Automatically Renewing FREE SSL on Zimbra
September 17, 2020 – by Zsolt Agoston – last edited on September 30, 2020
Zimbra, like any server that talks to the internet, should present a publicly trusted TLS certificate. Both client access (the web client and admin console, IMAP and POP) and secure SMTP mail transmission rely on that certificate, and on a fresh installation it is self-signed.
A self-signed certificate still encrypts traffic from the start, but nobody else trusts it: users get browser warnings when opening the web client, and partner mail servers that validate our certificate (for example where MTA-STS or DANE is enforced) may refuse to deliver mail to us.
We need a certificate signed by a public certification authority. There are many CAs to choose from, but here we want the certificate for free.
Let’s Encrypt issues free certificates valid for 90 days, and renewing them is free as well. We already covered how to get Let’s Encrypt certificates on CentOS; this time we put that knowledge into a script that obtains the certificate and renews it automatically for a Zimbra server running on CentOS 8 (set up as described in our installation guide). Let’s get started!
1. Install the Let’s Encrypt Certbot
# Install Certbot on the linux box (on CentOS 8 the package comes from EPEL)
yum install -y epel-release
yum install -y certbot
# Generate our first SSL cert. Certbot's standalone authenticator answers the
# HTTP-01 challenge on port 80 itself, so if the Zimbra proxy is listening there
# (check with: ss -ltnp | grep ':80 ') stop it for the duration of this command
sudo -u zimbra /opt/zimbra/bin/zmproxyctl stop
certbot certonly --standalone -d mail.protectigate.com -m zsolt@opentechtips.com --agree-tos -n
sudo -u zimbra /opt/zimbra/bin/zmproxyctl start
# Prepare the Zimbra directory for the new certificate; subsequent certificates
# are renewed and deployed by the script below
mkdir /opt/zimbra/ssl/letsencrypt
2. Install the Certificate and create the Script for auto-renewal
a. Create script as /root/ssl.sh
#!/bin/bash
# Renew the Let's Encrypt certificate and deploy it into Zimbra. Runs as root
# (from cron); every Zimbra tool is invoked as the zimbra user.
set -euo pipefail

DOMAIN=mail.protectigate.com
EMAIL=zsolt@opentechtips.com
LE_DIR=/etc/letsencrypt/live/$DOMAIN
ZSSL=/opt/zimbra/ssl/letsencrypt
STAMP=$(date +'%Y%m%d')

#Change work dir to /tmp
cd /tmp
# Whatever happens below, bring Zimbra back up when the script exits, so a
# failed renewal or verification leaves the server running on the old cert
trap 'sudo -u zimbra /opt/zimbra/bin/zmcontrol restart' EXIT
# Stop the Zimbra proxy (nginx) and mailboxd BEFORE certbot runs: the standalone
# authenticator has to bind port 80 itself to answer the HTTP-01 challenge
sudo -u zimbra /opt/zimbra/bin/zmproxyctl stop
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl stop
#Renew cert if needed (with -n certbot keeps the current cert until it is
#within 30 days of expiry, so this is safe to run every month)
certbot certonly --standalone -d "$DOMAIN" -m "$EMAIL" --agree-tos -n
#Keep the previous Zimbra letsencrypt folder and create a new one
if [[ -e "$ZSSL" ]]; then
    mv "$ZSSL" "$ZSSL.$STAMP"
fi
mkdir -p "$ZSSL"
# Copy Let's Encrypt SSL cert into Zimbra SSL dir. The files under live/ are
# symlinks into archive/, so -L is needed to copy the real PEM contents
# (cp -r would only copy dangling relative symlinks)
/bin/cp -fL "$LE_DIR"/*.pem "$ZSSL"/
#Download the Let's Encrypt root cert (ISRG Root X1; the DST Root CA X3 file
#used when this guide was first written expired in September 2021). Keep a
#pinned local copy instead if you don't want a runtime download in the trust path
wget -q https://letsencrypt.org/certs/isrgrootx1.pem -O "$ZSSL/root.pem"
#Merge the root cert into the chain file (intermediate first, then root)
cat "$ZSSL/root.pem" >> "$ZSSL/chain.pem"
#Change owner of SSL files to Zimbra user
chown -R zimbra:zimbra "$ZSSL"
# Verify that key, cert and chain belong together before touching the live
# keystore; set -e aborts the script (and the trap restarts Zimbra) on failure
sudo -u zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm "$ZSSL/privkey.pem" "$ZSSL/cert.pem" "$ZSSL/chain.pem"
# Make backup of existing SSL
cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$STAMP"
# Copy new priv key (owned by and readable only by the zimbra user)
/bin/cp -f "$ZSSL/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
chmod 600 /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Install new SSL cert; the EXIT trap then restarts the Zimbra services so
# every component picks up the new certificate
sudo -u zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm "$ZSSL/cert.pem" "$ZSSL/chain.pem"
b. Make script executable: chmod +x /root/ssl.sh
3. Create a cron job to run the script every month
Now that the script is ready, we create a cron job that runs it monthly. Certbot only issues a new certificate when fewer than 30 days of validity remain, so a run on the 1st of each month keeps a 90-day certificate renewed; each run still restarts Zimbra briefly, so schedule it at a quiet hour.
#Create new cron job that runs on the 1st of every month at 2am
#(the ';' keeps the echo running even when no crontab exists yet)
(crontab -l 2>/dev/null; echo "0 2 1 * * /bin/bash /root/ssl.sh") | crontab -
4. Verify
Open the web client and the admin console: the browser shows the padlock with no warning, because the certificate now chains to a publicly trusted root. The same certificate covers IMAP, POP and SMTP with TLS, so mail servers that validate our certificate accept the connection as well. Enjoy!
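Looking at the padlock only checks the web client. The script below is an added example (not part of the original article or of Zimbra) that checks every public Zimbra listener after a renewal: it connects to HTTPS, IMAPS, POP3S and SMTPS, plus SMTP submission with STARTTLS, validates the chain against the system trust store with the stdlib `ssl` module, confirms the hostname is in the SANs, and reports the issuer and the days left before expiry. The hostname is the one from the article; the port list, the `SAMPLE_CERT` dictionary (constructed in the shape `getpeercert()` returns) and all function names are assumptions for the example.

```python
"""Post-renewal check of the certificates Zimbra presents on its TLS ports."""
import datetime as dt
import smtplib
import socket
import ssl

HOST = "mail.protectigate.com"          # hostname used throughout the article
TLS_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "smtps": 465}  # assumed Zimbra defaults
SUBMISSION_PORT = 587                   # SMTP submission, upgraded with STARTTLS

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; used
# for offline testing of the helpers below (not a real captured certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.protectigate.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Sep 17 00:00:00 2020 GMT",
    "notAfter": "Dec 16 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "mail.protectigate.com"),),
}


def san_matches(cert, hostname):
    """True if hostname is covered by a DNS SAN, exactly or by a leftmost-label wildcard."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        # "*.example.com" matches "mail.example.com" but not "a.b.example.com"
        if value.startswith("*.") and "." in host and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def days_left(cert, now=None):
    """Whole days until notAfter; cert_time_to_seconds parses the getpeercert() format as UTC."""
    now = now or dt.datetime.now(dt.timezone.utc)
    expiry = dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), dt.timezone.utc)
    return (expiry - now).days


def summarize(cert, hostname, now=None):
    """The facts a practitioner wants after deployment, as a plain dict."""
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return {
        "issuer": issuer.get("commonName", "?"),
        "hostname_ok": san_matches(cert, hostname),
        "days_left": days_left(cert, now),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def fetch_cert(host, port, starttls=False, timeout=10):
    """Connect and return the peer certificate; the default context enforces
    chain validation against the system trust store and hostname matching, so an
    untrusted or misnamed certificate raises instead of being summarized."""
    ctx = ssl.create_default_context()
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)      # validates against ctx like a direct TLS connection
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_all(host=HOST):
    """Probe every listener; a failure is recorded per port rather than aborting the run."""
    results = {}
    probes = [(name, port, False) for name, port in TLS_PORTS.items()]
    probes.append(("submission", SUBMISSION_PORT, True))
    for name, port, starttls in probes:
        try:
            results[name] = summarize(fetch_cert(host, port, starttls), host)
        except (OSError, smtplib.SMTPException, ValueError) as exc:
            results[name] = {"error": str(exc)}   # closed port, untrusted chain or wrong name
    return results


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:11} {result}")
```

Run it from any machine after the cron job has fired; every port should report the same issuer and `hostname_ok: True`, and a `days_left` that just jumped back to about 90 tells you the renewal actually reached that service.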