CentOS 7.x Install Let's Encrypt automated SSL certificate in Zimbra (company mail SSL certificate)
SSL certificate setup
To set up Let's Encrypt SSL certificates for Zimbra:

First stop the web proxy and mailbox services as the *zimbra user*, so that certbot's standalone mode can bind the web ports for the ACME challenge:
zmproxyctl stop

zmmailboxdctl stop
Download the letsencrypt GitHub package as the *root user* (note: certbot-auto is no longer maintained by the certbot project; on CentOS 7 the certbot package from EPEL provides the same certonly --standalone command, and the rest of this page applies unchanged):
yum -y install git epel-release

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt
Get Let's Encrypt certificates for the domain. Every name given with -d must resolve to this server, because the ACME challenge is answered here:
./certbot-auto certonly --standalone -d mail.ycit.co.kr -d ycit.co.kr
On the various prompts use:
Emergency email - mc_05@eycit.co.kr
Agree/Cancel - A
Yes/No - Y
The important file locations are:
/etc/letsencrypt/live/mail.ycit.co.kr/fullchain.pem
/etc/letsencrypt/live/mail.ycit.co.kr/privkey.pem
Download the root and intermediate certificates from https://letsencrypt.org/certificates/ (the files below were current when this page was written; the "Let's Encrypt Authority X3" intermediate has since been replaced by R3, see the fix further down). Example:

cd /etc/letsencrypt/live/mail.ycit.co.kr/

wget https://letsencrypt.org/certs/isrgrootx1.pem.txt

wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
To give Zimbra access to the certificates, build the CA chain file and copy everything to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.ycit.co.kr/

cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem

mkdir /opt/zimbra/ssl/letsencrypt

cp /etc/letsencrypt/live/mail.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

ls -la /opt/zimbra/ssl/letsencrypt/
Confirm from the listing that every file is owned by zimbra and that privkey.pem is readable only by that user; it is the private key the mail server will use.
Install the certificates *as the zimbra user*:
cd /opt/zimbra/ssl/letsencrypt/

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem


# If the above validation succeeds

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem


zmcontrol restart
Recently the above validations have started to fail with one of the following errors (fix submitted by Dmitry Gusakov):
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem

** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

** Verifying 'cert.pem' against 'combined.pem'

ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.sbarjatiya.com

error 20 at 0 depth lookup:unable to get local issuer certificate


#OR


[zimbra@mail letsencrypt]$     /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem

** Verifying 'cert.pem' against 'privkey.pem'

Certificate 'cert.pem' and private key 'privkey.pem' match.

** Verifying 'cert.pem' against 'combined.pem'

ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = R3

error 2 at 1 depth lookup:unable to get issuer certificate
In either case the cause is that combined.pem does not contain the issuer of the certificate named in the error (the "depth" tells you which certificate in the chain has no issuer). Solve it by modifying the steps that generate combined.pem to use the current R3 intermediate:
cd /etc/letsencrypt/live/mail.ycit.co.kr/

wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem

cp /etc/letsencrypt/live/mail.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
After this, try the verifycrt step again; this time it should pass, and you can continue with the deploycrt and zmcontrol restart steps.
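Before changing Zimbra it helps to see what zmcertmgr verifycrt is actually checking. The following is an added example, not code from this page, from Zimbra or from certbot: a POSIX shell script that builds a throw-away root/intermediate/leaf PKI with openssl in a temp directory and runs openssl verify against three candidate combined.pem files. A bundle holding only the root reproduces "error 20 at 0 depth" (the leaf's issuer is missing, the first failure shown above); a bundle holding only the intermediate reproduces "error 2 at 1 depth" (the intermediate is present but its root is not, the second failure above); intermediate plus root passes. The CN values, file names and the mail.example.test hostname are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page, Zimbra or certbot): reproduce the
# chain check behind "zmcertmgr verifycrt" with plain openssl.  A throw-away
# root -> intermediate -> leaf PKI is generated in a temp directory; no Let's
# Encrypt material is touched.  Names below are invented for the demo.
set -u

# Build root -> intermediate -> leaf in directory $1.  The leaf stands in for
# certbot's cert.pem/privkey.pem, the intermediate for R3, the root for
# ISRG Root X1.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/cert.pem" >/dev/null 2>&1
}

# Verify certificate $1 against CA bundle $2 exactly as verifycrt does
# (openssl verify -CAfile) and print "OK" or the "error N at D depth" part of
# openssl's message.  The depth names the certificate whose issuer is missing.
chain_status() {
    if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" |
            sed -n 's/.*\(error [0-9][0-9]* at [0-9][0-9]* depth\).*/\1/p' | head -n 1
    fi
}

# Succeed when private key $2 belongs to certificate $1 (the other verifycrt check):
# the public key extracted from the certificate must equal the key's public half.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Three candidate bundles, mirroring the page: root only (the leaf's issuer is
# absent), intermediate only (its root is absent), and the working combination.
demo() {
    w=$(mktemp -d)
    make_test_pki "$w"
    cp "$w/root.pem" "$w/root-only.pem"
    cp "$w/int.pem" "$w/int-only.pem"
    cat "$w/int.pem" "$w/root.pem" > "$w/combined.pem"
    for b in root-only int-only combined; do
        printf '%-10s %s\n' "$b" "$(chain_status "$w/cert.pem" "$w/$b.pem")"
    done
    key_matches_cert "$w/cert.pem" "$w/privkey.pem" && echo "cert.pem and privkey.pem match"
    rm -rf "$w"
}

demo
```

Run chain_status on the real files (cert.pem against combined.pem) before calling zmcertmgr: the depth in the error is the position in the chain of the certificate whose issuer could not be found, so add that issuer to combined.pem instead of guessing. For this check the order of certificates inside the bundle does not matter; openssl verify treats every certificate in -CAfile as a trust anchor candidate.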
Open https://mail.ycit.co.kr:7071/zimbraAdmin/ and verify that the certificate is presented together with the root "ISRG Root X1" and the intermediate ("Let's Encrypt Authority X3" with the original chain, "R3" with the updated one).
Test the certificates on every service that Zimbra exposes (web, admin console, SMTP, IMAP and IMAPS) using:
openssl s_client -starttls smtp -connect mail.ycit.co.kr:25 -showcerts

openssl s_client -connect mail.ycit.co.kr:7071 -showcerts

openssl s_client -connect mail.ycit.co.kr:443 -showcerts

openssl s_client -connect mail.ycit.co.kr:993 -showcerts

openssl s_client -starttls imap -connect mail.ycit.co.kr:143 -showcerts

You can also test the certificate setup using https://www.ssllabs.com/ssltest/ . If the old Let's Encrypt root or intermediate expires, Zimbra may still open without complaint in a few browsers (or in incognito mode) that have a current intermediate cached, while other clients report an error because they only see the expired chain the server sends. The SSL Labs test shows the chain exactly as served, so such issues can be pinned down there. They are fixed by re-downloading the current Let's Encrypt root and intermediate certificates from https://letsencrypt.org/certificates/ and rebuilding combined.pem:
cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem

cp /etc/letsencrypt/live/mail.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
Follow this with the zmcertmgr verifycrt and deploycrt steps as the zimbra user, then restart Zimbra with zmcontrol restart.

Refer:

https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Listen on port 80 with forced HTTPS redirection
To configure Zimbra to listen on port 80 and redirect every plain-HTTP request to HTTPS use:

Configure forced HTTPS redirection
su - zimbra

~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H mail.ycit.co.kr

zmprov ms mail.ycit.co.kr zimbraReverseProxyMailMode redirect
Then restart Zimbra (zmcontrol restart) so the proxy picks up the new port mapping. The hostname is passed as-is; do not wrap it in backticks, which the shell would treat as a command to execute.
Note that the earlier method of simply running 'zmtlsctl redirect' is no longer available in the latest versions, hence the steps above are required.
Refer:

Zimbra: Redirect http to https
SSL certificate renewal configuration via crontab
This auto-renewal assumes that the chain (root and intermediate) remains the same; if Let's Encrypt changes its intermediate, rebuild combined.pem as described above before the next renewal. The /root/letsencrypt path assumes the git clone above was done from /root (the repository ships letsencrypt-auto as an alias of certbot-auto). Create /root/renew-certificate.sh with:

su - zimbra -c "zmcontrol stop"

/root/letsencrypt/letsencrypt-auto renew

cp /etc/letsencrypt/live/mail.ycit.co.kr/privkey.pem /opt/zimbra/ssl/letsencrypt/

cp /etc/letsencrypt/live/mail.ycit.co.kr/cert.pem /opt/zimbra/ssl/letsencrypt/

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"

su - zimbra -c "zmcontrol start"

Make it executable:

chmod +x /root/renew-certificate.sh

For the root user's crontab (crontab -e) add:

10 5 * * 0 /root/renew-certificate.sh

where instead of 10 and 5 you use a random value between 5 and 55 for the minutes (first number) and a random value between 1 and 5 for the hour (second number), so that renewals are spread out. Be aware that this script stops all Zimbra services every Sunday even though certbot only renews a certificate that is within 30 days of expiry, and that it redeploys whatever is in /etc/letsencrypt without verifying it first.
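The script above takes the whole mail server down once a week whether or not anything was renewed. The following is an added example, not the page's script and not Zimbra's or certbot's code: a replacement renew-certificate.sh for the same paths and domain that frees the web ports only while certbot runs (via certbot's standard --pre-hook and --post-hook options), stops Zimbra and deploys only when the certificate under /etc/letsencrypt actually differs from the one already in /opt/zimbra/ssl/letsencrypt, and refuses to deploy a certificate that does not verify against combined.pem. The certbot path assumes the git clone was done from /root, as the page's script does; the DOMAIN variable defaults to the page's hostname. Invoke it from cron as "/root/renew-certificate.sh run".

```shell
#!/bin/sh
# Added example, not the page's own script: renew with certbot, then deploy to
# Zimbra only if a new certificate appeared and it passes the same checks that
# "zmcertmgr verifycrt" performs.  Paths follow the page; the certbot location
# assumes the git clone was made in /root.
set -eu

DOMAIN=${DOMAIN:-mail.ycit.co.kr}
LIVE=/etc/letsencrypt/live/$DOMAIN
ZLE=/opt/zimbra/ssl/letsencrypt
ZKEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key
CERTBOT=/root/letsencrypt/certbot-auto        # assumption: clone done from /root

# SHA-256 fingerprint of the certificate in $1; empty when the file is unreadable.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed when $1 and $2 are different certificates (or one of them is missing).
cert_changed() {
    [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ]
}

# Succeed when private key $2 belongs to certificate $1 (compares public keys).
key_matches() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeed when certificate $1 chains to CA bundle $3 and matches key $2: the
# two checks verifycrt runs, done here before Zimbra is stopped.
verifies() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 && key_matches "$1" "$2"
}

# Same deployment steps as the page, with the private key kept owner-only.
deploy() {
    su - zimbra -c "zmcontrol stop"
    cp "$LIVE/cert.pem" "$LIVE/privkey.pem" "$ZLE/"
    cp "$LIVE/privkey.pem" "$ZKEY"
    chown zimbra:zimbra "$ZLE"/*
    chmod 600 "$ZLE/privkey.pem" "$ZKEY"
    su - zimbra -c "cd $ZLE && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
    su - zimbra -c "zmcontrol start"
}

main() {
    # "certbot renew" is a no-op unless the certificate is within 30 days of
    # expiry; the hooks run only around an actual renewal attempt, so the web
    # ports are freed just for the ACME exchange instead of all of Zimbra.
    "$CERTBOT" renew \
        --pre-hook  "su - zimbra -c 'zmproxyctl stop; zmmailboxdctl stop'" \
        --post-hook "su - zimbra -c 'zmmailboxdctl start; zmproxyctl start'"
    if ! cert_changed "$LIVE/cert.pem" "$ZLE/cert.pem"; then
        echo "certificate unchanged, nothing to deploy"
        return 0
    fi
    if ! verifies "$LIVE/cert.pem" "$LIVE/privkey.pem" "$ZLE/combined.pem"; then
        echo "new certificate does not verify against $ZLE/combined.pem; rebuild the chain first" >&2
        return 1
    fi
    deploy
}

# Only act when called with "run", so the functions above can be sourced and tested.
if [ "${1:-}" = run ]; then
    main
fi
```

With this in place the weekly cron line from the page stays the same apart from the "run" argument; when the chain check fails the script exits non-zero without touching Zimbra, and cron's mail tells you to rebuild combined.pem.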
