From Notes_Wiki

Revision as of 03:22, 14 February 2019


CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra

SSL certificate setup

To set up Let's Encrypt SSL certificates use:

  1. First stop the web (proxy) and mailbox services as the *zimbra user*, so that the standalone authenticator can bind the HTTP/HTTPS ports:
    zmproxyctl stop
    zmmailboxdctl stop
  2. Clone the letsencrypt GitHub repository as the *root user*:
    yum -y install git epel-release
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
  3. Obtain the Let's Encrypt certificates for the domains using:
    ./letsencrypt-auto certonly --standalone -d mail.zimbra.sbarjatiya.com -d zimbra.sbarjatiya.com
    On various prompts use:
    1. Emergency email - saurabh@sbarjatiya.com
    2. Agree/Cancel - A
    3. Yes/No - Y
      The important file locations are:
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/fullchain.pem
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem
  4. Download the root and intermediate certificates from https://letsencrypt.org/certificates/, for example:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
  5. To give Zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
    mkdir /opt/zimbra/ssl/letsencrypt
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    ls -la /opt/zimbra/ssl/letsencrypt/
  6. Install the certificates as the *zimbra* user:
    cd /opt/zimbra/ssl/letsencrypt/
    /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
    # If the above validation succeeds
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
    zmcontrol restart
  7. Open https://mail.zimbra.sbarjatiya.com:7071/zimbraAdmin/ and verify that the certificate is served together with the root "ISRG Root X1" and the intermediate "Let's Encrypt Authority X3".
  8. Test the certificates on each service using:
    openssl s_client -starttls smtp -connect zimbra.sbarjatiya.com:25 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:465 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:443 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:993 -showcerts
    openssl s_client -starttls imap -connect zimbra.sbarjatiya.com:143 -showcerts


Listen on port 80 with forced HTTPS redirection

To configure Zimbra to listen on port 80 for forced HTTPS redirection use:

  1. Configure forced HTTPS redirection
    su - zimbra
    ~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
    zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
    Note that the earlier method of simply running 'zmtlsctl redirect' is no longer available in the latest versions; hence the steps above are required.


SSL certificate renewal configuration via crontab

This auto-renewal assumes that the chain (root and intermediate) remains the same; combined.pem is not rebuilt, so if Let's Encrypt changes its intermediate, step 5 above has to be repeated.

  1. Create /root/renew-certificate.sh with:
    #!/bin/bash
    /root/letsencrypt/letsencrypt-auto renew
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/cert.pem /opt/zimbra/ssl/letsencrypt/
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
    su - zimbra -c "zmcontrol restart"
  2. chmod +x /root/renew-certificate.sh
  3. In the root user's crontab (crontab -e) add:
    10 5 * * 0 /root/renew-certificate.sh
    where, instead of 10 and 5, a random value between 5 and 55 is used for the minute (first field) and a random value between 1 and 5 for the hour (second field), so that renewals from many hosts are spread out.
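The renewal script above redeploys and restarts Zimbra every week even when nothing was renewed, and breaks silently if the intermediate changes. The following is an added example, not the wiki's own script: an idempotent variant of /root/renew-certificate.sh that only deploys when cert.pem actually changed, rebuilds combined.pem from the renewed chain.pem plus the root downloaded in step 4, and runs zmcertmgr verifycrt before deploycrt. It assumes the paths used on this page and that isrgrootx1.pem.txt was copied to /opt/zimbra/ssl/letsencrypt/ in step 5.

```shell
#!/bin/sh
# Added example (not the wiki page's own script): idempotent
# /root/renew-certificate.sh for the setup described above.
# Only redeploys and restarts Zimbra when cert.pem changed, rebuilds
# combined.pem from chain.pem plus the downloaded root so an intermediate
# change is picked up, and verifies the chain before deploying.
# Assumed: paths match the page; isrgrootx1.pem.txt sits in $ZIMBRA_LE.
LIVE=/etc/letsencrypt/live/mail.zimbra.sbarjatiya.com
ZIMBRA_LE=/opt/zimbra/ssl/letsencrypt
COMMERCIAL_KEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key
ROOT_CERT="$ZIMBRA_LE/isrgrootx1.pem.txt"

# cert_changed DEPLOYED LIVE: succeeds (0) when LIVE differs from the
# deployed copy, or when no deployed copy exists yet.
cert_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# build_combined ROOT CHAIN OUT: CA bundle in the page's order, root
# first, then chain.pem (which already carries the intermediate).
build_combined() {
    cat "$1" "$2" > "$3"
}

# run_as_zimbra CMD: zmcertmgr and zmcontrol must run as the zimbra user.
run_as_zimbra() {
    su - zimbra -c "cd $ZIMBRA_LE && $1"
}

main() {
    /root/letsencrypt/letsencrypt-auto renew || return 1
    if ! cert_changed "$ZIMBRA_LE/cert.pem" "$LIVE/cert.pem"; then
        echo "certificate unchanged, nothing to deploy"
        return 0
    fi
    # cp dereferences the symlinks in the live/ directory
    cp "$LIVE/privkey.pem" "$LIVE/cert.pem" "$LIVE/chain.pem" "$ZIMBRA_LE/"
    build_combined "$ROOT_CERT" "$ZIMBRA_LE/chain.pem" "$ZIMBRA_LE/combined.pem"
    cp "$ZIMBRA_LE/privkey.pem" "$COMMERCIAL_KEY"
    chown zimbra:zimbra "$ZIMBRA_LE"/*
    run_as_zimbra "/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem" \
        || { echo "verifycrt failed, not deploying" >&2; return 1; }
    run_as_zimbra "/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
    run_as_zimbra "zmcontrol restart"
}

# Cron entry:  10 5 * * 0 /root/renew-certificate.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The `--run` guard keeps the functions sourceable for testing without triggering a renewal.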
