CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra
Listen on port 80 with forced HTTPS redirection
To configure Zimbra to listen on port 80 for forced HTTPS redirection use:
Configure forced HTTPS redirection
su - zimbra
~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
Note that the earlier method of simply using 'zmtlsctl redirect' is no longer available in the latest versions.
Hence the above steps are required.
Refer:
https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/
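As an added example (not from the wiki page or from Zimbra), the following script checks that port 80 really answers with a redirect to an https:// URL once the zmproxyconfig change above is in place. The header parser is exercised on constructed responses, and check_http_redirect() runs the live request with curl against a host you name; mail.example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify the forced HTTPS redirect.
# https_redirect_target() parses HTTP response headers; check_http_redirect()
# performs the live HEAD request with curl.

# Read HTTP response headers on stdin; print the Location URL when the status
# is a redirect (301/302/307/308) and that URL starts with https://, else print
# nothing. A redirect to plain http:// therefore counts as a failure too.
https_redirect_target() {
  tr -d '\r' | awk '
    NR == 1 && $2 !~ /^30[1278]$/ { exit }      # status line: HTTP/1.1 <code> ...
    tolower($1) == "location:" && $2 ~ /^https:\/\// { print $2; exit }
  '
}

# Live check: HEAD request to http://HOST/ (no TLS involved, nothing verified
# about the certificate here; that is what the openssl s_client tests are for).
check_http_redirect() {
  host="$1"
  target="$(curl -sS -I --max-time 10 "http://$host/" | https_redirect_target)"
  if [ -n "$target" ]; then
    echo "OK: http://$host/ -> $target"
  else
    echo "FAIL: http://$host/ did not redirect to https"
    return 1
  fi
}

# Constructed responses (not captured from a real Zimbra server).
GOOD_RESPONSE='HTTP/1.1 302 Found
Location: https://mail.example.test/
Content-Length: 0
'
BAD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
'
printf '%s' "$GOOD_RESPONSE" | https_redirect_target   # prints https://mail.example.test/
printf '%s' "$BAD_RESPONSE"  | https_redirect_target   # prints nothing
# Live use: check_http_redirect mail.example.test
```

A 200 on port 80 means the proxy is serving the webmail login over plain HTTP; a 30x to an http:// URL means the redirect loops or downgrades. Both are reported as FAIL.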
SSL certificate setup
To set up Let's Encrypt SSL certificates use:
First stop the web and mailbox services as *zimbra user*:
zmproxyctl stop
zmmailboxdctl stop
Download the letsencrypt GitHub package as *root user*:
yum -y install git epel-release
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Get Let's Encrypt certificates for the domains using:
./letsencrypt-auto certonly --standalone -d mail.zimbra.ycit.co.kr -d zimbra.ycit.co.kr -d mail.ycit.co.kr
At the various prompts use:
Emergency email - admini@ycit.co.kr
Agree/Cancel - A
Yes/No - Y
The important file locations are:
/etc/letsencrypt/live/mail.zimbra.ycit.co.kr/fullchain.pem
/etc/letsencrypt/live/mail.zimbra.ycit.co.kr/privkey.pem
Download the root and intermediate certificates from https://letsencrypt.org/certificates/. Example:
cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
To give zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/
cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
Install the certificates *as zimbra* user:
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
#If the above validation succeeds
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
zmcontrol restart
Recently the above validations have started to fail with the following error (fix submitted by Dmitry Gusakov):
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'combined.pem'
ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.ycit.co.kr
error 20 at 0 depth lookup:unable to get local issuer certificate
#OR
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'combined.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup:unable to get issuer certificate
In case of the above, you can solve it by modifying the steps that generate combined.pem to:
cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem
cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
After this try the verifycrt step again and this time it should work.
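As an added example (not from the wiki page, and not Zimbra's own code), the script below builds a throwaway root, intermediate and leaf certificate chain with openssl in a temporary directory and runs the plain openssl verify equivalent of the "Verifying 'cert.pem' against 'combined.pem'" step. It reproduces both errors quoted above: a combined.pem that lacks the intermediate fails with error 20 at depth 0 ("unable to get local issuer certificate"), and one that lacks the root fails with error 2 at depth 1 ("unable to get issuer certificate"). The subject names (Toy Root, mail.example.test), the file names and the minimal openssl.cnf are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: reproduce the two chain-validation
# errors with a constructed PKI and show the check behind them. Everything is
# written to a temp directory; no real CA or Zimbra install is touched.
set -e
WORK="$(mktemp -d)"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF

# issue NAME SUBJECT ISSUER EXTSECTION: create a key + CSR for NAME and sign it
# with ISSUER's key, applying the named extension section.
issue() {
  name="$1" subj="$2" issuer="$3" ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -config "$WORK/openssl.cnf" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
}

make_toy_pki() {
  # Self-signed root.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Toy Root" \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  issue int  "/CN=Toy Intermediate"  root ca_ext
  issue leaf "/CN=mail.example.test" int  leaf_ext
  # Three candidate "combined.pem" files: the right one and the two broken ones.
  cat "$WORK/root.pem"                 > "$WORK/root-only.pem"
  cat "$WORK/int.pem"                  > "$WORK/int-only.pem"
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/combined.pem"
}

# verify_chain CERT CHAIN: 0 when CERT chains up to a root contained in CHAIN.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# chain_error CERT CHAIN: print "<error code> <depth>" from a failed
# verification (the numbers in "error N at D depth lookup"), nothing on success.
chain_error() {
  openssl verify -CAfile "$2" "$1" 2>&1 |
    sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1 \2/p' | head -n 1
}

make_toy_pki
echo "root+intermediate: $(chain_error "$WORK/leaf.pem" "$WORK/combined.pem")"   # empty: OK
echo "root only:         $(chain_error "$WORK/leaf.pem" "$WORK/root-only.pem")"  # 20 0
echo "intermediate only: $(chain_error "$WORK/leaf.pem" "$WORK/int-only.pem")"   # 2 1
```

To apply the same check to the real files before running zmcertmgr, run openssl verify -CAfile combined.pem cert.pem inside /opt/zimbra/ssl/letsencrypt/: "error 20 at 0 depth" means the intermediate that actually signed cert.pem (R3 in the error quoted above) is missing from combined.pem, "error 2 at 1 depth" means the intermediate is there but the root it chains to is not.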
Open https://mail.zimbra.sbarjatiya.com:7071/zimbraAdmin/ and verify that the certificate, along with the root "ISRG Root X1" and the intermediate "Let's Encrypt Authority X3", is coming up properly.
Test the certificates using:
openssl s_client -starttls smtp -connect zimbra.ycit.co.kr:25 -showcerts
openssl s_client -connect zimbra.ycit.co.kr:465 -showcerts
openssl s_client -connect zimbra.ycit.co.kr:443 -showcerts
openssl s_client -connect zimbra.ycit.co.kr:993 -showcerts
openssl s_client -starttls imap -connect zimbra.ycit.co.kr:143 -showcerts
You can also test the certificate setup using https://www.ssllabs.com/ssltest/. If the old Let's Encrypt root / intermediate expires, then Zimbra might open properly in a few browsers (or in incognito mode) while giving an error in other modes. Such issues can be determined using the SSL Labs test. They can then be fixed by re-downloading the Let's Encrypt certificates from https://letsencrypt.org/certificates/.
After re-downloading the updated certificates you need to do:
cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
Follow this with the zmcertmgr verifycrt and deploycrt steps.
Refer:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
SSL certificate renewal configuration via crontab
This auto-renewal assumes that the chain (root and intermediate) remains the same.
Create /root/renew-certificate.sh with:
su - zimbra -c "zmcontrol stop"
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
su - zimbra -c "zmcontrol start"
chmod +x /root/renew-certificate.sh
For the root user crontab (crontab -e) add:
10 5 * * 0 /root/renew-certificate.sh
where instead of 10 and 5 you use a random value between 5 and 55 for the minutes (first number) and a random value between 1 and 5 for the hour (second number).
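As an added example (not the wiki's own /root/renew-certificate.sh), here is the same renewal flow with three guards a defender would want: the script stops on the first failed command and restarts Zimbra even if the renewal fails, it only takes Zimbra down when the certificate is actually within certbot's default 30-day renewal window (letsencrypt-auto renew does nothing before that), and it installs the private key with mode 0600 rather than a plain cp, which keeps whatever mode the target already has. The Zimbra paths are the ones used on this page; the domain directory, the --run switch and the cron line are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the page's own script: guarded Let's Encrypt renewal for
# Zimbra. Run from root's crontab as:  10 5 * * 0 /root/renew-certificate.sh --run
set -eu

LE_LIVE="/etc/letsencrypt/live/mail.zimbra.ycit.co.kr"   # the page's domain directory
ZM_LE="/opt/zimbra/ssl/letsencrypt"
ZM_KEY="/opt/zimbra/ssl/zimbra/commercial/commercial.key"

# cert_changed NEW OLD: true when NEW differs from OLD or OLD does not exist yet,
# so deploycrt and the extra restart only happen after a real renewal.
cert_changed() {
  new="$1" old="$2"
  [ ! -f "$old" ] || ! cmp -s "$new" "$old"
}

# install_key SRC DST [OWNER]: write the private key as a fresh 0600 file.
# `install` creates the destination with the given mode; a plain cp over an
# existing file keeps that file's mode, whatever it happens to be.
install_key() {
  src="$1" dst="$2" owner="${3:-}"
  if [ -n "$owner" ]; then
    install -m 0600 -o "$owner" -g "$owner" "$src" "$dst"
  else
    install -m 0600 "$src" "$dst"
  fi
}

# expires_within_days CERT DAYS: true when CERT expires within DAYS days.
# (openssl -checkend exits 0 when the certificate will still be valid.)
expires_within_days() {
  ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

renew_and_deploy() {
  # certbot/letsencrypt-auto only renews with <= 30 days left, so do not stop
  # Zimbra (needed to free port 80 for --standalone) on the other weeks.
  if ! expires_within_days "$LE_LIVE/cert.pem" 30; then
    echo "certificate not due for renewal; nothing to do"
    return 0
  fi
  su - zimbra -c "zmcontrol stop"
  # Bring Zimbra back up even if a later step fails.
  trap 'su - zimbra -c "zmcontrol start"' EXIT
  /root/letsencrypt/letsencrypt-auto renew
  if cert_changed "$LE_LIVE/cert.pem" "$ZM_LE/cert.pem"; then
    cp "$LE_LIVE/cert.pem" "$ZM_LE/cert.pem"
    chown zimbra:zimbra "$ZM_LE/cert.pem"
    install_key "$LE_LIVE/privkey.pem" "$ZM_LE/privkey.pem" zimbra
    install_key "$LE_LIVE/privkey.pem" "$ZM_KEY" zimbra
    # Same verify-then-deploy sequence as the manual steps on this page.
    su - zimbra -c "cd $ZM_LE && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem"
    su - zimbra -c "cd $ZM_LE && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
  else
    echo "certificate unchanged after renew; skipping deploycrt"
  fi
}

# The real flow needs root and a Zimbra install; only start it when asked.
if [ "${1:-}" = "--run" ]; then
  renew_and_deploy
fi
```

The chain assumption from the section above still holds: combined.pem is not refreshed by this script, so when the root or intermediate changes, regenerate it by hand as described before the next renewal.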