This shows you the differences between two versions of the page.
internet:security:ssl_cert_letsencrypt_zimbra [2022/08/02 09:26] gcooper |
internet:security:ssl_cert_letsencrypt_zimbra [2022/09/06 12:31] gcooper |
Line 1: | Line 1: | ||
====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ====== Using LetsEncrypt SSL Certificates with Zimbra ====== | ||
- | FIXME Need eval the latest info from Barry de Graaff (first link) | + | See also **[[internet: |
- | **Latest**: https:// | + | **Howto**: https:// |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
- | + | ||
- | https:// | + | |
<note warning> | <note warning> | ||
Your Zimbra will be restarted during this process, taking users offline! | Your Zimbra will be restarted during this process, taking users offline! | ||
</ | </ | ||
- | |||
- | <note warning> | ||
<note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</ | <note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</ | ||
- | < | + | < |
- | ===== Install acme.sh | + | ===== Troubleshooting |
- | < | + | Certbot logs to '' |
- | su - | + | |
- | mkdir /opt/zimbra/.acme.sh; chown zimbra: | + | |
- | su - zimbra | + | If you have trouble reissuing a new cert, or **if Zimbra won't start**, recreate and deploy a new self-signed cert to get Zimbra ' |
- | cd / | + | |
- | wget -O - https:// | + | |
- | </ | + | |
- | ===== Configure for LetsEncrypt ===== | + | If a cert is expired, you must reissue a new cert. |
- | Set defalt CA to LetsEncrypt | + | If a certificate renewal fails, try reissuing a new cert instead. |
- | < | + | ===== Modifications ===== |
- | su - zimbra | + | |
- | cd .acme.sh/ | + | |
- | ./acme.sh --set-default-ca --preferred-chain " | + | |
- | </ | + | |
- | ===== Upgrade acme.sh ===== | + | <note tip> |
- | <file> | + | <note tip>You **can** modify the script to support **additional SANs**...</note> |
- | ./acme.sh --upgrade | + | |
- | </file> | + | |
- | ===== View Deployed Certs ===== | + | <note tip> |
- | + | ||
- | ==== Zimbra ==== | + | |
< | < | ||
- | / | + | # |
+ | # | ||
+ | # Modification to suppress e-mailed cron job notifications every day | ||
+ | MAILTO="" | ||
+ | # | ||
+ | # Modification for SAN certificate with multiple hostnames | ||
+ | # This may/will need to be adjusted for hostnames and possibly cert name | ||
+ | # If you followed the howto above using just the actual hostname, it will look like this | ||
+ | / | ||
+ | # | ||
+ | # Modification to test if cert was changed then exit script | ||
+ | if grep "not yet due for renewal" | ||
+ | exit 0 | ||
+ | fi | ||
+ | # | ||
+ | cp "/ | ||
+ | chown zimbra: | ||
+ | wget -O / | ||
+ | rm -f "/ | ||
+ | cp "/ | ||
+ | cat / | ||
+ | chown zimbra: | ||
+ | cd /tmp | ||
+ | su zimbra -c '/ | ||
+ | rm -f "/ | ||
</ | </ | ||
- | |||
- | ==== acme.sh ==== | ||
- | |||
- | < | ||
- | ./acme.sh --list | ||
- | </ | ||
- | |||
- | ===== Create or Renew Cert ===== | ||
- | |||
- | Use the '' | ||
- | |||
- | < | ||
- | acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew | ||
- | </ | ||
- | |||
- | ===== Original Cert Deployment ===== | ||
- | |||
- | < | ||
- | acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld | ||
- | </ | ||
- | |||
- | ===== Troubleshooting ===== | ||
- | |||
- | See also **[[internet: | ||
- | |||
- | If a cert is expired, you must reissue a new cert. | ||
- | |||
- | If a certificate renewal fails, try reissuing a new cert instead. | ||
- | |||
- | If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra ' | ||
- |
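Review bot: in the added cron-script block (the "Modifications" section of the new revision), the `if grep "not yet due for renewal"` / `exit 0` guard only short-circuits the no-op case, so when certbot fails outright (challenge error, rate limit, network problem) the script falls through to the `cp`, `chown zimbra:`, `wget -O`, `cat` and `su zimbra -c '/...` steps and redeploys whatever is already on disk, restarting Zimbra for nothing even though the page's own warning says the restart takes users offline. Suggest capturing the exit status of the certbot invocation on the line above the grep (for example `... || exit 1` before testing the output) and doing the same for the `wget -O /...` line, since a failed or partial download is otherwise `cat`-ed into the bundle that gets deployed. Note also that `MAILTO=""` silences cron mail entirely, so without those exit checks a failed renewal produces no signal at all; if the intent is only to stop the daily no-op mail, keeping the early `exit 0` and letting failures return non-zero would preserve the failure notification.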