yum install -y certbot
# Generate our first SSL cert. Subsequent certificates will be renewed by our script below
certbot certonly –standalone -d mail.ycit.co.kr -m yc@yc.kr –agree-tos -n
# Prepare the Zimbra directory for the new certificate
mkdir /opt/zimbra/ssl/letsencrypt
Create script as /root/ssl.sh chmod +x /root/ssl.sh
#Change work dir to /tmp
cd /tmp
#Renew cert if needed
certbot certonly –standalone -d mail.ycit.co.kr -m yc@yc.kr –agree-tos -n
# Stop the nginx Zimbra service
sudo -u zimbra /opt/zimbra/bin/zmproxyctl stop
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl stop
#Rename existing Zimbra letsencrypt folder and create new
if [[ -e /opt/zimbra/ssl/letsencrypt ]]; then
mv /opt/zimbra/ssl/letsencrypt /opt/zimbra/ssl/letsencrypt$(date +’%Y%m%d’)
mkdir /opt/zimbra/ssl/letsencrypt
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
fi
# Copy Let’s Encrypt SSL cert into Zimbra SSL dir
/bin/cp -rf /etc/letsencrypt/live/mail.protectigate.com/* /opt/zimbra/ssl/letsencrypt/
#Download the Let’s Encrypt root cert
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt -O /opt/zimbra/ssl/letsencrypt/root.pem
#Merge the root cert into the chain file
cat /opt/zimbra/ssl/letsencrypt/root.pem >> /opt/zimbra/ssl/letsencrypt/chain.pem
#Change owner of SSL files to Zimbra user
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
# Verify new SSL cert
sudo -u zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
# Make backup of existing SSL
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date “+%Y%m%d”)
# Copy new priv key
/bin/cp -rf /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Install new SSL cert
sudo -u zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
# Restart Zimbra services
sudo -u zimbra /opt/zimbra/bin/zmcontrol restart
Create cron job to run the script every 3 month
#Create new cron job that runs on the 1st every month at 2am
(crontab -l && echo “0 2 1 * * /bin/sh /root/ssl.sh”) | crontab –