LetsEncrypt: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
Useful for Wildcard Certs: https://www.digicert.com/csr-creation-ssl-installation-zimbra.htm
http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers
http://wiki.zimbra.com/wiki/SSL_certificates_per_domain
http://jamesreubenknowles.com/adding-a-godaddy-ssl-certificate-to-zimbra-7-1360
Newer Zimbra installers default to installing the proxy component.
http://wiki.zimbra.com/wiki/CLI_zmtlsctl_to_set_Web_Server_Mode
This will redirect all HTTP connections to HTTPS:
su - zimbra
zmtlsctl redirect
exit
reboot
http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Protocol_Requirements_Including_HTTPS_Redirect
zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect
reboot
If you have problems when installing or renewing a commercial cert, try installing a self-signed cert first, then install the commercial cert.
If you continue to have problems, consider using the CLI.
http://www.andrewklau.com/adding-my-own-wildcard-ssl-certificate-to-zimbra-collabration-server-8/
http://www.sononaco.com/blog/wildcard-comodo-ssl-chains-and-zimbra/
https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools
Zimbra Admin → Configure → Certificates → (gear icon) → Install Certificates
Comodo commercial certificate example
Add Intermediate CA
mail_yourdomain_com.crt
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
Install
If any errors are thrown, double-check that you are using the correct root and intermediate certificates. That's usually where the problem lies.
If the GUI cert installation fails, create and install a new self-signed cert, reboot, then use the CLI to install the new cert.
https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration
Generate the CSR (certificate signing request and the private key) using Zimbra Admin Console (ZAC):
ZAC → Configure → Certificates → YourZimbraHostName → Gear Icon → Install New Certificate
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames "name2.example.com,example.com"
Purchase the SSL certificate using the CSR just created.
Create the file commercial_ca.crt by concatenating the 3 files that Comodo sent to you. CLI example:
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > commercial_ca.crt
Install the SSL certificate, as user root:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
If your self-signed cert expires, or if you have problems when installing a commercial cert, you can use the following script to rebuild the SSL configuration and implement a self-signed certificate.
To check for expired certificates, run the following command as the zimbra user:
/opt/zimbra/libexec/zmcheckexpiredcerts -days 1 -verbose
Run the following commands as the zimbra user to regenerate the self-signed SSL certificates:
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self -new'
Log in as root and create the new certificate:
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
su - zimbra
zmcontrol restart
##################################################
# Regenerate SSL Cert
##################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
# Java version dependent?
/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/openjdk-1.8.0_172-zimbra/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c 'zmcontrol start'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c 'zmupdateauthkeys'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'
Not documented well the first time through…
Do this after hours or on Sunday!
Stop some Zimbra services first or it will fail:
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
As root:
cd ~
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone -d zimbra.example.com -d xmpp.example.com
Enter a valid e-mail address for notifications.
Agree to the Terms of Service.
Check the files:
ls -al /etc/letsencrypt/live/
ls -al /etc/letsencrypt/live/zimbra.example.com/
https://www.identrust.com/certificates/trustid/root-download-x3.html
Edit the chain file and add the root CA cert (copied from the link above) at the end:
vim /etc/letsencrypt/live/zimbra.example.com/chain.pem
It will look similar to this:
-----BEGIN CERTIFICATE-----
your chain cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64 body of the DST Root CA X3 root certificate, copied from the link above)
-----END CERTIFICATE-----
Install the new cert, still as root:
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/zimbra.example.com/* /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
ls -al /opt/zimbra/ssl/
ls -al /opt/zimbra/ssl/letsencrypt/
As the zimbra user:
su - zimbra
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cd /opt/zimbra/ssl/letsencrypt
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
zmcontrol restart
As root:
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
cd ~/letsencrypt
./letsencrypt-auto certonly --standalone -d zimbra.example.com -d xmpp.example.com
https://www.identrust.com/certificates/trustid/root-download-x3.html
Edit the chain file and add the root CA cert (copied from the link above) at the end:
vim /opt/zimbra/ssl/letsencrypt/chain.pem
It will look similar to this:
-----BEGIN CERTIFICATE-----
your chain cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64 body of the DST Root CA X3 root certificate, copied from the link above)
-----END CERTIFICATE-----
Copy the new files to Zimbra and change the ownership:
cp /etc/letsencrypt/live/zimbra.virtualarchitects.com/*.pem /opt/zimbra/ssl/letsencrypt/
chown -R zimbra.zimbra /opt/zimbra/ssl/letsencrypt
ls -al /opt/zimbra/ssl/letsencrypt/
As the zimbra user, back up the old cert, then verify and install the new one:
su - zimbra
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cd /opt/zimbra/ssl/letsencrypt
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
zmcontrol restart
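A pre-deployment check for the privkey.pem / cert.pem / chain.pem trio used in both the initial install and the renewal above, added here as an example and not part of Zimbra's own tooling; it assumes only openssl(1) and awk are installed. It confirms the key belongs to the cert, that the leaf verifies against chain.pem (which fails exactly when the root was not appended, the error the manual edit of chain.pem prevents), that the last cert in chain.pem is the self-signed root, and that the leaf is not about to expire, in the spirit of zmcheckexpiredcerts -days N.

```shell
#!/bin/sh
# check_zimbra_chain: sanity-check a key/cert/chain set before `zmcertmgr deploycrt comm`.
# Example script (not Zimbra's); needs only openssl and awk.
# Exit status: 0 = all checks passed, 1 = a check failed, 2 = input could not be read.
check_zimbra_chain() {
    key="$1"; cert="$2"; chain="$3"; min_days="${4:-30}"
    [ -r "$key" ] && [ -r "$cert" ] && [ -r "$chain" ] \
        || { echo "FAIL: cannot read $key, $cert or $chain" >&2; return 2; }

    # 1. The private key must belong to the certificate: both must yield the same SPKI public key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ] \
        || { echo "FAIL: private key $key does not match certificate $cert" >&2; return 1; }

    # 2. The leaf must verify using chain.pem alone. openssl verify insists on a self-signed
    #    root in -CAfile, so an intermediate-only chain.pem (root not appended) fails here.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $chain (root missing or wrong intermediate?)" >&2; return 1; }

    # 3. The last certificate in chain.pem should be the root itself (subject == issuer),
    #    matching the "add the root CA cert at the end" step.
    last=$(awk '/-----BEGIN CERTIFICATE-----/{b=""} {b=b $0 "\n"}
                /-----END CERTIFICATE-----/{l=b} END{printf "%s", l}' "$chain")
    subj=$(printf '%s' "$last" | openssl x509 -noout -subject 2>/dev/null) || return 2
    iss=$(printf '%s' "$last" | openssl x509 -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ] \
        || { echo "FAIL: last certificate in $chain is not a self-signed root" >&2; return 1; }

    # 4. Expiry: fail if the leaf lapses within min_days (default 30), like zmcheckexpiredcerts -days N.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: $cert expires within $min_days days" >&2; return 1; }

    echo "OK: key matches, chain verifies to an appended root, valid for more than $min_days days"
    return 0
}

# Usage: check_zimbra_chain privkey.pem cert.pem chain.pem [min_days]
```

Run it from /opt/zimbra/ssl/letsencrypt before the verifycrt/deploycrt step; a non-zero exit is the cue to fix chain.pem rather than restart Zimbra with a broken chain.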