internet:security:ssl_cert_letsencrypt_zimbra [2021/06/15 09:20] gcooper
====== Using LetsEncrypt SSL Certificates with Zimbra ======

<note important>This may be a better way, **simpler** and with **no dependencies**:

https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh

https://forums.zimbra.org/viewtopic.php?f=15&t=60781
</note>

The rest of this page uses the ''certbot-zimbra'' wrapper script, which drives ''certbot'' and installs the result into Zimbra:

https://lorenzo.mile.si/letsencrypt-zimbra-the-easy-way/

https://github.com/YetOpen/certbot-zimbra

===== Install CertBot =====

You can use the install wizard at the ''certbot'' home page, or use your OS package manager.

https://certbot.eff.org

==== CentOS 7 ====

<file>
yum install certbot --enablerepo=epel
</file>

==== Ubuntu 16.04 ====

:!: The PPA is for Ubuntu versions up to 18.04.

<file>
apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
</file>

==== Ubuntu 20.04 ====

<file>
apt-get update
apt-get install certbot
</file>

===== Disable Packaged Auto Renewal =====

When ''certbot'' is installed from packages, the package also sets up its own automatic renewal (a systemd timer and/or a ''cron'' entry). That job runs ''certbot renew'' **without** the Zimbra hooks used below, so a certificate it renews would never be deployed into Zimbra. Disable it:

<file>
systemctl stop certbot.timer && systemctl disable certbot.timer

vim /etc/cron.d/certbot
</file>

**Comment out the last line** (the one that invokes ''certbot renew''), so that only the ''cron'' job defined below performs renewals. If ''certbot.timer'' does not exist on your system, check ''systemctl list-timers'' for the name your package uses.

<note warning>Installing or renewing a certificate will cause Zimbra to restart, breaking client connections temporarily.</note>

===== New LetsEncrypt Certificate =====

<note important>You can specify **SAN hostnames** with (optional and multiple) ''-e san.domain.tld'' flags.</note>

''-n'' requests a **new** certificate; ''-c'' makes the script ask for confirmation before each step instead of assuming yes. The script runs as root and patches Zimbra's nginx configuration so that the ACME challenge can be served, so read it before running it, and consider fetching a tagged release instead of ''master'' if you want a reproducible install.

<file>
rm -f certbot_zimbra.sh
wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh
chmod +x certbot_zimbra.sh
./certbot_zimbra.sh -n -c
</file>

===== Renew LetsEncrypt Certificate =====

''certbot_zimbra.sh -d'' does not contact LetsEncrypt itself: it **deploys** the certificate that ''certbot'' already holds under ''/etc/letsencrypt/live/'' into Zimbra and restarts it. Run ''certbot renew'' first, or let the ''cron'' job below do both.

:!: If the existing certificate has **expired**, you probably need to generate a **new** cert.

<file>
./certbot_zimbra.sh -d
</file>

===== Automatic Renewals =====

<file>
mv certbot_zimbra.sh /usr/local/bin/
</file>

<file>
vim /etc/cron.d/letsencrypt
</file>

<file>
# certbot_zimbra.sh requires bash and a path with /usr/sbin
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
</file>

The ''--pre-hook'' (''-p'', patch only) re-applies the nginx patch before a renewal attempt, in case a Zimbra upgrade has overwritten the templates; the ''--deploy-hook'' (''-d'', deploy only) installs the new certificate into Zimbra, and runs only when a certificate was actually renewed.

:!: Once your ''cron'' job has run successfully a few times (maybe after the first successful renewal), you can suppress the e-mail ''cron'' sends on every run by adding this to the end of the ''cron'' entry:

<file>
>> /dev/null 2>&1
</file>

Be aware that this discards **errors** too, so a renewal that starts failing goes unnoticed until the certificate expires. A safer choice is ''certbot renew --quiet'', which prints only errors, so a failure is still mailed while a routine run stays silent; also check ''certbot certificates'' from time to time.

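Another way to keep the mail useful is to wrap the renewal in a small script. The following is an added example, not from this page or from ''certbot-zimbra'': it logs every ''certbot renew'' run to a file and only produces output (and therefore ''cron'' mail) when the run fails. The script name ''/usr/local/bin/zimbra-renew.sh'', its ''renew'' argument and the log path in ''RENEW_LOG'' are assumptions; the ''certbot'' command and hooks are the ones from the ''cron'' entry above.

```shell
#!/bin/sh
# Added example (not part of this page or of certbot-zimbra): run the
# renewal so that cron only mails on failure while every run is logged.
#
# Install as /usr/local/bin/zimbra-renew.sh (assumed name) and change the
# cron entry in /etc/cron.d/letsencrypt to:
#   12 5 * * * root /usr/local/bin/zimbra-renew.sh renew

# Assumed log location; any file root can append to will do.
RENEW_LOG=${RENEW_LOG:-/var/log/letsencrypt/zimbra-renew.log}

# run_quiet LOGFILE CMD [ARGS...]
# Runs CMD with stdout and stderr captured, appends a timestamped record of
# the run (exit status, command line, output) to LOGFILE, and re-emits the
# captured output on stderr only when CMD exits non-zero. Returns CMD's
# exit status. cron mails whenever a job prints something, so a successful
# renewal is silent and a failed one lands in root's mailbox.
run_quiet() {
    log=$1; shift
    rc=0
    out=$("$@" 2>&1) || rc=$?
    {
        printf '%s rc=%s: %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$rc" "$*"
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
        fi
    } >> "$log"
    if [ "$rc" -ne 0 ]; then
        printf 'renewal failed (rc=%s), see %s\n%s\n' "$rc" "$log" "$out" >&2
    fi
    return "$rc"
}

case "${1:-}" in
    renew)
        # Same PATH as the page's cron entry: certbot_zimbra.sh needs /usr/sbin.
        PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
        export PATH
        run_quiet "$RENEW_LOG" /usr/bin/certbot renew \
            --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" \
            --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
        ;;
esac
```

''run_quiet'' can be exercised with any command before it is wired to ''certbot'', for example ''run_quiet /tmp/renew.log sh -c 'exit 3' '' prints the failure notice and returns 3, while a command that exits 0 only leaves a line in the log.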
===== Troubleshooting =====

<file>
tail -f /var/log/letsencrypt/letsencrypt.log
cat /var/log/letsencrypt/letsencrypt.log

certbot certificates

cat /etc/cron.d/letsencrypt

cat /etc/letsencrypt/renewal/hostname.domain.tld.conf
</file>

==== Trouble Renewing ====

If you see an error like this in the log:

<file>
WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld
</file>

:!: This is probably due to a **SAN hostname** that has no webroot entry in the renewal configuration.

Try adding the missing line to the ''webroot_map'' section (''certbot'' writes the header as ''%%[[webroot_map]]%%'', nested under ''[renewalparams]''); every name on the certificate needs one:

<file>
vim /etc/letsencrypt/renewal/hostname.domain.tld.conf

hostname.domain.tld = /opt/zimbra/data/nginx/html
sanhostname.domain.tld = /opt/zimbra/data/nginx/html
</file>

Then re-run the ''cron'' command from ''/etc/cron.d/letsencrypt'':

<note warning>This will probably cause Zimbra to restart which will break client connections.

''--deploy-hook'' runs (and so restarts Zimbra) only when a certificate was actually renewed, whereas ''--post-hook'' runs after every renewal attempt, even a failed one. ''--renew-hook'' is merely the deprecated name for ''--deploy-hook''.</note>

<file>
/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
</file>
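
Editing the renewal configuration by hand is error-prone once a certificate carries several SAN names. As an added example (not from this page or from ''certbot-zimbra''), the script below checks every name you pass against the ''webroot_map'' section of a renewal file and inserts the missing ''name = webroot'' lines, leaving existing entries alone so it can be re-run safely. It accepts both the ''[webroot_map]'' spelling used above and the nested ''%%[[webroot_map]]%%'' header ''certbot'' actually writes. Its ''demo'' mode runs against a constructed renewal file, not a real one; the function name and the demo file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from this page or from certbot-zimbra): add missing
# webroot_map entries to a certbot renewal configuration instead of
# editing it by hand.

# ensure_webroot_map CONF WEBROOT DOMAIN...
# For each DOMAIN that has no "DOMAIN = ..." line inside the webroot_map
# section of CONF, inserts "DOMAIN = WEBROOT" directly after the section
# header and prints DOMAIN. Names already mapped are untouched (idempotent).
ensure_webroot_map() {
    conf=$1; webroot=$2; shift 2
    [ -f "$conf" ] || { echo "ensure_webroot_map: no such file: $conf" >&2; return 1; }
    # certbot always writes the section, but a hand-edited file may have
    # lost it; append one so the insert below has an anchor.
    grep -Eq '^\[\[?webroot_map' "$conf" || printf '[[webroot_map]]\n' >> "$conf"
    for d in "$@"; do
        # Look for the key only inside the webroot_map section ("[[" or "[").
        if awk -v d="$d" '
            /^\[/ { in_map = ($0 ~ /^\[+webroot_map/); next }
            in_map { key = $0; sub(/[ \t]*=.*/, "", key); if (key == d) found = 1 }
            END { if (found) exit 0; exit 1 }' "$conf"
        then
            continue
        fi
        # Insert right after the header so the line lands inside the map
        # even if other sections follow it.
        tmp="$conf.tmp.$$"
        awk -v line="$d = $webroot" '
            { print }
            /^\[+webroot_map/ && !done { print line; done = 1 }' "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
        echo "$d"
    done
}

# Demo on a constructed renewal file (assumed contents, not a real one).
demo_ensure_webroot_map() {
    dir=$(mktemp -d)
    cat > "$dir/hostname.domain.tld.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/hostname.domain.tld
cert = /etc/letsencrypt/live/hostname.domain.tld/cert.pem
privkey = /etc/letsencrypt/live/hostname.domain.tld/privkey.pem
chain = /etc/letsencrypt/live/hostname.domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/hostname.domain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
hostname.domain.tld = /opt/zimbra/data/nginx/html
EOF
    # Only sanhostname.domain.tld is missing, so only it is added and printed.
    ensure_webroot_map "$dir/hostname.domain.tld.conf" /opt/zimbra/data/nginx/html \
        hostname.domain.tld sanhostname.domain.tld
    cat "$dir/hostname.domain.tld.conf"
    rm -rf "$dir"
}

case "${1:-}" in
    demo) demo_ensure_webroot_map ;;
esac
```

Run it as ''ensure_webroot_map.sh demo'' to see the constructed file before and after, or source the file and call ''ensure_webroot_map /etc/letsencrypt/renewal/hostname.domain.tld.conf /opt/zimbra/data/nginx/html hostname.domain.tld sanhostname.domain.tld'' before re-running the ''certbot renew'' command above. Take the list of names from ''certbot certificates'' so that no SAN is left unmapped.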