Using LetsEncrypt SSL Certificates with Zimbra

Install CertBot

You can use the install wizard at the certbot home page, or use your OS package manager.

https://certbot.eff.org

CentOS 7

yum install certbot --enablerepo=epel

Ubuntu 16.04

:!: The PPA is for Ubuntu versions up to 18.04.

apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Ubuntu 20.04

apt-get update
apt-get install certbot

Disable Packaged Auto Renewal

When certbot is installed from packages, it also installs a systemd timer and/or a cron job that runs certbot -q renew on its own. That renewal knows nothing about Zimbra: a renewed certificate would sit in /etc/letsencrypt without being deployed, and the job would compete with the hooked cron entry set up below. Disable both:

systemctl stop certbot.timer && systemctl disable certbot.timer

vim /etc/cron.d/certbot

Comment out the last line (the one ending in certbot -q renew).

Installing or renewing a certificate will cause Zimbra to restart, breaking client connections temporarily.

New LetsEncrypt Certificate

Download the certbot-zimbra helper script and request the certificate. -n requests a new certificate through certbot and -c asks for confirmation before each step; SAN hostnames can be added with one or more (optional) -e san.domain.tld flags. The script is fetched from the master branch of a third-party repository and runs as root, so read it (and prefer a pinned release tag) before executing it.

rm -f certbot_zimbra.sh
wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh
chmod +x certbot_zimbra.sh
./certbot_zimbra.sh -n -c

Renew LetsEncrypt Certificate

:!: -d only deploys the certificate already present under /etc/letsencrypt/live into Zimbra (and restarts it); it does not contact Let's Encrypt. To renew by hand, run the same certbot renew command used by the cron job in Automatic Renewals below, which calls -d on success. If the existing certificate has already expired, certbot renew can still replace it (a renewal is simply a new ACME order); if renewal keeps failing, request a new certificate with -n as above.

./certbot_zimbra.sh -d

Automatic Renewals

Move the script somewhere on root's PATH and create a cron entry that runs certbot renew with the certbot-zimbra hooks. The pre-hook (-p) re-applies the nginx template patch that serves the ACME challenge, in case a Zimbra upgrade replaced the templates; the deploy-hook (-d) installs the renewed certificate into Zimbra and restarts it. certbot only runs the hooks when a certificate is actually due for renewal, so on most days the job does nothing.

mv certbot_zimbra.sh /usr/local/bin/
vim /etc/cron.d/letsencrypt
# certbot_zimbra.sh requires bash and a path with /usr/sbin
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Replace /usr/bin/certbot with the location of your certbot binary; find it with: which certbot-auto certbot letsencrypt
12 5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"

:!: Once the job has run successfully a few times (ideally including one actual renewal), you can suppress the routine "not yet due for renewal" mail by adding -q (--quiet) to the certbot command: it silences everything except errors, so a failed renewal still reaches you. Appending the following to the cron entry instead discards the errors as well, and a broken renewal then goes unnoticed until the certificate expires:

>> /dev/null 2>&1
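Because a silenced cron job can fail without anyone noticing, it is worth checking independently that the certificate Zimbra actually serves is the one certbot last issued and is not close to expiry. The script below is an added example, not part of this page or of the certbot-zimbra project: it fetches the leaf certificate from the Zimbra proxy with openssl s_client, compares its SHA-256 fingerprint with the live certificate under /etc/letsencrypt, and uses openssl x509 -checkend for the expiry test. The hostname mail.example.test, port 443 and the 14-day threshold are assumptions; adjust them to your installation.

```shell
#!/bin/bash
# Added example (not from the page or the certbot-zimbra project): verify that the
# certificate Zimbra serves is the one certbot most recently issued and that it is
# not about to expire. Intended as a second cron job once renewal output is quiet.
# Hostname, port and paths below are assumptions, not values from the page.
set -u

# SHA-256 fingerprint of the certificate in a PEM file (colon-separated hex).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fetch the leaf certificate presented by HOST:PORT (TLS with SNI) into FILE.
# Assumption: the Zimbra proxy listens on 443; zimbraMailProxyPort may differ.
fetch_served_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Exit 0 if the certificate in FILE is still valid DAYS days from now, 1 if it
# expires sooner. -checkend avoids parsing notAfter with non-portable date(1) flags.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Exit 0 if both PEM files contain the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Compare what HOST serves with certbot's live certificate LIVE_PEM.
# Exit codes: 0 healthy, 1 served cert differs from live cert, 2 expiring soon, 3 fetch failed.
check_zimbra_cert() {
    host=$1; live_pem=$2; port=${3:-443}; min_days=${4:-14}
    tmp=$(mktemp) || return 3
    if ! fetch_served_cert "$host" "$port" "$tmp"; then
        echo "cannot fetch certificate from $host:$port" >&2
        rm -f "$tmp"
        return 3
    fi
    rc=0
    if ! same_cert "$tmp" "$live_pem"; then
        echo "MISMATCH: $host serves $(cert_fingerprint "$tmp") but live cert is $(cert_fingerprint "$live_pem")" >&2
        rc=1
    elif ! valid_for_days "$tmp" "$min_days"; then
        echo "EXPIRING: certificate served by $host expires within $min_days days" >&2
        rc=2
    fi
    rm -f "$tmp"
    return $rc
}

# Run the check only when invoked with host and live-cert arguments, e.g.
#   check_zimbra_cert.sh mail.example.test /etc/letsencrypt/live/mail.example.test/cert.pem
if [ "$#" -eq 2 ]; then
    check_zimbra_cert "$1" "$2"
fi
```

A non-zero exit from cron produces mail only if the job prints something, which is why the failure branches write to stderr; the fingerprint comparison also catches the case where certbot renewed successfully but the deploy hook never ran.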

Troubleshooting

tail -f /var/log/letsencrypt/letsencrypt.log
cat /var/log/letsencrypt/letsencrypt.log

certbot certificates

cat /etc/cron.d/letsencrypt

cat /etc/letsencrypt/renewal/hostname.domain.tld.conf

View Deployed Certs

su - zimbra
/opt/zimbra/bin/zmcertmgr viewdeployedcrt all

Trouble Renewing

If you see an error like this in the log:

WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld

:!: This usually means a name in the certificate (typically a SAN hostname added with -e) has no entry in the [[webroot_map]] section of the renewal config, so certbot does not know where to place the ACME challenge file for it.

Add a line for the missing name to the [[webroot_map]] section, pointing at the same Zimbra webroot as the main hostname:

vim /etc/letsencrypt/renewal/hostname.domain.tld.conf
hostname.domain.tld = /opt/zimbra/data/nginx/html
sanhostname.domain.tld = /opt/zimbra/data/nginx/html

Then re-run the renewal command from /etc/cron.d/letsencrypt:

/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"

If a certificate is due, this will cause Zimbra to restart, which breaks client connections.

--deploy-hook runs only after a successful renewal, so Zimbra is restarted only when there is a new certificate to deploy (--renew-hook is the older name for the same behaviour). It is --post-hook that runs whether or not renewal succeeded, which is why it should not be used for the deploy step.
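The webroot_map check above can be scripted so it is run before the cron job rather than discovered from the log. The following is an added example, not code from this page or from the certbot-zimbra project: it reports which of the certificate's names have no entry under [[webroot_map]] in a certbot renewal config and adds the missing ones directly under that header, rewriting the file in place so its ownership and mode are preserved. The sample renewal config it writes is constructed for illustration; the names mail.example.test and autodiscover.example.test and the webroot /opt/zimbra/data/nginx/html are assumptions.

```shell
#!/bin/bash
# Added example (not from the page or the certbot-zimbra project): find SAN names
# that have no [[webroot_map]] entry in a certbot renewal config (the cause of
# "Select the webroot for <name>" during renew) and add them. Hostnames and the
# webroot path are assumptions; the sample config is constructed for illustration.
set -u

# Print, one per line, the names among DOMAIN... that have no entry in the
# [[webroot_map]] section of CONF.
webroot_map_missing() {
    conf=$1; shift
    awk -v want="$*" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }   # enter the map section
        /^\[/                  { in_map = 0 }         # any other header ends it
        in_map && /=/ {                                # "name = /path" lines
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            have[kv[1]] = 1
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in have)) print w[i]
        }' "$conf"
}

# Add "DOMAIN = WEBROOT" for every DOMAIN... not yet mapped, directly under the
# [[webroot_map]] header, or append a new section if the file has none.
# The result is written back with cat so the file keeps its owner and mode.
add_webroot_entries() {
    conf=$1; webroot=$2; shift 2
    missing=$(webroot_map_missing "$conf" "$@")
    [ -n "$missing" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v entries="$missing" -v root="$webroot" '
        BEGIN { n = split(entries, e, "\n") }
        { print }
        /^\[\[webroot_map\]\]/ {
            for (i = 1; i <= n; i++) print e[i] " = " root
            inserted = 1
        }
        END {
            if (!inserted) {
                print "[[webroot_map]]"
                for (i = 1; i <= n; i++) print e[i] " = " root
            }
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Constructed sample of /etc/letsencrypt/renewal/<cert-name>.conf: the SAN
# autodiscover.example.test was added with -e later and never reached the map.
write_sample_conf() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/mail.example.test
cert = /etc/letsencrypt/live/mail.example.test/cert.pem
privkey = /etc/letsencrypt/live/mail.example.test/privkey.pem
chain = /etc/letsencrypt/live/mail.example.test/chain.pem
fullchain = /etc/letsencrypt/live/mail.example.test/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mail.example.test = /opt/zimbra/data/nginx/html
EOF
}

# Usage against the constructed sample (in production pass the real renewal file
# and every name in the certificate, e.g. from openssl x509 -noout -text):
#   f=$(mktemp); write_sample_conf "$f"
#   webroot_map_missing "$f" mail.example.test autodiscover.example.test
#   add_webroot_entries "$f" /opt/zimbra/data/nginx/html mail.example.test autodiscover.example.test
```

Run it as root before the cron job after every certbot_zimbra.sh -n that added a -e name; certbot_zimbra.sh -p does not touch the renewal config, so a name missing from the map stays missing until the file is edited.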
internet/security/ssl_cert_letsencrypt_zimbra.1623771826.txt.gz · Last modified: 2021/06/15 09:43 by gcooper