Installing a Let's Encrypt SSL Certificate

KB 22434	Last updated on 2021-09-22	Last updated by Barry de Graaff	5.00 (one vote)	Verified in: ZCS 9.0 ZCS 8.8
- This article is a Community contribution and may include unsupported customizations.

KB 22434	Last updated on 2021-09-22
5.00 (one vote)
- This article is a Community contribution and may include unsupported customizations.

Purpose

To use Zimbra with Let's Encrypt you have to use the --preferred-chain option.

You also need an up-to-date certbot, the ones packed in OS is too old. Consider using a snap. https://certbot.eff.org/lets-encrypt/ubuntufocal-apache.html

In a scripted way, this is how I use it now, I run all these commands on a dedicated Letsencrypt VM and mail4 is my Zimbra server.

/usr/local/bin/certbot --manual --force-renewal --preferred-chain  "ISRG Root X1" --expand --manual-auth-hook /usr/local/sbin/hook.sh --manual-cleanup-hook /usr/local/sbin/cleanhook.sh --preferred-challenges dns -d "barrytest.tk" -d "*.barrytest.tk" -d "zimbratest.tk" -d "*.zimbratest.tk" certonly --manual-public-ip-logging-ok -n

/usr/bin/scp -r /etc/letsencrypt/live/barrytest.tk/* root@mail4:/etc/letsencrypt/live/barrytest.tk/
/usr/bin/ssh root@mail4 'cp /etc/letsencrypt/live/barrytest.tk/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key'
/usr/bin/ssh root@mail4 'chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key'
/usr/bin/ssh root@mail4 'wget -O /tmp/ISRG-X1.pem 'https://letsencrypt.org/certs/isrgrootx1.pem.txt'
/usr/bin/ssh root@mail4 'cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrytest.tk/chain.pem'
/usr/bin/ssh zimbra@mail4 '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrytest.tk/cert.pem /etc/letsencrypt/live/barrytest.tk/chain.pem'

Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!!