Difference between revisions of "Category:Community Sandbox"

m (Step 2 Verify your certificate)
m (Step 2 Verify your certificate)
Line 79: Line 79:
% su - zimbra
% su - zimbra
% cd /tmp
% cd /tmp
% /opt/zimbra/bin/zmcertmgr verifycrt mail.example.com.key mail.example.com.cer fullchain.cer
% /opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer

Revision as of 19:32, 20 July 2018

JDunphy Letsencrypt - Another Method Using acme.sh to Generate Certs

   KB 2441        Last updated on 2018-07-20  

(0 votes)


Letsencrypt is a free, automated, and open Certificate Authority to generate all your PKI certificates so a browser can see & display that trusted green secure lock for your domains. Instead of installing a development environment like other Letsencrypt methods, this article describes a single bash script and can be installed and operated without being root. Here is how to get Zimbra up and running with your Letsencrypt certificate.

Requirements (1 time only)

  1. Install acme.sh bash script in your home directory. Ref: https://github.com/Neilpang/acme.sh
% curl https://get.acme.sh | sh
% wget -O -  https://get.acme.sh | sh

Note: This will do three things.

  1. create a directory ~/.acme.sh
  2. update your .cshrc and .bashrc so that script is in your path
  3. create a cron job for the local user for automatic renewal

Issue Your Certificate

Letsencrypt needs to verify you have control of your domains before they will sign your certificate. To do that, we complete a challenge and prove we have control of the domains using their acme protocol. The acme.sh script supports all challenge methods but for this article we will focus on the Automatic DNS challenge. See https://github.com/Neilpang/acme.sh for other methods or my own documentation https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh/tree/master/Recipies/SingleServer which lists 3 different type of DNS methods. All methods that acme.sh supports work with this article.

When using the Automatic DNS Method for the first time, you will need to update ~/.acme.sh/account.conf to contain your DNS provider api key. A list of supported DNS providers can be found at ~/.acme.sh/dnsapi. In this article we will use CloudFlare. Login to your CloudFlare account to get your API key before proceeding and then add these 2 lines to your ~/.acme.sh/account.conf file

  1. SAVED_CF_Key= '......Your API key..........'
  2. CF_EMAIL='XXXX@example.com'

From now on, anytime we need a certificate or renew a certificate we can do the following:

acme.sh --issue --dns dns_cf -d mail.example.com

If we have multiple domains associated with our Zimbra server, then it works like this:

acme.sh --issue --dns dns_cf -d mail.example.com -d mail.example.net -d mail.example.org 

Wild card certs are supported with ACME v2 protocol

acme.sh --issue --dns dns_cf -d mail.example.com -d '*.example.com'

Your certificates can be found at: ~/.acme.sh/mail.example.com ... It uses the first '-d' name to create a directory to store your certificates

Install Certificate With Zimbra

Regardless of which challenge method you used with the acme.sh bash script, the following commands will install it. Note: I have also created a script to perform these steps automatically at https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh and the forums have a thread on this method https://forums.zimbra.org/viewtopic.php?f=15&t=60781 for additional background information. For this article we walk through those steps.

= Step 1 (Append IdentTrust CERT to fullchain)

cd ~/.acme.sh/example.com 
echo '-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----' >> fullchain.cer

Because zmcertmgr will chdir during install which can abort when permissions are incorrect in some circumstances, we do the following.

% cd .acme.sh/mail.example.com
% cp mail.example.com.key mail.example.com.cer fullchain.cer /tmp

= Note: For version 8.7 and above, zmcertmgr runs as zimbra. For all earlier versions you will run zmcertmgr as root. Example below is for 8.7 and 8.8 versions.

Step 2 Verify your certificate

% su - zimbra
% cd /tmp
% /opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer

If there were no errors, you can install the certificate

Step 3 Install your certificate

% su - zimbra
% cd /tmp
% cp mail.example.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
% /opt/zimbra/bin/zmcertmgr deploycrt comm mail.example.cer fullchain.cer

If there were no errors, proceed to restart zimbra

Step 4 Restart Zimbra

% su - zimbra
% zmcontrol restart


This category has the following 2 subcategories, out of 2 total.

Pages in category "Community Sandbox"

The following 200 pages are in the current category.

(previous page) (next page)


(previous page) (next page)
Jump to: navigation, search