How to install and update Let’s encrypt for Zimbra | Zimbra
June 29, 2021 by Michele Ferron, in Zextras Suite & Zimbra OSE
Using certificates to protect your data and mail traffic is extremely important. In the "Zimbra SSL/TLS Commercial Certificate" article we saw how certificates and the TLS protocols work. In this article we look specifically at how to install and renew a Let's Encrypt certificate on Zimbra.
Let's Encrypt is a CA that issues free X.509 certificates for TLS (HTTPS). Issuance is fully automated through the ACME protocol.
Let’s Encrypt Issuance
We recommend making the Let's Encrypt request on the Zimbra server itself in order to obtain the certificate, the intermediate CA certificate and the private key. The standalone authenticator needs to bind ports 80 and 443, so first stop the Zimbra proxy and mailbox services (as the zimbra user):
zmproxyctl stop
zmmailboxdctl stop
Then download the Let's Encrypt client and change into its directory:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Now run the client with the certonly parameter, so that it only obtains the certificate and leaves the installation to you:
./letsencrypt-auto certonly --standalone
Please note that this wrapper no longer works on Ubuntu and returns the following error: "Skipping bootstrap because certbot-auto is deprecated on this system. Your system is not supported by certbot-auto anymore. Certbot cannot be installed. Please visit Certbot website to check for other alternatives." In that case install certbot from your distribution's packages and run certbot certonly --standalone instead, as in the renewal steps below.
The client starts a temporary web server to answer the ACME HTTP-01 challenge and, on the first run, asks you to accept the terms of service and to provide a contact e-mail address.
If one certificate has to cover several hostnames (a multi-SAN certificate), pass each name with its own -d flag:
./letsencrypt-auto certonly --standalone -d domain.sample.com -d domain2.sample.com
If validation succeeds, the certificate files (cert.pem, chain.pem, fullchain.pem and privkey.pem) are written to /etc/letsencrypt/live/<hostname>/, where <hostname> is the first name you passed with -d.
Now restart the services you stopped and install the signed certificate. zmcertmgr needs the chain to go all the way up to the root CA, so create a file containing the certificates from fullchain1.pem (your certificate plus Let's Encrypt's intermediate) followed by the root CA certificate. The link below is IdenTrust's DST Root CA X3, the root of Let's Encrypt's default chain when this article was written; that root expired on 30 September 2021, so check which root actually signed the last certificate in your chain.pem and append that one if it differs.
root CA: https://www.identrust.com/certificates/trustid/root-download-x3.html
When the file has been created, check the key, the certificate and the chain with the following command:
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem FULL_CHAIN.pem
After that, we recommend that you back up your current certificates and then copy the private key, as "commercial.key", into the "/opt/zimbra/ssl/zimbra/commercial" directory:
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
Install the certificate:
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
Restart the services to verify the deployment:
zmcontrol restart
Renewing certificates
To renew a certificate, follow these steps.
Stop Zimbra so that ports 80 and 443 are free:
/etc/init.d/zimbra stop
Obtain the new certificate with certbot's standalone authenticator, then start the mail server again:
certbot certonly --standalone -d mail.example.com
/etc/init.d/zimbra start
The new files now have to be staged for Zimbra. Copy them into a directory the zimbra user can read (create it first if it does not exist, and replace zimbra86.zimbra.io with the hostname you requested, mail.example.com in the command above):
mkdir -p /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/zimbra86.zimbra.io/* /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt/
The -R matters: privkey.pem is copied readable only by its owner, and the zimbra user must be able to read it for the verification step below.
Append the root CA certificate (the issuer of Let's Encrypt's intermediate) to the end of chain.pem. The chain.pem written by certbot contains only the intermediate, and zmcertmgr needs the chain to reach the root.
If the root is missing, the verification step fails with an error like this one:
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
Depth 1 is the intermediate (here Let's Encrypt Authority X3); the issuer it cannot find is the root.
Check the key and certificates as the zimbra user:
su - zimbra
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
If the verification succeeds, install the updated certificates:
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
To apply the installed certificate, restart all Zimbra services:
/etc/init.d/zimbra restart
That’s all. You’re done!
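The issuance and renewal steps above, assembled into one script together with the checks a practitioner wants before anything is deployed: that the private key belongs to the certificate, that the chain validates up to the root, and, when it does not, which root the last certificate in chain.pem actually needs. This is an added example, not code from the original article, from Zimbra or from certbot. The hostname mail.example.com, the /opt/zimbra/ssl/letsencrypt staging directory, the ROOT_CA file location and the function names are assumptions; the zmcertmgr, zmproxyctl, zmmailboxdctl and certbot commands are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the article, Zimbra or certbot): obtain or renew a Let's Encrypt
# certificate for Zimbra and deploy it only after it passes pre-flight checks.
# Assumptions: MAIL_HOST, WORK_DIR and ROOT_CA below; adjust them for your server.
set -eu

MAIL_HOST="${MAIL_HOST:-mail.example.com}"            # assumed hostname
LIVE_DIR="/etc/letsencrypt/live/$MAIL_HOST"           # certbot's live directory for that name
WORK_DIR="${WORK_DIR:-/opt/zimbra/ssl/letsencrypt}"   # staging directory the zimbra user can read
ROOT_CA="${ROOT_CA:-$WORK_DIR/root.pem}"              # assumption: root CA PEM saved here beforehand
ZIMBRA_SSL=/opt/zimbra/ssl/zimbra

# Count PEM certificate blocks in a file (no openssl needed, so it works offline).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the chain zmcertmgr expects: certbot's chain.pem (the intermediate) followed by the
# root. Without the root, verifycrt reports "unable to get issuer certificate" at depth 1.
# Prints the number of certificates in the resulting file.
build_full_chain() {
    chain="$1"; root="$2"; out="$3"
    cat "$chain" "$root" > "$out"
    pem_cert_count "$out"
}

# Print the issuer of the last certificate in a bundle: that is the root you must append.
last_cert_issuer() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1" |
        openssl x509 -noout -issuer
}

# The private key must belong to the certificate: compare SHA-256 of the DER-encoded public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
    [ "$k" = "$c" ]
}

# The chain must validate up to the root; this is what fails when the root is missing or wrong.
chain_validates() {
    cert="$1"; chain="$2"; root="$3"
    openssl verify -CAfile "$root" -untrusted "$chain" "$cert" > /dev/null
}

main() {
    # 1. Free ports 80/443 for certbot's standalone authenticator, then bring Zimbra back up.
    su - zimbra -c 'zmproxyctl stop; zmmailboxdctl stop'
    certbot certonly --standalone -d "$MAIL_HOST"
    su - zimbra -c 'zmproxyctl start; zmmailboxdctl start'

    # 2. Stage the files where the zimbra user can read them (-L follows the live/ symlinks).
    mkdir -p "$WORK_DIR"
    cp -L "$LIVE_DIR/cert.pem" "$LIVE_DIR/chain.pem" "$LIVE_DIR/privkey.pem" "$WORK_DIR/"
    build_full_chain "$WORK_DIR/chain.pem" "$ROOT_CA" "$WORK_DIR/full_chain.pem" > /dev/null
    chown -R zimbra:zimbra "$WORK_DIR"

    # 3. Refuse to deploy anything that will not verify.
    if ! key_matches_cert "$WORK_DIR/privkey.pem" "$WORK_DIR/cert.pem"; then
        echo "privkey.pem does not match cert.pem" >&2; exit 1
    fi
    if ! chain_validates "$WORK_DIR/cert.pem" "$WORK_DIR/chain.pem" "$ROOT_CA"; then
        echo "chain does not validate; root needed: $(last_cert_issuer "$WORK_DIR/chain.pem")" >&2; exit 1
    fi

    # 4. Back up the current certificates, install the key, then verify and deploy with Zimbra's tool.
    cp -a "$ZIMBRA_SSL" "$ZIMBRA_SSL.$(date +%Y%m%d)"
    cp "$WORK_DIR/privkey.pem" "$ZIMBRA_SSL/commercial/commercial.key"
    chown zimbra:zimbra "$ZIMBRA_SSL/commercial/commercial.key"
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $WORK_DIR/privkey.pem $WORK_DIR/cert.pem $WORK_DIR/full_chain.pem"
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm $WORK_DIR/cert.pem $WORK_DIR/full_chain.pem"
    su - zimbra -c 'zmcontrol restart'
}

# Run the full procedure only when asked (as root); the helper functions can be used on their own.
if [ "${1:-}" = "--deploy" ]; then
    main
fi
```

Run it as root with --deploy. The openssl checks run before zmcertmgr touches anything, so a mismatched key or a chain that does not reach the configured root stops the script and prints the issuer name you need to append; pem_cert_count and build_full_chain use only grep and cat, so they can be tried on any machine without openssl or Zimbra.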
Automation
Those who wish to automate the process of installing new certificates can use a script published on GitHub.
For everything to work, you need to:
- Install the Certbot utility:
yum -y install certbot
- Clone the repository:
git clone https://github.com/penzoiders/zimbra-auto-letsencrypt.git
- Edit the letsencrypt-zimbra.conf file so that it matches your system.
- Go to the folder with the script and run it:
./zimbra-auto-letsencrypt.sh
Please note that the script not only renews the certificate but also restarts the services that need it. Its execution can be fully automated by scheduling it (with cron, for example) at a suitable interval.