Installing a LetsEncrypt SSL Certificate

Revision as of 08:31, 23 September 2021 by Barry de Graaff (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Installing a Let's Encrypt SSL Certificate

   KB 22434        Last updated on 2021-09-23  




5.00
(one vote)

Purpose

Let’s Encrypt is a way to obtain trusted and free TLS certificates. To obtain certificates you can use a program called Certbot. You can find instructions for setting up certbot at https://certbot.eff.org/instructions. If you already use Let’s Encrypt on Zimbra keep reading as this post will explain how to keep using Let’s Encrypt after the expiration of IdentTrust DST Root CA X3 on September 30!

In many cases it is easiest to set-up a dedicated VM to take care of the deployment of Let’s Encrypt certificates to all the systems you intent to use with TLS certificates.

If you want to use Zimbra it is recommended you use the snap version of Certbot as that supports the --preferred-chain "ISRG Root X1" option which is needed to make it work with Zimbra.

Installing the obtained certificate on Zimbra

Make sure to request a certificate with the --preferred-chain "ISRG Root X1" option. In case you already have a certificate but you have not used the option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options.

After you have received the certificate from Let’s Encrypt you can deploy it on Zimbra like this:

As user root or sudo:

cp /etc/letsencrypt/live/barrydegraaff.tk/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.tk/chain.pem

As user zimbra or sudo su zimbra -:

cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem

The output should be similar to:

root@zimbra91:~# su zimbra -
zimbra@zimbra91:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.tk/cert.pem: OK
zimbra@zimbra91:/root$ cd ~
zimbra@zimbra91:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.tk/cert.pem: OK
** Copying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra91.barrydegraaff.tk...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra91.barrydegraaff.tk...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e50a23da.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e50a23da.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'

Finally restart Zimbra as user zimbra or sudo su zimbra -:

zmcontrol restart

Please note: You have to concatenate the isrgrootx1.pem CA certificate to the chain to make it work!! That’s it for using Let’s Encrypt on Zimbra!

Further reading


Verified Against: Zimbra Collaboration 9.0, 8.8 Date Created: 22/09/2022
Article ID: https://wiki.zimbra.com/index.php?title=Installing_a_LetsEncrypt_SSL_Certificate Date Modified: 2021-09-23



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Barry de Graaff
Jump to: navigation, search