Installing a LetsEncrypt SSL Certificate (current revision; last edited by Gayle Billat, minor edit, no edit summary)
<div class="col-md-12 ibox-content">
=Installing a Let's Encrypt SSL Certificate=
{{KB|{{Unsupported}}|{{ZCS 9.0}}|{{ZCS 8.8}}|}}
==Purpose==
Let’s Encrypt is a way to obtain trusted, free TLS certificates. To obtain certificates you can use a program called Certbot; instructions for setting up Certbot are at https://certbot.eff.org/instructions. If you already use Let’s Encrypt on Zimbra, keep reading: this article explains how to keep using Let’s Encrypt after the expiration of the IdenTrust DST Root CA X3 on September 30.
In many cases it is easiest to set up a dedicated VM that takes care of deploying Let’s Encrypt certificates to all the systems you intend to use with TLS certificates.
If you want to use Zimbra, it is recommended that you use the <code>snap</code> version of Certbot, as that supports the <code>--preferred-chain "ISRG Root X1"</code> option which is needed to make it work with Zimbra.
= Installing the obtained certificate on Zimbra =
Make sure to request the certificate with the <code>--preferred-chain "ISRG Root X1"</code> option. If you already have a certificate that was issued without this option, you have to force a renewal with the <code>--force-renewal --preferred-chain "ISRG Root X1"</code> options.
After you have received the certificate from Let’s Encrypt you can deploy it on Zimbra like this:
As user root or with sudo:
<pre># copy the private key into Zimbra's commercial certificate location and hand it to the zimbra user
cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# fetch the ISRG Root X1 root certificate and append it to the chain (note: >> appends on every run, so do this once per issued chain.pem)
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem</pre>
As user zimbra or via <code>sudo su zimbra -</code>:
<pre>cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem</pre>
The output should be similar to:
<pre>root@zimbra9:~# su zimbra -
zimbra@zimbra9:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
zimbra@zimbra9:/root$ cd ~
zimbra@zimbra9:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e50a23da.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e50a23da.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'</pre>
Finally, restart Zimbra as user zimbra or via <code>sudo su zimbra -</code>:
<pre>zmcontrol restart</pre>
Please note: you have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work. That’s it for using Let’s Encrypt on Zimbra!
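The <code>cat /tmp/ISRG-X1.pem >> chain.pem</code> step above appends the root every time it runs, and certbot writes a fresh chain.pem at each renewal, so the append has to be repeated after every renewal without producing duplicate roots. The helper below is an added example, not code from this wiki page, from Zimbra or from Certbot: it rebuilds the chain file idempotently by comparing certificates on their DER SHA-256 fingerprint, so it is safe to call from a renewal hook. Only the Python standard library is used; the sample PEM blocks are constructed placeholders (base64 of arbitrary bytes, not real X.509 certificates), and the file paths are assumptions chosen to match the page.

```python
"""Idempotent assembly of the chain Zimbra needs: leaf/intermediates from certbot, then ISRG Root X1.

Added example, not part of the wiki page. Deduplicating on the DER fingerprint means a second run,
or a run from a certbot renewal hook, never appends a root that is already present.
"""
import base64
import hashlib
import re
import ssl
from pathlib import Path

# One PEM certificate block; DOTALL lets '.' span the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem(bundle: str) -> list[str]:
    """Return every certificate block in a PEM bundle, in file order, without surrounding text."""
    return [m.group(0) for m in PEM_BLOCK.finditer(bundle.replace("\r\n", "\n"))]


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, so differently line-wrapped copies of one cert compare equal."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # stdlib: strips the armor and base64-decodes the body
    return hashlib.sha256(der).hexdigest()


def ensure_root_appended(chain_pem: str, root_pem: str) -> str:
    """Return chain_pem with the root appended exactly once (no-op if the same DER is already there)."""
    root_blocks = split_pem(root_pem)
    if len(root_blocks) != 1:
        raise ValueError(f"expected exactly one certificate in the root file, got {len(root_blocks)}")
    root = root_blocks[0]
    chain_blocks = split_pem(chain_pem)
    if not chain_blocks:
        raise ValueError("chain file contains no certificates")
    present = {fingerprint(c) for c in chain_blocks}
    if fingerprint(root) in present:
        return "\n".join(chain_blocks) + "\n"
    return "\n".join(chain_blocks + [root]) + "\n"


def write_chain(chain_path: Path, root_path: Path) -> int:
    """Rewrite chain_path in place with the root appended once; return the resulting certificate count.

    Assumed paths on a live system: /etc/letsencrypt/live/<domain>/chain.pem and /tmp/ISRG-X1.pem.
    """
    merged = ensure_root_appended(chain_path.read_text(), root_path.read_text())
    chain_path.write_text(merged)
    return len(split_pem(merged))


def _fake_cert(label: bytes) -> str:
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes (not a real X.509 cert)."""
    body = base64.encodebytes(label).decode("ascii")  # wrapped base64 with a trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"


# Constructed sample data standing in for certbot's chain.pem and the downloaded root.
SAMPLE_CHAIN = _fake_cert(b"constructed intermediate: R3")
SAMPLE_ROOT = _fake_cert(b"constructed root: ISRG Root X1")

if __name__ == "__main__":
    once = ensure_root_appended(SAMPLE_CHAIN, SAMPLE_ROOT)
    twice = ensure_root_appended(once, SAMPLE_ROOT)
    print(len(split_pem(once)), len(split_pem(twice)))  # 2 2: the second run is a no-op
```

Run it as <code>python3 chain_root.py</code> (assumed file name) to see the no-op second pass, or call <code>write_chain(...)</code> from a <code>certbot --deploy-hook</code> script before the <code>zmcertmgr</code> steps above; <code>zmcertmgr verifycrt</code> remains the authoritative check that the resulting chain validates.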
= Further reading =
* https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry
{{Article Footer|Zimbra Collaboration 9.0, 8.8|22/09/2022}}
{{NeedSME|Jorge|SME2|Copyeditor}}
[[Category:Certificates]]
Revision as of 07:35, 9 May 2022