Differences

This shows you the differences between two versions of the page.

--- internet:security:ssl_cert_letsencrypt_zimbra [2021/06/15 09:41]
gcooper
+++ internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
@@ Line 1: / Line 1: @@
 ====== Using LetsEncrypt SSL Certificates with Zimbra ======
-<note important>This may be a better way, **simpler** and with **no dependencies**:
+See also **[[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]]**
-https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
+**Howto**: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
-https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh
+<note warning>
+Your Zimbra will be restarted during this process, taking users offline!
-https://forums.zimbra.org/viewtopic.php?f=15&t=60781
 </note>
-https://lorenzo.mile.si/letsencrypt-zimbra-the-easy-way/
+<note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
-https://github.com/YetOpen/certbot-zimbra
+<note warning>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
-===== Install CertBot =====
-You can use the install wizard at the ''certbot'' home page, or use your OS package manager.
-https://certbot.eff.org
-==== CentOS 7 ====
-<file>
-yum install certbot --enablerepo=epel
-</file>
-==== Ubuntu 16.04 ====
-:!: The PPA is for Ubuntu versions up to 18.04.
-<file>
-apt-get update
-apt-get install software-properties-common
-add-apt-repository universe
-add-apt-repository ppa:certbot/certbot
-apt-get update
-apt-get install certbot
-</file>
-==== Ubuntu 20.04 ====
-<file>
-apt-get update
-apt-get install certbot
-</file>
-===== Disable Packaged Auto Renewal =====
-When installing ''certbot'' via packages, we must disable auto-renewals configured in ''cron'' by the package installation:
-<file>
-systemctl stop certbot.timer && systemctl disable certbot.timer
-vim /etc/cron.d/certbot
-</file>
-**Comment out the last line.**
-<note warning>Installing or renewing a certificate will cause Zimbra to restart, breaking client connections temporarily.</note>
-===== New LetsEncrypt Certificate =====
-<note important>You can specify **SAN hostnames** with (optional and multiple) ''-e san.domain.tld'' flags.</note>
-<file>
-rm -f certbot_zimbra.sh
-wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh
-chmod +x certbot_zimbra.sh
-./certbot_zimbra.sh -n -c
-</file>
-===== Renew LetsEncrypt Certificate =====
-:!: If the existing certificate has **expired**, you probably need to generate a **new** cert.
-<file>
-./certbot_zimbra.sh -d
-</file>
-===== Automatic Renewals =====
-<file>
-mv certbot_zimbra.sh /usr/local/bin/
-</file>
-<file>
-vim /etc/cron.d/letsencrypt
-</file>
-<file>
-# certbot_zimbra.sh requires bash and a path with /usr/sbin
-SHELL=/bin/bash
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
-5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
-</file>
-:!: Once your ''cron'' job has run successfully a few times (maybe after the first successful renewal), you can suppress unwanted e-mail messages every time the cron job runs by adding this to the end of the ''cron'' entry:
-<file>
->> /dev/null 2>&1
-</file>
 ===== Troubleshooting =====
-<file>
+Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
-tail -f /var/log/letsencrypt/letsencrypt.log
-cat /var/log/letsencrypt/letsencrypt.log
-certbot certificates
+If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert.
-cat /etc/cron.d/letsencrypt
+If a cert is expired, you must reissue a new cert.
-cat /etc/letsencrypt/renewal/hostname.domain.tld.conf
+If a certificate renewal fails, try reissuing a new cert instead.
-</file>
-View deployed certs as ''zimbra'' user:
-<file>
-su - zimbra
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
-</file>
-==== Trouble Renewing ====
-If you see an error like this in the log:
-<file>
-WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld
-</file>
-:!: This is probably due to a **SAN hostname**.
-Try adding the missing line from the ''[webroot_map]'' section:
-<file>
-vim /etc/letsencrypt/renewal/hostname.domain.tld.conf
-hostname.domain.tld = /opt/zimbra/data/nginx/html
+===== Modifications =====
-sanhostname.domain.tld = /opt/zimbra/data/nginx/html
-</file>
-Then re-run the ''cron'' command from ''/etc/cron.d/letsencrypt'':
+<note tip>**Suppress daily cron e-mail message**...</note>
-<note warning>This will probably cause Zimbra to restart which will break client connections.
+<note tip>You **can** modify the script to support additional SANs...</note>
-Use of ''deploy-hook'' should only restart Zimbra if the renewal is successful, whereas ''renew-hook'' would cause it to restart even if the renewal fails.</note>
+<note tip>Adjust script to **only run if certificate is updated**...</note>
 <file>
-/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
+#!/bin/bash
+#
+# Modification to suppress e-mailed cron job notifications every day
+MAILTO=""
+#
+# Modification for SAN certificate with multiple hostnames
+# This may/will need to be adjusted for hostnames and possibly cert name
+# If you followed the howto above using just the actual hostname, it will look like this
+/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email
+#
+# Modification to test if cert was changed then exit script
+if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then
+   exit 0
+fi
+#
+cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
+chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
+wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
+rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
+cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
+cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem"
+chown zimbra:zimbra /etc/letsencrypt -R
+cd /tmp
+su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"'
+rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 </file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools