#!/bin/bash # ----------------------------- # Zimbra SSL Renewal Script with Zimbra Cert Check # ----------------------------- # Usage: /usr/bin/sh renew_zimbra_cert.sh --domain=mailus.telxio.net # ----------------------------- DOMAIN="${1#--domain=}" if [ -z "$DOMAIN" ]; then echo "Error: No domain provided. Usage: $0 --domain=yourdomain.com" exit 1 fi current_time=$(date +"%Y-%m-%d %H:%M:%S") echo -e "\n------- $current_time -------- Renewing Zimbra domain: $DOMAIN --------\n" CERT_PATH="/etc/letsencrypt/live/$DOMAIN/fullchain.pem" PRIVKEY_PATH="/etc/letsencrypt/live/$DOMAIN/privkey.pem" CHAIN_PATH="/etc/letsencrypt/live/$DOMAIN/chain.pem" ZIMBRA_COMM_CERT="/opt/zimbra/ssl/zimbra/commercial/commercial.crt" ZIMBRA_COMM_KEY="/opt/zimbra/ssl/zimbra/commercial/commercial.key" # ----------------------------- # Check if Zimbra certificate exists and expiry # ----------------------------- if [ -f "$ZIMBRA_COMM_CERT" ]; then ZIMBRA_REMAINING_DAYS=$(openssl x509 -enddate -noout -in "$ZIMBRA_COMM_CERT" | sed 's/.*=\(.*\)/\1/' | xargs -I {} date -d {} +%s) CURRENT_DATE=$(date +%s) ZIMBRA_DAYS_LEFT=$(( ($ZIMBRA_REMAINING_DAYS - $CURRENT_DATE) / 86400 )) echo "Zimbra commercial certificate days left: $ZIMBRA_DAYS_LEFT" # Step 1: If Zimbra cert is valid for more than 10 days, skip renewal if [ $ZIMBRA_DAYS_LEFT -ge 10 ]; then echo "Zimbra certificate is valid for more than 10 days. No renewal needed." exit 0 fi else echo "Zimbra commercial certificate not found or expired." ZIMBRA_DAYS_LEFT=0 fi # ----------------------------- # Check certificate expiry for Certbot domain cert # ----------------------------- if [ ! -f "$CERT_PATH" ] || [ ! -f "$PRIVKEY_PATH" ]; then echo "Certbot certificate files not found. Will proceed with renewal..." DOMAIN_CERT_EXPIRE=0 else DOMAIN_REMAINING_DAYS=$(openssl x509 -enddate -noout -in "$CERT_PATH" | sed 's/.*=\(.*\)/\1/' | xargs -I {} date -d {} +%s) CURRENT_DATE=$(date +%s) DOMAIN_CERT_EXPIRE=$(( ($DOMAIN_REMAINING_DAYS - $CURRENT_DATE) / 86400 )) echo "Certbot certificate days left: $DOMAIN_CERT_EXPIRE" fi # Step 2: If Certbot cert is valid for more than 10 days, skip renewal if [ $DOMAIN_CERT_EXPIRE -ge 10 ]; then echo "Certbot certificate is valid for more than 10 days. Skipping renewal." else # Step 3: Renew Certbot certificate echo "Certbot certificate is expiring or missing. Proceeding with renewal..." # Temporarily open port 80 for HTTP-01 challenge echo "Opening port 80 for Certbot validation..." iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT echo "Renewing certificate using Certbot..." certbot renew --cert-name "$DOMAIN" --preferred-challenges http --force-renewal if [ $? -ne 0 ]; then echo "Certbot renewal failed. Please check logs." iptables -D INPUT 1 exit 1 fi echo "Certificate renewed successfully." # Close temporary port 80 echo "Removing temporary iptables rule..." iptables -D INPUT 1 fi # ----------------------------- # Backup old Zimbra SSL folder # ----------------------------- ZIMBRA_LE_DIR="/opt/zimbra/ssl/letsencrypt" BACKUP_DIR="${ZIMBRA_LE_DIR}.$(date '+%Y%m%d%H%M%S')" echo "Backing up existing Zimbra letsencrypt folder to $BACKUP_DIR" if [ -d "$ZIMBRA_LE_DIR" ]; then mv "$ZIMBRA_LE_DIR" "$BACKUP_DIR" fi mkdir -p "$ZIMBRA_LE_DIR" # ----------------------------- # Copy renewed certs to Zimbra folder # ----------------------------- echo "Copying renewed certificates to $ZIMBRA_LE_DIR" cp "$CERT_PATH" "$ZIMBRA_LE_DIR/cert.pem" cp "$PRIVKEY_PATH" "$ZIMBRA_LE_DIR/privkey.pem" cp "$CHAIN_PATH" "$ZIMBRA_LE_DIR/chain.pem" # Create zimbra_chain.pem combining cert + chain cat "$CHAIN_PATH" | tee "$ZIMBRA_LE_DIR/zimbra_chain.pem" # ----------------------------- # Create zimbra_chain.pem with static root certificate # ----------------------------- tee -a "$ZIMBRA_LE_DIR/zimbra_chain.pem"<