A public-key certificate is an electronic document that provides a reliable way for an entity to prove its identity. A trusted organization that issues these public-key certificates is known as a Certificate Authority (CA). A certificate authority acts as a third party trusted by both the owner of the certificate and those who rely on it.
The subject of such a certificate is typically an individual or an organization, but it can also be a device such as a computer, which is the case for an e-mail server. Certificate authorities can be commercial, such as IdenTrust and DigiCert, or non-profit, like Let’s Encrypt.
In this article, you will see how to install and manage Let’s Encrypt certificates in Carbonio CE using Certbot on Ubuntu 20.04.
What is Let’s Encrypt?
Let’s Encrypt is a global Certificate Authority (CA) providing SSL/TLS certificates to individuals and organizations. Let’s Encrypt certificates are mostly used by websites to enable secure HTTPS connections. However, Let’s Encrypt issues Domain Validation (DV) certificates, so besides websites they can be used for any server that uses a domain name, such as an e-mail server.
Let’s Encrypt certificates remain valid for 90 days, but you can renew a certificate at any time during this period without any charge, which makes setting up and maintaining TLS encryption easier.
What is Certbot?
Certbot is a free and open-source tool that facilitates obtaining SSL certificates from Let’s Encrypt and configuring them on your server. Certbot is also very useful for managing Let’s Encrypt certificates, for example by automating the renewal process.
Issue Certificates for Carbonio CE
We’re going to use Certbot to obtain and configure Let’s Encrypt certificates on our server. The process is very straightforward. You install Certbot, issue the request for your server, obtain an SSL certificate, CA Intermediate, and Private Key for your domain, deploy them on your server, and you’re done.
Step 1: Installing Certbot
Note: Before installing Certbot, you need to remove certbot-auto or any other related Certbot packages installed using an OS package manager like apt, and add the latest version maintained by the Certbot team, since the one that comes with Ubuntu 20.04 is deprecated. Otherwise, we cannot be sure the command certbot uses the snap as opposed to the one installed by your package manager.
After successfully removing the existing certbot-auto, it’s time to install the latest version maintained by the Certbot team on the machine.
To install the latest version of certbot, run the following commands:
apt install snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --version
Now execute certbot as follows:
certbot certonly --preferred-chain "ISRG Root X1" -d mail.sampleserver.xyz
After the verification, the certificate files (certificate, private key, and chain) are placed in the /etc/letsencrypt/live/mail.sampleserver.xyz/ directory.
Check that directory. It should have the following files:
cert.pem chain.pem fullchain.pem privkey.pem README
Step 3: Preparing Certificate
By generating the certificate in the last step, you should now have obtained privkey.pem, cert.pem, and chain.pem.
First, copy your privkey.pem file from /etc/letsencrypt/live/mail.sampleserver.xyz/ to /opt/zextras/ssl/carbonio/commercial/ as commercial.key using the following command:
cp /etc/letsencrypt/live/mail.sampleserver.xyz/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
Copy the certificate and the chain to the /tmp directory:
cp /etc/letsencrypt/live/mail.sampleserver.xyz/cert.pem /tmp
cp /etc/letsencrypt/live/mail.sampleserver.xyz/chain.pem /tmp
Now, download the ISRG Root X1 certificate and append it to your chain.pem file:
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem
Step 4: Deploying Certificate
Give the zextras user ownership of the commercial.key file using:
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key
Now verify the certificate using:
su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'
Note that the deployment should only be executed after completing the verification step successfully.
Finally, deploy the certificate and restart the services to finish the deployment:
su - zextras -c 'zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem'
su - zextras -c 'zmcontrol restart'
Now check the status from your webmail interface.
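An independent pre-check that can be run on the staged files before the zmcertmgr verifycrt command in Step 4, using only openssl. This is an added example, not part of Carbonio or Certbot; the function names and the 7-day expiry threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: openssl pre-checks for the files staged in Step 3.
# Function names and the 7-day threshold are assumptions, not Carbonio tooling.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = private key, $2 = certificate
  _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# True when the certificate chains to a root found in the bundle.
# -no-CApath keeps the system CA directory out of the lookup, so a bundle
# that lacks the appended root (ISRG Root X1 in the article) is not masked by it.
chain_verifies() {  # $1 = chain bundle, $2 = certificate
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the certificate is still valid $2 seconds from now.
not_expiring_within() {  # $1 = certificate, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Same argument order as 'zmcertmgr verifycrt comm': key, certificate, chain.
# Returns 0 on success, or 1/2/3 for the first check that failed.
predeploy_check() {
  key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
  chain_verifies "$3" "$2" || { echo "FAIL: chain does not lead to a root in the bundle"; return 2; }
  not_expiring_within "$2" 604800 || { echo "FAIL: certificate expires within 7 days"; return 3; }
  echo "OK: key, certificate and chain are consistent"
}

# Usage with the article's paths:
# predeploy_check /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem
```

A non-zero return code identifies the first failed check, so the function can gate the deploycrt command in a script.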

You can find more information on the Carbonio Community Edition documentation webpage.