How to install and update Let’s encrypt for Zimbra

Using certificates to secure your data and mail traffic is something that is extremely important. We have seen, in the ” Zimbra SSL/TLS Commercial Certificate ” article, how they work and what the security protocols and certificates are. In this article, however, we’re going to see specifically how to install and renew Let’s Enrcypt.

Let’s Encrypt is a CA that provides free X.509 cryptographic certificates for TLS encryption (HTTPS). The process of issuing certificates is fully automated.

Let’s Encrypt Issuance

We recommend making a Let’s Encrypt request on a server with Zimbra in order to obtain an SSL certificate, CA Intermediate and Private Key. To do this, you need to stop the mail server service (ports 80 and 443):

zmproxyctl stop
zmmailboxdctl stop

Then you can download the Let’s Encrypt package and go to the letsencrypt directory: 

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

 Now you can run the automatic Let’s Encrypt script, using the certonly parameter. 

./letsencrypt-auto certonly --standalone

Please note that it doesn’t work on Ubuntu, returning the following error: “Skipping bootstrap because certbot-auto is deprecated on this system. Your system is not supported by certbot-auto anymore. Certbot cannot be installed. Please visit Certbot website to check for other alternatives.”

The script will set up a temporary WEB server for checking and issuing a certificate, if necessary, agreeing with the license and notifying an e-mail.
If you need to have multiple hostnames on the same SSL, then you should instead use Multi-SAN, SSL, where “-d” is your domains:

./letsencrypt-auto certonly --standalone -d domain.sample.com -d domain2.sample.com

If everything goes well with verification, then the certificate (certificate + public key + chain) will be issued in the following format: /etc/letencrypt/live/address/ 

Now it’s time to restart the service and begin installing the signed certificate. To implement the certificate in Zimbra you need to add the “root CA” chain. Create a file with “root CA” and the lines of the file “fullchain1.pem“)

root CA: (https://www.identrust.com/certificates/trustid/root-download-x3.html)

When the file has been created, check the files with the following command:

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem FULL_CHAIN.pem

After that, we recommend you to backup your current certificates and then copy the private key, named “commercial.key” to the “/opt/zimbra/ssl/zimbra/commercial” directory:

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") 2cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

 Install the certificate and restart the services to verify Deployment

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Restart the service

zmcontrol restart

Renewing certificates

To renew a certificate, you need to follow these steps:

Stop Zimbra:

/etc/init.d/zimbra stop

We receive new certificates and start the mail server 

certbot certonly --standalone -d mail.example.com
/etc/init.d/zimbra start

Received certificates will need to be uploaded to Zimbra. Copy the certificates: 

cp /etc/letsencrypt/live/zimbra86.zimbra.io/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt/

Add the Let’s encrypt intermediate certificate to the end of the chain.pem file.

If you don’t add the intermediate certificate, you will get an error at the verification stage: ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

Check the installed keys and certificates: 

su - zimbra
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

If the verification was successful, then install the updated certificates : 

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

To apply the installed certificate, restart all Zimbra services: 

/etc/init.d/zimbra restart

That’s all. You’re done! 

Automation

Those who wish to automate the process of installing new certificates can use a special script published on the GitHub site .
For everything to work, you need to:

  • Install the Certbot utility using command: yum -y install certbot
  • Clone the specified branch using the command: git clone https://github.com/penzoiders/zimbra-auto-letsencrypt.git
  • Edit the letsencrypt-zimbra.conf file, so that it matches your system
  • Go to the folder with the script and use it: ./zimbra-auto-letsencrypt.sh

Please note that the script will not only renew the certificate itself, but also restart all services that are required. The use of a script can be fully automated by configuring its execution after a certain time interval.

Technical writer at Zextras. Linux and technology enthusiast. He describes himself as an atypical and polyhedric IT expert, thanks to a creative and open minded attitude, and to the experience gained over time as an IT technician, system engineer and developer.

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Zimbra Collaboration Suite and Anti-Phishing
How to setup External Active Directory Authentication