CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra


Listen on port 80 with forced HTTPS redirection

To configure Zimbra to listen on port 80 for forced HTTPS redirection use:

    Configure forced HTTPS redirection

            su - zimbra

            ~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https  -H `zmhostname`

            zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect

            Note that the earlier method of simply running 'zmtlsctl redirect' is no longer available in recent versions,
            hence the steps above are required.

Refer:

    https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/
SSL certificate setup

To set up Let's Encrypt SSL certificates use:

    First stop web and mailbox services as *zimbra user*:

            zmproxyctl stop

            zmmailboxdctl stop

    Download the letsencrypt GitHub package *as root user*:

            yum -y install git epel-release

            git clone https://github.com/letsencrypt/letsencrypt

            cd letsencrypt

    Get Let's Encrypt certificates for the domains using:

            ./letsencrypt-auto certonly --standalone -d mail.zimbra.ycit.co.kr -d zimbra.ycit.co.kr -d mail.ycit.co.kr

            On various prompts use:

        Emergency email - admini@ycit.co.kr
        
        Agree/Cancel - A
        
        Yes/No - Y

            The important file locations are:

            /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/fullchain.pem

            /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/privkey.pem

    Download the root and intermediate certificates from https://letsencrypt.org/certificates/, for example:

            cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/

            wget https://letsencrypt.org/certs/isrgrootx1.pem.txt

            wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt


    To give Zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:

            cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/

            cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem


            mkdir /opt/zimbra/ssl/letsencrypt

            cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/

            chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

            ls -la /opt/zimbra/ssl/letsencrypt/

    Install certificates *as zimbra* user:

            cd /opt/zimbra/ssl/letsencrypt/

            /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem

            #If above validation succeeds

            cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

            /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem

            zmcontrol restart

    Recently the above validations have started to fail with the following error (fix submitted by Dmitry Gusakov):

            [zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem

            ** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

            Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

            ** Verifying 'cert.pem' against 'combined.pem'

            ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.ycit.co.kr

            error 20 at 0 depth lookup:unable to get local issuer certificate

            #OR

            [zimbra@mail letsencrypt]$     /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem

            ** Verifying 'cert.pem' against 'privkey.pem'

            Certificate 'cert.pem' and private key 'privkey.pem' match.

            ** Verifying 'cert.pem' against 'combined.pem'

            ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = R3

            error 2 at 1 depth lookup:unable to get issuer certificate

        In case of the above, you can solve it by modifying the steps that generate combined.pem to:

                cd /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/

                wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

                cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem

                cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/

                chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

            After this, try the verifycrt step again; this time it should work.
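Both failures above come down to the same thing: combined.pem does not contain the CA that signed cert.pem, so OpenSSL cannot build a chain from the leaf to a trusted root. The bash script below is an added example (not from this page, and not Zimbra's or certbot's code) that reproduces and diagnoses this before zmcertmgr is involved. It builds a throwaway root/intermediate/leaf hierarchy with openssl, then checks the leaf against two candidate bundles: one holding an intermediate that did not sign the leaf (the stale "X3" situation) fails with the same "unable to get local issuer certificate" error, and one holding the issuing intermediate passes. The CA names, mail.example.test and the temp-dir layout are constructed for the demo; check_chain itself takes any real cert.pem and combined.pem.

```bash
#!/usr/bin/env bash
# Added example, not from the original page or from Zimbra: reproduce and
# diagnose "unable to get local issuer certificate" before running zmcertmgr.
# A leaf certificate verifies against combined.pem only if the CA that signed
# it (Let's Encrypt R3 for the certificates above) is in that bundle; a stale
# intermediate (the old Authority X3) in its place gives exactly that error.
# The PKI below is a throwaway demo in a temp dir; "Demo Root", "Demo r3",
# "Demo x3" and mail.example.test are constructed names.

# check_chain LEAF BUNDLE
# Returns 0 when LEAF verifies against BUNDLE (root + intermediates, the role
# combined.pem plays for Zimbra). On failure it prints the leaf's issuer and
# every subject in the bundle so the missing CA stands out.
check_chain() {
  local leaf=$1 bundle=$2
  if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "OK: $leaf verifies against $bundle"
    return 0
  fi
  echo "FAIL: $leaf does not verify against $bundle"
  echo "  leaf issuer : $(openssl x509 -in "$leaf" -noout -issuer)"
  echo "  bundle holds:"
  openssl crl2pkcs7 -nocrl -certfile "$bundle" \
    | openssl pkcs7 -print_certs -noout | sed -n 's/^subject=/    /p'
  return 1
}

# make_demo_pki DIR
# Creates root.pem, r3.pem (the intermediate that signs the leaf), x3.pem
# (an unrelated intermediate standing in for the expired X3), leaf.pem, and
# two bundles: combined-stale.pem (root + x3) and combined-fixed.pem (root + r3).
make_demo_pki() {
  local d=$1
  local ec="ec -pkeyopt ec_paramgen_curve:prime256v1"   # fast P-256 keys
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  # Self-signed root with explicit CA extensions (independent of openssl.cnf)
  openssl req -newkey $ec -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/CN=Demo Root" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" \
    -days 30 -extfile "$d/ca.ext" 2>/dev/null
  # Two intermediates issued by the root; only r3 will sign the leaf
  for name in r3 x3; do
    openssl req -newkey $ec -nodes -keyout "$d/$name.key" -out "$d/$name.csr" \
      -subj "/CN=Demo $name" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -out "$d/$name.pem" -days 30 -extfile "$d/ca.ext" 2>/dev/null
  done
  # Leaf (server) certificate issued by r3
  openssl req -newkey $ec -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/r3.pem" -CAkey "$d/r3.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 30 -extfile "$d/leaf.ext" 2>/dev/null
  cat "$d/root.pem" "$d/x3.pem" > "$d/combined-stale.pem"
  cat "$d/root.pem" "$d/r3.pem" > "$d/combined-fixed.pem"
}

# demo: builds the PKI and returns 0 only if the stale bundle is rejected
# and the fixed bundle is accepted, mirroring the failure and fix above.
demo() {
  local d stale fixed
  d=$(mktemp -d)
  make_demo_pki "$d"
  if check_chain "$d/leaf.pem" "$d/combined-stale.pem"; then stale=ok; else stale=fail; fi
  if check_chain "$d/leaf.pem" "$d/combined-fixed.pem"; then fixed=ok; else fixed=fail; fi
  rm -rf "$d"
  [ "$stale" = fail ] && [ "$fixed" = ok ]
}

demo
```

On a real server, run check_chain as the zimbra user from /opt/zimbra/ssl/letsencrypt/ with cert.pem and combined.pem: the CN printed on the "leaf issuer" line must appear among the subjects listed for the bundle, otherwise zmcertmgr verifycrt will fail the same way. The `error 2 at 1 depth` variant above is the same problem one level up: the intermediate is present but the root that signed it is not.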

    Open https://mail.zimbra.sbarjatiya.com:7071/zimbraAdmin/ and verify that the certificate, along with the root "ISRG Root X1" and the
    intermediate "Let's Encrypt Authority X3", is coming up properly.
    Test certificates using:

            openssl s_client -starttls smtp -connect zimbra.ycit.co.kr:25 -showcerts

            openssl s_client -connect zimbra.ycit.co.kr:465 -showcerts

            openssl s_client -connect zimbra.ycit.co.kr:443 -showcerts

            openssl s_client -connect zimbra.ycit.co.kr:993 -showcerts

            openssl s_client -starttls imap -connect zimbra.ycit.co.kr:143 -showcerts

    You can also test the certificate setup using https://www.ssllabs.com/ssltest/. If the old Let's Encrypt root / intermediate expire, Zimbra might open properly in a few browsers (or in incognito mode) while giving an error in other modes. Such issues can be identified with the SSL Labs test. They can then be fixed by re-downloading the Let's Encrypt certificates from https://letsencrypt.org/certificates/. After re-downloading the updated certificates you need to do:

            cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem

            cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/

            chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

        Follow this with the zmcertmgr verifycrt and deploycrt steps.


Refer:

    https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate



SSL certificate renewal configuration via crontab

This auto-renewal assumes that the chain (root and intermediate) remains the same.

    Create /root/renew-certificate.sh with:

            #!/bin/bash
            # Stop Zimbra first: letsencrypt-auto's standalone mode needs port 80 free.
            su - zimbra -c "zmcontrol stop"

            /root/letsencrypt/letsencrypt-auto renew

            # Copy the renewed key and certificate where the zimbra user can read them
            cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/privkey.pem /opt/zimbra/ssl/letsencrypt/

            cp /etc/letsencrypt/live/mail.zimbra.ycit.co.kr/cert.pem /opt/zimbra/ssl/letsencrypt/

            cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

            chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

            # Deploy against the existing combined.pem (chain assumed unchanged, see above)
            su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"

            su - zimbra -c "zmcontrol start"

    chmod +x /root/renew-certificate.sh
    Then, in the root user's crontab (crontab -e), add:

            10 5 * * 0 /root/renew-certificate.sh

            where, instead of 10 and 5, you should use a random value between 5 and 55 for the minutes (first number) and a random value between 1 and 5 for the hour (second number)
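The renewal script above redeploys every week even when letsencrypt-auto renew changed nothing (it only re-issues near expiry), deploys without the verifycrt check used during the initial setup, and starts Zimbra again only if every earlier command succeeded. The bash script below is an added example (not the page's renew-certificate.sh and not Zimbra's code): it compares SHA-256 fingerprints of the live and deployed cert.pem so zmcertmgr runs only after an actual renewal, runs verifycrt before deploycrt, and always brings Zimbra back up. The Let's Encrypt and Zimbra paths are the ones this page uses; make_demo_certs and mail.example.test are constructed for the self-test, and the Zimbra steps run only when the script is invoked with the argument renew.

```bash
#!/usr/bin/env bash
# Added example, not the page's renew-certificate.sh: redeploy in Zimbra only
# when "letsencrypt-auto renew" actually produced a new certificate, verify it
# before deploying, and start Zimbra again even if a step fails.
# Paths are the ones used on this page. The self-test at the bottom works on
# constructed self-signed certificates in a temp dir and never touches Zimbra;
# the Zimbra steps run only when invoked as: renew-certificate.sh renew

LIVE_DIR=/etc/letsencrypt/live/mail.zimbra.ycit.co.kr
ZIMBRA_DIR=/opt/zimbra/ssl/letsencrypt

# fingerprint CERT : SHA-256 fingerprint of a PEM certificate
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_changed NEW DEPLOYED : 0 if NEW differs from DEPLOYED (or nothing has
# been deployed yet), 1 if both files hold the same certificate
cert_changed() {
  local new=$1 deployed=$2
  [ -f "$deployed" ] || return 0
  [ "$(fingerprint "$new")" != "$(fingerprint "$deployed")" ]
}

# deploy_to_zimbra : the page's copy steps, then verifycrt before deploycrt
# (combined.pem is assumed present and unchanged, as the page states)
deploy_to_zimbra() {
  cp "$LIVE_DIR/privkey.pem" "$LIVE_DIR/cert.pem" "$ZIMBRA_DIR/"
  cp "$ZIMBRA_DIR/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  chown zimbra:zimbra "$ZIMBRA_DIR"/*
  su - zimbra -c "cd $ZIMBRA_DIR && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
}

# renew_certificate : stop Zimbra (standalone renewal needs port 80), renew,
# deploy only on change, and always bring Zimbra back up; returns the first
# failure's exit status
renew_certificate() {
  local rc=0
  su - zimbra -c "zmcontrol stop"
  /root/letsencrypt/letsencrypt-auto renew || rc=$?
  if [ "$rc" -eq 0 ] && cert_changed "$LIVE_DIR/cert.pem" "$ZIMBRA_DIR/cert.pem"; then
    deploy_to_zimbra || rc=$?
  elif [ "$rc" -eq 0 ]; then
    echo "certificate unchanged, nothing to deploy"
  fi
  su - zimbra -c "zmcontrol start"
  return "$rc"
}

# make_demo_certs DIR : two different self-signed certs plus a copy of the
# first, used only to exercise cert_changed (constructed test data)
make_demo_certs() {
  local d=$1
  mkdir -p "$d"
  for n in a b; do
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$d/$n.key" -out "$d/$n.pem" -subj "/CN=mail.example.test" -days 30 2>/dev/null
  done
  cp "$d/a.pem" "$d/a-copy.pem"
}

# self_test : returns 0 when cert_changed behaves as documented
self_test() {
  local d ok=1
  d=$(mktemp -d)
  make_demo_certs "$d"
  cert_changed "$d/a.pem" "$d/b.pem" &&          # different cert -> changed
    cert_changed "$d/a.pem" "$d/none.pem" &&     # nothing deployed -> changed
    ! cert_changed "$d/a.pem" "$d/a-copy.pem" && ok=0   # same cert -> unchanged
  rm -rf "$d"
  return "$ok"
}

if [ "${1:-}" = "renew" ]; then
  renew_certificate
else
  self_test && echo "self-test passed"
fi
```

Installed as /root/renew-certificate.sh, the crontab line becomes `10 5 * * 0 /root/renew-certificate.sh renew`. The stop/start still happens on every run because standalone renewal must own port 80; certbot's --pre-hook and --post-hook, which renew executes only when a certificate is actually renewed, are the way to confine that outage to real renewals as well.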


