Free SSL Certificates Using Let’s Encrypt and Certbot for Carbonio Community Edition | Carbonio CE

A public-key certificate is an electronic document that provides a reliable way for an entity to prove its identity. A trusted organization that issues these public-key certificates is known as a Certificate Authority (CA). A certificate authority acts as a third party trusted by both the owner of the certificate and those who rely on it.

The subject of such a certificate is typically an individual or an organization, but it can also be a device such as a computer, which is the case for an e-mail server. Certificate authorities can be commercial, such as IdenTrust and DigiCert, or non-profit, like Let’s Encrypt.

In this article, you will see how to install and manage Let’s Encrypt certificates in Carbonio CE using Certbot on Ubuntu 20.04.

What is Let’s Encrypt?

Let’s Encrypt is a global Certificate Authority (CA) providing SSL/TLS certificates to individuals and organizations. Let’s Encrypt certificates are mostly used by websites to enable secure HTTPS connections. However, the Domain Validation (DV) certificates it issues are not limited to websites: they can be used for any server that has a domain name, such as an e-mail server.

Let’s Encrypt certificates remain valid for 90 days, but you can renew a certificate at any time during this period at no charge, which makes it easy to set up and maintain TLS encryption.

What is Certbot?

Certbot is a free and open-source tool that obtains SSL certificates from Let’s Encrypt and configures them on your server. Certbot is also very useful for managing Let’s Encrypt certificates, for example by automating the renewal process.

Issue Certificates for Carbonio CE

We’re going to use Certbot to obtain and configure Let’s Encrypt certificates on our server. The process is straightforward: you install Certbot, issue the request for your server, obtain an SSL certificate, CA Intermediate, and Private Key for your domain, deploy them on your server, and you’re done.

Step 1: Installing Certbot

Note: Before installing Certbot, you need to remove certbot-auto and any other Certbot packages installed using an OS package manager like apt, and then add the latest version maintained by the Certbot team, since the one that comes with Ubuntu 20.04 is deprecated. Otherwise you cannot be sure that the certbot command uses the snap rather than the version installed by your package manager.

After successfully removing the existing certbot-auto, it’s time to install the latest version maintained by the Certbot team on the machine.

To install the latest version of Certbot, run the following commands:

apt install snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --version

Now run certbot as follows:

certbot certonly --preferred-chain "ISRG Root X1" -d mail.sampleserver.xyz

After the verification, the certificate files (certificate, private key, and the chain) are placed in the /etc/letsencrypt/live/mail.sampleserver.xyz/ directory.

Check the directory /etc/letsencrypt/live/mail.sampleserver.xyz/. It should contain the following files:

cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Step 3: Preparing Certificate

After generating the certificate in the last step, you should now have privkey.pem, cert.pem, and chain.pem.

First, copy your privkey.pem file from /etc/letsencrypt/live/mail.sampleserver.xyz/ to /opt/zextras/ssl/carbonio/commercial/ as commercial.key using the following command:

cp /etc/letsencrypt/live/mail.sampleserver.xyz/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key

Copy the certificate and the chain to the /tmp directory:

cp /etc/letsencrypt/live/mail.sampleserver.xyz/cert.pem /tmp
cp /etc/letsencrypt/live/mail.sampleserver.xyz/chain.pem /tmp

Now, download the ISRG Root X1 certificate and append it to your chain file:

wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem

Step 4: Deploying Certificate

Give the zextras user ownership of the commercial.key file using:

chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key

Now verify the certificate using:

su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

Note that the deployment should only be executed after completing the verification step successfully.

Finally, deploy the certificate and restart the services to finish the deployment:

su - zextras -c 'zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem'
su - zextras -c 'zmcontrol restart'

Now check the status from your webmail interface.

Let’s Encrypt on Carbonio CE 22.10.0
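
An added example, not part of the original article or of Carbonio's own tooling: because the certificate expires after 90 days, Steps 3 and 4 have to be repeated after every renewal, and a Certbot deploy hook can do that. The ROOT_PEM path (a local copy of the ISRG Root X1 file downloaded in Step 3) and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): Certbot deploy hook repeating Steps 3 and 4.
set -eu
SSL_DIR=/opt/zextras/ssl/carbonio/commercial   # path used in the article
ROOT_PEM=/etc/letsencrypt/ISRG-X1.pem          # assumption: root saved once in Step 3

# Succeeds only when the private key and the certificate carry the same
# public key. Comparing the SPKI works for RSA and ECDSA keys alike.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Write intermediate(s) + root into a fresh file. Unlike `cat >>`, running
# this again never leaves a duplicated root at the end of the chain.
build_chain() {   # build_chain <chain.pem> <root.pem> <out.pem>
    cat "$1" "$2" > "$3"
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

deploy() {   # deploy <certbot live directory>
    live=$1
    work=$(mktemp -d)                 # private work dir instead of /tmp/*.pem
    trap 'rm -rf "$work"' EXIT
    key_matches_cert "$live/privkey.pem" "$live/cert.pem" || {
        echo "private key does not match certificate, aborting" >&2
        return 1
    }
    build_chain "$live/chain.pem" "$ROOT_PEM" "$work/chain.pem"
    cp "$live/cert.pem" "$work/cert.pem"
    chmod 755 "$work"; chmod 644 "$work"/*.pem   # zextras must be able to read them
    # Key is created owner-only and owned by zextras in one step.
    install -o zextras -g zextras -m 600 "$live/privkey.pem" "$SSL_DIR/commercial.key"
    # Verify before deploying, as the article requires.
    su - zextras -c "zmcertmgr verifycrt comm $SSL_DIR/commercial.key $work/cert.pem $work/chain.pem"
    su - zextras -c "zmcertmgr deploycrt comm $work/cert.pem $work/chain.pem"
    su - zextras -c 'zmcontrol restart'
}

# Certbot sets RENEWED_LINEAGE when it runs a deploy hook; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy "$RENEWED_LINEAGE"; fi
```

Registered with certbot renew --deploy-hook followed by the script's path, it runs only after a renewal succeeds, with RENEWED_LINEAGE pointing at the live directory of the renewed certificate.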

You can find more information on the Carbonio Community Edition documentation webpage.
