{"id":21342999,"url":"https://github.com/yetopen/certbot-zimbra","last_synced_at":"2025-05-07T15:23:44.929Z","repository":{"id":46133978,"uuid":"80853392","full_name":"YetOpen/certbot-zimbra","owner":"YetOpen","description":"Automated letsencrypt/certbot certificate request and deploy script for Zimbra hosts","archived":false,"fork":false,"pushed_at":"2023-06-19T19:56:52.000Z","size":476,"stargazers_count":178,"open_issues_count":6,"forks_count":76,"subscribers_count":27,"default_branch":"master","last_synced_at":"2025-03-31T11:22:13.569Z","etag":null,"topics":["certbot","letsencrypt","zimbra"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/YetOpen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-03T17:44:19.000Z","updated_at":"2025-03-02T05:20:15.000Z","dependencies_parsed_at":"2024-11-22T01:11:44.146Z","dependency_job_id":"24fdb446-f15e-48e0-8404-9a8301b48c17","html_url":"https://github.com/YetOpen/certbot-zimbra","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YetOpen%2Fcertbot-zimbra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YetOpen%2Fcertbot-zimbra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YetOpen%2Fcertbot-zimbra/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YetOpen%2Fcertbot-zimbra/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/YetOpen","download_url":"https://codeload.github.com/YetOpen/certbot-zimbra/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252903388,"owners_count":21822436,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certbot","letsencrypt","zimbra"],"created_at":"2024-11-22T01:11:36.736Z","updated_at":"2025-05-07T15:23:44.910Z","avatar_url":"https://github.com/YetOpen.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# certbot-zimbra\nAutomated Certbot (ACME) certificate script for Zimbra.\n\n[![asciicast](https://asciinema.org/a/219713.svg)](https://asciinema.org/a/219713)\n\n## Warning: when upgrading from Certbot 1.x to 2.x\n[Read this](#zmcertmgr-certificate-and-private-key-do-not-match-expecting-an-rsa-key)\n\n# Installation\n\n## Requirements\n\n- bash, capsh, lsof or ss, openssl, grep, sed (GNU), gawk (GNU)\n- ca-certificates (Debian/Ubuntu) or pki-base (RHEL/CentOS)\n- Zimbra: zmhostname, zmcontrol, zmproxyctl, zmprov, zmcertmgr\n- zimbra-proxy installed and working or an alternate webserver configured for ACME webroot\n- Certbot \u003e=0.19.0 in PATH\n\n## Certbot installation\n\nThe preferred way is to install it is by using the wizard [at Certbot's home](https://certbot.eff.org/). Select \"Other\" as software. This will allow you to install easily upgradable system packages.\n\n## certbot-zimbra installation\n\nDownload the latest release and install it (copy the latest URL from the Releases tab):\n\n```\nwget --content-disposition https://github.com/YetOpen/certbot-zimbra/archive/1.0.2.tar.gz\ntar xf certbot-zimbra-1.0.2.tar.gz\ncd certbot-zimbra-1.0.2\n./install all\n```\nIf you have bash older than 4.3 (RHEL/CentOS 7), use `./install_posix` instead.\n\nOr from the master branch (unstable): [certbot-zimbra-master.tar.gz](https://github.com/YetOpen/certbot-zimbra/archive/master.tar.gz)\n\n# Usage\n\n[docs/cli-help.txt](docs/cli-help.txt)\n\n## Automatic hostname detection\nIf no `-e` is given, the script will figure out the additional domain(s) to add to the certificate as SANs via `zmprov gd $domain zimbraPublicServiceHostname zimbraVirtualHostname`.\nThis can be skipped with `-u/--no-public-hostname-detection`, in which case only the CN from `zmhostname` or `-H/--hostname` will be used.\n\nOnly one certificate will be issued including all the found hostnames. The primary host will always be `zmhostname` or the one passed via `-H|--hostname`.\n\n\n# Zimbra 8.6+ single server example\n\n## Preparation\n\nThe script needs some prerequisites. They are listed under Installation/Requirements. The script will run a prerequisite check on startup and exit if anthing is missing.\n\nIn addition, there are different modes of operation, depending on your environment (proxy server):\n\n### Zimbra-proxy mode (the default)\n\nUses zimbra-proxy for the ACME HTTP-01 challenge. Zimbra-proxy must be enabled and running. This is the preferred mode.\n\nWhen starting, the script checks the status of zmproxyctl and checks if a process with the name \"nginx\" and user \"zimbra\" is listening on port zimbraMailProxyPort (obtained via zmprov).\n\nThe port can optionally be overridden with `-P/--port` or the port check skipped entirely with `-j/--no-port-check` if you are absolutely sure everything is set up correctly. The zmproxyctl status check can't be skipped.\n\nPatches are applied to nginx's templates to serve .well-known from the webroot, after which nginx is restarted.\n\nEverything, including new certificate requests, can be done via certbot-zimbra in this mode.\n\n### Alternate webserver mode\n\nIs selected with `-x/--no-nginx`. Requires `-P/--port` and `-w/--webroot`. `--port` is checked for listening status. All zimbra-proxy checks are skipped.\n\nCan be used in case you don't have zimbra-proxy enabled but have a different webserver as a reverse proxy in front of Zimbra. \n\nYou'll have to configure the webserver to serve `/.well-known/acme-challenge` from a webroot somewhere in the filesystem, some examples for this can be found [here.](https://www.hiawatha-webserver.org/forum/topic/2275)\n\nRenewal can be done as per instructions below, but `--pre-hook` can be omitted.\n\n## First run (obtaining a new certificate)\n\nIf you don't yet have a ACME certificate, you'll need to obtain one first. The script can do everything for you, including deploying the certificate and restarting Zimbra.\n\nRun\n`./certbot_zimbra.sh --new --prompt-confirm`\n\nThis will do all pre-run checks, patch Zimbra's nginx, run Certbot to obtain the certificate, test it, deploy it and restart Zimbra. Passing `-c|--prompt-confirm` means the script will prompt you for confirmation before actions (restarting Zimbra's nginx, running Certbot, deploying the certificate, restarting Zimbra,...).\n\nCertbot will also ask you some information about the certificate interactively, including an e-mail to use for expiry notifications. Please use a valid e-mail for this as should the automatic renewal fail for any reason, this is the way you'll get notified.\n\nThe domain of the certificate is obtained automatically using `zmhostname`. If you want to request a specific hostname use the `-H/--hostname` option. This domain will be the DN of the certificate.\n\nThe certificate can be requested with additional hostnames/SANs. By default the script fetches `zimbraPublicServiceHostname` and `zimbraVirtualHostname` attributes from all domains and if present, adds those to the certificate SANs to be requested. If you want to disable this behavior use the `-u/--no-public-hostname-detection` option.\n\n**Note:** Let's Encrypt has a limit of a maximum of 100 domains per certificate at the time of this writing: [Rate Limits](https://letsencrypt.org/docs/rate-limits/)\n\nTo indicate additional domains explicitly use the `-e/--extra-domain` option (can be specified multiple times). Note that `-e` also disables additional hostname detection. \n\nAdditional options can be passed directly to Certbot with `-L | --letsencrypt-params`. The option must be repeated for each Certbot option. For example, if you want 4096-bit certificates, add `-L \"--rsa-key-size\" -L \"4096\"`. Refer to Certbot's documentation for more information.\n\nNote: the naming of `-L|--letsencrypt-params` dates to when Certbot was still a script named \"letsencrypt\", it would make more sense to name it e.g. `--certbot-params` but changing it would break backwards compatibility.\n\n## Running noninteractively\n\nWhen retrieving a new certificate using `-n|--new`, Certbot runs interactively. If you want to run it noninteractively, you can pass `-N/--noninteractive` which will be passed on to Certbot. Also passing `-q/--quiet` will suppress the status output of the script.\nOnly do this if you're absolutely sure what you're doing, as this leaves you with no option to verify the detected hostnames, specify the certificate e-mail etc. `-N/--noninteractive` may be combined with `-q | --quiet` and/or `-L | --letsencrypt-params` to pass all the parameters to Certbot directly, e.g. in scripts to do automated testing with staging certificates.\n\n## Renewal\n\nWhen obtaining a new certificate with `certbot-zimbra.sh --new`, the script will add itself as `pre_hook` and `renew_hook` (equivalent to `--pre-hook` and `--deploy-hook`) to Certbot's certificate renewal configuration. Certbot will then automatically run hooks when renewing the certificate, the hooks will deploy the certificate and restart Zimbra.\n\nCertbot will install a crontab or systemd timer to automatically renew certificates close to expiring. You will likely want to modify the time at which it runs, or else Certbot might restart Zimbra at a random time during the day, which might mean downtime when you don't want it! Read Certbot's documentation to see how to do this (modify the default Certbot crontab or systemd timer).\n\nNote: previously this readme instructed to disable Certbot's crontab or timer and install a script-specific one. This is not required, if you are still using the custom cronjob or timer, you can remove it, reenable stock Certbot ones (though you will probably want to modify the time at which they execute) and [manually add hooks to Certbot](#manually-adding-hooks-to-certbot).\n\n### Renewal failure notifications\n\nMake sure you have a working mail setup (valid alias for root or similar). Cron can send script output to mail if the crontab is correctly configured. Configuring systemd timers to send mail is harder but possible.\n\n### Manually adding hooks to Certbot\n\nIf adding hooks fails during script execution, or if you requested a new certificate without using the script, you can add hooks manually.\n\n#### Certbot \u003e=2.3.0:\n```\ncertbot reconfigure --cert-name \"cert.name\" --pre-hook \"/usr/local/bin/certbot_zimbra.sh -p\" --deploy-hook \"/usr/local/bin/certbot_zimbra.sh -d\"\n```\nReplace `cert.name` with the name of the certificate, you can see it using `certbot certificates`.\nIf you changed the path where the script is installed, change the path here accordingly.\n\n#### Older certbot versions:\nEdit `/etc/letsencrypt/renewal/cert.name.conf` (replace cert.name with the name of your certificate) and modify section `[renewalparams]` to contain:\n```\npre_hook = /usr/local/bin/certbot_zimbra.sh -p\nrenew_hook = /usr/local/bin/certbot_zimbra.sh -d\n```\nIf you changed the path where the script is installed, change the path here accordingly.\n\n## Alternate webserver mode\n\nSee [Preparation](#preparation): [Alternate webserver](#alternate-webserver)\n\n### Alternate webserver, manual Certbot new certificate request\n\nAs above, but the first certificate can be obtained manually with Certbot outside of this script with the authenticator plugin of your choice. Refer to Certbot documentation for first certificate request information.\n\nAfter the certificate has been obtained, `-d/--deploy-only` can be used to deploy the certificate in Zimbra (to use it in services other than HTTP also) and renewal can be done as usual with `--deploy-hook`.\n\n### No proxy server (manual certificate request with alternate authentication method)\n\nSince the HTTP authentication method can't be used, an alternate method like DNS will have to be used. Refer to Certbot documentation on obtaining certificates without HTTP.\n\nDeployment and renewal can be done as in the [Alternate webserver manual mode](#alternate-webserver-manual-certbot-new-certificate-request).\n\n### Manual certificate request example\n\nSay you have Apache in front of Zimbra (or listening on port 80 only) just run Certbot by hand with appropriate options to request the certificate for Apache, and when done run\n```\n/usr/local/bin/certbot_zimbra.sh --deploy-only\n```\nso that it will deploy the certificate in Zimbra.\n\nSet up renewal hooks as above, but without `--pre-hook`.\n\n# Troubleshooting\n\n## Error: port check failed\n\nThis usually means zimbra-proxy is misconfigured. In the default case (without port overrides) the script checks if zimbra-proxy's nginx is listening on \"zimbraMailProxyPort\" (can be read with zmprov, port 80 in most cases). If this check fails, zimbra-proxy is misconfigured, not enabled, not started or you have a custom port configuration and didn't tell the script via port override parameters.\n\nZimbra's proxy guide ([Zimbra Proxy Guide](https://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide)) is usually quite confusing for a novice and may be difficult to learn. For this we have a quick [Zimbra proxy configuration for certbot-zimbra guide](https://github.com/YetOpen/certbot-zimbra/wiki/Zimbra-proxy-configuration-for-Certbot-Zimbra) to get you up and running quickly. Still, you should get to know zimbra-proxy and configure it according to your own needs.\n\n## Error: unable to parse certbot version\n\nThis is caused by Certbot expecting user input when the script tried to run it to detect its version. To fix this, run `certbot` on the command line manually and answer any questions it has or fix any errors. After this the script should work fine.\n\nNewer versions of the script print a more descriptive error message if ran with `-c|--prompt-confirm`.\n\n## Certbot failures\n\n## General Certbot troubleshooting\n\nCheck that you have an updated version of Certbot installed. If you have installed Certbot from your operating system's repositories, they may be out of date, especially on non-rolling distributions. If your distribution's Certbot is outdated, remove the system packages and install it the way that Certbot recommends for your operating system on their installation page, or a different way that you prefer.\n\nCheck certificate statuses with `certbot certificates`. Remove any duplicate or outdated certificates for the same domain names.\n\nCheck that ports 80 and 443 are open and accessible from the outside and check that your domain points to the server's IP. Basically troubleshoot Certbot as if you weren't using certbot-zimbra.\n\n## `cat: /etc/ssl/certs/2e5ac55d.0: No such file or directory` OR `Can't find \"DSTRootCAX3\"` OR `Unable to validate certificate chain: O = Digital Signature Trust Co., CN = DST Root CA X3`\n\nLet's Encrypt's \"DST Root CA X3\" expired in September 2021. Already issued certificates were cross-signed with both the old \"DST Root CA X3\" and new \"ISRG Root X1\" chains. Due to the way certbot-zimbra parses certificate files, it may cause certbot-zimbra to use the wrong chain's CA certificate when deploying the certificate. See issue #140.\n\nProcedure to fix it:\n\n- make sure you have latest ca-certificates (Debian/Ubuntu) or pki-base (RHEL/CentOS) package (do a apt-get dist-upgrade/upgrade/install ca-certificates or equivalent yum/dnf command), this will make sure you have the \"ISRG Root X1\" CA in the system-wide CA store\n- install `certbot_zimbra.sh` \u003e=0.7.13\n- run `/usr/local/bin/certbot_zimbra.sh -d` to redeploy the certificate\n- if unsuccessful, force a renewal with `certbot renew --force-renewal --preferred-chain \"ISRG Root X1\" --cert-name \"zimbra-cert-name\"` Replace zimbra-cert-name with the name of your existing cert, you can find it with `certbot certificates`.\n- if successful, run `/usr/local/bin/certbot_zimbra.sh -d` to deploy the new cert.\n\n`certbot_zimbra.sh` \u003e=0.7.13 includes a fix for parsing the chain and should work better. If simply redeploying the certificate doesn't work, please open a new issue with your problem. `--preferred-chain` is a workaround but should not be required, if it fixes your problem, there is still an issue with the script.\n\n## zmcertmgr certificate and private key do not match (\"expecting an rsa key\")\n\nCertbot v2.0.0 switched to ECDSA private keys by default for newly issued certificates, which Zimbra's zmcertmgr doesn't support. See [Certbot docs](https://github.com/certbot/certbot/blob/caad4d93d048d77ede6508dd42da1d23cde524eb/certbot/docs/using.rst#id34)\n\nIt may be possible to [patch zmcertmgr](https://forums.zimbra.org/viewtopic.php?f=15\u0026t=69645\u0026p=301580) to support ECDSA keys, but this is not officially supported or widely tested.\n\nCertbot-zimbra \u003e=0.7.13 will auto-detect if Certbot is \u003e=2.0.0 and apply options while requesting a new certificate to obtain a RSA key.\n\nExisting certificates will continue to be renewed with their current key type, **unless `certbot renew` is ran with `--force-renewal`**, in which case it will switch to ECDSA, which will cause this issue.\n\n### Already renewed with ECDSA key, which failed to deploy\nIf you used Certbot \u003e=2 with certbot-zimbra \u003c0.7.13, or upgraded Certbot from 1.x to 2.x, and Certbot has already renewed with an ECDSA key, there are two options:\n\n- `certbot renew --key-type rsa --rsa-key-size 4096 --cert-name \"zimbra-cert-name\" --force-renewal` replace zimbra-cert-name with the name of the existing certificate, you can find it with `certbot certificates`. You can also change the key size to one that you prefer. If renewal is successful, redeploy the certificate with `/usr/local/bin/certbot_zimbra.sh -d`.\n- update to certbot-zimbra \u003e=0.7.13 and rerequest the certificate with `certbot-zimbra --new`, and add all the options you used with the original `--new` invocation, else your certificate may get replaced with one with different CN and SANs.\n\n### Just upgraded Certbot 1.x to 2.x, not renewed yet, still using RSA key\nIf you have just upgraded to Certbot \u003e=2.0.0 but the certificate has not yet renewed (is still RSA) you can set it to force a RSA key on renewal. This is not required if you're not going to run `certbot renew --force-renewal` but is good to have just to be safe.\n\nCertbot \u003e=2.3.0: `certbot reconfigure --cert-name \"zimbra-cert-name\" --key-type rsa`\n\nCertbot \u003c2.3.0: edit `/etc/letsencrypt/renewal/zimbra-cert-name.conf`, under `[renewalparams]` add `key_type = rsa`\n\nOn next scheduled renewal the set key type will be honored.\n\n# Notes\n\n## Notes on zimbraReverseProxyMailMode \n\nLet's Encrypt by default tries to verify a domain using http, so the script should work fine if [zimbraReverseProxyMailMode](https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached#Protocol_Requirements_Including_HTTPS_Redirect) is set to http, both, redirect or mixed. It won't work if set to https only. This is due to Certbot deprecating the tls-sni-01 authentication method and switching to HTTP-01. https://letsencrypt.org/docs/challenge-types/\n\n## Limitations\n\nThe script doesn't handle multiple domains configured with SNI (see #8). You can still request a single certificate for multiple hostnames.\n\n## Upgrade from v0.1\n\nIf you originally requested the certificate with the first version of the script, which used *standalone* method, newer version will fail to renew. This because it\nnow uses *webroot* mode by patching Zimbra's nginx, making it more simple to work and to mantain.\n\nTo check if you have the old method, run `grep authenticator /etc/letsencrypt/renewal/YOURDOMAIN.conf`. If it says *standalone* it uses the old method.\n\nTo update to the new \"webroot\" method you can simply run `certbot-zimbra.sh -n -c -L \"--force-renewal\"`. This will force renew your existing certificate and save the new authentication method. It'll also ask you for deploying the new certificate in Zimbra. You can also manually modify the config file in /etc/letsencrypt/renewal/, while not recommended, is detailed here: https://community.letsencrypt.org/t/how-to-change-certbot-verification-method/56735\n\n## How it works\nThis script uses zimbra-proxy's nginx to intercept requests to `.well-known/acme-challenge` and pass them to a custom webroot folder. To do this, we patch the templates Zimbra uses to build nginx's configuration files.\nThe patch is simple, we add this new section to the end of the templates:\n```\n    # patched by certbot-zimbra.sh\n    location ^~ /.well-known/acme-challenge {\n        root $WEBROOT;\n    }\n```\n`$WEBROOT` is either `/opt/zimbra/data/nginx/html` (default) or the path specified by the command line option.\nAfter this we restart zmproxy to apply the patches.\n\nWe then pass this webroot to Certbot with the webroot plugin to obtain the certificate.\n\nAfter the certificate has been obtained successfully we stage the certificates in a temporary directory, find the correct CA certificates from the system's certificate store and build the certificate files in a way Zimbra expects them. If verification with zmcertmgr succeeds we deploy the new certificates, restart Zimbra and clean up the temporary files.\n\nAfter the first patching the script will check if the templates have been already patched and if so, it skips the patching and zmproxy restart steps. This is useful in cron jobs where even if we upgrade Zimbra and wipe out the patched templates they'll be repatched automatically.\n\nThe use of `--deploy-only` from `--deploy-hook` in cron jobs will only deploy the certificates if a renewal was successful. Thus Zimbra won't be unnecessarily restarted if no renewal was done.\n\n## Certbot certificate privacy/security notes\n\nCertbot preserves the gid and the g:rwx and o:r permissions from old privkey files to the renewed ones. This is described in \nhttps://github.com/certbot/certbot/blob/8b684e9b9543c015669844222b8960e1b9a71e97/certbot/storage.py#L1107\n\nIf you have some old certificates you've been renewing for a long time, it may be possible your privkey is created with other read permissions. This may be bad if all the containing directories are also other-readable. In my case they were not (the archive dir was mode 700) so the contained private keys were also not readable. Still, you may consider checking your situation and chmod'ing the privkeys to something more sensible like 640:\n\n`chmod 640 /etc/letsencrypt/archive/*/privkey*.pem`\n\nThe default for new privkeys is 600.\n\nIf you want the keys in /etc/letsencrypt to be readable by some other programs, adjust the folder and file permissions as necessary, for example:\n```\naddgroup --system ssl-cert\nchmod g+rx /etc/letsencrypt/{live,archive}\nchgrp -R ssl-cert /etc/letsencrypt\naddgroup ssl-cert \u003cuser that needs key access\u003e\n```\n\n# License\n\nSee [LICENSE](LICENSE).\n\n### Disclaimer of Warranty\n\nTHERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n# Author\n\n\u0026copy; Lorenzo Milesi \u003cmaxxer@yetopen.com\u003e\n\n## Contributors\n- Jernej Jakob @jjakob\n- Fredrik Normann @eN0Rm\n- Pavel Pulec @pulecp\n- Antonio Prado @Antonio-Prado\n- André Frimberger @afrimberger\n- Maurizio Marini @mauriziomarini\n- Friedrich Lobenstock @lsl-at\n\n*if you are a contributor, add yourself here (and in the code)*\n\n\nFeedback, bugs, PR are welcome on [GitHub](https://github.com/yetopen/certbot-zimbra).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyetopen%2Fcertbot-zimbra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyetopen%2Fcertbot-zimbra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyetopen%2Fcertbot-zimbra/lists"}