Install Let’s Encrypt certificate for new domain in Zimbra


SystemMen - Install Let’s Encrypt certificate for new domain in Zimbra. Previously, I wrote an article about certbot-zimbra, a script that automatically installs a Let’s Encrypt SSL certificate on a Zimbra mail server.

Following that article, you can set up a certificate on a completely new Zimbra mail server without trouble. But when you later add a new mail domain to the server, you may run into a problem.

Let’s Encrypt SSL certificate for new domain

Since version 8.7, Zimbra has supported multiple SSL certificates for the multiple domains served by one Zimbra mail system.

Use certbot-zimbra to install a Let’s Encrypt SSL certificate for a new domain in Zimbra.

Here I will guide you through installing an SSL certificate for the new domain.

Warning: every time you run certbot-zimbra, it restarts the Zimbra services, so you should do it at night, when the restart affects the fewest users.

With certbot-zimbra, you use the -n option to request and install a new certificate for the mail domain. But what if the server already serves one (or more) domains and you now want to add one more?

You need the -e option, i.e. --extra-domain, which adds further domains to the certificate request. It can be used multiple times.

What if you don’t use the -e option? certbot-zimbra will install an SSL certificate for the new domain in place of the one for the server’s original hostname, and you will then get an error when the LDAP service restarts over SSL.

The command:

# certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com

The SSL installation process for the new domain takes place as follows.

[root@mail ~]# certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com
Detected mail.yourdomain.com as Zimbra hostname
These additional domains will be part of the requested certificate:  mail.yourseconddomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
   Your cert will expire on 2019-09-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.yourdomain.com…ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.yourdomain.com…ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b8c8cdf8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b8c8cdf8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host mail.yourdomain.com
	Stopping zmconfigd…Done.
	Stopping imapd…Done.
	Stopping zimlet webapp…Done.
	Stopping zimbraAdmin webapp…Done.
	Stopping zimbra webapp…Done.
	Stopping service webapp…Done.
	Stopping stats…Done.
	Stopping mta…Done.
	Stopping spell…Done.
	Stopping snmp…Done.
	Stopping cbpolicyd…Done.
	Stopping archiving…Done.
	Stopping opendkim…Done.
	Stopping amavis…Done.
	Stopping antivirus…Done.
	Stopping antispam…Done.
	Stopping proxy…Done.
	Stopping memcached…Done.
	Stopping mailbox…Done.
	Stopping logger…Done.
	Stopping dnscache…Done.
	Stopping ldap…Done.
Host mail.yourdomain.com
	Starting ldap…Done.
	Starting zmconfigd…Done.
	Starting logger…Done.
	Starting mailbox…Done.
	Starting memcached…Done.
	Starting proxy…Done.
	Starting amavis…Done.
	Starting antispam…Done.
	Starting antivirus…Done.
	Starting opendkim…Done.
	Starting snmp…Done.
	Starting spell…Done.
	Starting mta…Done.
	Starting stats…Done.
	Starting service webapp…Done.
	Starting zimbra webapp…Done.
	Starting zimbraAdmin webapp…Done.
	Starting zimlet webapp…Done.
	Starting imapd…Done.

You can repeat the -e option each time you need to add a new domain, or you can add several new domains at the same time, as in the following command.

# certbot_zimbra.sh -n -d mail.yourdomain.com -e mail.yourseconddomain.com -e mail.yourthirddomain.com
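Because certbot issues one certificate containing exactly the names in the request (the output above shows the extra domain becoming "part of the requested certificate"), a re-run that lists only the newest domain after -e would request a certificate without the domains added on earlier runs. The Python helper below is an added example, not code from the original post or from the certbot-zimbra project: it parses the DNS names currently in the installed certificate (the post's output shows it at /opt/zimbra/ssl/zimbra/commercial/commercial.crt), merges them with the new domain, builds the certbot_zimbra.sh argument list with one -e per extra domain, and after the run reports any expected name missing from the certificate. SAMPLE_SAN_OUTPUT is a constructed stand-in for what `openssl x509 -noout -ext subjectAltName` prints; the function names and the use of that openssl option are my assumptions, not part of the page.

```python
#!/usr/bin/env python3
"""Pre-flight and post-install checks for certbot_zimbra.sh -e runs.

Added example, not part of certbot-zimbra or the original post. It assumes
the installed certificate is at the path shown in the post's output and that
`openssl x509 -noout -ext subjectAltName` is available to list its SANs.
"""
import re
import shlex
import subprocess

# Path taken from the post's certbot-zimbra output.
COMMERCIAL_CRT = "/opt/zimbra/ssl/zimbra/commercial/commercial.crt"

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output for a
# certificate that covers the server hostname plus one extra domain.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:mail.yourdomain.com, DNS:mail.yourseconddomain.com
"""

# Conservative DNS hostname syntax: dotted labels, letters/digits/hyphens only.
# Anything else (spaces, shell metacharacters) is rejected before it is used.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_san_dns(openssl_output: str) -> list:
    """Return the DNS names from subjectAltName output, lower-cased, in order."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", openssl_output)]


def installed_dns_names(cert_path: str = COMMERCIAL_CRT) -> list:
    """Read the SAN DNS names of a PEM certificate by shelling out to openssl."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-ext", "subjectAltName"],
        check=True, capture_output=True, text=True,
    )
    return parse_san_dns(proc.stdout)


def build_command(hostname: str, new_extra: list, current_names: list = ()) -> list:
    """Build argv for certbot_zimbra.sh -n -d <hostname> -e <extra> ...

    Every name already on the installed certificate (except the hostname itself)
    is kept, so earlier extra domains are not dropped by the new request.
    Invalid hostnames raise ValueError; argv is a list, so nothing is passed
    through a shell.
    """
    hostname = hostname.lower()
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"not a valid DNS hostname: {hostname!r}")
    extras = []
    for name in list(current_names) + list(new_extra):
        name = name.lower()
        if not HOSTNAME_RE.match(name):
            raise ValueError(f"not a valid DNS hostname: {name!r}")
        if name != hostname and name not in extras:
            extras.append(name)
    argv = ["certbot_zimbra.sh", "-n", "-d", hostname]
    for name in extras:
        argv += ["-e", name]
    return argv


def missing_names(expected: list, installed: list) -> list:
    """Post-install check: names that should be on the certificate but are not."""
    return sorted({n.lower() for n in expected} - {n.lower() for n in installed})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real server replace
    # parse_san_dns(SAMPLE_SAN_OUTPUT) with installed_dns_names().
    current = parse_san_dns(SAMPLE_SAN_OUTPUT)
    argv = build_command("mail.yourdomain.com", ["mail.yourthirddomain.com"], current)
    print("run:", shlex.join(argv))
    wanted = ["mail.yourdomain.com", "mail.yourthirddomain.com"]
    print("not yet on certificate:", missing_names(wanted, current))
```

Run it before the certbot_zimbra.sh command to see the full argument list it recommends, and again afterwards (with installed_dns_names()) to confirm that every domain you expect is actually present in commercial.crt before the Zimbra services are restarted again.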

Conclusion

Thanks to certbot-zimbra, installing SSL certificates on Zimbra mail servers has become simpler. But when serving multiple domains, you need to pay attention to using the right options in order to avoid system errors.
