internet:mail:zimbra:zimbra_ssl

Differences

This shows you the differences between two versions of the page.

internet:mail:zimbra:zimbra_ssl [2018/09/08 11:24]
gcooper
internet:mail:zimbra:zimbra_ssl [2022/11/03 10:09] (current)
gcooper
Line 1: Line 1:
-====== Zimbra SSL - Redirection and Certificates ======+====== Zimbra SSL - Redirection and Commercial Certificates ======
  
-**LetsEncrypt**https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate+See also **[[internet:mail:zimbra:zimbra_ssl_letsencrypt|Using LetsEncrypt SSL Certificates with Zimbra]]**
  
 **Useful for Wildcard Certs**: https://www.digicert.com/csr-creation-ssl-installation-zimbra.htm **Useful for Wildcard Certs**: https://www.digicert.com/csr-creation-ssl-installation-zimbra.htm
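
Review bot: The new title "Zimbra SSL - Redirection and Commercial Certificates" no longer covers everything on the page, because the section "Quickie Renew Expired Self-Signed SSL Certificate" is still present at line 128. Either keep the broader title or mention self-signed certificates in it. The replaced line also drops the wiki.zimbra.com LetsEncrypt URL, so check that the linked page internet:mail:zimbra:zimbra_ssl_letsencrypt carries that reference.
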
Line 128: Line 128:
 ==== Quickie Renew Expired Self-Signed SSL Certificate ==== ==== Quickie Renew Expired Self-Signed SSL Certificate ====
  
-Log in as root and create new certificate:+Create new certificate:
  
 <file> <file>
 +su - zimbra
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650  /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650 
 /opt/zimbra/bin/zmcertmgr deploycrt self /opt/zimbra/bin/zmcertmgr deploycrt self
- 
-su - zimbra 
 zmcontrol restart zmcontrol restart
 </file> </file>
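
Review bot: With "Log in as root and" dropped from the lead-in, the block now opens with `su - zimbra` but nothing says which account the reader starts from, and the `zmcertmgr createcrt` and `zmcertmgr deploycrt self` lines now run as the zimbra user where the previous revision ran them as root. State the starting account in the lead-in and note which Zimbra releases this ordering applies to, so a reader on an installation that matches the old text is not left with a failing command. The unchanged `-days 3650` yields a ten-year self-signed certificate; a sentence on why that lifetime is acceptable here would help.
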
Line 165: Line 164:
 </file> </file>
  
-===== Let's Encrypt ===== 
- 
-https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate 
- 
-==== Install ==== 
- 
-FIXME Not documented well the first time through... 
- 
-:!: Do this after hours or on Sunday! 
- 
-Stop some Zimbra services first or it will fail: 
- 
-<file> 
-su - zimbra -c 'zmproxyctl stop' 
-su - zimbra -c 'zmmailboxdctl stop' 
-</file> 
- 
-As ''root'': 
- 
-<file> 
-cd ~ 
-git clone https://github.com/letsencrypt/letsencrypt 
-cd letsencrypt 
-./letsencrypt-auto certonly --standalone -d zimbra.example.com -d xmpp.example.com 
-</file> 
- 
-Enter a valid e-mail address for notifications. 
- 
-Agree to the Terms of Service. 
- 
-Check the files:  
- 
-<file> 
-ls -al /etc/letsencrypt/live/ 
- 
-ls -al /etc/letsencrypt/live/zimbra.example.com/ 
-</file> 
- 
-https://www.identrust.com/certificates/trustid/root-download-x3.html 
- 
-Edit the chain file and add the root CA cert (copied from the link above) at the end: 
- 
-<file> 
-vim /etc/letsencrypt/live/zimbra.example.com/chain.pem 
-</file> 
- 
-It will look similar to this: 
- 
-<file> 
------BEGIN CERTIFICATE----- 
-your chain cert 
------END CERTIFICATE----- 
------BEGIN CERTIFICATE----- 
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ 
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT 
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow 
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O 
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b 
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD 
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV 
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG 
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr 
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz 
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo 
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ 
------END CERTIFICATE----- 
-</file> 
- 
-Install the new cert, still as ''root'': 
- 
-<file> 
-mkdir /opt/zimbra/ssl/letsencrypt 
- 
-cp /etc/letsencrypt/live/zimbra.example.com/* /opt/zimbra/ssl/letsencrypt/ 
- 
-chown -r zimbra:zimbra /opt/zimbra/ssl/letsencrypt 
- 
-ls -al /opt/zimbra/ssl/ 
-ls -al /opt/zimbra/ssl/letsencrypt/ 
-</file> 
- 
-As the ''zimbra'' user: 
- 
-<file> 
-su - zimbra 
- 
-cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") 
- 
-cd /opt/zimbra/ssl/letsencrypt 
-/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem 
- 
-cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key 
- 
-/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
- 
-zmcontrol restart 
-</file> 
- 
-==== Renewal ==== 
- 
-As ''root'': 
- 
-<file> 
-su - zimbra -c 'zmproxyctl stop' 
-su - zimbra -c 'zmmailboxdctl stop' 
- 
-cd ~/letsencrypt 
-./letsencrypt-auto certonly --standalone -d zimbra.example.com -d xmpp.example.com 
- 
-su - zimbra -c 'zmproxyctl start' 
-su - zimbra -c 'zmmailboxdctl start' 
-</file> 
- 
-FIXME https://www.identrust.com/certificates/trustid/root-download-x3.html 
- 
-Edit the chain file and add the root CA cert (copied from the link above) at the end: 
- 
-FIXME This step probably already done? 
- 
-<file> 
-vim /opt/zimbra/ssl/letsencrypt/chain.pem 
-</file> 
- 
-It will look similar to this: 
- 
-<file> 
------BEGIN CERTIFICATE----- 
-your chain cert 
------END CERTIFICATE----- 
------BEGIN CERTIFICATE----- 
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ 
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT 
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow 
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD 
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O 
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq 
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b 
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD 
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV 
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG 
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr 
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz 
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo 
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ 
------END CERTIFICATE----- 
-</file> 
- 
-Copy the new files to Zimbra and change the ownership: 
- 
-<file> 
-cp /etc/letsencrypt/live/zimbra.virtualarchitects.com/*.pem /opt/zimbra/ssl/letsencrypt/ 
-chown -R zimbra.zimbra /opt/zimbra/ssl/letsencrypt 
-ls -al /opt/zimbra/ssl/letsencrypt/ 
-</file> 
- 
-As the ''zimbra'' user, back up the old cert, then verify and install the new one: 
- 
-<file> 
-su - zimbra 
- 
-cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") 
- 
-cd /opt/zimbra/ssl/letsencrypt 
-/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem 
- 
-cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key 
- 
-/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
- 
-zmcontrol restart 
-</file> 
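
Review bot: The removed install block uses `chown -r zimbra:zimbra /opt/zimbra/ssl/letsencrypt` while the removed renewal block uses `chown -R zimbra.zimbra`; the lowercase `-r` is not the recursive flag, so if this text is being moved to the linked LetsEncrypt page, correct it there and do not carry it over verbatim. The same applies to the three FIXME markers, and to the copy step in the renewal block, which names `zimbra.virtualarchitects.com` where every other command uses `zimbra.example.com`. Both blocks also copy `privkey.pem` into `/opt/zimbra/ssl/letsencrypt/` and then to `commercial.key` without stating the resulting file permissions; the relocated text should say that the key must be readable only by the zimbra user.
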
internet/mail/zimbra/zimbra_ssl.1536427492.txt.gz · Last modified: 2018/09/08 11:24 by gcooper