Difference between revisions of "CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra"

From Notes_Wiki
Line 88: Line 88:
# Create /root/renew-certificate.sh with:
# Create /root/renew-certificate.sh with:
#:<pre>
#:<pre>
#::  su - zimbra -c "zmcontrol stop"
#::  /root/letsencrypt/letsencrypt-auto renew
#::  /root/letsencrypt/letsencrypt-auto renew
#::  cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
#::  cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
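Review bot: the new `letsencrypt-auto renew` line runs with no exit-status check, so when renewal fails the script still falls through to the `cp` lines below and the full `zmcontrol stop` outage this revision introduces happens for nothing. Guard it, e.g. `if ! /root/letsencrypt/letsencrypt-auto renew; then logger -t renew-certificate "renew failed"; fi`, and only copy and deploy on success while still starting the services afterwards.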
Line 94: Line 95:
#::  chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
#::  chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
#::  su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
#::  su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
#::  su - zimbra -c "zmcontrol restart"
#::  su - zimbra -c "zmcontrol start"
#:</pre>
#:</pre>
# <tt>chmod +x /root/renew-certificate.sh</tt>
# <tt>chmod +x /root/renew-certificate.sh</tt>
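Review bot: `zmcontrol start` is the right replacement for `restart` now that the script begins with `zmcontrol stop`, but the `zmcertmgr deploycrt` line just before it still runs unchecked, so a deploy failure (a key that does not match cert.pem, for instance) is silently followed by `zmcontrol start` on the previous certificate. Capture its status, e.g. `... deploycrt comm cert.pem combined.pem" || logger -t renew-certificate "deploycrt failed"`, so the weekly cron run leaves a trace when something goes wrong.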

Revision as of 16:14, 10 March 2019


CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra

SSL certificate setup

To set up Let's Encrypt SSL certificates use:

  1. First stop the web and mailbox services as *zimbra user*:
    zmproxyctl stop
    zmmailboxdctl stop
  2. Download the letsencrypt GitHub package as *root user*:
    yum -y install git epel-release
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
  3. Get Let's Encrypt certificates for the domain using:
    ./letsencrypt-auto certonly --standalone -d mail.zimbra.sbarjatiya.com -d zimbra.sbarjatiya.com
    At the various prompts use:
    1. Emergency email - saurabh@sbarjatiya.com
    2. Agree/Cancel - A
    3. Yes/No - Y
      The important file locations are:
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/fullchain.pem
      • /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem
  4. Download the root and intermediate certificates from https://letsencrypt.org/certificates/ as in this example:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
    wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
  5. To give zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
    cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
    cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
    mkdir /opt/zimbra/ssl/letsencrypt
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    ls -la /opt/zimbra/ssl/letsencrypt/
  6. Install certificates *as zimbra* user:
    cd /opt/zimbra/ssl/letsencrypt/
    /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
    # If the above validation succeeds
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
    zmcontrol restart
  7. Open https://mail.zimbra.sbarjatiya.com:7071/zimbraAdmin/ and verify that the certificate is served properly along with the root "ISRG Root X1" and the intermediate "Let's Encrypt Authority X3".
  8. Test certificates using:
    openssl s_client -starttls smtp -connect zimbra.sbarjatiya.com:25 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:465 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:443 -showcerts
    openssl s_client -connect zimbra.sbarjatiya.com:993 -showcerts
    openssl s_client -starttls imap -connect zimbra.sbarjatiya.com:143 -showcerts
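A consolidated version of the step 8 checks, added here as an example and not part of the original wiki page: it runs the same `openssl s_client` probes against every port listed above and reports, per port, the verify result and how many certificates the service sent. HOST defaults to the hostname used on this page; the script name and helper names are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page: check the chain Zimbra presents on
# every port from step 8 in one run. HOST defaults to the hostname used on
# this page; the port list and helper names are this example's own.
HOST="${HOST:-zimbra.sbarjatiya.com}"

# Handshake transcript for one port; $3 is the STARTTLS protocol (smtp/imap)
# or empty for implicit TLS. stderr is dropped so only the transcript remains.
fetch_handshake() {
  if [ -n "$3" ]; then
    openssl s_client -starttls "$3" -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
  fi
}

# Numeric "Verify return code" from a transcript on stdin: 0 means the chain
# verified against the local trust store; 21 ("unable to verify the first
# certificate") is what you see when the intermediate was not deployed.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Number of certificates the server sent; fewer than two means the leaf came
# without its intermediate, i.e. combined.pem was not deployed correctly.
chain_length() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Probe every service port from step 8 and print one summary line per port.
check_all() {
  rc=0
  for spec in 25:smtp 465: 443: 993: 143:imap; do
    port="${spec%%:*}"; starttls="${spec#*:}"
    transcript="$(fetch_handshake "$HOST" "$port" "$starttls")"
    code="$(printf '%s\n' "$transcript" | verify_code)"
    sent="$(printf '%s\n' "$transcript" | chain_length)"
    printf '%s:%s verify=%s certs_sent=%s\n' "$HOST" "$port" "${code:-none}" "$sent"
    [ "$code" = "0" ] && [ "$sent" -ge 2 ] || rc=1
  done
  return "$rc"
}

# Run the probes only when invoked as a script so the helpers can be sourced.
case "${0##*/}" in check-zimbra-tls.sh) check_all ;; esac
```

Save it as check-zimbra-tls.sh; a non-zero exit means at least one port failed verification or sent an incomplete chain.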


Listen on port 80 with forced HTTPS redirection

To configure Zimbra to listen on port 80 for forced HTTPS redirection use:

  1. Configure forced HTTPS redirection
    su - zimbra
    ~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
    zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
    Note that the earlier method of simply using 'zmtlsctl redirect' is no longer available in the latest versions, hence the above steps are required.

SSL certificate renewal configuration via crontab

This auto-renewal assumes that the chain (root and intermediate) remains the same.

  1. Create /root/renew-certificate.sh with:
    #!/bin/bash
    # Stop all Zimbra services first (the standalone authenticator from step 3 needs the web ports)
    su - zimbra -c "zmcontrol stop"
    /root/letsencrypt/letsencrypt-auto renew
    # Copy the renewed key and certificate into the folder Zimbra can read (step 5)
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
    cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/cert.pem /opt/zimbra/ssl/letsencrypt/
    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    # Redeploy with the unchanged chain in combined.pem, then bring services back up
    su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
    su - zimbra -c "zmcontrol start"
  2. chmod +x /root/renew-certificate.sh
  3. To the root user's crontab (crontab -e) add:
    10 5 * * 0 /root/renew-certificate.sh
    where, instead of 10 and 5, use a random value between 5 and 55 for the minute (first number) and a random value between 1 and 5 for the hour (second number).
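A hardened variant of the renewal script above, added here as an example and not the wiki page's own script: it checks the exit status of `letsencrypt-auto renew`, redeploys only when cert.pem actually changed, always brings Zimbra back up, and logs the outcome to syslog. The paths are the ones used on this page; the helper names and the syslog tag are this example's own choices.

```shell
#!/bin/bash
# Added example, not the wiki page's own script: a renewal wrapper for the
# crontab entry above that checks the renew exit status, redeploys only when
# cert.pem actually changed, always brings Zimbra back up and logs to syslog.
# Paths are the ones used on this page; helper names and the syslog tag are
# this example's own choices.
LIVE=/etc/letsencrypt/live/mail.zimbra.sbarjatiya.com
DEPLOY=/opt/zimbra/ssl/letsencrypt
TAG=renew-certificate

log() { logger -t "$TAG" "$*"; echo "$*"; }

# Exit 0 when the freshly issued certificate ($1) differs from the deployed
# copy ($2). A missing deployed copy counts as changed so a first run deploys.
cert_changed() {
  [ -f "$2" ] || return 0
  ! cmp -s "$1" "$2"
}

# Install the renewed key and certificate into Zimbra, the same steps as the
# manual procedure above; the chain in combined.pem is assumed unchanged.
deploy() {
  cp "$LIVE/privkey.pem" "$LIVE/cert.pem" "$DEPLOY/" &&
    cp "$DEPLOY/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key &&
    chown zimbra:zimbra "$DEPLOY"/* &&
    su - zimbra -c "cd $DEPLOY && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
}

main() {
  # The standalone authenticator needs the web ports, so Zimbra is stopped first.
  su - zimbra -c "zmcontrol stop"
  if ! /root/letsencrypt/letsencrypt-auto renew; then
    log "letsencrypt-auto renew failed; keeping the currently deployed certificate"
  elif cert_changed "$LIVE/cert.pem" "$DEPLOY/cert.pem"; then
    if deploy; then log "renewed certificate deployed"; else log "deploy failed; check zmcertmgr output"; fi
  else
    log "certificate unchanged; nothing to deploy"
  fi
  # Services come back whatever happened above, so a failed renewal is not an outage.
  su - zimbra -c "zmcontrol start"
}

# Run only when invoked as the script itself so the helpers can be sourced.
case "${0##*/}" in renew-certificate.sh) main ;; esac
```

Drop it in as /root/renew-certificate.sh with the same chmod and crontab entry as above; the `logger` lines make a failed weekly run visible in /var/log/messages instead of passing silently.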


