CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra

From Notes_Wiki

Home > CentOS > CentOS 7.x > Email configuration > Zimbra configuration > CentOS 7.x Install SSL certificate in Zimbra > CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra

SSL certificate setup

To set up Let's Encrypt SSL certificates use:

  1. First stop the web and mailbox services as *zimbra user*:
    zmproxyctl stop
    zmmailboxdctl stop
  2. Download the letsencrypt GitHub package as *root user*:
    yum -y install git epel-release
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
  3. Get letsencrypt certificates for the domain using:
    ./letsencrypt-auto certonly --standalone -d mail.zimbra.sbarjatiya.com -d zimbra.sbarjatiya.com
    On various prompts use:
    1. Emergency email - saurabh@example.com
    2. Agree/Cancel - A
    3. Yes/No - Y
      The important file locations are:
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/fullchain.pem
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem
  4. Download the root and intermediate certificates from https://letsencrypt.org/certificates/, for example:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
  5. To give zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
    mkdir /opt/zimbra/ssl/letsencrypt
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    ls -la /opt/zimbra/ssl/letsencrypt/
  6. Install the certificates *as zimbra* user:
    cd /opt/zimbra/ssl/letsencrypt/
    /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
    # If the above validation succeeds
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
    zmcontrol restart
  7. Recently the above validations have started to fail with the following error (fix submitted by Dmitry Gusakov):
    [zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
    ** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
    Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
    ** Verifying 'cert.pem' against 'combined.pem'
    ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.sbarjatiya.com
    error 20 at 0 depth lookup:unable to get local issuer certificate
    #OR
    [zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
    ** Verifying 'cert.pem' against 'privkey.pem'
    Certificate 'cert.pem' and private key 'privkey.pem' match.
    ** Verifying 'cert.pem' against 'combined.pem'
    ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = R3
    error 2 at 1 depth lookup:unable to get issuer certificate
    In case of the above, you can solve it by modifying the steps that generate combined.pem to:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
    cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    After this, try the verifycrt step again; this time it should work.
  8. Open https://mail.zimbra.sbarjatiya.com:7071/zimbraAdmin/ and verify that the certificate, along with the root "ISRG Root X1" and the intermediate "Let's Encrypt Authority X3", is presented properly.
  9. Test certificates using:
    openssl s_client -starttls smtp -connect zimbra.sbarjatiya.com:25 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:465 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:443 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:993 -showcerts
    openssl s_client -starttls imap -connect zimbra.sbarjatiya.com:143 -showcerts
  10. You can also test the certificate setup using https://www.ssllabs.com/ssltest/. If the old Let's Encrypt root / intermediate has expired, Zimbra might open properly in a few browsers (or in incognito mode) while giving an error in others. Such issues can be identified with the SSL Labs test. They can then be fixed by re-downloading the Let's Encrypt certificates from https://letsencrypt.org/certificates/. After re-downloading the updated certificates, do:
    cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    Follow this with the zmcertmgr verifycrt and deploycrt steps.

Listen on port 80 with forced HTTPS redirection

To configure Zimbra to listen on port 80 with forced HTTPS redirection use:

  1. Configure forced HTTPS redirection
    su - zimbra
    ~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
    zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
    Note that the earlier method of simply using 'zmtlsctl redirect' is no longer available in the latest versions, hence the above steps are required.


SSL certificate renewal configuration via crontab

This auto-renewal assumes that the chain (root and intermediate) remains the same.

  1. Create /root/renew-certificate.sh with:
    #!/bin/bash
    su - zimbra -c "zmcontrol stop"
    /root/letsencrypt/letsencrypt-auto renew
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/cert.pem /opt/zimbra/ssl/letsencrypt/
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
    su - zimbra -c "zmcontrol start"
  2. chmod +x /root/renew-certificate.sh
  3. For the root user's crontab (crontab -e) add:
    10 5 * * 0 /root/renew-certificate.sh
    where instead of 10 and 5 you should use a random value between 5 and 55 for the minutes (first number) and a random value between 1 and 5 for the hour (second number).
