This shows you the differences between two versions of the page.
internet:security:ssl_cert_letsencrypt_zimbra [2022/01/18 09:42] gcooper |
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31] gcooper |
Line 1: | Line 1: | ||
====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ||
- | https://wiki.zimbra.com/ | + | See also **[[internet: |
- | https://github.com/ | + | **Howto**: |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
<note warning> | <note warning> | ||
Your Zimbra will be restarted during this process, taking users offline! | Your Zimbra will be restarted during this process, taking users offline! | ||
</ | </ | ||
- | |||
- | <note warning> | ||
<note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</ | <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</ | ||
- | < | + | < |
- | ===== Install acme.sh | + | ===== Troubleshooting |
- | < | + | Certbot logs to '' |
- | su - | + | |
- | mkdir /opt/zimbra/.acme.sh; chown zimbra: | + | |
- | su - zimbra | + | If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra ' |
- | cd / | + | |
- | wget -O - https:// | + | |
- | </ | + | |
- | ===== Configure for LetsEncrypt ===== | + | If a cert is expired, you must reissue a new cert. |
- | Set defalt CA to LetsEncrypt | + | If a certificate renewal fails, try reissuing a new cert instead. |
- | < | + | ===== Modifications ===== |
- | su - zimbra | + | |
- | cd .acme.sh/ | + | |
- | ./acme.sh --set-default-ca --preferred-chain " | + | |
- | </ | + | |
- | ===== Upgrade acme.sh ===== | + | <note tip> |
- | <file> | + | <note tip>You **can** modify the script to support **additional SANs**...</note> |
- | ./acme.sh --upgrade | + | |
- | </file> | + | |
- | ===== View Deployed Certs ===== | + | <note tip> |
- | + | ||
- | ==== Zimbra ==== | + | |
< | < | ||
- | / | + | # |
+ | # | ||
+ | # Modification to suppress e-mailed cron job notifications every day | ||
+ | MAILTO="" | ||
+ | # | ||
+ | # Modification for SAN certificate with multiple hostnames | ||
+ | # This may/will need to be adjusted for hostnames and possibly cert name | ||
+ | # If you followed the howto above using just the actual hostname, it will look like this | ||
+ | / | ||
+ | # | ||
+ | # Modification to test if cert was changed then exit script | ||
+ | if grep "not yet due for renewal" | ||
+ | exit 0 | ||
+ | fi | ||
+ | # | ||
+ | cp "/ | ||
+ | chown zimbra: | ||
+ | wget -O / | ||
+ | rm -f "/ | ||
+ | cp "/ | ||
+ | cat / | ||
+ | chown zimbra: | ||
+ | cd /tmp | ||
+ | su zimbra -c '/ | ||
+ | rm -f "/ | ||
</ | </ | ||
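Review bot: the cron script added in this block (lines `MAILTO=""` through `su zimbra -c '/`) chains `cp`, `chown`, `wget -O`, `cat` and the `su zimbra -c` deploy step with no `set -e` and no exit-status checks after the `grep "not yet due for renewal"` early exit, so a failed or partial `wget -O` download would still be concatenated into the chain file and handed to the deploy step, and because `MAILTO=""` silences cron mail for the whole job, that failure would go unreported. Suggest opening the script with `set -euo pipefail` (or `wget ... || exit 1` on each fetch), and either keeping `MAILTO` pointed at an administrator or logging non-zero exits somewhere that is watched; the comment says the empty `MAILTO` exists only to stop the daily renewal notice, which the `exit 0` on the "not yet due" path already handles if the script is otherwise quiet on success.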
- | |||
- | ==== acme.sh ==== | ||
- | |||
- | < | ||
- | ./acme.sh --list | ||
- | </ | ||
- | |||
- | ===== Create or Renew Cert ===== | ||
- | |||
- | Use the '' | ||
- | |||
- | < | ||
- | acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew | ||
- | </ | ||
- | |||
- | ===== Original Cert Deployment ===== | ||
- | |||
- | < | ||
- | acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld | ||
- | </ | ||
- | |||
- | ===== Troubleshooting ===== | ||
- | |||
- | See also **[[internet: | ||
- | |||
- | If a cert is expired, you must reissue a new cert. | ||
- | |||
- | If a certificate renewal fails, try reissuing a new cert instead. | ||
- | |||
- | If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra ' | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | |||
- | Old Info | ||
- | |||
- | https:// | ||
- | |||
- | https:// | ||
- | |||
- | https:// | ||
- | |||
- | https:// | ||
- | |||
- | |||
- | zimbra@zimbra2: | ||
- | |||
- | [Wed Nov 10 20:24:04 MST 2021] It seems that you are using dns manual mode. Read this link first: https:// | ||
- | zimbra@zimbra2: | ||
- | [Wed Nov 10 20:25:27 MST 2021] Using CA: https:// | ||
- | [Wed Nov 10 20:25:28 MST 2021] Create account key ok. | ||
- | [Wed Nov 10 20:25:28 MST 2021] Registering account: https:// | ||
- | [Wed Nov 10 20:25:28 MST 2021] Registered | ||
- | [Wed Nov 10 20:25:28 MST 2021] ACCOUNT_THUMBPRINT=' | ||
- | [Wed Nov 10 20:25:28 MST 2021] Creating domain key | ||
- | [Wed Nov 10 20:25:28 MST 2021] The domain key is here: / | ||
- | [Wed Nov 10 20:25:28 MST 2021] Multi domain=' | ||
- | [Wed Nov 10 20:25:28 MST 2021] Getting domain auth token for each domain | ||
- | [Wed Nov 10 20:25:29 MST 2021] Getting webroot for domain=' | ||
- | [Wed Nov 10 20:25:30 MST 2021] Getting webroot for domain=' | ||
- | [Wed Nov 10 20:25:30 MST 2021] Add the following TXT record: | ||
- | [Wed Nov 10 20:25:30 MST 2021] Domain: ' | ||
- | [Wed Nov 10 20:25:30 MST 2021] TXT value: ' | ||
- | [Wed Nov 10 20:25:30 MST 2021] Please be aware that you prepend _acme-challenge. before your domain | ||
- | [Wed Nov 10 20:25:30 MST 2021] so the resulting subdomain will be: _acme-challenge.zimbra2.virtualarchitects.com | ||
- | [Wed Nov 10 20:25:30 MST 2021] Add the following TXT record: | ||
- | [Wed Nov 10 20:25:30 MST 2021] Domain: ' | ||
- | [Wed Nov 10 20:25:30 MST 2021] TXT value: ' | ||
- | [Wed Nov 10 20:25:30 MST 2021] Please be aware that you prepend _acme-challenge. before your domain | ||
- | [Wed Nov 10 20:25:30 MST 2021] so the resulting subdomain will be: _acme-challenge.zimbra.virtualarchitects.com | ||
- | [Wed Nov 10 20:25:30 MST 2021] Please add the TXT records to the domains, and re-run with --renew. | ||
- | [Wed Nov 10 20:25:30 MST 2021] Please add ' | ||
- | [Wed Nov 10 20:25:30 MST 2021] See: https:// | ||
- | zimbra@zimbra2: | ||
- | [Wed Nov 10 20:34:57 MST 2021] Renew: ' | ||
- | [Wed Nov 10 20:34:57 MST 2021] Using CA: https:// | ||
- | [Wed Nov 10 20:34:57 MST 2021] Multi domain=' | ||
- | [Wed Nov 10 20:34:57 MST 2021] Getting domain auth token for each domain | ||
- | [Wed Nov 10 20:34:57 MST 2021] Verifying: zimbra2.virtualarchitects.com | ||
- | [Wed Nov 10 20:34:58 MST 2021] Pending, The CA is processing your order, please just wait. (1/30) | ||
- | [Wed Nov 10 20:35:00 MST 2021] Success | ||
- | [Wed Nov 10 20:35:00 MST 2021] Verifying: zimbra.virtualarchitects.com | ||
- | [Wed Nov 10 20:35:01 MST 2021] Pending, The CA is processing your order, please just wait. (1/30) | ||
- | [Wed Nov 10 20:35:03 MST 2021] Success | ||
- | [Wed Nov 10 20:35:03 MST 2021] Verify finished, start to sign. | ||
- | [Wed Nov 10 20:35:03 MST 2021] Lets finalize the order. | ||
- | [Wed Nov 10 20:35:03 MST 2021] Le_OrderFinalize=' | ||
- | [Wed Nov 10 20:35:05 MST 2021] Downloading cert. | ||
- | [Wed Nov 10 20:35:05 MST 2021] Le_LinkCert=' | ||
- | [Wed Nov 10 20:35:05 MST 2021] Try rel: https:// | ||
- | [Wed Nov 10 20:35:05 MST 2021] Matched issuer in: https:// | ||
- | [Wed Nov 10 20:35:05 MST 2021] Cert success. | ||
- | -----BEGIN CERTIFICATE----- | ||
- | MIIFXjCCBEagAwIBAgISBOYjSZrLBxMOrhY657hexznjMA0GCSqGSIb3DQEBCwUA | ||
- | MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD | ||
- | EwJSMzAeFw0yMTExMTEwMjM1MDRaFw0yMjAyMDkwMjM1MDNaMCgxJjAkBgNVBAMT | ||
- | HXppbWJyYTIudmlydHVhbGFyY2hpdGVjdHMuY29tMIIBIjANBgkqhkiG9w0BAQEF | ||
- | AAOCAQ8AMIIBCgKCAQEAuYahvVpEfTwfdN0ywalrml7oJNhJxUX2IofWi0PikOvs | ||
- | QmuUosN0bLYB4ARLiSZ7hM+Sm7oKqf3/ | ||
- | FbWO1GaVhMreBqMiXzoTy9D6fHQrfPVUeDF1bMkNaaJRwIzDLvV76P9mjqePnKX9 | ||
- | s5MLjFIEY3R7FbSxgcevm6uJr0cvNL8Bxd+CRWxM3oj7vGhsalcy3Al2aX7Dx+Re | ||
- | G0Icj3Xrxg5Onol87yznT8OhG7rPXBabmgEMmIL6hGokKcDrJ3ZkKtRqHb+Tj8Gj | ||
- | yivtTvuG3HV46SEnwhhByVoewDRffCExU47+auehtQIDAQABo4ICdjCCAnIwDgYD | ||
- | VR0PAQH/ | ||
- | HRMBAf8EAjAAMB0GA1UdDgQWBBSFjCrAa7t2+5jG/ | ||
- | GDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYB | ||
- | BQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDov | ||
- | L3IzLmkubGVuY3Iub3JnLzBGBgNVHREEPzA9ghx6aW1icmEudmlydHVhbGFyY2hp | ||
- | dGVjdHMuY29tgh16aW1icmEyLnZpcnR1YWxhcmNoaXRlY3RzLmNvbTBMBgNVHSAE | ||
- | RTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRw | ||
- | Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2 | ||
- | AEalVet1+pEgMLWiiWn0830RLEF0vv1JuIWr8vxw/ | ||
- | RQIgCKpqWqmK9RFe1FgrLZfNt3hcvz0nIRmMTcV9GeFtHesCIQDYeWP7Zu7jKYEu | ||
- | rx3LV8ZsxM3slRUJiRDKdr/ | ||
- | KQaNsgiaN9kTAAABfQ0QMYwAAAQDAEcwRQIgBj9euaJoExyL0PhAHltebzXKfiEK | ||
- | HPFb02vJkxSFV4wCIQD31pTo6/ | ||
- | BgkqhkiG9w0BAQsFAAOCAQEAT/ | ||
- | 4W7DnvNT6d7qUoCL8sZicfSNFgGBaHt4dzIZuvYCOhiO+eDTVUUzfPHViPuogX8F | ||
- | hk41Abd5ND3N9Ep2tPiefT1YE1f5fjuMQy7RsNmQtSk07ODUR/ | ||
- | rGOTqjXy/ | ||
- | mEqyUPR+yxADn1nOPUS5xpaVXN0jbaF2dXWjrzjE0NMWGa1EkXLwFImz8D106LzH | ||
- | 3ug4SC/ | ||
- | -----END CERTIFICATE----- | ||
- | [Wed Nov 10 20:35:05 MST 2021] Your cert is in: / | ||
- | [Wed Nov 10 20:35:05 MST 2021] Your cert key is in: / | ||
- | [Wed Nov 10 20:35:05 MST 2021] The intermediate CA cert is in: / | ||
- | [Wed Nov 10 20:35:05 MST 2021] And the full chain certs is there: / | ||
- | zimbra@zimbra2: | ||
- | |||
- | |||
- | |||
- | acme.sh --deploy --deploy-hook zimbra -d zimbra2.virtualarchitects.com -d zimbra.virtualarchitects.com | ||
- | |||
- | zimbra@zimbra2: | ||
- | ** Verifying '/ | ||
- | Certificate '/ | ||
- | ** Verifying '/ | ||
- | Valid certificate chain: / | ||
- | ** Verifying '/ | ||
- | Certificate '/ | ||
- | ** Verifying '/ | ||
- | Valid certificate chain: / | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** Appending ca chain '/ | ||
- | ** Importing cert '/ | ||
- | ** NOTE: restart mailboxd to use the imported certificate. | ||
- | ** Saving config key ' | ||
- | ** Saving config key ' | ||
- | ** Installing imapd certificate '/ | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** Creating file '/ | ||
- | ** Creating keystore '/ | ||
- | ** Installing ldap certificate '/ | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** Creating file '/ | ||
- | ** Creating keystore '/ | ||
- | ** Installing mta certificate '/ | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** Installing proxy certificate '/ | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** NOTE: restart services to use the new certificates. | ||
- | ** Cleaning up 9 files from '/ | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Removing / | ||
- | ** Copying CA to / | ||
- | ** Copying '/ | ||
- | ** Copying '/ | ||
- | ** Creating CA hash symlink ' | ||
- | ** Creating / | ||
- | ** Creating CA hash symlink ' | ||
- | ** Creating / | ||
- | ** Creating CA hash symlink ' | ||
- | ** Creating / | ||
- | ** Creating CA hash symlink ' | ||
- | Host zimbra2.virtualarchitects.com | ||
- | Stopping zmconfigd...Done. | ||
- | Stopping zimlet webapp...Done. | ||
- | Stopping zimbraAdmin webapp...Done. | ||
- | Stopping zimbra webapp...Done. | ||
- | Stopping service webapp...Done. | ||
- | Stopping stats...Done. | ||
- | Stopping mta...Done. | ||
- | Stopping spell...Done. | ||
- | Stopping snmp...Done. | ||
- | Stopping cbpolicyd...Done. | ||
- | Stopping archiving...Done. | ||
- | Stopping opendkim...Done. | ||
- | Stopping amavis...Done. | ||
- | Stopping antivirus...Done. | ||
- | Stopping antispam...Done. | ||
- | Stopping proxy...Done. | ||
- | Stopping memcached...Done. | ||
- | Stopping mailbox...Done. | ||
- | Stopping logger...Done. | ||
- | Stopping dnscache...Done. | ||
- | Stopping ldap...Done. | ||
- | Host zimbra2.virtualarchitects.com | ||
- | Starting ldap...Done. | ||
- | Starting zmconfigd...Done. | ||
- | Starting dnscache...Done. | ||
- | Starting logger...Done. | ||
- | Starting mailbox...Done. | ||
- | Starting memcached...Done. | ||
- | Starting proxy...Done. | ||
- | Starting amavis...Done. | ||
- | Starting antispam...Done. | ||
- | Starting antivirus...Done. | ||
- | Starting opendkim...Done. | ||
- | Starting snmp...Done. | ||
- | Starting spell...Done. | ||
- | Starting mta...Done. | ||
- | Starting stats...Done. | ||
- | Starting service webapp...Done. | ||
- | Starting zimbra webapp...Done. | ||
- | Starting zimbraAdmin webapp...Done. | ||
- | Starting zimlet webapp...Done. | ||
- | [Wed Nov 10 20:48:31 MST 2021] Success |
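Review bot: removing the "Old Info" transcript also removes the page's only sample of a successful `zmcertmgr` verify-and-deploy run (the `Valid certificate chain:` and `** NOTE: restart services to use the new certificates.` lines), which is exactly what a reader of the new Troubleshooting section would want to compare against when the cron script's deploy step misbehaves; suggest keeping a short excerpt of those verify/deploy lines under Troubleshooting, while still dropping the full PEM block, the `ACCOUNT_THUMBPRINT=` line and the service stop/start listing, which add nothing to the howto.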