How to Install SSL Let’s Encrypt on Zimbra 8

Install Let’s Encrypt SSL on Zimbra 8.8.6, CentOS 7

Let’s Encrypt is a free, automated, open certificate authority that issues valid SSL certificates. It is one option for protecting a Zimbra mail server. The installation steps follow.

hostname: zimbra.saad.web.id

1. Validate and Generate SSL

Stop the Zimbra proxy and mailbox services (as the zimbra user), so that the standalone validator can bind to the web ports

    zmproxyctl stop
    zmmailboxdctl stop

Clone the letsencrypt repository into /opt with git. If git is not installed yet, install it with yum.

    yum install -y git
    cd /opt
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt

Run the following command to request a certificate for a single hostname

    root@zimbra:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone

Run the following command to request a single certificate covering multiple hostnames

    root@zimbra:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone -d apache.example.com -d zmail.example.com

Enter your email address, which is used for notifications and key recovery

    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel): admin@saad.web.id

Type A at the terms of service prompt and press Enter

    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A

Enter the hostname. In this case it is zimbra.saad.web.id

    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): zimbra.saad.web.id

Wait for the validation process to finish, until the following notice appears

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/zimbra.saad.web.id/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/zimbra.saad.web.id/privkey.pem
       Your cert will expire on 2019-05-27. To obtain a new or tweaked
       version of this certificate in the future, simply run
       letsencrypt-auto again. To non-interactively renew *all* of your
       certificates, run "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

The certificate files are located in /etc/letsencrypt/live/zimbra.saad.web.id/

Edit chain.pem with the command

    nano /etc/letsencrypt/live/zimbra.saad.web.id/chain.pem

Append the certificate obtained from https://www.identrust.com/certificates/trustid/root-download-x3.html at the very bottom of the file and save.

2. Verify certificate

Copy all files from /etc/letsencrypt/live/zimbra.saad.web.id into /opt/zimbra/ssl/letsencrypt

    root@zimbra:~# mkdir /opt/zimbra/ssl/letsencrypt
    root@zimbra:~# cp /etc/letsencrypt/live/zimbra.saad.web.id/* /opt/zimbra/ssl/letsencrypt/
    root@zimbra:~# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    root@zimbra:~# ls -la /opt/zimbra/ssl/letsencrypt/
    total 24
    drwxr-xr-x 2 root   root   4096 Jul 15 22:59 .
    drwxr-xr-x 8 zimbra zimbra 4096 Jul 15 22:59 ..
    -rw-r--r-- 1 zimbra zimbra 1809 Jul 15 22:59 cert.pem
    -rw-r--r-- 1 zimbra zimbra 2847 Jul 15 22:59 chain.pem
    -rw-r--r-- 1 zimbra zimbra 3456 Jul 15 22:59 fullchain.pem
    -rw-r--r-- 1 zimbra zimbra 1704 Jul 15 22:59 privkey.pem

Change to the /opt/zimbra/ssl/letsencrypt folder and run the following command to verify the SSL certificate (as the zimbra user)

    cd /opt/zimbra/ssl/letsencrypt
    /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

If verification succeeds, output like the following appears

    zimbra@zimbra:/opt/zimbra/ssl/letsencrypt/# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
    ** Verifying cert.pem against privkey.pem
    Certificate (cert.pem) and private key (privkey.pem) match.
    Valid Certificate: cert.pem: OK
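
An independent cross-check of the staged files, added here as an example (it is not part of the original article or of Zimbra): the function uses openssl to confirm that cert.pem matches privkey.pem and verifies against chain.pem, then checks remaining validity and the private key's file mode, which the directory listing above shows as readable by every local user (-rw-r--r--). The temporary CA and certificate are constructed sample data; the 30-day threshold, the 600/400 mode expectation and GNU stat are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pre-deploy checks on the staged
# files. Assumes openssl and GNU stat. Returns 0 only if every check passes.
check_bundle() {
  local dir=$1 rc=0 cert_pub key_pub mode
  # 1. The certificate's public key must be the one derived from privkey.pem.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo "OK   key matches cert"
  else echo "FAIL key does not match cert"; rc=1; fi
  # 2. cert.pem must verify against the CA certificates in chain.pem.
  if openssl verify -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1
  then echo "OK   chain verifies"
  else echo "FAIL chain incomplete or wrong"; rc=1; fi
  # 3. The certificate must stay valid for at least 30 more days.
  if openssl x509 -in "$dir/cert.pem" -noout -checkend $((30*86400)) >/dev/null
  then echo "OK   not expiring within 30 days"
  else echo "FAIL expires within 30 days"; rc=1; fi
  # 4. The private key must not be readable by group or other.
  mode=$(stat -c %a "$dir/privkey.pem")
  case $mode in
    ?00) echo "OK   privkey.pem mode $mode" ;;
    *)   echo "FAIL privkey.pem mode $mode (expected 600 or 400)"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: a throwaway CA and leaf in a temp dir stand in for
# /opt/zimbra/ssl/letsencrypt so the function can be exercised offline.
make_sample() {
  local d; d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Sample Root" \
    -keyout "$d/ca.key" -out "$d/chain.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -out "$d/cert.pem" >/dev/null 2>&1
  chmod 600 "$d/privkey.pem"
  echo "$d"
}

sample=$(make_sample)
check_bundle "$sample"   # on the server: check_bundle /opt/zimbra/ssl/letsencrypt
rm -rf "$sample"
```

Run against the directory from the listing above, check 4 reports FAIL until the key is restricted, for example with chmod 600 on privkey.pem while it stays owned by zimbra.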

3. Deploy SSL

First back up the Zimbra ssl folder with the following command:

    cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Copy the private key to the commercial key with the following command

    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

Deploy the SSL certificate with the following command

    /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Restart Zimbra

    zmcontrol restart
