Differences

This shows you the differences between two versions of the page.

--- internet:security:ssl_cert_letsencrypt_zimbra [2022/01/17 10:41]
gcooper
+++ — (current)
@@ Line 1: / Line 1: @@
-====== Using LetsEncrypt SSL Certificates with Zimbra ======
-FIXME More notes than howto...
-https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
-https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh
-<note tip>When creating or renewing without a DNS API, you run an 'issue' command, then ADD records to your DNS, then rerun the 'issue' command with the --renew flag.</note>
-<note warning>When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.</note>
-<note warning>
-Your Zimbra will be restarted during this process, taking users offline!
-</note>
-<note tip>Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.</note>
-===== Install acme.sh =====
-<file>
-su -
-mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh
-su - zimbra
-cd /opt/zimbra/.acme.sh
-wget -O -  https://get.acme.sh | sh
-</file>
-===== Configure for LetsEncrypt =====
-Set defalt CA to LetsEncrypt
-<file>
-su - zimbra
-cd .acme.sh/
-./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt
-</file>
-===== Upgrade acme.sh =====
-<file>
-./acme.sh --upgrade
-</file>
-===== View Deployed Certs =====
-==== Zimbra ====
-<file>
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
-</file>
-==== acme.sh ====
-<file>
-./acme.sh --list
-</file>
-===== Create or Renew Cert =====
-Use the ''--renew'' flag for renewals.  This will also deploy the updated cert.
-<file>
-acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
-</file>
-===== Original Cert Deployment =====
-<file>
-acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld
-</file>
-===== Install CertBot =====
-You can use the install wizard at the ''certbot'' home page, or use your OS package manager.
-https://certbot.eff.org
-==== CentOS 7 ====
-<file>
-yum install certbot --enablerepo=epel
-</file>
-==== Ubuntu 16.04 ====
-:!: The PPA is for Ubuntu versions up to 18.04.
-<file>
-apt-get update
-apt-get install software-properties-common
-add-apt-repository universe
-add-apt-repository ppa:certbot/certbot
-apt-get update
-apt-get install certbot
-</file>
-==== Ubuntu 20.04 ====
-<file>
-apt-get update
-apt-get install certbot
-</file>
-===== Disable Packaged Auto Renewal =====
-When installing ''certbot'' via packages, we must disable auto-renewals configured in ''cron'' by the package installation:
-<file>
-systemctl stop certbot.timer && systemctl disable certbot.timer
-vim /etc/cron.d/certbot
-</file>
-**Comment out the last line.**
-<note warning>Installing or renewing a certificate will cause Zimbra to restart, breaking client connections temporarily.</note>
-===== New LetsEncrypt Certificate =====
-<note important>You can specify **SAN hostnames** with (optional and multiple) ''-e san.domain.tld'' flags.</note>
-<file>
-rm -f certbot_zimbra.sh
-wget https://github.com/YetOpen/certbot-zimbra/raw/master/certbot_zimbra.sh
-chmod +x certbot_zimbra.sh
-./certbot_zimbra.sh -n -c
-</file>
-===== Renew LetsEncrypt Certificate =====
-:!: If the existing certificate has **expired**, you probably need to generate a **new** cert.
-<file>
-./certbot_zimbra.sh -d
-</file>
-===== Automatic Renewals =====
-<file>
-mv certbot_zimbra.sh /usr/local/bin/
-</file>
-<file>
-vim /etc/cron.d/letsencrypt
-</file>
-<file>
-# certbot_zimbra.sh requires bash and a path with /usr/sbin
-SHELL=/bin/bash
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-# Replace /usr/bin/certbot with the location of your certbot binary, use this to find it: which certbot-auto certbot letsencrypt
-5 * * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
-</file>
-:!: Once your ''cron'' job has run successfully a few times (maybe after the first successful renewal), you can suppress unwanted e-mail messages every time the cron job runs by adding this to the end of the ''cron'' entry:
-<file>
->> /dev/null 2>&1
-</file>
-===== Troubleshooting =====
-<file>
-tail -f /var/log/letsencrypt/letsencrypt.log
-cat /var/log/letsencrypt/letsencrypt.log
-certbot certificates
-cat /etc/cron.d/letsencrypt
-cat /etc/letsencrypt/renewal/hostname.domain.tld.conf
-</file>
-==== View Deployed Certs ====
-<file>
-su - zimbra
-/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
-</file>
-==== Trouble Renewing ====
-If you see an error like this in the log:
-<file>
-WARNING:certbot.renewal:Attempting to renew cert (hostname.domain.tld) from /etc/letsencrypt/renewal/hostname.domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for hostname.domain.tld
-</file>
-:!: This is probably due to a **SAN hostname**.
-Try adding the missing line from the ''[webroot_map]'' section:
-<file>
-vim /etc/letsencrypt/renewal/hostname.domain.tld.conf
-</file>
-<file>
-hostname.domain.tld = /opt/zimbra/data/nginx/html
-sanhostname.domain.tld = /opt/zimbra/data/nginx/html
-</file>
-Then re-run the ''cron'' command from ''/etc/cron.d/letsencrypt'':
-<note warning>This will probably cause Zimbra to restart which will break client connections.
-Use of ''deploy-hook'' should only restart Zimbra if the renewal is successful, whereas ''renew-hook'' would cause it to restart even if the renewal fails.</note>
-<file>
-/usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --deploy-hook "/usr/local/bin/certbot_zimbra.sh -d"
-</file>

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools