Category:Community Sandbox: Difference between revisions
Line 253: | Line 253: | ||
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 | ||
SubjectAltName=mail.example.com, mail.example.net, tmail.example.com | SubjectAltName=mail.example.com, mail.example.net, tmail.example.com | ||
</pre> | |||
acme.sh can also tell you when renewal would occur if you have this automated via the supplied crontab entry. | |||
<pre> | |||
./acme.sh --list | |||
Main_Domain KeyLength SAN_Domains Created Renew | |||
example.com "" www.example.com Sat Mar 16 14:13:39 UTC 2019 Wed May 15 14:13:39 UTC 2019 | |||
example.us "" www.example.us,www2.example.com Sat Mar 16 14:15:08 UTC 2019 Wed May 15 14:15:08 UTC 2019 | |||
example.net "" www.example.net,example.net,www.example.net,db.example.com Sat Mar 16 14:30:40 UTC 2019 Wed May 15 14:30:40 UTC 2019 | |||
</pre> | </pre> |
Revision as of 17:11, 15 April 2019
JDunphy Letsencrypt - Another Method Using acme.sh to Generate Certs
Introduction
Letsencrypt is a free, automated, and open Certificate Authority to generate all your PKI certificates so a browser can see & display that trusted green secure lock for your domains. Instead of installing a development environment like other Letsencrypt methods, this article describes a single bash script and can be installed and operated without being root. Here is how to get Zimbra up and running with your Letsencrypt certificate.
Requirements (1 time only)
- Install acme.sh bash script in your home directory. Ref: https://github.com/Neilpang/acme.sh
% curl https://get.acme.sh | sh Or: % wget -O - https://get.acme.sh | sh
Note: This will do three things.
- create a directory ~/.acme.sh
- update your .cshrc and .bashrc so that script is in your path
- create a cron job for the local user for automatic renewal
Issue Your Certificate
Letsencrypt needs to verify you have control of your domains before they will sign your certificate. To do that, we complete a challenge and prove we have control of the domains using their acme protocol. The acme.sh script supports all challenge methods but for this article we will focus on the Automatic DNS challenge. See https://github.com/Neilpang/acme.sh for other methods or my own documentation https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh/tree/master/Recipies/SingleServer which lists 3 different type of DNS methods. All challenge methods that acme.sh supports work with this article including --standalone/--tls if you prefer an alternative to the DNS method described here.
When using the Automatic DNS Method for the first time, you will need to update ~/.acme.sh/account.conf to contain your DNS provider api key. A list of supported DNS providers can be found at ~/.acme.sh/dnsapi. In this article we will use CloudFlare. Login to your CloudFlare account to get your API key before proceeding and then add these 2 lines to your ~/.acme.sh/account.conf file
- SAVED_CF_Key= '......Your API key..........'
- CF_EMAIL='XXXX@example.com'
From now on, anytime we need a certificate or renew a certificate we can do the following:
acme.sh --issue --dns dns_cf -d mail.example.com
If we have multiple domains associated with our Zimbra server, then it works like this:
acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
Wild card certs are supported with ACME v2 protocol
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
Your certificates can be found at: ~/.acme.sh/mail.example.com ... It uses the first '-d' name to create a directory to store your certificates
Install Certificate With Zimbra
Regardless of which challenge method you used with the acme.sh bash script, the following commands will install it. Note: I have also created a script to perform these steps automatically at https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh and the forums have a thread on this method https://forums.zimbra.org/viewtopic.php?f=15&t=60781 for additional background information. For this article we walk through those steps.
Step 1 (Append IdentTrust CERT to fullchain)
cd ~/.acme.sh/mail.example.com echo '-----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE-----' >> fullchain.cer
Because zmcertmgr will chdir during install which can abort when permissions are incorrect in some circumstances, we do the following.
% cd ~.acme.sh/mail.example.com % cp mail.example.com.key mail.example.com.cer fullchain.cer /tmp
Note: For version 8.7 and above, zmcertmgr runs as zimbra. For all earlier versions you will run zmcertmgr as root. Example below is for 8.7 and 8.8 versions.
Step 2 Verify your certificate
% su - zimbra % cd /tmp % /opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer
If there were no errors, you can install the certificate
Step 3 Install your certificate
% su - zimbra % cd /tmp % cp mail.example.key /opt/zimbra/ssl/zimbra/commercial/commercial.key % /opt/zimbra/bin/zmcertmgr deploycrt comm mail.example.cer fullchain.cer
If there were no errors, proceed to restart zimbra
Step 4 Restart Zimbra
% su - zimbra % zmcontrol restart
All in One Method (Simplest)
Once you understand how to issue your certificates and install acme.sh, you can use the --deploy and --deploy-hook options and have acme.sh perform the zimbra installation for you. This method requires you install and run the acme.sh bash script as the zimbra user and will also handle the identTrust intermediate certificate for you during your certificate installation to zimbra. Note: If you leave the crontab entry, all subsequent renewals including the loading of the certificate with zimbra will happen automatically for future unattended renewals approximately every 60 days. Versions prior to 8.7, need to modify the hook script below so that the two zmcertmgr commands are run as root.
- Copy the hook script below to /opt/zimbra/.acme.sh/deploy/zimbra.sh
#!/bin/bash # Zimbra Assumptions: # 1) acme.sh is installed as Zimbra # 2) see: https://wiki.zimbra.com/wiki/index.php?curid=2441 ######## Public functions ##################### #domain keyfile certfile cafile fullchain zimbra_deploy() { _cdomain="$1" _ckey="$2" _ccert="$3" _cca="$4" _cfullchain="$5" _debug _cdomain "$_cdomain" _debug _ckey "$_ckey" _debug _ccert "$_ccert" _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" # Zimbra's javastore still needs DST Root CA X3 to verify on some versions _IdentTrust="$(dirname "$_cca")/../IdentTrust.pem" _debug _IdentTrust "$_IdentTrust" # grab it if we don't have it if [ ! -f "$_IdentTrust" ]; then _debug No "$_IdentTrust" wget -q "https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem" -O "$_IdentTrust" || return 1 fi # append Intermediate cat "$_cfullchain" "$(dirname "$_cca")/../IdentTrust.pem" > "${_cca}.real" /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1 #if it verifies we can deploy it /bin/logger -p local2.info NETWORK "Certificate has been Renewed for $_cdomain" cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1 # %%% ldap wasn't being restarted leading to failed communication in the future if we hadn't done a restart. # Adding a ldap restart was not tested so perhaps. Reload is restart when not defined by zimbra with # exception of ldap which they didn't provide a reload. #/opt/zimbra/bin/ldap restart #/opt/zimbra/bin/zmmailboxdctl reload #/opt/zimbra/bin/zmproxyctl reload #/opt/zimbra/bin/zmmtactl reload /opt/zimbra/bin/zmcontrol restart return 0 }
Complete example:
% su - zimbra % wget -O - https://get.acme.sh | sh % cd .acme.sh % acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org % acme.sh --issue --deploy --deploy-hook zimbra --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
Note: if you get an error attempting to install acme.sh as the zimbra user, do this as /opt/zimbra is owned by root. Switch to root before switching back to zimbra. Here is an example:
% su - # cd /opt/zimbra/ # mkdir .acme.sh # chown zimbra:zimbra .acme.sh # su - zimbra % cd .acme.sh % wget -O - https://get.acme.sh | sh
Subsequent issues or renewals are performed like this (issue the cert and if successful then deploy the certificate):
% su - zimbra % acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org % acme.sh --issue --deploy --deploy-hook zimbra --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
Note: You don't need to worry about the IdentTrust.pem certificate described above as the deploy-hook handles this automatically including its fetch. The hook will be called on your successful certificate verification and restart/reload zimbra. If it fails to renew the certificate, the hook will not be called. While the automatic dns method is shown above, any of the challenge methods that acme.sh supports can be used.
Pro Tip: look into the --challenge-alias option with the automatic DNS method to further isolate/secure your zone updates with letsencrypt. You only require a CNAME entry for your trusted zimbra domains for the domains above. In other words, each letsencrypt secured zimbra domain would have this in their zone file. Same entry for every one.
_acme-challenge IN CNAME _acme-challenge.adifferentCFzone.com.
where adifferentCFzone.com is a completely different and managed zone and not a zimbra domain. It can be any of the supported automatic DNS providers including BIND directly.
Here is how this would look using the CNAME alias where example.com, example.net, and example.org are not managed by CF (cloudflare) but we want to secure for zimbra:
% su - zimbra % acme.sh --issue --dns dns_cf --challenge-alias adifferentCFzone.com -d mail.example.com -d mail.example.net -d mail.example.org % acme.sh --issue --deploy --deploy-hook zimbra --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
Notes
Zimbra has 4 major daemons that require certificates. nginx, ldap, postfix, and mailboxd... Below is where zmcertmgr installs the certificate. Because mailboxd is java based, it uses a keystore. Note: /opt/zimbra/ssl contains your certificates. The other locations are copies from here. Further: nginx, ldap, and postfix can reload those new certificates hot without shutting down the services so in theory we are performing a restart because mailboxd and taking an outage during certificate renewal.
% ls -lt /opt/zimbra/conf/slapd.* -rw-r----- 1 zimbra zimbra 7213 Aug 4 10:46 slapd.crt -rw-r----- 1 zimbra zimbra 1679 Aug 4 10:46 slapd.key % ls -lt /opt/zimbra/ssl/zimbra/commercial -rw-r----- 1 zimbra zimbra 5030 Aug 4 10:46 commercial_ca.crt -rw-r----- 1 zimbra zimbra 7213 Aug 4 10:46 commercial.crt -rw-r----- 1 zimbra zimbra 1679 Aug 4 10:46 commercial.key % ls -lt /opt/zimbra/conf/nginx.??? -rw-r----- 1 zimbra zimbra 7213 Aug 4 10:46 /opt/zimbra/conf/nginx.crt -rw-r----- 1 zimbra zimbra 1679 Aug 4 10:46 /opt/zimbra/conf/nginx.key % -l /opt/zimbra/conf/smtpd.??? -rw-r----- 1 zimbra zimbra 7213 Aug 4 10:46 /opt/zimbra/conf/smtpd.crt -rw-r----- 1 zimbra zimbra 1679 Aug 4 10:46 /opt/zimbra/conf/smtpd.key % ls -l /opt/zimbra/mailboxd/etc/keystore -rw-r----- 1 zimbra zimbra 4965 Aug 4 10:46 /opt/zimbra/mailboxd/etc/keystore % ls -l /opt/zimbra/ssl/zimbra/jetty.pkcs12 -rw-r----- 1 zimbra zimbra 6952 Aug 4 10:46 /opt/zimbra/ssl/zimbra/jetty.pkcs12
Bad Certificate Recovery
Should you receive an error with your new certificates because they were not validated correctly you can recover by re-issuing your certificate and then re-install to zimbra. Should zimbra not allow you to re-install the corrected certificates, issue a self signed as a quick workaround before proceeding to re-install your corrected letsencrypt certs. Ref: https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#Single-Node_Self-Signed_Certificate Ref: https://forums.zimbra.org/viewtopic.php?f=15&t=64882&p=285958&hilit=zmcertmgr+deploycrt#p285958
Confirm that your SSL certs are all valid and not-expired
% /opt/zimbra/bin/zmcertmgr viewdeployedcrt all - ldap: /opt/zimbra/conf/slapd.crt notBefore=Oct 27 18:10:32 2018 GMT notAfter=Jan 25 18:10:32 2019 GMT subject= /CN=mail.example.com issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=mail.example.com, mail.example.net, tmail.example.com - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem notBefore=Oct 27 18:10:32 2018 GMT notAfter=Jan 25 18:10:32 2019 GMT subject= /CN=mail.example.com issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=mail.example.com, mail.example.net, tmail.example.com - mta: /opt/zimbra/conf/smtpd.crt notBefore=Oct 27 18:10:32 2018 GMT notAfter=Jan 25 18:10:32 2019 GMT subject= /CN=mail.example.com issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=mail.example.com, mail.example.net, tmail.example.com - proxy: /opt/zimbra/conf/nginx.crt notBefore=Oct 27 18:10:32 2018 GMT notAfter=Jan 25 18:10:32 2019 GMT subject= /CN=mail.example.com issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 SubjectAltName=mail.example.com, mail.example.net, tmail.example.com
acme.sh can also tell you when renewal would occur if you have this automated via the supplied crontab entry.
./acme.sh --list Main_Domain KeyLength SAN_Domains Created Renew example.com "" www.example.com Sat Mar 16 14:13:39 UTC 2019 Wed May 15 14:13:39 UTC 2019 example.us "" www.example.us,www2.example.com Sat Mar 16 14:15:08 UTC 2019 Wed May 15 14:15:08 UTC 2019 example.net "" www.example.net,example.net,www.example.net,db.example.com Sat Mar 16 14:30:40 UTC 2019 Wed May 15 14:30:40 UTC 2019
Subcategories
This category has the following 2 subcategories, out of 2 total.
Pages in category "Community Sandbox"
The following 200 pages are in the current category.
(previous page) (next page)I
J
K
- Kauzz-notes
- Template:KB
- King0770-Notes-Access GAL from Clients 6.0
- King0770-Notes-Account-Organization
- King0770-Notes-Always Bcc-Mishap
- King0770-Notes-Borderware-LDAP-Config
- King0770-Notes-Bulk Upload To Briefcase
- King0770-Notes-Calendar-Notes
- King0770-Notes-Cannot-Start-ldap-ldap starttls supported-Enabled
- King0770-Notes-Chameleon-Skin
- King0770-Notes-Change-LDAP-Log-Levels
- King0770-Notes-Check-Submission-Port-587
- King0770-Notes-Directory-Permissions-on-tmp
- King0770-Notes-Disable-Zimbra-Desktop
- King0770-Notes-Download-JDK
- King0770-Notes-Drop-Single-Mboxgroup-and-Reimport
- King0770-Notes-Emulate-a-user-login-via-the-command-line
- King0770-Notes-error-decoding-message
- King0770-Notes-Export And Import Spamassassin Rules
- King0770-Notes-External-Authentication-with-LDAP
- King0770-Notes-Find Out When Message Was Read
- King0770-Notes-FireFox MimeTypes
- King0770-Notes-Force-Authentication-With-Full-Email-Address
- King0770-Notes-Handy-Links
- King0770-Notes-Header-Checks
- King0770-Notes-import-SSL
- King0770-Notes-InnoDB is in the future
- King0770-Notes-Installing-Proxy-For-Single-Server
- King0770-Notes-Internal-False-Positives
- King0770-Notes-ldap-fragmentation
- King0770-Notes-ldapsearch-to-csv
- King0770-Notes-Lock-All-Accounts
- King0770-Notes-Mass-Account-Removal
- King0770-Notes-Merge Two Independent Machines
- King0770-Notes-Milter And DistributionLists
- King0770-Notes-MovingUsers
- King0770-Notes-MTA-ALLOW-HELO
- King0770-Notes-NG Modules
- King0770-Notes-Old-Misc-Commands
- King0770-Notes-Outbound SMTP Authentication Using Port 465
- King0770-Notes-Postconf or localconfig
- King0770-Notes-Prevent-Accounts-From-Sending-To-External-Domains-With-CBPOLICYD
- King0770-Notes-Quick-Guide-Setting-Up-ZCS-8.8.15 And NextCloud17
- King0770-Notes-Read-the-install-history-file-in-a-readable-format
- King0770-Notes-Rejecting-Nested-From-Addresses
- King0770-Notes-Relocated-Maps
- King0770-Notes-Removal of Bad Contact Address
- King0770-Notes-Remove-Orphaned-Account
- King0770-Notes-Removing-Messages-with-zmmailbox-based-on-Subject
- King0770-Notes-rsync-excludes
- King0770-Notes-SearchGal-Edit
- King0770-Notes-Setup-RateLimiting-with-CBPOLICYD
- King0770-Notes-smtp tls policy maps
- King0770-Notes-SpamTitan
- King0770-Notes-Ultra-Restrictive-Sending-And-Receiving
- King0770-Notes-Verify-LDAP-Passwords
- King0770-Notes-When innodb force recovery Fails
- King0770-Notes-Whitelist-Phishing-Service
- King0770-Notes-Whitelist-Spamassassin-MTA
- King0770-Notes-YAMM
- King0770-Notes-ZCO-Repair
- King0770-Notes-Zimbra-Connect
- King0770-Notes-zmtrainsa cleanup host
- Kwinke-Notes
- KyaPanel with Zimbra
L
M
- Mail client Configuration
- Mail Client LDAP Configuration
- Mail Injection Stress Test
- Mail Migration
- Mail Queue Monitoring
- Mailbox Purge
- Mailbox Troubleshooting
- Mailbox usage report
- Maildir to zmmailbox with bash
- Making Zimbra run on minimal RAM
- Manage Certificate SOAP
- Managing Domains
- Mapping Folders
- Maumar-Notes
- Mbox to maildir with Python
- MeneM-Notes
- Message Cache
- Message Flags
- Mgolfieri Disable password autocompletion
- Mgolfieri Provisioning with a username unrelated to any email address
- Mgolfieri- Admin notification emails
- Mgolfieri-GalSyncAccount notes
- Migrating from 32 bit Centos 4.x to 64 bit Centos 5.x
- Migrating from Dovecot passwd with bash
- Migrating from Dovecot with External LDAP
- Migrating from End of Life Platform to Supported Platform
- Migrating from Exchange
- Mikew-Notes
- Missing Contacts From Share Contact Group
- Mobile Device Support Table
- Mobile web browser
- Modified Rsync Migration
- Monitoring Tools Articles
- Monitoring Zimbra Collaboration - InfluxDB, Telegraf and Grafana
- Monitoring Zimbra Collaboration Nagios
- Move messages to new secondary volume
- Moving ZDB File To Another Location
- MTA
- MySQL Backup and Restore
O
P
- Per User Mailbox Backup (OE Version)
- Performance Tuning Guidelines for Single-Server 100-500 User Systems
- Plobbes-Handling-System-Mail
- Plobbes-Higher-Availability
- Plus Addressing
- Postfix PCI Compliance in ZCS
- Preauth
- Preparing to Use the Migration Wizard
- Preserving Original Date when Importing EML Archive
- Prevent duplicates messages for POP3 users post migration
- Provide HTTP(s) Integration with Apache
R
- Rebranding and Themes
- Rebranding Articles
- RecommendedResetYourGlobalAddressList
- Rejecting false "mail from" addresses
- Relay per Domain
- Remote-Commands-from-Windows-to-Zimbra
- Removing A Mailstore
- Removing-Backups-In-Zimbra
- Repairing ZCS Connector for Outlook
- Resetting LDAP and MySQL Passwords
- Resetting Your Mobile Device
- REST File Formats
- Restore-Quarantined-Emails
- Restoring a Single User from Backups Archived to Tape
- Restrict Admin 'View Mail'
- Restrict sending to certain domains
- Restrict users to certain domain
- RestrictPostfixSenders
- Rolling Upgrades Overview
- Rspamd
- Running Kerberos with Zimbra Collaboration Suite
- Running Migration Wizard
- Russianspi-Notes
S
- Sandbox
- Scheduling-Backups-In-Zimbra
- Scotty-Notes
- Scripts to sync to a remote Zimbra backup machine
- SeanG-Notes
- Search deleted accounts
- Self-Signed-CA-SSL-CRT
- Send Receive fax ZCS Hylafax
- SendAs sendOnBehalfOf
- Sending mail through an external relay
- Separation Of WebApp Service From Mailstore In ZCS8.5
- Server Live sync
- Server Monitoring
- Server status inconsistent if /etc/mysql/conf.d does not exist
- Setting automatic Default Signature