A public-key certificate is an electronic document that provides a reliable way for an entity to prove its identity. A trusted organization that issues these public-key certificates is known as a Certificate Authority (CA). A certificate authority acts as a trusted third party by both the owner of the certificate and those who rely on it.
The subject of such certificates is typically individuals and organizations while it can be a device like a computer which is the case in the context of an e-mail server. Certificate authorities can be commercial such as IdenTrust and DigiCert, or non-profit, like Let’s Encrypt.
In this article, you will see how to install and manage Let’s Encrypt certificates in Carbonio CE using Certbot on Ubuntu 20.04.
What is Let’s Encrypt?
Let’s Encrypt is a global Certificate Authority (CA) providing SSL/TLS certificates to individuals and organizations. Let’s Encrypt certificates are mostly used by websites to enable secure HTTPS connections. However, besides issuing SSL/TLS certificates for websites, Let’s Encrypt is commonly used as Domain Validation (DV) that can be used for any servers using a domain name such as e-mail servers.
Let’s Encrypt certificates remain valid for 90 days but you can renew the certificate at any time during this timespan without any charge that facilitates the setting up and maintaining TLS encryption.
What is Certbot?
Certbot is a free and open-source tool to facilitate obtaining SSL certificates from Let’s Encrypt and configure it onto your server. Certbot is also very useful to manage Let’s Encrypt certificates such as automating the renewal process.
Issue Certificates for Carbonio CE
We’re going to use Certbot to obtain and configure Let’s Encrypt certificates on our Server. The process is very straightforward. You install Certbot, issue the request for your server, obtain an SSL certificate, CA Intermediate, and Private Key for your domain, deploy it on your server, and you’re done.
Step 1: Installing Certbot
Note: Before installing Certbot, you need to remove certbot-auto or any other related Certbot packages installed using an OS package manager like apt and add the latest version maintained by the Certbot team since the one that comes with Ubuntu 20.04 is deprecated. we cannot be sure the command certbot uses the snap as opposed to the one installed by your package manager.
After successfully removing the existing Certbot-auto, it’s time to install the latest version maintained by the Certbot on the machine.
To install latest version of certbot, run the following commands
apt install snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --versionNow execute the certbot as follows:
certbot certonly --preferred-chain "ISRG Root X1" -d mail.sampleserver.xyzAfter the verification, certificate files – certificate, public key, and the chain – are placed in the /etc/letsencrypt/mail.sampleserver.xyz/ directory.
Check the directory /etc/letsencrypt/live/mail.example.com/. It should have following files:
cert.pem chain.pem fullchain.pem privkey.pem READMEStep 3: Preparing Certificate
By generating the certificate in the last step, you should have now obtained privkey.pem, cert.pem, and chain.pem.
First copy your privkey.pem file from /etc/letsencrypt/live/mail.sampleserver.xyz/ to /opt/zextras/ssl/carbonio/commercial/ as commercial.key using the following command:
cp /etc/letsencrypt/live/mail.sampleserver.xyz/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.keyCopy other certificate and chain to the /tmp directory.
cp /etc/letsencrypt/live/mail.sampleserver.xyz/cert.pem /tmp
cp /etc/letsencrypt/live/mail.sampleserver.xyz/chain.pem /tmpNow, acquire the ISRG Root X1 chain and concatenate it to your file.
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /tmp/chain.pemStep 4: Deploying Certificate
Give access to the commercial.key file using
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.keyNow verify the certificate using
su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'Note that the deployment should only be executed after completing the verification step successfully.
Finally, deploy the certificate and restart the services to finish the deployment
su - zextras -c 'zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem'
su - zextras -c 'zmcontrol restart'Now check the status from your webmail interface.
You can find more information on the Carbonio Community Edition documentation webpage.
