Installing a Let's Encrypt SSL Certificate
Purpose
To use Zimbra with Let's Encrypt you have to use the --preferred-chain option.
You also need an up-to-date certbot; the versions packaged with the OS are too old. Consider using a snap. https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html
In a scripted way, this is how I use it now. I run all these commands on a dedicated Let's Encrypt VM, and mail4 is my Zimbra server.
# Request the certificates over the DNS challenge, asking for the ISRG Root X1 chain
/usr/local/bin/certbot --manual --force-renewal --preferred-chain "ISRG Root X1" --expand \
    --manual-auth-hook /usr/local/sbin/hook.sh --manual-cleanup-hook /usr/local/sbin/cleanhook.sh \
    --preferred-challenges dns \
    -d "barrytest.tk" -d "*.barrytest.tk" -d "zimbratest.tk" -d "*.zimbratest.tk" \
    certonly --manual-public-ip-logging-ok -n
# Copy the issued files to the Zimbra server
/usr/bin/scp -r /etc/letsencrypt/live/barrytest.tk/* root@mail4:/etc/letsencrypt/live/barrytest.tk/
# Install the private key where zmcertmgr expects the commercial key
/usr/bin/ssh root@mail4 'cp /etc/letsencrypt/live/barrytest.tk/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key'
/usr/bin/ssh root@mail4 'chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key'
# Download the ISRG Root X1 certificate and append it to the chain
/usr/bin/ssh root@mail4 "wget -O /tmp/ISRG-X1.pem 'https://letsencrypt.org/certs/isrgrootx1.pem.txt'"
/usr/bin/ssh root@mail4 'cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrytest.tk/chain.pem'
# Deploy the certificate and chain as the zimbra user
/usr/bin/ssh zimbra@mail4 '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrytest.tk/cert.pem /etc/letsencrypt/live/barrytest.tk/chain.pem'
Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!!
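A guarded form of the append step above, as an added example that is not part of the original page: it appends the root only once, refuses a file that is not a PEM certificate (for example a failed download), and checks with openssl that cert.pem chains to that root before anything is deployed. The function names are assumptions; the paths in the usage comment are the ones the script above uses.

```sh
#!/bin/sh
# Added example: guards for the "append root, then deploy" step.
# Function names are assumptions, not part of Zimbra or certbot.

# Append the root CA to the chain file unless it is already there.
# Returns 1 if the root file is not a PEM certificate (e.g. a failed download).
append_root_once() {
    root=$1
    chain=$2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$root" || return 1
    # Compare with whitespace stripped so line-ending differences do not matter.
    root_body=$(tr -d ' \r\n' < "$root")
    if tr -d ' \r\n' < "$chain" | grep -qF -e "$root_body"; then
        return 0                      # already appended on an earlier run
    fi
    # A chain file without a final newline would glue END and BEGIN together.
    if [ -n "$(tail -c 1 "$chain")" ]; then
        echo >> "$chain"
    fi
    cat "$root" >> "$chain"
}

# Check that cert.pem chains to the given root via the certificates in chain.pem.
# -CAfile supplies the root as trust anchor; -untrusted supplies the intermediates.
verify_chain() {
    cert=$1
    chain=$2
    root=$3
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1
}

# Usage on the Zimbra host, with the paths from the script above:
#   d=/etc/letsencrypt/live/barrytest.tk
#   append_root_once /tmp/ISRG-X1.pem "$d/chain.pem" &&
#     verify_chain "$d/cert.pem" "$d/chain.pem" /tmp/ISRG-X1.pem &&
#     echo "chain OK, safe to run zmcertmgr deploycrt"
```

Zimbra's own check, zmcertmgr verifycrt comm with the key, certificate and chain as arguments, can be run as the zimbra user before deploycrt for the same purpose.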
Automatic methods
Since Let's Encrypt has gone public, several scripts were created to automate the deployment of free SSL certificates in Zimbra. In order of appearance:
- Vojtěch Myslivec on GitHub
- Grown from a long discussion on the forum, Jim Dunphy developed a script based on Neilpang's acme.sh script
- A nearly fully automated script developed by Maxxer@YetOpen on GitHub