Company_ SSL certificate setup_zimbra
certbot --version
Open port 80 before running; check for a port conflict.
Stopped nginx. Enabled ports 80 and 443 in the firewall.
cd /root
certbot certonly --standalone -d mail.ycit.co.kr
cd /root
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
certbot certonly --standalone -d mail.ycit.co.kr
Select u, then select renewal.
su zimbra
zmproxyctl stop
To set up Let's Encrypt SSL certificates:
First stop the web proxy and mailbox services as the *zimbra* user:
zmproxyctl stop
zmmailboxdctl stop
Download the letsencrypt GitHub repository as the *root* user:
yum -y install git epel-release
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Obtain the Let's Encrypt certificate for the domain with:
./certbot-auto certonly --standalone -d mail.ycit.co.kr
At the prompts, answer:
Emergency email - mc_05@eycit.co.kr
Agree/Cancel - A
Yes/No - Y
The important file locations are:
/etc/letsencrypt/live/mail.ycit.co.kr/fullchain.pem
/etc/letsencrypt/live/mail.ycit.co.kr/privkey.pem
Download the root and intermediate certificates from https://letsencrypt.org/certificates/, for example:
cd /etc/letsencrypt/live/mail.ycit.co.kr/
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
To give Zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.ycit.co.kr/
cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/mail.ycit.co.kr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
Install the certificates as the *zimbra* user:
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
# If the above validation succeeds
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
zmcontrol restart
Recently the above validation has started to fail with the following error (fix submitted by Dmitry Gusakov):
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'combined.pem'
ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.sbarjatiya.com
error 20 at 0 depth lookup:unable to get local issuer certificate
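Added pre-flight script (not part of the page, the submitted fix, or Zimbra's zmcertmgr) that runs the two checks zmcertmgr performs above, key match and chain validation, before deploycrt is attempted; it additionally confirms that the issuer of cert.pem is present as a subject in combined.pem, which is exactly what OpenSSL error 20 "unable to get local issuer certificate" means, so a stale or wrong intermediate in the bundle is reported by name. It assumes openssl on PATH and a certbot-style directory with cert.pem, privkey.pem and combined.pem; the CERT_DIR variable, the make_fixture helper and the host mail.example.test are constructed for this example.

```shell
#!/bin/sh
# Pre-flight checks before 'zmcertmgr deploycrt comm cert.pem combined.pem'.
# Added example, not page or Zimbra code. Assumes: openssl on PATH, a
# certbot-style directory with cert.pem, privkey.pem and combined.pem.
set -eu

# key_matches_cert CERT KEY: true when the cert's public key equals the key's.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_chain CERT BUNDLE: the cert's issuer must appear as a subject in the
# bundle, and the cert must verify against it. A bundle carrying the wrong
# (or a stale) intermediate is what produces OpenSSL error 20,
# "unable to get local issuer certificate", as seen in the zmcertmgr output.
check_chain() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=[ ]*//')
  subjects=$(openssl crl2pkcs7 -nocrl -certfile "$2" |
             openssl pkcs7 -print_certs -noout | sed -n 's/^subject=[ ]*//p')
  if ! printf '%s\n' "$subjects" | grep -Fqx -- "$issuer"; then
    echo "issuer '$issuer' of $1 is not in $2; refresh the intermediate" >&2
    return 1
  fi
  openssl verify -CAfile "$2" "$1"
}

# preflight DIR: run both checks; only then is deploycrt worth attempting.
preflight() {
  key_matches_cert "$1/cert.pem" "$1/privkey.pem" &&
    check_chain "$1/cert.pem" "$1/combined.pem" &&
    echo "OK: cert, key and chain agree; safe to run zmcertmgr deploycrt"
}

# make_fixture DIR: constructed root -> intermediate -> leaf for a placeholder
# host, plus a deliberately broken bundle that omits the intermediate.
make_fixture() {
  d=$1; ext="$d/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Root' -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$ext" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -extfile "$ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -out "$d/cert.pem" 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" >"$d/combined.pem"   # bundle as the page's cat builds it
  cp "$d/root.pem" "$d/rootonly.pem"                   # bundle with the intermediate missing
}
if [ -n "${CERT_DIR:-}" ]; then preflight "$CERT_DIR"; fi
```

Run it as `CERT_DIR=/opt/zimbra/ssl/letsencrypt sh preflight.sh` as the zimbra user; a non-zero exit names which of the three conditions failed.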