Difference between revisions of "Installing a LetsEncrypt SSL Certificate"

(Installing a Let's Encrypt SSL Certificate)
 
(24 intermediate revisions by 9 users not shown)
Line 3: Line 3:
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
 
=Installing a Let's Encrypt SSL Certificate=
 
=Installing a Let's Encrypt SSL Certificate=
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
+
{{KB|{{Unsupported}}|{{ZCS 9.0}}|{{ZCS 8.8}}|}}
{{WIP}}
 
  
[[File:Letsencrypt-en.png|1024px]]
+
This article is a step-by-step instruction on setting up a Zimbra with Let’s Encrypt certificates.
  
==Purpose==
+
If you are running a multi server installation of Zimbra it is recommended you set-up a dedicated VM for obtaining the Let’s Encrypt certificate and follow the steps under <code>Manual installation of Let’s Encrypt on Zimbra</code>.
Step by Step Wiki/KB article to install a Let's Encrypt Commercial Certificate.
 
'''Disclaimer'''
 
The Let’s Encrypt Client is '''BETA SOFTWARE'''. It contains plenty of bugs and rough edges, and it should be tested thoroughly in staging environments before use on production systems.
 
For more information regarding the status of the project, please see https://letsencrypt.org. Be sure to check out the [https://community.letsencrypt.org/t/frequently-asked-questions-faq/26#topic-title Frequently Asked Questions (FAQ)].
 
  
==Resolution==
+
= Prerequisites =
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. It could be an option to protect Zimbra Servers with a valid SSL certificate; however, please be aware that is a Beta for now. Some stuff could not work or have issues, so use it at your own risk.
 
  
===Installing Let's Encrypt on a Zimbra Server===
+
This guide assumes you are using Ubuntu 20 and you have set up a correct hostname and DNS, to check run the following as user <code>zimbra</code> and verify <code>zmhostname</code> is the same as <code>hostname --fqdn</code>:
Let's Encrypt must be installed on one Linux machine to obtain the proper SSL Certificate, CA Intermediate, and Private Key. It is not required that it be on the same Zimbra Server, but it could save time and help to obtain the renewals, etc.
 
* First Step is to stop the jetty or nginx service at Zimbra level
 
zmproxyctl stop
 
zmmailboxdctl stop
 
* Second step is to Install git on the Server (apt-get install git/yum install git), and then do a git clone of the project on the folder we want
 
** Note: On RedHat/CentOS 6 you will need to enable the EPEL repository before install.
 
git clone https://github.com/letsencrypt/letsencrypt
 
cd letsencrypt
 
* Let's now run Let's Encrypt in auto mode and use the certonly option, because for now the project can't automatically install the cert on Zimbra servers.
 
root@zimbra86:~/tmp/letsencrypt# ./letsencrypt-auto certonly
 
** (This step only happens the first time. This process will not occur when renewing the SSL Certificate if using the same machine.) The process will download all of the OS dependencies that Let's Encrypt needs, and after a few minutes:
 
<pre>Creating virtual environment...
 
Updating letsencrypt and virtual environment dependencies...../root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
 
  InsecurePlatformWarning
 
./root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
 
  InsecurePlatformWarning
 
</pre>
 
*** The process will ask for an Email Address in case of emergency contact or to recover the lost key.
 
  
[[File:Letsencrypt-002.png]]
+
<pre>zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars
 +
zimbra@le-test:~$ zmhostname
 +
le-test.zimbra.tech
 +
zimbra@le-test:~$ hostname --fqdn
 +
le-test.zimbra.tech</pre>
 +
Next you should have set up a CAA DNS record so that Let’s Encrypt can issue certificates for your domain, to check run the following and make sure <code>0 issue &quot;letsencrypt.org&quot;</code> is in the output of the command:
  
*** The process will ask if we agree with the ToS.
+
<pre>zimbra@le-test:~$ sudo apt install -y net-tools dnsutils
 +
zimbra@le-test:~$ dig +short type257 $(hostname --d)
 +
0 issuewild &quot;letsencrypt.org&quot;
 +
0 issue &quot;letsencrypt.org&quot;</pre>
 +
Next check if Zimbra listens on port 80, Let’s Encrypt needs to be able to run a temporary webserver on port 80, so it can not be used by Zimbra. This is not an issue as most browsers now try https first. The following command should not have any output:
  
[[File:Letsencrypt-003.png]]
+
<pre>netstat -tulpn | grep &quot;:80 &quot;</pre>
 +
In case your Zimbra is listening on port 80, you have to switch the proxy mode like this:
  
**** In case we run a renewal, or a request for a new FQDN, the process will just take a few seconds.
+
<pre>sudo su zimbra -
Updating letsencrypt and virtual environment dependencies.......
+
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly
+
zmprov ms `zmhostname` zimbraMailMode https
*** Let's Encrypt will prompt for the domain to protect, in this lab case (zimbra86.zimbra.io):
+
/opt/zimbra/bin/zmtlsctl https
 +
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`</pre>
 +
If you are having trouble setting up Zimbra you can use our automated installer that will take care of Let’s Encrypt also: https://github.com/Zimbra/zinstaller
  
[[File:Letsencrypt-004.png]]
+
Further reading:
  
* The process will take a few seconds to validate and then will end:
+
* https://wiki.zimbra.com/wiki/CLI_zmtlsctl_to_set_Web_Server_Mode
<pre>IMPORTANT NOTES:
+
* https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached
- Congratulations! Your certificate and chain have been saved at
 
  /etc/letsencrypt/live/zimbra86.zimbra.io/fullchain.pem. Your cert
 
  will expire on 2016-03-04. To obtain a new version of the
 
  certificate in the future, simply run Let's Encrypt again.
 
- If like Let's Encrypt, please consider supporting our work by:
 
  
  Donating to ISRG / Let's Encrypt:  https://letsencrypt.org/donate
+
= Installing Certbot =
  Donating to EFF:                    https://eff.org/donate-le</pre>
 
  
===Where are the SSL Certificate Files?===
+
Certbot in the Ubuntu repositories is too old and cannot be used for Zimbra. The newer version can be installed via snap or pip. Run below commands to install Cerbot and obtain a certificate:
You can find all your files under '''/etc/letsencrypt/live/$domain''', where $domain is the fqdn you used during the process:
 
<pre>root@zimbra86:/etc/letsencrypt/live/zimbra86.zimbra.io# ls -al
 
total 8
 
drwxr-xr-x 2 root root 4096 Dec  5 16:46 .
 
drwx------ 3 root root 4096 Dec  5 16:46 ..
 
lrwxrwxrwx 1 root root  42 Dec  5 16:46 cert.pem -> ../../archive/zimbra86.zimbra.io/cert1.pem
 
lrwxrwxrwx 1 root root  43 Dec  5 16:46 chain.pem -> ../../archive/zimbra86.zimbra.io/chain1.pem
 
lrwxrwxrwx 1 root root  47 Dec  5 16:46 fullchain.pem -> ../../archive/zimbra86.zimbra.io/fullchain1.pem
 
lrwxrwxrwx 1 root root  45 Dec  5 16:46 privkey.pem -> ../../archive/zimbra86.zimbra.io/privkey1.pem</pre>
 
  
===Build the proper Intermediate CA plus Root CA===
+
<pre>apt install -y python3 python3-venv libaugeas0
Let's Encrypt is almost perfect, but during the files the process built, they just add the chain.pem file without the root CA.
+
python3 -m venv /opt/certbot/
You must to use the IdenTrust root Certificate and merge it after the chain.pem
+
/opt/certbot/bin/pip install --upgrade pip
* [https://www.identrust.com/certificates/trustid/root-download-x3.html https://www.identrust.com/certificates/trustid/root-download-x3.html]
+
/opt/certbot/bin/pip install certbot
Your chain.pem should look like:
+
ln -s /opt/certbot/bin/certbot /usr/local/sbin/certbot
<pre>
+
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --preferred-chain  &quot;ISRG Root X1&quot; --agree-tos --register-unsafely-without-email</pre>
-----BEGIN CERTIFICATE-----
+
= Zimbra deployment =
MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
 
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 
Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
 
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
 
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
 
ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
 
BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
 
PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
 
dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
 
gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
 
4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
 
EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
 
BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
 
b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
 
ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
 
MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
 
AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
 
MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
 
LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
 
pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
 
v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
 
ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
 
ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
 
6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
 
f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
 
-----END CERTIFICATE-----
 
-----BEGIN CERTIFICATE-----
 
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
 
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
 
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
 
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
 
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
 
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
 
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
 
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
 
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
 
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
 
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
 
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
 
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
 
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
 
-----END CERTIFICATE-----</pre>
 
  
===Verify your commercial certificate. ===
+
Create the following script that deploys the Let’s Encrypt certificate on Zimbra:
Move to the Let's Encrypt folder with all files '''/etc/letsencrypt/live/$domain''' and then launch the next command as '''root''':
 
root@zimbra86:/etc/letsencrypt/live/zimbra86.zimbra.io# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
 
** Verifying cert.pem against privkey.pem
 
Certificate (cert.pem) and private key (privkey.pem) match.
 
Valid Certificate: cert.pem: OK
 
===Deploy the new Let's Encrypt SSL certificate===
 
====Copy the private key under Zimbra SSL path====
 
Before deploy the SSL Certificate, you need to move the privkey.pem under the Zimbra SSL commercial path, like this:
 
cp /etc/letsencrypt/live/zimbra86.zimbra.io/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 
====Final SSL deployment====
 
Then deploy the certificate as follows:
 
<pre>root@zimbra86:/etc/letsencrypt/live/zimbra86.zimbra.io# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
 
** Verifying cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key
 
Certificate (cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 
Valid Certificate: cert.pem: OK
 
** Copying cert.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 
** Appending ca chain chain.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
 
** NOTE: mailboxd must be restarted in order to use the imported certificate.
 
** Saving server config key zimbraSSLCertificate...failed.
 
** Saving server config key zimbraSSLPrivateKey...failed.
 
** Installing mta certificate and key...done.
 
** Installing slapd certificate and key...done.
 
** Installing proxy certificate and key...done.
 
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
 
** Installing CA to /opt/zimbra/conf/ca...done.</pre>
 
  
Then you need to restart the services, which will restart the nginx or jetty you stopped before:
+
<pre>cat &gt;&gt; /usr/local/sbin/letsencrypt-zimbra &lt;&lt; EOF
zmcontrol restart
+
#!/bin/bash
 +
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --manual-public-ip-logging-ok -n --preferred-chain  &quot;ISRG Root X1&quot; --agree-tos --register-unsafely-without-email
 +
cp &quot;/etc/letsencrypt/live/$(hostname --fqdn)/privkey.pem&quot; /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
 +
rm -f &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem&quot;
 +
cp &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chain.pem&quot; &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem&quot;
 +
cat /tmp/ISRG-X1.pem &gt;&gt; &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem&quot;
 +
chown zimbra:zimbra /etc/letsencrypt -R
 +
cd /tmp
 +
su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm &quot;/etc/letsencrypt/live/$(hostname --fqdn)/cert.pem&quot; &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem&quot;'
 +
rm -f &quot;/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem&quot;
 +
EOF</pre>
 +
Set the correct permission, set up a cron job and run the deployment:
  
===Test the new SSL Certificate===
+
<pre>chmod +rx /usr/local/sbin/letsencrypt-zimbra
Last step is go to your Web Browser and open the URL of your Zimbra server where you installed the Let's Encrypt SSL Certificate:
+
ln -s /usr/local/sbin/letsencrypt-zimbra /etc/cron.daily/letsencrypt-zimbra
 +
/etc/cron.daily/letsencrypt-zimbra</pre>
 +
Finally restart Zimbra to load the new certificate:
  
[[File:Letsencrypt-006.png|1024px]]
+
<pre>sudo su zimbra -c '/opt/zimbra/bin/zmcontrol restart'</pre>
 +
'''''The cron job will renew your certificate about 1 month prior to the expiration date, you need to manually restart Zimbra before the renewal date to load the new certificate.'''''
  
You can expand the Certificate Information to see the new SSL Certificate your server is using:
+
= Manual installation of Let’s Encrypt on Zimbra =
  
[[File:Letsencrypt-007.png]]
+
Make sure to request a certificate with the <code>--preferred-chain  &quot;ISRG Root X1&quot;</code> option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the <code>--force-renewal --preferred-chain  &quot;ISRG Root X1&quot;</code> options.
  
===Building Multi-SAN SSL Certificate and complex scenarios===
+
After you have received the certificate from Let’s Encrypt you can deploy it on Zimbra like this:
You can do almost everything you need, like Subject Alt Names, different domains, etc. But to see more about this, you are encourage to visit [https://letsencrypt.org/ the web of the official project].
 
  
==Additional Content==
+
As user root or sudo:
* Let's Encrypt User Manual - https://letsencrypt.readthedocs.org/en/latest/using.html
 
* Let's Encrypt Official Project - https://letsencrypt.org/
 
  
{{Article Footer|Zimbra Collaboration 8.6, 8.5|12/05/2015}}
+
<pre>cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
{{NeedSME|Jorge|SME2|Copyeditor}}
+
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
 +
cat /tmp/ISRG-X1.pem &gt;&gt; /etc/letsencrypt/live/barrydegraaff.nl/chain.pem</pre>
 +
As user zimbra or <code>sudo su zimbra -</code>:
 +
 
 +
<pre>cd ~
 +
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
 +
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem</pre>
 +
The output should be similar to:
 +
 
 +
<pre>root@zimbra9:~# su zimbra -
 +
zimbra@zimbra9:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
 +
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
 +
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
 +
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
 +
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
 +
zimbra@zimbra9:/root$ cd ~
 +
zimbra@zimbra9:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
 +
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
 +
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
 +
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
 +
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
 +
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
 +
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
 +
** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
 +
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
 +
** NOTE: restart mailboxd to use the imported certificate.
 +
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
 +
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
 +
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
 +
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
 +
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
 +
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
 +
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
 +
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
 +
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
 +
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
 +
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
 +
** NOTE: restart services to use the new certificates.
 +
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
 +
** Removing /opt/zimbra/conf/ca/ca.key
 +
** Removing /opt/zimbra/conf/ca/e50a23da.0
 +
** Removing /opt/zimbra/conf/ca/ca.pem
 +
** Copying CA to /opt/zimbra/conf/ca
 +
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
 +
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
 +
** Creating CA hash symlink 'e50a23da.0' -&gt; 'ca.pem'
 +
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
 +
** Creating CA hash symlink '8d33f237.0' -&gt; 'commercial_ca_1.crt'
 +
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
 +
** Creating CA hash symlink '4042bcee.0' -&gt; 'commercial_ca_2.crt'</pre>
 +
Finally restart Zimbra as user zimbra or <code>sudo su zimbra -</code>:
 +
 
 +
<pre>zmcontrol restart</pre>
 +
= Using DANE =
 +
 
 +
You have to use Certbot with the <code>--reuse-key</code> option, see https://blog.zimbra.com/2022/04/zimbra-skillz-enable-dane-verification-for-incoming-email-in-zimbra/
 +
 
 +
= Using multiple https domains with SNI =
 +
 
 +
Refer to: https://blog.zimbra.com/2022/06/zimbra-skillz-how-to-use-zimbra-with-multiple-https-domains-server-name-indication-sni/
 +
 
 +
= Further reading =
 +
 
 +
* https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry
 +
 
 +
 
 +
 
 +
{{Article Footer|Zimbra Collaboration 9.0, 8.8|22/09/2022}}
  
 
[[Category:Certificates]]
 
[[Category:Certificates]]

Latest revision as of 08:18, 1 July 2022

Installing a Let's Encrypt SSL Certificate

   KB 22434        Last updated on 2022-07-1  




5.00
(one vote)

This article is a step-by-step instruction on setting up a Zimbra with Let’s Encrypt certificates.

If you are running a multi server installation of Zimbra it is recommended you set-up a dedicated VM for obtaining the Let’s Encrypt certificate and follow the steps under Manual installation of Let’s Encrypt on Zimbra.

Prerequisites

This guide assumes you are using Ubuntu 20 and you have set up a correct hostname and DNS, to check run the following as user zimbra and verify zmhostname is the same as hostname --fqdn:

zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars
zimbra@le-test:~$ zmhostname
le-test.zimbra.tech
zimbra@le-test:~$ hostname --fqdn
le-test.zimbra.tech

Next you should have set up a CAA DNS record so that Let’s Encrypt can issue certificates for your domain, to check run the following and make sure 0 issue "letsencrypt.org" is in the output of the command:

zimbra@le-test:~$ sudo apt install -y net-tools dnsutils
zimbra@le-test:~$ dig +short type257 $(hostname --d)
0 issuewild "letsencrypt.org"
0 issue "letsencrypt.org"

Next check if Zimbra listens on port 80, Let’s Encrypt needs to be able to run a temporary webserver on port 80, so it can not be used by Zimbra. This is not an issue as most browsers now try https first. The following command should not have any output:

netstat -tulpn | grep ":80 "

In case your Zimbra is listening on port 80, you have to switch the proxy mode like this:

sudo su zimbra -
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
zmprov ms `zmhostname` zimbraMailMode https
/opt/zimbra/bin/zmtlsctl https
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`

If you are having trouble setting up Zimbra you can use our automated installer that will take care of Let’s Encrypt also: https://github.com/Zimbra/zinstaller

Further reading:

Installing Certbot

Certbot in the Ubuntu repositories is too old and cannot be used for Zimbra. The newer version can be installed via snap or pip. Run below commands to install Cerbot and obtain a certificate:

apt install -y python3 python3-venv libaugeas0
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
ln -s /opt/certbot/bin/certbot /usr/local/sbin/certbot
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email

Zimbra deployment

Create the following script that deploys the Let’s Encrypt certificate on Zimbra:

cat >> /usr/local/sbin/letsencrypt-zimbra << EOF
#!/bin/bash
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email
cp "/etc/letsencrypt/live/$(hostname --fqdn)/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
cp "/etc/letsencrypt/live/$(hostname --fqdn)/chain.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
chown zimbra:zimbra /etc/letsencrypt -R
cd /tmp
su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/$(hostname --fqdn)/cert.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"'
rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
EOF

Set the correct permission, set up a cron job and run the deployment:

chmod +rx /usr/local/sbin/letsencrypt-zimbra
ln -s /usr/local/sbin/letsencrypt-zimbra /etc/cron.daily/letsencrypt-zimbra
/etc/cron.daily/letsencrypt-zimbra

Finally restart Zimbra to load the new certificate:

sudo su zimbra -c '/opt/zimbra/bin/zmcontrol restart'

The cron job will renew your certificate about 1 month prior to the expiration date, you need to manually restart Zimbra before the renewal date to load the new certificate.

Manual installation of Let’s Encrypt on Zimbra

Make sure to request a certificate with the --preferred-chain "ISRG Root X1" option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options.

After you have received the certificate from Let’s Encrypt you can deploy it on Zimbra like this:

As user root or sudo:

cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

As user zimbra or sudo su zimbra -:

cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

The output should be similar to:

root@zimbra9:~# su zimbra -
zimbra@zimbra9:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
zimbra@zimbra9:/root$ cd ~
zimbra@zimbra9:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra9.barrydegraaff.nl...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e50a23da.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e50a23da.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'

Finally restart Zimbra as user zimbra or sudo su zimbra -:

zmcontrol restart

Using DANE

You have to use Certbot with the --reuse-key option, see https://blog.zimbra.com/2022/04/zimbra-skillz-enable-dane-verification-for-incoming-email-in-zimbra/

Using multiple https domains with SNI

Refer to: https://blog.zimbra.com/2022/06/zimbra-skillz-how-to-use-zimbra-with-multiple-https-domains-server-name-indication-sni/

Further reading


Verified Against: Zimbra Collaboration 9.0, 8.8 Date Created: 22/09/2022
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_LetsEncrypt_SSL_Certificate Date Modified: 2022-07-01



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search