Differences

This shows you the differences between two versions of the page.

internet:security:ssl_cert_letsencrypt_zimbra [2022/01/17 10:51]
gcooper
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
Line 1: Line 1:
 ====== Using LetsEncrypt SSL Certificates with Zimbra ====== ====== Using LetsEncrypt SSL Certificates with Zimbra ======
  
-https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt+See also **[[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]]**
  
-https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh +**Howto**: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
- +
-<note warning>When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.</note>+
  
 <note warning> <note warning>
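Review bot: the removed line "When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API" is the only explanation of why the page moves from the acme.sh DNS-manual method to the certbot howto, and the new text never states it; keep one sentence saying the howto's certbot run uses `--standalone` HTTP validation (as the script in the second hunk does), which renews unattended without touching DNS, so a reader arriving from the old acme.sh instructions understands the switch. The two dropped acme.sh URLs were also the only pointer to the `--deploy-hook zimbra` method; if that route is still considered valid, carry them over under the new "See also" line rather than deleting them.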
Line 13: Line 11:
 <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
  
-<note tip>When creating or renewing without a DNS APIyou run an 'issue' command, then ADD records to your DNS, then rerun the 'issue' command with the --renew flag.</note>+<note warning>The single-server portion of the howto is fantastic.  Howeverit only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
  
-===== Install acme.sh =====+===== Troubleshooting =====
  
-<file> +Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
-su -  +
-mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh+
  
-su zimbra +If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again Then re-implement a LetsEncrypt cert.
-cd /opt/zimbra/.acme.sh +
-wget -O -  https://get.acme.sh | sh +
-</file>+
  
-===== Configure for LetsEncrypt =====+If a cert is expired, you must reissue a new cert.
  
-Set defalt CA to LetsEncrypt+If a certificate renewal fails, try reissuing a new cert instead.
  
-<file> +===== Modifications =====
-su - zimbra +
-cd .acme.sh/ +
-./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt +
-</file>+
  
-===== Upgrade acme.sh =====+<note tip>**Suppress daily cron e-mail message**...</note>
  
-<file> +<note tip>You **can** modify the script to support additional SANs...</note>
-./acme.sh --upgrade +
-</file>+
  
-===== View Deployed Certs ===== +<note tip>Adjust script to **only run if certificate is updated**...</note>
- +
-==== Zimbra ====+
  
 <file> <file>
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all+#!/bin/bash 
 +
 +# Modification to suppress e-mailed cron job notifications every day 
 +MAILTO="" 
 +
 +# Modification for SAN certificate with multiple hostnames 
 +# This may/will need to be adjusted for hostnames and possibly cert name 
 +# If you followed the howto above using just the actual hostname, it will look like this 
 +/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email 
 +
 +# Modification to test if cert was changed then exit script 
 +if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then 
 +   exit 0 
 +fi 
 +
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt 
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem" 
 +chown zimbra:zimbra /etc/letsencrypt -R 
 +cd /tmp 
 +su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"' 
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 </file> </file>
- 
-==== acme.sh ==== 
- 
-<file> 
-./acme.sh --list 
-</file> 
- 
-===== Create or Renew Cert ===== 
- 
-Use the ''--renew'' flag for renewals.  This will also deploy the updated cert. 
- 
-<file> 
-acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew 
-</file> 
- 
-===== Original Cert Deployment ===== 
- 
-<file> 
-acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld 
-</file> 
- 
-===== Troubleshooting ===== 
- 
-See also [[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]] 
- 
-If a cert is expired, you must reissue a new cert. 
- 
-If a certificate renewal fails, try reissuing a new cert instead. 
- 
-If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert. 
- 
-
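Review bot: the hostname placeholders in the added script disagree, so it cannot run as written. `certbot certonly --cert-name zimbra2.yourdomain.tld` decides the directory under /etc/letsencrypt/live/, the `cp` lines read from `/etc/letsencrypt/live/zimbra.yourdomain.tld/`, and the `cat /tmp/ISRG-X1.pem >>` and `zmcertmgr deploycrt comm .../cert.pem` lines use `/etc/letsencrypt/live/zimbra3.virtualarchitects.com/`, which is a real hostname left in from the author's own server. Put the name in one variable at the top (for example `CERT=zimbra.yourdomain.tld`, matching `--cert-name`) and build every path from it. Three further points. `chown zimbra:zimbra /etc/letsencrypt -R` hands the ACME account key and every private key under that tree to the zimbra user; the script already copies privkey.pem into /opt/zimbra/ssl/zimbra/commercial/, so copy cert.pem and the assembled chain there too, chown only those files, and leave /etc/letsencrypt root-owned. Nothing stops the script when certbot itself fails (port 80 already bound, rate limit, no network): the `grep "not yet due for renewal"` test only catches the no-op case, after which whatever is in live/ is deployed; begin with `set -e` or test certbot's exit status, and use `grep -q` so the cron output stays empty. Finally, `wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt` fetches the root on every run and appends it to the chain unverified; download it once, compare its `openssl x509 -noout -fingerprint -sha256` output with the value published on letsencrypt.org, and keep the verified copy locally. `--register-unsafely-without-email` also means no expiry reminders reach anyone, which is worth a comment since the page's own Troubleshooting section says an expired cert forces a full reissue.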