Installing a LetsEncrypt SSL Certificate: Difference between revisions

No edit summary
Line 3: Line 3:
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
=Installing a Let's Encrypt SSL Certificate=
=Installing a Let's Encrypt SSL Certificate=
{{KB|{{Unsupported}}|{{ZCS 8.8}}|{{ZCS 8.7}}|}}
{{KB|{{Unsupported}}|{{ZCS 9.0}}|{{ZCS 8.8}}|}}


==Purpose==
==Purpose==
Line 26: Line 26:
Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!!
Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!!


=Automatic methods=
{{Article Footer|Zimbra Collaboration 9.0, 8.8|22/09/2022}}
Since Letsencrypt has gone public several scripts were created to automate the deployment of free SSL certificates in Zimbra. In order of appearance:
 
* [https://github.com/VojtechMyslivec/letsencrypt-zimbra/ Vojtěch Myslivec on GitHub]
* Grown from a long discussion on the [https://forums.zimbra.org/viewtopic.php?f=15&t=60781 forum] [https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh Jim Dunphy developed a script] based on Neilpang's acme.sh script
* A nearly fully automated script developed by [https://github.com/yetopen/certbot-zimbra Maxxer@YetOpen on GitHub]
 
{{Article Footer|Zimbra Collaboration 8.6, 8.5|12/05/2015}}
{{NeedSME|Jorge|SME2|Copyeditor}}
{{NeedSME|Jorge|SME2|Copyeditor}}


[[Category:Certificates]]
[[Category:Certificates]]

Revision as of 09:58, 22 September 2021

Installing a Let's Encrypt SSL Certificate

   KB 22434        Last updated on 2021-09-22  




5.00
(one vote)

Purpose

To use Zimbra with Let's Encrypt you have to use the --preferred-chain option.

You also need an up-to-date certbot, the ones packed in OS is too old. Consider using a snap. https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html

In a scripted way, this is how I use it now, I run all these commands on a dedicated Letsencrypt VM and mail4 is my Zimbra server.

/usr/local/bin/certbot --manual --force-renewal --preferred-chain  "ISRG Root X1" --expand --manual-auth-hook /usr/local/sbin/hook.sh --manual-cleanup-hook /usr/local/sbin/cleanhook.sh --preferred-challenges dns -d "barrytest.tk" -d "*.barrytest.tk" -d "zimbratest.tk" -d "*.zimbratest.tk" certonly --manual-public-ip-logging-ok -n

/usr/bin/scp -r /etc/letsencrypt/live/barrytest.tk/* root@mail4:/etc/letsencrypt/live/barrytest.tk/
/usr/bin/ssh root@mail4 'cp /etc/letsencrypt/live/barrytest.tk/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key'
/usr/bin/ssh root@mail4 'chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key'
/usr/bin/ssh root@mail4 'wget -O /tmp/ISRG-X1.pem 'https://letsencrypt.org/certs/isrgrootx1.pem.txt'
/usr/bin/ssh root@mail4 'cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrytest.tk/chain.pem'
/usr/bin/ssh zimbra@mail4 '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrytest.tk/cert.pem /etc/letsencrypt/live/barrytest.tk/chain.pem'

Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!!

Verified Against: Zimbra Collaboration 9.0, 8.8 Date Created: 22/09/2022
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_LetsEncrypt_SSL_Certificate Date Modified: 2021-09-22



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Barry de Graaff
Jump to: navigation, search