A public-key certificate is an electronic document that provides a reliable way for an entity to prove its identity. A trusted organization that issues these public-key certificates is known as a Certificate Authority (CA). A certificate authority acts as a third party trusted by both the owner of the certificate and those who rely on it.
The subject of such a certificate is typically an individual or an organization, but it can also be a device such as a computer, which is the case for an e-mail server. Certificate authorities can be commercial, such as IdenTrust and DigiCert, or non-profit, like Let’s Encrypt.
In this article, you will see how to install and manage Let’s Encrypt certificates in Carbonio CE using Certbot on Ubuntu 20.04.
What is Let’s Encrypt?
Let’s Encrypt is a global Certificate Authority (CA) providing SSL/TLS certificates to individuals and organizations. Let’s Encrypt certificates are mostly used by websites to enable secure HTTPS connections. However, the Domain Validation (DV) certificates that Let’s Encrypt issues are not limited to websites: they can be used for any server that has a domain name, such as an e-mail server.
Let’s Encrypt certificates remain valid for 90 days, but you can renew a certificate at any time during this period free of charge, which makes setting up and maintaining TLS encryption easier.
What is Certbot?
Certbot is a free and open-source tool that facilitates obtaining SSL certificates from Let’s Encrypt and configuring them on your server. Certbot is also very useful for managing Let’s Encrypt certificates, for example by automating the renewal process.
Issue Certificates for Carbonio CE
We’re going to use Certbot to obtain and configure Let’s Encrypt certificates on our server. The process is very straightforward: you install Certbot, issue the request for your server, obtain an SSL certificate, CA intermediate, and private key for your domain, deploy them on your server, and you are done.
Step 1: Installing Certbot
Note: Before installing Certbot, you need to remove certbot-auto or any other related Certbot packages installed using an OS package manager like apt, and add the latest version maintained by the Certbot team, since the one that comes with Ubuntu 20.04 is deprecated. Otherwise, we cannot be sure that the certbot command uses the snap as opposed to the one installed by your package manager.
After successfully removing the existing certbot-auto, it’s time to install the latest version maintained by the Certbot team. We recommend adding the Certbot personal package archive (PPA) to your list of repositories as opposed to using snap.
To add the correct Certbot PPA, run the following commands
apt install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
Then update the repositories list using
apt update
Your repositories list is now modified, so, if prompted, the correct Certbot package will be installed on your system.
Then execute the following to ensure that the certbot command can be run
ln -s /snap/bin/certbot /usr/bin/certbot
Step 2: Generating Certificate
In this step, we are going to generate a Let’s Encrypt certificate using the certonly parameter. Note that you should use the --preferred-chain 'ISRG Root X1' parameter in order to force the ISRG Root X1 certificate chain:
certbot certonly --preferred-chain 'ISRG Root X1'
You can also cover multiple hostnames with the same SSL certificate using
certbot certonly --preferred-chain 'ISRG Root X1' -d example.com -d www.example.com
After the verification, the certificate files (certificate, public key, and the chain) are placed in the /etc/letsencrypt/archive directory. Symbolic links to the most recent certificate files are created in the /etc/letsencrypt/live/ directory, which is the path we use to refer to our certificate files during configuration.
If you have difficulties using Certbot on Ubuntu 20.04, you can read Certbot’s detailed instructions for Ubuntu 20.04 on their website.
Step 3: Preparing Certificate
Having generated the certificate in the last step, you should now have privkey.pem, cert.pem, and chain.pem.
First, copy your privkey.pem file from /etc/letsencrypt/live/ to /opt/zextras/ssl/carbonio/commercial/ as commercial.key using the following command (substitute Your_Domain with the name of your domain)
cp /etc/letsencrypt/live/Your_Domain/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
Acquire the ISRG Root X1 certificate and concatenate it to your chain.pem file (substitute Your_Domain with the name of your domain)
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/Your_Domain/chain.pem
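The append above is not idempotent: running it twice leaves two copies of the root in chain.pem, and a failed download can leave an empty /tmp/ISRG-X1.pem. As an added example (not part of the original article or of Carbonio's tooling), the helpers below append the root only when it is missing; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: idempotent version of the Step 3 append.
# Function names are hypothetical; file paths are passed as arguments.

# Print the number of PEM certificates in a bundle.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Print the base64 body of every certificate in a file, one line per certificate.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
         /-----END CERTIFICATE-----/   { inside = 0; print body; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# Append the root certificate to the chain unless it is already there.
# Returns 0 = appended, 1 = already present,
#         2 = chain file missing or root file holds no certificate.
append_root_once() {
    chain=$1
    root=$2
    [ -f "$chain" ] || return 2
    root_body=$(pem_bodies "$root" | head -n 1)
    [ -n "$root_body" ] || return 2
    if pem_bodies "$chain" | grep -qxF -- "$root_body"; then
        return 1
    fi
    # Make sure the chain ends with a newline so PEM markers are not glued together.
    [ -z "$(tail -c 1 "$chain")" ] || echo >> "$chain"
    cat "$root" >> "$chain"
}

# Usage with the article's paths (Your_Domain is the article's placeholder):
#   append_root_once /etc/letsencrypt/live/Your_Domain/chain.pem /tmp/ISRG-X1.pem
#   count_certs /etc/letsencrypt/live/Your_Domain/chain.pem
```

After Step 3, count_certs on chain.pem should report one more certificate than before the append, and a second run of append_root_once should return 1 without changing the file.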
Step 4: Deploying Certificate
First, make a copy of your prepared chain.pem and cert.pem files (substitute Your_Domain with the name of your domain)
cp /etc/letsencrypt/live/Your_Domain/cert.pem /tmp
cp /etc/letsencrypt/live/Your_Domain/chain.pem /tmp
Give the zextras user ownership of the commercial.key file using
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key
Now verify the certificate using
su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'
Note that the deployment should only be executed after completing the verification step successfully.
Finally, deploy the certificate and restart the services to finish deployment
su - zextras -c 'zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem'
su - zextras -c 'zmcontrol restart'
You can find more information on the Carbonio Community Edition documentation webpage.