
Using LetsEncrypt SSL Certificates with Zimbra

FIXME More notes than howto…

https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt

https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh

When using DNS auth for LetsEncrypt, you cannot automatically renew unless your DNS is hosted by a provider with a supported API.
Your Zimbra will be restarted during this process, taking users offline!
Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.
When creating or renewing without a DNS API, you run an 'issue' command, then ADD the requested records to your DNS, then rerun the 'issue' command with the --renew flag.

Install acme.sh

su -
mkdir /opt/zimbra/.acme.sh; chown zimbra:zimbra /opt/zimbra/.acme.sh

su - zimbra
cd /opt/zimbra/.acme.sh
wget -O -  https://get.acme.sh | sh

Configure for LetsEncrypt

Set default CA to LetsEncrypt

su - zimbra
cd .acme.sh/
./acme.sh --set-default-ca --preferred-chain "ISRG" --server letsencrypt

Upgrade acme.sh

./acme.sh --upgrade

View Deployed Certs

Zimbra

/opt/zimbra/bin/zmcertmgr viewdeployedcrt all

acme.sh

./acme.sh --list

Create or Renew Cert

Use the --renew flag for renewals. This will also deploy the updated cert.

acme.sh --issue --dns -d hostname.domain.tld -d san.domain.tld --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew

Original Cert Deployment

acme.sh --deploy --deploy-hook zimbra -d hostname.domain.tld -d san.domain.tld

Troubleshooting

If a cert is expired, you must reissue a new cert.

If a certificate renewal fails, try reissuing a new cert instead.

If you have trouble reissuing a new cert, recreate and deploy a new self-signed cert to get Zimbra 'working' again. Then re-implement a LetsEncrypt cert.
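Before running zmcertmgr or the acme.sh deploy hook, it is worth checking that the certificate you are about to deploy actually carries every SAN you need and is not close to expiry, since a missing name or an expired cert are the two failure modes above. The script below is an added example, not part of acme.sh or Zimbra; it assumes OpenSSL 1.1.1 or newer (for -ext and -addext) and uses a constructed self-signed sample cert for hostnames under example.com.

```shell
#!/bin/sh
# check_cert_sans.sh: verify a PEM certificate covers the hostnames you intend
# to serve and will still be valid for N days. Added example, not part of
# acme.sh or the Zimbra tooling. Assumes OpenSSL >= 1.1.1.

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 only if every required hostname is present as a SAN.
# Usage: cert_covers cert.pem host1 host2 ...
cert_covers() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    missing=0
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$host"; then
            echo "MISSING SAN: $host" >&2
            missing=1
        fi
    done
    return $missing
}

# Return 0 if the certificate is still valid $2 days from now (uses -checkend).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample: a throwaway self-signed cert with two SANs, valid 30 days.
# Hostnames under example.com are placeholders, not a real deployment.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1" \
        -subj "/CN=mail.example.com" \
        -addext "subjectAltName=DNS:mail.example.com,DNS:smtp.example.com" \
        >/dev/null 2>&1
}
```

Run cert_covers against /opt/zimbra/ssl/zimbra/commercial/commercial.crt (or the acme.sh output) with your full SAN list before deploying; a non-zero exit means a name is missing and the cert should be reissued with that -d added.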

internet/security/ssl_cert_letsencrypt_zimbra.1642441695.txt.gz · Last modified: 2022/01/17 10:48 by gcooper