internet:security:ssl_cert_letsencrypt_zimbra

Differences

This shows you the differences between two versions of the page.
internet:security:ssl_cert_letsencrypt_zimbra [2022/01/17 10:47]
gcooper
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31]
gcooper
Line 1: Line 1:
 ====== Using LetsEncrypt SSL Certificates with Zimbra ====== ====== Using LetsEncrypt SSL Certificates with Zimbra ======
  
-FIXME More notes than howto...+See also **[[internet:mail:zimbra:zimbra_ssl#self-signed_certificates|Zimbra Self-Signed SSL Certs]]**
  
-https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt +**Howto**: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
- +
-https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh +
- +
-<note tip>When creating or renewing without a DNS API, you run an 'issue' command, then ADD records to your DNS, then rerun the 'issue' command with the --renew flag.</note> +
- +
-<note warning>When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.</note>+
  
 <note warning> <note warning>
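Review bot: the removed `<note warning>` about DNS-based validation (no automatic renewal unless the DNS provider has a supported API) is a general Let's Encrypt constraint rather than something specific to acme.sh, and the replacement line only links the certbot howto without saying which validation method it uses. Consider keeping a one-line version of that warning beside the new **Howto** link, since a reader who picks DNS validation for a certificate with extra SANs would still run into it.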
Line 17: Line 11:
 <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note> <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
  
-===== Install acme.sh =====+<note warning>The single-server portion of the howto is fantastic However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.</note>
  
-<file> +===== Troubleshooting =====
-su -  +
-mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh+
  
-su - zimbra +Certbot logs to ''/var/log/letsencrypt/letsencrypt.log''.
-cd /opt/zimbra/.acme.sh +
-wget -O -  https://get.acme.sh | sh +
-</file>+
  
-===== Configure for LetsEncrypt =====+If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert.
  
-Set defalt CA to LetsEncrypt+If a cert is expired, you must reissue a new cert.
  
-<file> +If a certificate renewal fails, try reissuing a new cert instead.
-su - zimbra +
-cd .acme.sh/ +
-./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt +
-</file>+
  
-===== Upgrade acme.sh =====+===== Modifications =====
  
-<file> +<note tip>**Suppress daily cron e-mail message**...</note>
-./acme.sh --upgrade +
-</file>+
  
-===== View Deployed Certs =====+<note tip>You **can** modify the script to support **additional SANs**...</note>
  
-==== Zimbra ====+<note tip>Adjust script to **only run if certificate is updated**...</note>
  
 <file> <file>
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all+#!/bin/bash 
 +
 +# Modification to suppress e-mailed cron job notifications every day 
 +MAILTO="" 
 +
 +# Modification for SAN certificate with multiple hostnames 
 +# This may/will need to be adjusted for hostnames and possibly cert name 
 +# If you followed the howto above using just the actual hostname, it will look like this 
 +/usr/local/sbin/certbot certonly --cert-name zimbra2.yourdomain.tld -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email 
 +
 +# Modification to test if cert was changed then exit script 
 +if grep "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then 
 +   exit 0 
 +fi 
 +
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key 
 +wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt 
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cp "/etc/letsencrypt/live/zimbra.yourdomain.tld/chain.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem" 
 +cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/chainZimbra.pem" 
 +chown zimbra:zimbra /etc/letsencrypt -R 
 +cd /tmp 
 +su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/zimbra3.virtualarchitects.com/cert.pem" "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"' 
 +rm -f "/etc/letsencrypt/live/zimbra.yourdomain.tld/chainZimbra.pem"
 </file> </file>
- 
-==== acme.sh ==== 
- 
-<file> 
-./acme.sh --list 
-</file> 
- 
-===== Create or Renew Cert ===== 
- 
-Use the ''--renew'' flag for renewals.  This will also deploy the updated cert. 
- 
-<file> 
-acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew 
-</file> 
- 
-===== Original Cert Deployment ===== 
- 
-<file> 
-acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld 
-</file> 
- 
-===== Troubleshooting ===== 
- 
-If a cert is expired, you must reissue a new cert. 
- 
-If a certificate renewal fails, try reissuing a new cert instead. 
- 
-If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra 'working' again.  Then re-implement a LetsEncrypt cert. 
- 
-
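Review bot: the paths inside the added script do not agree with each other, so the chain that gets deployed is not the one the root was appended to: `certbot certonly --cert-name zimbra2.yourdomain.tld` writes to `/etc/letsencrypt/live/zimbra2.yourdomain.tld/`, the `cp` lines read from `/etc/letsencrypt/live/zimbra.yourdomain.tld/`, and two lines (`cat /tmp/ISRG-X1.pem >> ".../live/zimbra3.virtualarchitects.com/chainZimbra.pem"` and the `cert.pem` argument to `zmcertmgr deploycrt comm`) still reference a real hostname, `zimbra3.virtualarchitects.com`, that nothing else in the script uses. Define the live directory once in a variable and use it on every line. Two smaller points: `chown zimbra:zimbra /etc/letsencrypt -R` hands the entire certbot state, account key included, to the zimbra user, when only the copied `commercial.key` and the temporary `chainZimbra.pem` need to be readable by it; and `--register-unsafely-without-email` means no expiry notices reach anyone if the cron job starts failing quietly, so the `exit 0` short-circuit should be paired with some failure alerting rather than only suppressing output with `MAILTO=""`.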