Installing a LetsEncrypt SSL Certificate on Zimbra 8.6.0_GA_1153

Posted: November 24, 2017 in Linux

Thanks to https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate


Installing Let’s Encrypt on a Zimbra Server

Let’s Encrypt must be installed on one Linux machine to obtain the SSL certificate, the intermediate CA certificate, and the private key. It does not have to be the Zimbra server itself, but running it there saves time and makes renewals easier.

· The first step is to stop the jetty or nginx service at the Zimbra level, so that the standalone authenticator can bind the port it needs.

Login as zimbra

root@aafikry:~# su zimbra


zimbra@aafikry:/root$ zmproxyctl stop

Stopping nginx…done.

zimbra@aafikry:/root$ zmmailboxdctl stop


root@aafikry:~# git clone https://github.com/letsencrypt/letsencrypt

The program ‘git’ is currently not installed. You can install it by typing:

apt-get install git

root@aafikry:~# apt-get install git


root@aafikry:~# git clone https://github.com/letsencrypt/letsencrypt


root@aafikry:~# cd letsencrypt

root@aafikry:~/letsencrypt# ./letsencrypt-auto certonly --standalone

If you get an error about varnish (typically because it already listens on the port the standalone authenticator needs), stop the varnish service first:

root@aafikry:~/letsencrypt# service varnish stop

root@aafikry:~/letsencrypt# ./letsencrypt-auto certonly --standalone

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator standalone, Installer None

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to

cancel): fikry@aafikry.web.id

——————————————————————————-

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v01.api.letsencrypt.org/directory

——————————————————————————-

(A)gree/(C)ancel: A

——————————————————————————-

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about EFF and

our work to encrypt the web, protect its users and defend digital rights.

——————————————————————————-

(Y)es/(N)o: N

Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’

to cancel): mail.aafikry.web.id

Obtaining a new certificate

Performing the following challenges:

tls-sni-01 challenge for mail.aafikry.web.id

Waiting for verification…

Cleaning up challenges

IMPORTANT NOTES:

– Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/mail.aafikry.web.id/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/mail.aafikry.web.id/privkey.pem

Your cert will expire on 2018-02-22. To obtain a new or tweaked

version of this certificate in the future, simply run

letsencrypt-auto again. To non-interactively renew *all* of your

certificates, run "letsencrypt-auto renew"

– Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le


Where are the SSL Certificate Files?

You can find all your files under /etc/letsencrypt/live/$domain, where $domain is the fqdn you used during the process:

root@aafikry:~/letsencrypt# cd /etc/letsencrypt/live/mail.aafikry.web.id/

root@aafikry:/etc/letsencrypt/live/mail.aafikry.web.id# ls -l

cert.pem is the certificate

chain.pem is the chain

fullchain.pem is the concatenation of cert.pem + chain.pem

privkey.pem is the private key

Please keep in mind that the private key is only for yo

Build the proper Intermediate CA plus Root CA

Let’s Encrypt is almost perfect, but among the files the process builds, chain.pem contains only the intermediate certificate and not the root CA. You must take the IdenTrust root certificate and append it after the contents of chain.pem.

Your chain.pem before merge


Your chain.pem after merge

-----BEGIN CERTIFICATE-----
Your chain.pem
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
IdenTrust root certificate
-----END CERTIFICATE-----

To sum up: chain.pem has to be concatenated with the root CA: first the intermediate chain, then the root CA at the end of the file. The order is important.

Verify your commercial certificate.

Copy the whole Let’s Encrypt folder /etc/letsencrypt/live/$domain, with all its files, into /opt/zimbra/ssl/letsencrypt:

root@aafikry:/etc/letsencrypt/live/mail.aafikry.web.id# mkdir /opt/zimbra/ssl/letsencrypt

root@aafikry:/etc/letsencrypt/live/mail.aafikry.web.id# cp /etc/letsencrypt/live/mail.aafikry.web.id/* /opt/zimbra/ssl/letsencrypt/


Change owner

root@aafikry:/etc/letsencrypt/live/mail.aafikry.web.id# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

root@aafikry:/etc/letsencrypt/live/mail.aafikry.web.id# ls -la /opt/zimbra/ssl/letsencrypt/


Zimbra Collaboration 8.7 and above

As zimbra user

root@aafikry:/# su zimbra

zimbra@aafikry:/$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

/opt/zimbra/bin/zmcertmgr must be run as user root


Zimbra Collaboration 8.6 and previous

As root user

root@aafikry:/# cd /opt/zimbra/ssl/letsencrypt

root@aafikry:/opt/zimbra/ssl/letsencrypt# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

** Verifying cert.pem against privkey.pem

Certificate (cert.pem) and private key (privkey.pem) match.

Valid Certificate: cert.pem: OK
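The chain-merging rule above (intermediate first, root last) and the key/certificate match that zmcertmgr verifycrt performs can both be checked before touching Zimbra. The following script is an added example, not part of the original post or of the Zimbra wiki; it assumes openssl is on PATH, that the directory holds cert.pem, chain.pem and privkey.pem as listed earlier, and that the IdenTrust root has been saved separately as root.pem (an assumed file name).

```shell
#!/bin/sh
# Pre-deployment checks for a Let's Encrypt certificate bound for Zimbra.
# Added example, not part of the original post or the Zimbra wiki. Assumes
# openssl on PATH and a directory holding cert.pem, chain.pem, privkey.pem
# plus root.pem, the IdenTrust root downloaded separately (name assumed).
set -u

# The key must belong to the certificate (what "zmcertmgr verifycrt" checks):
# derive the public key from privkey.pem and compare with the one in cert.pem.
key_matches_cert() {  # key cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Merged chain in the order the post insists on: intermediate chain first,
# the root CA appended at the very end.
build_full_chain() {  # chain root out
    cat "$1" "$2" > "$3"
}

# The last PEM block of the merged file must be the root, i.e. self-signed
# (issuer equals subject). Catches a root-first or root-missing mistake.
last_is_root() {  # chainfile
    last=$(awk '/BEGIN CERTIFICATE/{b=""} {b=b $0 "\n"} END{printf "%s", b}' "$1")
    subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject 2>/dev/null)
    iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer 2>/dev/null)
    [ -n "$subj" ] && [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The leaf must chain through the intermediates up to the root, which is the
# path validation every browser and MTA performs against the deployed cert.
chain_verifies() {  # cert chain root
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# "The private key is only for you": refuse a key that other users can read.
key_is_private() {  # keyfile
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Let's Encrypt certificates last 90 days; true when the cert expires within
# $2 days (or cannot be read), so a renewal job can trigger on it.
expires_within_days() {  # cert days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

Run the functions from /opt/zimbra/ssl/letsencrypt; build_full_chain chain.pem root.pem merged.pem followed by last_is_root merged.pem confirms the merge order before the file replaces chain.pem.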


Deploy the new Let’s Encrypt SSL certificate
Backup Zimbra SSL directory

Before deploying, it is good practice to make a backup.

root@aafikry:/opt/zimbra/ssl/letsencrypt# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Copy the private key under Zimbra SSL path

Before deploying the SSL certificate, you need to copy privkey.pem into the Zimbra SSL commercial path, like this:

root@aafikry:/opt/zimbra/ssl/letsencrypt# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key


Final SSL deployment

Then deploy the certificate as follows:

Zimbra Collaboration 8.7 and above

As zimbra user

root@aafikry:/opt/zimbra/ssl/letsencrypt# su zimbra

zimbra@aafikry:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

/opt/zimbra/bin/zmcertmgr must be run as user root


Zimbra Collaboration 8.6 and previous

As root user

root@aafikry:/opt/zimbra/ssl/letsencrypt# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

** Verifying cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: cert.pem: OK

** Copying cert.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Appending ca chain chain.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca…done.

** NOTE: mailboxd must be restarted in order to use the imported certificate.

** Saving server config key zimbraSSLCertificate…done.

** Saving server config key zimbraSSLPrivateKey…done.

** Installing mta certificate and key…done.

** Installing slapd certificate and key…done.

** Installing proxy certificate and key…done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.

** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.

** Installing CA to /opt/zimbra/conf/ca…done.


Then you need to restart the services, which will restart the nginx or jetty you stopped before:

root@aafikry:/opt/zimbra/ssl/letsencrypt# su zimbra

zimbra@aafikry:~/ssl/letsencrypt$ zmcontrol restart


Test the new SSL Certificate

The last step is to go to your Web Browser and open the URL of your Zimbra server where you installed the Let’s Encrypt SSL Certificate:


Thanks, CMIIW :)
