Category:Community Sandbox: Difference between revisions
=JDunphy Letsencrypt - Another Method Using acme.sh to Generate Certs=
{{KB|{{Unsupported}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}
{{WIP}}
= Introduction =
Letsencrypt is a free, automated, and open Certificate Authority that issues the PKI certificates your domains need so that a browser can display the trusted green secure lock. Instead of installing a development environment, as other Letsencrypt methods require, this article uses a single bash script that can be installed and operated without being root. Here is how to get Zimbra up and running with your Letsencrypt certificate.
= Requirements (1 time only) =
# Install the acme.sh bash script in your home directory. Ref: https://github.com/Neilpang/acme.sh
<pre>
% curl https://get.acme.sh | sh
Or:
% wget -O - https://get.acme.sh | sh
</pre>
Note: the installer does three things.
# create the directory ~/.acme.sh
# update your .cshrc and .bashrc so that the script is in your path
# create a cron job for the local user for automatic renewal
= Issue Your Certificate =
Letsencrypt needs to verify that you control your domains before it will sign your certificate. To do that, we complete a challenge and prove control of the domains using the ACME protocol. The acme.sh script supports all challenge methods, but this article focuses on the automatic DNS challenge. See https://github.com/Neilpang/acme.sh for other methods, or my own documentation at https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh/tree/master/Recipies/SingleServer, which lists three different DNS methods. All methods that acme.sh supports work with this article.
When using the '''Automatic DNS Method''' for the first time, you will need to update '''~/.acme.sh/account.conf''' to contain your DNS provider's API key. A list of supported DNS providers can be found in ~/.acme.sh/dnsapi. In this article we will use CloudFlare. Log in to your CloudFlare account to get your API key before proceeding, then add these two lines to your '''~/.acme.sh/account.conf''' file (no space around the '=', because the file is sourced by bash):
<pre>
SAVED_CF_Key='......Your API key..........'
SAVED_CF_Email='XXXX@example.com'
</pre>
From now on, any time we need to issue or renew a certificate we can do the following:
<pre>
acme.sh --issue --dns dns_cf -d mail.example.com
</pre>
If we have multiple domains associated with our Zimbra server, then it works like this:
<pre>
acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org
</pre>
Wildcard certs are supported with the ACME v2 protocol:
<pre>
acme.sh --issue --dns dns_cf -d mail.example.com -d '*.example.com'
</pre>
Your certificates can be found in ~/.acme.sh/mail.example.com: acme.sh uses the first '-d' name to create the directory that stores your certificates.
= Install Certificate With Zimbra =
Regardless of which challenge method you used with the acme.sh bash script, the following commands will install the resulting certificate. Note: I have also created a script that performs these steps automatically at https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh, and the forums have a thread on this method at https://forums.zimbra.org/viewtopic.php?f=15&t=60781 for additional background. For this article we walk through those steps by hand.
= Step 1 (Append IdenTrust CERT to fullchain) =
The fullchain.cer that acme.sh writes ends at the Letsencrypt intermediate; zmcertmgr expects the chain to reach a root, so append the IdenTrust DST Root CA X3 certificate that signed that intermediate.
<pre>
cd ~/.acme.sh/mail.example.com
echo '-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----' >> fullchain.cer
</pre>
Because zmcertmgr changes directory during the install, which can abort when directory permissions are incorrect, we first copy the three files to /tmp:
<pre>
% cd ~/.acme.sh/mail.example.com
% cp mail.example.com.key mail.example.com.cer fullchain.cer /tmp
</pre>
= Note =
For version 8.7 and above, zmcertmgr runs as zimbra. For all earlier versions you will run zmcertmgr as root. The examples below are for versions 8.7 and 8.8.
= Step 2 Verify your certificate =
<pre>
% su - zimbra
% cd /tmp
% /opt/zimbra/bin/zmcertmgr verifycrt mail.example.com.key mail.example.com.cer fullchain.cer
</pre>
If there were no errors, you can install the certificate.
= Step 3 Install your certificate =
<pre>
% su - zimbra
% cd /tmp
% cp mail.example.com.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
% /opt/zimbra/bin/zmcertmgr deploycrt comm mail.example.com.cer fullchain.cer
</pre>
If there were no errors, proceed to restart Zimbra.
= Step 4 Restart Zimbra =
<pre>
% su - zimbra
% zmcontrol restart
</pre>
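Steps 1 to 4 above as one re-runnable shell script, added here as an example; it is neither the article's deploy-zimbra-letsencrypt.sh nor acme.sh's own code, and the function names are mine. It goes a little beyond the article: Step 1 is made idempotent so a renewal hook can re-run it, the key is checked against the leaf certificate and the appended root against its expiry before zmcertmgr is called, and the files are staged in a directory only zimbra can read instead of being left in a world-readable /tmp. It assumes it runs as root on ZCS 8.7 or later (zmcertmgr as zimbra), that openssl is on the PATH, and that the IdenTrust PEM from Step 1 has been saved to the file named by ROOT_PEM (an assumed location).

```shell
#!/bin/sh
# Added example, not the article's own script: Steps 1-4 as re-runnable shell
# functions. Assumes root on ZCS 8.7+, openssl on PATH, and the IdenTrust
# PEM from Step 1 saved at $ROOT_PEM (assumed location, change as needed).
set -eu

ACME_HOME="${ACME_HOME:-${HOME:-.}/.acme.sh}"
ROOT_PEM="${ROOT_PEM:-${HOME:-.}/identrust-root.pem}"

# Number of PEM certificates in a file; 0 if the file is missing.
pem_count() {
    if [ -f "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Step 1, idempotent: append the root PEM ($2) to fullchain.cer ($1) only if
# its first base64 line is not already present, so a renewal hook can re-run it.
append_root_once() {
    if ! grep -qxF -- "$(sed -n '2p' "$2")" "$1" 2>/dev/null; then
        cat "$2" >> "$1"
    fi
}

# Fail early with clear messages: root not expired, key matches the leaf cert.
preflight() {   # $1 = directory with <domain>.key/.cer, $2 = domain
    openssl x509 -noout -checkend 0 -in "$ROOT_PEM" >/dev/null \
        || { echo "root in $ROOT_PEM has expired; use the current root" >&2; return 1; }
    [ "$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1/$2.cer" -noout -pubkey)" ] \
        || { echo "$2.key does not match $2.cer" >&2; return 1; }
}

# Steps 2-4: stage copies in a directory only zimbra can read (mktemp -d
# creates it mode 0700), verify, deploy, restart, then remove the copies.
deploy_to_zimbra() {   # $1 = primary domain (first -d given to acme.sh)
    dir="$ACME_HOME/$1"
    append_root_once "$dir/fullchain.cer" "$ROOT_PEM"
    preflight "$dir" "$1"
    stage=$(mktemp -d)
    cp "$dir/$1.key" "$dir/$1.cer" "$dir/fullchain.cer" "$stage/"
    chown -R zimbra "$stage"
    su - zimbra -c "cd '$stage' \
        && /opt/zimbra/bin/zmcertmgr verifycrt '$1.key' '$1.cer' fullchain.cer \
        && cp '$1.key' /opt/zimbra/ssl/zimbra/commercial/commercial.key \
        && /opt/zimbra/bin/zmcertmgr deploycrt comm '$1.cer' fullchain.cer \
        && /opt/zimbra/bin/zmcontrol restart"
    rm -rf "$stage"
}

# Usage (after acme.sh --issue ...): sh deploy-to-zimbra.sh mail.example.com
if [ $# -gt 0 ]; then deploy_to_zimbra "$1"; fi
```

Wire it into renewal by calling it from acme.sh's renew hook for the primary domain; the private key copy never outlives the staging directory.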
Revision as of 22:30, 19 July 2018