This shows you the differences between two versions of the page.
internet:security:ssl_cert_letsencrypt_zimbra [2021/06/15 09:20] gcooper |
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31] gcooper |
Line 1: | Line 1: | ||
====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ||
- | <note important> | + | See also **[[internet: |
- | https:// | + | **Howto**: |
- | https:// | + | <note warning> |
- | + | Your Zimbra will be restarted during this process, taking users offline! | |
- | https:// | + | |
</ | </ | ||
- | https:// | + | <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> |
- | https:// | + | <note warning> |
- | + | ||
- | ===== Install CertBot ===== | + | |
- | + | ||
- | You can use the install wizard at the '' | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | ==== CentOS 7 ==== | + | |
- | + | ||
- | <file> | + | |
- | yum install certbot --enablerepo=epel | + | |
- | </ | + | |
- | + | ||
- | ==== Ubuntu 16.04 ==== | + | |
- | + | ||
- | :!: The PPA is for Ubuntu versions up to 18.04. | + | |
- | + | ||
- | < | + | |
- | apt-get update | + | |
- | apt-get install software-properties-common | + | |
- | add-apt-repository universe | + | |
- | add-apt-repository ppa: | + | |
- | apt-get update | + | |
- | apt-get install certbot | + | |
- | </ | + | |
- | + | ||
- | ==== Ubuntu 20.04 ==== | + | |
- | + | ||
- | < | + | |
- | apt-get update | + | |
- | apt-get install certbot | + | |
- | </ | + | |
- | + | ||
- | ===== Disable Packaged Auto Renewal ===== | + | |
- | + | ||
- | When installing '' | + | |
- | + | ||
- | < | + | |
- | systemctl stop certbot.timer && systemctl disable certbot.timer | + | |
- | + | ||
- | vim / | + | |
- | </ | + | |
- | + | ||
- | **Comment out the last line.** | + | |
- | + | ||
- | <note warning> | + | |
- | + | ||
- | ===== New LetsEncrypt Certificate ===== | + | |
- | + | ||
- | <note important> | + | |
- | + | ||
- | < | + | |
- | rm -f certbot_zimbra.sh | + | |
- | wget https:// | + | |
- | chmod +x certbot_zimbra.sh | + | |
- | ./ | + | |
- | </ | + | |
- | + | ||
- | ===== Renew LetsEncrypt Certificate ===== | + | |
- | + | ||
- | :!: If the existing certificate has **expired**, | + | |
- | + | ||
- | < | + | |
- | ./ | + | |
- | </ | + | |
- | + | ||
- | ===== Automatic Renewals ===== | + | |
- | + | ||
- | < | + | |
- | mv certbot_zimbra.sh / | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | vim / | + | |
- | </ | + | |
- | + | ||
- | < | + | |
- | # certbot_zimbra.sh requires bash and a path with /usr/sbin | + | |
- | SHELL=/ | + | |
- | PATH=/ | + | |
- | + | ||
- | # Replace / | + | |
- | 12 5 * * * root / | + | |
- | </ | + | |
- | + | ||
- | :!: Once your '' | + | |
- | + | ||
- | <file> | + | |
- | >> | + | |
- | </file> | + | |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
- | < | + | Certbot logs to '' |
- | tail -f / | + | |
- | cat / | + | |
- | certbot certificates | + | If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra ' |
- | cat /etc/cron.d/ | + | If a cert is expired, you must reissue a new cert. |
- | cat / | + | If a certificate |
- | </ | + | |
- | + | ||
- | ==== Trouble Renewing ==== | + | |
- | + | ||
- | If you see an error like this in the log: | + | |
- | < | + | |
- | + | ||
- | WARNING: | + | |
- | </ | + | |
- | + | ||
- | :!: This is probably due to a **SAN hostname**. | + | |
- | + | ||
- | Try adding the missing line from the '' | + | |
- | + | ||
- | < | + | |
- | vim / | + | |
- | hostname.domain.tld | + | ===== Modifications ===== |
- | sanhostname.domain.tld | + | |
- | </ | + | |
- | Then re-run the '' | + | <note tip> |
- | < | + | < |
- | Use of '' | + | <note tip> |
< | < | ||
- | /usr/bin/ | + | # |
+ | # | ||
+ | # Modification to suppress e-mailed cron job notifications every day | ||
+ | MAILTO="" | ||
+ | # | ||
+ | # Modification for SAN certificate with multiple hostnames | ||
+ | # This may/will need to be adjusted for hostnames and possibly cert name | ||
+ | # If you followed the howto above using just the actual hostname, it will look like this | ||
+ | /usr/local/sbin/ | ||
+ | # | ||
+ | # Modification to test if cert was changed then exit script | ||
+ | if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then | ||
+ | exit 0 | ||
+ | fi | ||
+ | # | ||
+ | cp "/ | ||
+ | chown zimbra: | ||
+ | wget -O /tmp/ISRG-X1.pem https:// | ||
+ | rm -f "/etc/letsencrypt/ | ||
+ | cp "/ | ||
+ | cat / | ||
+ | chown zimbra: | ||
+ | cd /tmp | ||
+ | su zimbra -c '/ | ||
+ | rm -f "/ | ||
</ | </ |
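Review bot: the `if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then exit 0` test in the "Modifications" script makes the whole deploy step depend on a log string: `grep` without `-q` also echoes the matching lines, the wording is certbot's free-text output and can change between releases, and nothing checks the exit status of the `/usr/local/sbin/...` renewal command that precedes it, so a renewal that fails (and therefore never logs "not yet due") falls through into the `cp`/`chown`/`su zimbra -c` steps and redeploys whatever is already on disk. Suggest at least `grep -q`, and better, move the deployment into a certbot `--deploy-hook` script, which certbot runs only after a certificate has actually been issued or renewed, and let a non-zero exit from the renewal command abort the job (`set -e`, or an explicit `|| exit 1` on that line). Two smaller points in the same block: `wget -O /tmp/ISRG-X1.pem https://...` fetches the root on every run into a fixed, predictable path in world-writable `/tmp` with no integrity check before `cat` appends it to the chain that gets deployed; write it to a root-owned directory and compare its fingerprint (`openssl x509 -noout -fingerprint -sha256 -in ...`) against a known value, or keep a vetted copy on disk instead of downloading each time. And `MAILTO=""` silences failed runs along with the daily noise; keeping `MAILTO` and making the no-op path quiet (`grep -q`, `wget -q`) would preserve the failure notifications.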