internet:security:ssl_cert_letsencrypt_zimbra

Differences

This shows you the differences between two versions of the page.

internet:security:ssl_cert_letsencrypt_zimbra [2022/01/17 10:41]
gcooper
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
Line 1: Line 1:
 ====== Using LetsEncrypt SSL Certificates with Zimbra ====== ====== Using LetsEncrypt SSL Certificates with Zimbra ======
  
-FIXME More notes than howto...+See also **[[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]]**
  
-https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt +**Howto**: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
- +
-https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh +
- +
-<note tip>When creating or renewing without a DNS API, you run an 'issue' command, then ADD records to your DNS, then rerun the 'issue' command with the --renew flag.</note> +
- +
-<note warning>When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.</note>+
  
 <note warning> <note warning>
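Review bot: the deleted `<note warning>` ("When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API") was the only place the page stated the renewal constraint, and nothing in the replacement carries it; suggest keeping that sentence as a one-line caveat beside the new howto link, since the script added later in this revision switches to `--standalone` validation and a reader who previously set up the manual DNS flow (the deleted `--issue` / `--renew` tip) will otherwise not see why automatic renewal does not work for their setup.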
Line 17: Line 11:
 <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
  
-===== Install acme.sh ===== +<note warning>The single-server portion of the howto is fantastic.  However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
- +
-<file> +
-su -  +
-mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh +
- +
-su - zimbra +
-cd /opt/zimbra/.acme.sh +
-wget -O -  https://get.acme.sh | sh +
-</file> +
- +
-===== Configure for LetsEncrypt ===== +
- +
-Set defalt CA to LetsEncrypt +
- +
-<file> +
-su - zimbra +
-cd .acme.sh/ +
-./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt +
-</file> +
- +
-===== Upgrade acme.sh ===== +
- +
-<file> +
-./acme.sh --upgrade +
-</file> +
- +
-===== View Deployed Certs ===== +
- +
-==== Zimbra ==== +
- +
-<file> +
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all +
-</file> +
- +
-==== acme.sh ==== +
- +
-<file> +
-./acme.sh --list +
-</file> +
- +
-===== Create or Renew Cert ===== +
- +
-Use the ''--renew'' flag for renewals.  This will also deploy the updated cert. +
- +
-<file> +
-acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew +
-</file> +
- +
-===== Original Cert Deployment ===== +
- +
-<file> +
-acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld +
-</file> +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
- +
-===== Install CertBot ===== +
- +
-You can use the install wizard at the ''certbot'' home page, or use your OS package manager. +
- +
-https://certbot.eff.org +
- +
-==== CentOS 7 ==== +
- +
-<file> +
-yum install certbot --enablerepo=epel +
-</file> +
- +
-==== Ubuntu 16.04 ==== +
- +
-:!: The PPA is for Ubuntu versions up to 18.04. +
- +
-<file> +
-apt-get update +
-apt-get install software-properties-common +
-add-apt-repository universe +
-add-apt-repository ppa:certbot/certbot +
-apt-get update +
-apt-get install certbot +
-</file> +
- +
-==== Ubuntu 20.04 ==== +
- +
-<file> +
-apt-get update +
-apt-get install certbot +
-</file> +
- +
-===== Disable Packaged Auto Renewal ===== +
- +
-When installing ''certbot'' via packages, we must disable auto-renewals configured in ''cron'' by the package installation: +
- +
-<file> +
-systemctl stop certbot.timer && systemctl disable certbot.timer +
- +
-vim /etc/cron.d/certbot +
-</file> +
- +
-**Comment out the last line.** +
- +
-<note warning>Installing or renewing a certificate will cause Zimbra to restart, breaking client connections temporarily.</note> +
- +
-===== New LetsEncrypt Certificate ===== +
- +
-<note important>You can specify **SAN hostnames** with (optional and multiple''-e san.domain.tld'' flags.</note> +
- +
-<file> +
-rm -f certbot_zimbra.sh +
-wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh +
-chmod +x certbot_zimbra.sh +
-./certbot_zimbra.sh -n -c +
-</file> +
- +
-===== Renew LetsEncrypt Certificate ===== +
- +
-:!: If the existing certificate has **expired**, you probably need to generate a **new** cert. +
- +
-<file> +
-./certbot_zimbra.sh -d +
-</file> +
- +
-===== Automatic Renewals ===== +
- +
-<file> +
-mv certbot_zimbra.sh /usr/local/bin/ +
-</file> +
- +
-<file> +
-vim /etc/cron.d/letsencrypt +
-</file> +
- +
-<file> +
-# certbot_zimbra.sh requires bash and a path with /usr/sbin +
-SHELL=/bin/bash +
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +
- +
-# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt +
-12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d" +
-</file> +
- +
-:!: Once your ''cron'' job has run successfully a few times (maybe after the first successful renewal), you can suppress unwanted e-mail messages every time the cron job runs by adding this to the end of the ''cron'' entry: +
- +
-<file> +
->> /dev/null 2>&+
-</file>+
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
  
-<file> +Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
-tail -f /var/log/letsencrypt/letsencrypt.log +
-cat /var/log/letsencrypt/letsencrypt.log+
  
-certbot certificates+If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert.
  
-cat /etc/cron.d/letsencrypt+If a cert is expired, you must reissue a new cert.
  
-cat /etc/letsencrypt/renewal/hostname.domain.tld.conf +If a certificate renewal fails, try reissuing a new cert instead.
-</file>+
  
-==== View Deployed Certs ==== +===== Modifications =====
- +
-<file> +
-su - zimbra +
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all +
-</file> +
- +
-==== Trouble Renewing ==== +
- +
-If you see an error like this in the log: +
-<file> +
- +
-WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld +
-</file> +
- +
-:!: This is probably due to a **SAN hostname**. +
- +
-Try adding the missing line from the ''[webroot_map]'' section: +
- +
-<file> +
-vim /etc/letsencrypt/renewal/hostname.domain.tld.conf +
-</file> +
- +
-<file> +
-hostname.domain.tld = /opt/zimbra/data/nginx/html +
-sanhostname.domain.tld = /opt/zimbra/data/nginx/html +
-</file>+
  
-Then re-run the ''cron'' command from ''/etc/cron.d/letsencrypt'':+<note tip>**Suppress daily cron e-mail message**...</note>
  
-<note warning>This will probably cause Zimbra to restart which will break client connections.+<note tip>You **can** modify the script to support **additional SANs**...</note>
  
-Use of ''deploy-hook'' should only restart Zimbra if the renewal is successful, whereas ''renew-hook'' would cause it to restart even if the renewal fails.</note>+<note tip>Adjust script to **only run if certificate is updated**...</note>
  
 <file> <file>
-/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"+#!/bin/bash 
 +
 +# Modification to suppress e-mailed cron job notifications every day 
 +MAILTO="" 
 +
 +# Modification for SAN certificate with multiple hostnames 
 +# This may/will need to be adjusted for hostnames and possibly cert name 
 +# If you followed the howto above using just the actual hostname, it will look like this 
 +/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email 
 +
 +# Modification to test if cert was changed then exit script 
 +if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then 
 +   exit 0 
 +fi 
 +
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt 
 +rm -"/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem" 
 +chown zimbra:zimbra /etc/letsencrypt -R 
 +cd /tmp 
 +su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"' 
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 </file> </file>
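Review bot: the "only run if certificate is updated" check (`if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then exit 0`) greps the whole accumulated log rather than the output of the `certonly` run just above it, so once any earlier run has logged that string the script will exit before deploying even on the day a renewal actually happens; test the current run instead (capture certonly's output to a file and grep that, or compare the fingerprint or mtime of `/etc/letsencrypt/live/.../cert.pem` against the certificate deployed under /opt/zimbra/ssl/zimbra/commercial/). Three further defects in the same block: `rm -"/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"` is missing the `f` and rm will reject the option as written; the `cat /tmp/ISRG-X1.pem >> ".../zimbra3.virtualarchitects.com/chainZimbra.pem"` and `zmcertmgr deploycrt comm ".../zimbra3.virtualarchitects.com/cert.pem"` lines point at a different live directory (and `--cert-name zimbra2.yourdomain.tld` at yet another name) than the `zimbra.yourdomain.tld` paths used everywhere else, so the chain that had the root appended is never the one deployed and the placeholder hostnames should be made consistent; and `chown zimbra:zimbra /etc/letsencrypt -R` hands the ACME account key and every private key under /etc/letsencrypt to the zimbra user, whereas copying cert and chain into /opt/zimbra/ssl/zimbra/commercial (as the script already does for privkey.pem) and deploying from there avoids widening that access. Note also that `MAILTO=""` silences failure mail along with the daily noise and `--register-unsafely-without-email` drops the Let's Encrypt expiry reminders, so a silently failing renewal will first surface when the certificate expires; the cron job should at least record a non-zero exit status somewhere that is monitored.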