internet:security:ssl_cert_letsencrypt_zimbra

internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
— (current)
Line 1: Line 1:
-====== Using LetsEncrypt SSL Certificates with Zimbra ====== 
  
-See also **[[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]]** 
- 
-**Howto**: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate 
- 
-<note warning> 
-Your Zimbra will be restarted during this process, taking users offline! 
-</note> 
- 
-<note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> 
- 
-<note warning>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note> 
- 
-===== Troubleshooting ===== 
- 
-Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''. 
- 
-If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert. 
- 
-If a cert is expired, you must reissue a new cert. 
- 
-If a certificate renewal fails, try reissuing a new cert instead. 
- 
-===== Modifications ===== 
- 
-<note tip>**Suppress daily cron e-mail message**...</note> 
- 
-<note tip>You **can** modify the script to support **additional SANs**...</note> 
- 
-<note tip>Adjust script to **only run if certificate is updated**...</note> 
- 
-<file> 
-#!/bin/bash 
-# 
-# Modification to suppress e-mailed cron job notifications every day 
-MAILTO="" 
-# 
-# Modification for SAN certificate with multiple hostnames 
-# This may/will need to be adjusted for hostnames and possibly cert name 
-# If you followed the howto above using just the actual hostname, it will look like this 
-/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email 
-# 
-# Modification to test if cert was changed then exit script 
-if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then 
-   exit 0 
-fi 
-# 
-cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key 
-chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key 
-wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt 
-rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
-cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
-cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem" 
-chown zimbra:zimbra /etc/letsencrypt -R 
-cd /tmp 
-su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"' 
-rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
-</file>
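Review bot: the renewal check `if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log` in the removed script scans the whole cumulative log rather than the output of the run that just happened, so once any earlier run has logged that phrase the script exits before deploying even when certbot has just issued a fresh certificate; capture certbot's own output for this invocation, or run the copy/deploy steps from a certbot `--deploy-hook`, which only fires when a certificate was actually renewed. The lineage paths are also inconsistent: `--cert-name zimbra2.yourdomain.tld` places the files under `/etc/letsencrypt/live/zimbra2.yourdomain.tld/`, the copy lines read from `/etc/letsencrypt/live/zimbra.yourdomain.tld/`, and the `cat` and `zmcertmgr deploycrt comm` lines reference `/etc/letsencrypt/live/zimbra3.virtualarchitects.com/`, so the deploy step would pair cert.pem from one lineage with chainZimbra.pem from another or fail outright; put the lineage directory in a single variable and use it on every line. Finally, `chown zimbra:zimbra /etc/letsencrypt -R` hands every private key under /etc/letsencrypt to the zimbra account; since privkey.pem is already copied into commercial.key with the right owner, copying cert.pem and the assembled chain into /opt/zimbra/ssl/zimbra/commercial/ as well and passing those copies to zmcertmgr keeps /etc/letsencrypt root-owned.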