In many cases IT staff will have automated TLS certificates so they are renewed and deployed automatically. However sometimes the automation fails or deployments use an additional reverse proxy or web application firewall in front of Zimbra. In the latter case, sometimes the renewal of the Zimbra self-signed certificate is overlooked.
Zimbra (LDAP) requires a TLS certificate that is not expired for continued operation.
In this article you will learn how to set-up a notification email whenever the TLS certificates on Zimbra are about to expire.
Installation
On your Zimbra server download the check-expiration script as follows:
wget https://raw.githubusercontent.com/Zimbra-Community/zimbra-tools/master/check-expiration -O /usr/local/sbin/check-expiration chmod +x /usr/local/sbin/check-expiration
Then install the script in the Zimbra user crontab as follows:
su - zimbra crontab -e
Scroll all the way down in the crontab and append under:
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
The following:
40 * * * * /usr/local/sbin/check-expiration 25 admin@example.com
And replace admin@example.com with the email address or distribution list where you want to receive the notification.
Screenshots
Here is a screenshot of a notification email:
Hi,
I tried to find the project on github to log an issue there, but couldn’t find it.
Anyway, on my mailbox-server without mailboxes, I get:
/usr/local/sbin/check_expiration.sh: line 33: /opt/zimbra/common/sbin/sendmail: No such file or directory
This server only servers API requests for provisioning.
What do I need to install?
The example script is meant to run on a Zimbra mailbox server. If you run it on a different server, you have to change the script to use an operating system provided sendmail.
yum install sendmailAnd replace
/opt/zimbra/common/sbin/sendmailwithsendmailin the script.