{"id":751,"date":"2021-04-16T23:24:56","date_gmt":"2021-04-16T17:24:56","guid":{"rendered":"https:\/\/mellowhost.com\/blog\/?p=751"},"modified":"2021-04-16T23:28:24","modified_gmt":"2021-04-16T17:28:24","slug":"how-to-manually-install-lets-encrypt-ssl-in-zimbra","status":"publish","type":"post","link":"https:\/\/mellowhost.com\/blog\/how-to-manually-install-lets-encrypt-ssl-in-zimbra.html","title":{"rendered":"How to manually install\/renew Let&#8217;s Encrypt SSL in Zimbra"},"content":{"rendered":"\n<p>If you are having trouble installing Let&#8217;s Encrypt SSL with the certbot-zimbra.sh script, this tutorial walks through doing it manually. First we need to install certbot. certbot has a built-in web server, so you can obtain the certificate without installing an extra web server and without going through Zimbra&#8217;s own web server (nginx, to be specific). <\/p>\n\n\n\n<p>First, we install certbot with the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># install epel-release first\nyum install epel-release\n# install certbot from epel\nyum install certbot<\/pre>\n\n\n\n<p>Once done, run the following command to confirm that certbot is working:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># certbot --help\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...\n\nCertbot can obtain and install HTTPS\/TLS\/SSL certificates.  By default,\nit will attempt to use a webserver both for obtaining and installing the\ncertificate. 
The most common SUBCOMMANDS and flags are:\n\nobtain, install, and renew certificates:\n    (default) run   Obtain &amp; install a certificate in your current webserver\n    certonly        Obtain or renew a certificate, but do not install it\n    renew           Renew all previously obtained certificates that are near\nexpiry\n    enhance         Add security enhancements to your existing configuration\n   -d DOMAINS       Comma-separated list of domains to obtain a certificate for\n\n  (the certbot apache plugin is not installed)\n  --standalone      Run a standalone webserver for authentication\n  --nginx           Use the Nginx plugin for authentication &amp; installation\n  --webroot         Place files in a server's webroot folder for authentication\n  --manual          Obtain certificates interactively, or using shell script\nhooks\n\n   -n               Run non-interactively\n  --test-cert       Obtain a test certificate from a staging server\n  --dry-run         Test \"renew\" or \"certonly\" without saving any certificates\nto disk\n\nmanage certificates:\n    certificates    Display information about certificates you have from Certbot\n    revoke          Revoke a certificate (supply --cert-name or --cert-path)\n    delete          Delete a certificate (supply --cert-name)\n\nmanage your account:\n    register        Create an ACME account\n    unregister      Deactivate an ACME account\n    update_account  Update an ACME account\n  --agree-tos       Agree to the ACME server's Subscriber Agreement\n   -m EMAIL         Email address for important account notifications\n\nMore detailed help:\n\n  -h, --help [TOPIC]    print this message, or detailed help on a topic;\n                        the available TOPICS are:\n\n   all, automation, commands, paths, security, testing, or any of the\n   subcommands or plugins (certonly, renew, install, register, nginx,\n   apache, standalone, webroot, etc.)\n  -h all                print a detailed help page including 
all topics\n  --version             print the version number\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -<\/pre>\n\n\n\n<p>Once certbot is installed, use it to obtain the certificate with the certbot --standalone option. Remember to stop Zimbra first: Zimbra runs its own nginx web server, which would otherwise prevent certbot&#8217;s standalone web server from serving the validation request for the certificate.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># from root, run\n[root@mailapp ~]# service zimbra stop\n\n# wait until zimbra stops, then obtain the certificate, replacing mail.domain.com with your own domain\/hostname\n[root@mailapp ~]# certbot certonly --standalone -d mail.domain.com<\/pre>\n\n\n\n<p>This obtains your certificate and saves it in:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/etc\/letsencrypt\/live\/mail.domain.com<\/pre>\n\n\n\n<p>Now, that folder contains four files. 
Something like the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># ls -la \/etc\/letsencrypt\/live\/mail.domain.com\/\ntotal 16\ndrwxr-xr-x 2 root root 4096 Apr 16 11:30 .\ndrwx------ 4 root root 4096 Feb 10  2020 ..\nlrwxrwxrwx 1 root root   40 Apr 16 11:30 cert.pem -> ..\/..\/archive\/mail.domain.com\/cert8.pem\nlrwxrwxrwx 1 root root   41 Apr 16 11:30 chain.pem -> ..\/..\/archive\/mail.domain.com\/chain8.pem\nlrwxrwxrwx 1 root root   45 Apr 16 11:30 fullchain.pem -> ..\/..\/archive\/mail.domain.com\/fullchain8.pem\nlrwxrwxrwx 1 root root   43 Apr 16 11:30 privkey.pem -> ..\/..\/archive\/mail.domain.com\/privkey8.pem<\/pre>\n\n\n\n<p>As you can see, these files are symbolic links to files in the archive directory, and the number in each target name depends on how many times you have run certbot. Each run produces a new numbered set, such as cert8.pem; the next run would produce cert9.pem, and so on. So the original files are here:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/etc\/letsencrypt\/archive\/mail.domain.com\/cert8.pem\n\/etc\/letsencrypt\/archive\/mail.domain.com\/chain8.pem\n\/etc\/letsencrypt\/archive\/mail.domain.com\/fullchain8.pem\n\/etc\/letsencrypt\/archive\/mail.domain.com\/privkey8.pem<\/pre>\n\n\n\n<p>Now we have our certificates. A few more steps are needed to make sure everything is set up correctly. 
<\/p>\n\n\n\n<p>First, Zimbra&#8217;s Let&#8217;s Encrypt SSL files are stored here:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/opt\/zimbra\/ssl\/letsencrypt<\/pre>\n\n\n\n<p>We clean out all the old pem files:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rm -f \/opt\/zimbra\/ssl\/letsencrypt\/*<\/pre>\n\n\n\n<p>Now, copy the pem files we obtained into this folder with the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cp \/etc\/letsencrypt\/archive\/mail.domain.com\/cert8.pem \/opt\/zimbra\/ssl\/letsencrypt\/cert.pem\ncp \/etc\/letsencrypt\/archive\/mail.domain.com\/chain8.pem \/opt\/zimbra\/ssl\/letsencrypt\/chain.pem\ncp \/etc\/letsencrypt\/archive\/mail.domain.com\/fullchain8.pem \/opt\/zimbra\/ssl\/letsencrypt\/fullchain.pem\ncp \/etc\/letsencrypt\/archive\/mail.domain.com\/privkey8.pem \/opt\/zimbra\/ssl\/letsencrypt\/privkey.pem<\/pre>\n\n\n\n<p>Note how each numbered file is copied to a name without the number: cert8.pem becomes cert.pem here, and so on. 
<\/p>\n\n\n\n<p>Now, change the ownership of these files to zimbra with the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">chown -Rf zimbra:zimbra \/opt\/zimbra\/ssl\/letsencrypt\/*<\/pre>\n\n\n\n<p>We are now done as root; switch to the zimbra user:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">su - zimbra<\/pre>\n\n\n\n<p>First, change directory to &#8216;\/opt\/zimbra\/ssl\/letsencrypt\/&#8217;:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cd \/opt\/zimbra\/ssl\/letsencrypt\/<\/pre>\n\n\n\n<p>The Let&#8217;s Encrypt files are almost ready to use, with one problem: Let&#8217;s Encrypt does not include its root CA certificate in the chain.pem file. We need to add it ourselves. 
First, open the chain file in the nano editor:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nano chain.pem<\/pre>\n\n\n\n<p>Now, at the end of the file, append the following root CA certificate:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA\/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM\/IUmTrE4O\nrz5Iy2Xu\/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn\/5WgTe1QLyNau7Fqckh49ZLOMxt+\/yUFw\n7BZy1SbsOFU5Q9D8\/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5\/wAl0CAwEAAaNCMEAwDwYDVR0TAQH\/BAUwAwEB\/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX\/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB\/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----<\/pre>\n\n\n\n<p>After adding the above, your chain.pem file should look like the following:<\/p>\n\n\n\n<pre 
class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">-----BEGIN CERTIFICATE-----\nthe existing contents of your chain.pem certificate here\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA\/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM\/IUmTrE4O\nrz5Iy2Xu\/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn\/5WgTe1QLyNau7Fqckh49ZLOMxt+\/yUFw\n7BZy1SbsOFU5Q9D8\/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5\/wAl0CAwEAAaNCMEAwDwYDVR0TAQH\/BAUwAwEB\/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX\/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB\/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----<\/pre>\n\n\n\n<p>Now, save the file (Ctrl+O) and exit (Ctrl+X).<\/p>\n\n\n\n<p>One more thing is needed before we are ready to verify and deploy the certificate: the Let&#8217;s Encrypt private key that we used to generate the certificate must be set as Zimbra&#8217;s commercial.key. 
You may do this with the following two commands:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rm -f \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key\ncp \/opt\/zimbra\/ssl\/letsencrypt\/privkey.pem \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key<\/pre>\n\n\n\n<p>Now you are ready to complete the job. First, verify that the private key, certificate and chain are consistent with the following:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">[zimbra@mailapp letsencrypt]$ \/opt\/zimbra\/bin\/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem\n** Verifying 'cert.pem' against 'privkey.pem'\nCertificate 'cert.pem' and private key 'privkey.pem' match.\n** Verifying 'cert.pem' against 'chain.pem'\nValid certificate chain: cert.pem: OK<\/pre>\n\n\n\n<p>If everything is OK, deploy the certificate with the following command:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/opt\/zimbra\/bin\/zmcertmgr deploycrt comm cert.pem chain.pem<\/pre>\n\n\n\n<p>Once the certificate is deployed successfully, return from the zimbra user to root with the following command:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">exit<\/pre>\n\n\n\n<p>Now, you may start\/restart zimbra with the following 
command:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">service zimbra restart<\/pre>\n\n\n\n<p>If everything went right, you can now open your Zimbra domain in a browser, click the lock icon to the left of the address and see the extended SSL expiry date. Sweet!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are having trouble installing Let&#8217;s Encrypt SSL with the certbot-zimbra.sh file, then probably you would need to follow this tutorial. To follow this tutorial, we first need to install certbot. certbot has a built in web server to allow you get the certificate without actually installing an extra web server or through Zimbra &hellip; <a href=\"https:\/\/mellowhost.com\/blog\/how-to-manually-install-lets-encrypt-ssl-in-zimbra.html\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to manually install\/renew Let&#8217;s Encrypt SSL in 
Zimbra&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,356,331],"tags":[382,561,560,562],"_links":{"self":[{"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/posts\/751"}],"collection":[{"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/comments?post=751"}],"version-history":[{"count":2,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/posts\/751\/revisions"}],"predecessor-version":[{"id":753,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/posts\/751\/revisions\/753"}],"wp:attachment":[{"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/media?parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/categories?post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mellowhost.com\/blog\/wp-json\/wp\/v2\/tags?post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}