grommunio < /usr/local/share/grommunio.sql
            11. Import of the MariaDB database on new server: mysql sys < /usr/local/share/sys.sql
            12. Check import user /var/lib/gromox/user/x/y/: run grommunio-admin user query username maildir on both systems - make sure they match.
            13. Reboot

            You need to copy the commands shown in the steps above (the parts that were in bold) and paste into an SSH shell on the relevant server (old/new). Some commands are long, so make sure you get all of it in one go. Replace the 192.168.xxx.xxx in steps 7 and 8 with the IP address of your new server.

            The above process is just for a core installation (ie no Grommunio Files, Meet, Archive etc), but should be possible to modify if you need to (I only use Core and Files).

            And of course when you have migrated your mailboxes over to a new server - TEST - TEST - TEST to make sure everything is working as you expect.

            Hope above helps.

            demsi01 I would always build the server as fully functional so that if needed in the future it is just a case of opening ports on your firewall. It's good practice for your build documentation just in case you ever need to use it in the real world, not just internally, rather than having to learn new bits when the server is in production with the consequential issues that might occur when a mistake is made. Hope that makes sense.

            Choose option 3 and let Let's Encrypt do the certificate request for you. Don't forget you will need to port forward port 80 to the grommunio server in your router/firewall. Add all 3 DNS names the wizard offers; this will make it easier for your clients to connect to the server and create mail profiles (as you use Outlook - Outlook really likes certificates and can be a pain without valid ones).

            @demsi01 If you cannot open port 80 from the Internet to your Grommunio server for the Let's Encrypt certificate check, you can get a certificate by other means (even a paid one from a Certificate Authority) and manually apply it to the grommunio server. Put the certs in /etc/grommunio-common/ssl. They must be in PEM format - use the Grommunio documentation on what you need to do here as I only use the LE certs.

            demsi01 replacement for the Exchange

            If you have an Exchange, you have an AD and you can roll out certificates which are trusted by your clients. Generate a new certificate for that host/FQDN and put them in /etc/grommunio-common/ssl.
            There are a bunch of HowTos out there. I would start with https://learn.microsoft.com tho 🙊.
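Both of the last two replies end with "put the files in /etc/grommunio-common/ssl", whether the certificate comes from a commercial CA or from an AD certificate authority. What neither says is how to confirm the files are right before copying them over a working pair, and the opening post shows the failure mode that matters most (an expired certificate nobody noticed). The script below is an added example, not code from the thread or from grommunio: it checks that the bundle is PEM, that the private key belongs to the first certificate in it, and that the certificate is not about to expire. The file names are an assumption taken from the openssl command posted earlier in the thread; the throwaway self-signed pair is constructed only so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity checks for a certificate obtained
# outside Let's Encrypt before it is copied into /etc/grommunio-common/ssl.
# File names follow the openssl command posted in the thread (assumption).
set -eu

# Number of PEM certificate blocks in the bundle. A bundle from a public CA should
# carry the server certificate first, followed by its intermediate(s).
pem_cert_count() {  # arg: bundle file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# The private key must belong to the first certificate in the bundle: compare the
# public key openssl derives from the key with the one embedded in the certificate.
key_matches_cert() {  # args: key file, cert/bundle file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Returns 0 while at least $2 days of validity remain, 1 once fewer remain (or the
# certificate has already expired, as in the opening post).
cert_valid_for_days() {  # args: cert file, minimum days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Names the certificate covers, to compare with what Outlook and the admin UI
# actually connect to (the name mismatch seen earlier in the thread).
cert_names() {  # arg: cert file
    openssl x509 -in "$1" -noout -subject -ext subjectAltName || true
}

# Run all checks; 0 means the pair is safe to copy into place.
check_pair() {  # args: key file, cert/bundle file
    rc=0
    n=$(pem_cert_count "$2")
    [ "$n" -ge 1 ] || { echo "no PEM certificate block in $2"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key $1 does not match the first certificate in $2"; rc=1; }
    cert_valid_for_days "$2" 7 || { echo "certificate in $2 expires within 7 days or is expired"; rc=1; }
    [ "$rc" -eq 0 ] && { echo "$2 ($n PEM block(s)) and $1 look consistent:"; cert_names "$2"; }
    return $rc
}

# Constructed test data: a throwaway self-signed pair so the checks can run offline.
# Real certificates come from the CA; this function is never used for production.
make_demo_pair() {  # arg: directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:autodiscover.example.com" \
        -keyout "$1/server.key" -out "$1/server-bundle.pem" 2>/dev/null
}

# Only run when asked, e.g.: CERT_CHECK=1 sh certcheck.sh new.key new-bundle.pem
if [ "${CERT_CHECK:-0}" = 1 ]; then
    check_pair "${1:-/etc/grommunio-common/ssl/server.key}" \
               "${2:-/etc/grommunio-common/ssl/server-bundle.pem}"
fi
```

Run `check_pair` against the new files in a scratch directory first, then against the installed pair after copying, before restarting nginx; a weekly `cert_valid_for_days /etc/grommunio-common/ssl/server-bundle.pem 14` from cron would have flagged the expiry in the opening post two weeks ahead.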

            13 days later
            demsi01 changed the title to [Done] Certificate renewal.
