Using LetsEncrypt SSL Certificates with Zimbra

See also Zimbra Self-Signed SSL Certs

Howto: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Your Zimbra will be restarted during this process, taking users offline!
Be sure to include all Subject Alternative Hostnames (SANs) that you need on the certificate.
The single-server portion of the howto is fantastic. However, it only works for the actual hostname and doesn't include any SANs (alternate hostnames) you might need.

Troubleshooting

Certbot logs to /var/log/letsencrypt/letsencrypt.log.

If you have trouble reissuing a new cert, or if Zimbra won't start, recreate and deploy a new self-signed cert to get Zimbra 'working' again. Then re-implement a LetsEncrypt cert.

If a cert is expired, you must reissue a new cert.

If a certificate renewal fails, try reissuing a new cert instead.

Modifications

Suppress daily cron e-mail message
You can modify the script to support additional SANs
Adjust script to only run if certificate is updated

#!/bin/bash
#
# Modification to suppress e-mailed cron job notifications every day
# (cron only honours MAILTO when it is set in the crontab, so set it there too)
MAILTO=""
#
# Modification for SAN certificate with multiple hostnames
# This may/will need to be adjusted for hostnames and possibly cert name
# If you followed the howto above using just the actual hostname, it will look like this
# CERT_NAME must match --cert-name: certbot stores the files under /etc/letsencrypt/live/$CERT_NAME
CERT_NAME="zimbra2.yourdomain.tld"
LIVE="/etc/letsencrypt/live/$CERT_NAME"
/usr/local/sbin/certbot certonly --cert-name "$CERT_NAME" -d zimbra2.yourdomain.tld -d zimbra.yourdomain.tld --standalone --manual-public-ip-logging-ok -n --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email
#
# Modification to test if cert was changed then exit script
# (-q keeps grep quiet so the check itself produces no cron output)
if grep -q "not yet due for renewal" /var/log/letsencrypt/letsencrypt.log; then
   exit 0
fi
#
# Copy the private key to where Zimbra expects the commercial key
cp "$LIVE/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Build the chain file for Zimbra: LetsEncrypt chain plus the ISRG Root X1 certificate
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
rm -f "$LIVE/chainZimbra.pem"
cp "$LIVE/chain.pem" "$LIVE/chainZimbra.pem"
cat /tmp/ISRG-X1.pem >> "$LIVE/chainZimbra.pem"
chown zimbra:zimbra /etc/letsencrypt -R
cd /tmp
# Deploy as the zimbra user (double quotes so $LIVE is expanded before su runs the command)
su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm '$LIVE/cert.pem' '$LIVE/chainZimbra.pem'"
rm -f "$LIVE/chainZimbra.pem"
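
A pre-deploy check for the two problems this page calls out, a certificate that is missing a needed SAN and a certificate that has expired. This is an added example, not part of the original script or the Zimbra howto; the function names and the 7-day MIN_DAYS default are assumptions, and the hostnames are the page's placeholders.

```shell
#!/bin/bash
# Added example: verify SAN coverage and remaining validity before deploycrt.

# Print the DNS names found in `openssl x509 -noout -text` output on stdin.
sans_from_text() {
    grep -A1 'X509v3 Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Print every required hostname (arguments) that is absent from the
# SAN list on stdin. Exact, case-insensitive match; wildcards are not expanded.
missing_sans() {
    local have name
    have=$(tr '[:upper:]' '[:lower:]')
    for name in "$@"; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$have" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Return 0 only if the certificate covers every required hostname and is
# still valid MIN_DAYS from now (default 7, an assumed threshold).
check_cert() {
    local cert=$1; shift
    local missing
    missing=$(openssl x509 -in "$cert" -noout -text | sans_from_text | missing_sans "$@")
    if [ -n "$missing" ]; then
        echo "missing SANs in $cert: $missing" >&2
        return 1
    fi
    openssl x509 -in "$cert" -noout -checkend $(( ${MIN_DAYS:-7} * 86400 )) >/dev/null || {
        echo "$cert expires within ${MIN_DAYS:-7} days" >&2
        return 1
    }
}

# Usage in the deploy script, before zmcertmgr deploycrt:
# check_cert /etc/letsencrypt/live/zimbra2.yourdomain.tld/cert.pem \
#     zimbra2.yourdomain.tld zimbra.yourdomain.tld || exit 1
```
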
internet/security/ssl_cert_letsencrypt_zimbra.1662489086.txt.gz · Last modified: 2022/09/06 12:31 by gcooper