SystemMen - Install a Let’s Encrypt SSL certificate in Zimbra, automated. In this article, I will guide you through it step by step.
If you don’t know yet, Let’s Encrypt is a free project that provides SSL certificates.
This project aims to improve the safety of websites, contributing to making the internet environment safer.
Let’s Encrypt’s Certbot installation
First, we must install certbot on the Zimbra server. You can install Let’s Encrypt manually, but I don’t think that is necessary: Certbot is a utility tool for this.
Use the following command to download certbot to your Zimbra server.
[root@mail ~]# wget https://dl.eff.org/certbot-auto -P /usr/local/bin
It looks like this.
[root@mail ~]# wget https://dl.eff.org/certbot-auto -P /usr/local/bin
--2019-05-28 16:19:10-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)… 151.101.192.201, 151.101.64.201, 151.101.0.201, …
Connecting to dl.eff.org (dl.eff.org)|151.101.192.201|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 68023 (66K) [application/octet-stream]
Saving to: ‘/usr/local/bin/certbot-auto’
100%[========================================>] 68.023 --.-K/s in 0,09s
2019-05-28 16:19:11 (758 KB/s) - ‘/usr/local/bin/certbot-auto’ saved [68023/68023]
After that, grant it execute permission. That’s it.
[root@mail ~]# chmod a+x /usr/local/bin/certbot-auto
Install Let’s Encrypt ssl certificate in Zimbra with YetOpen certbot-zimbra
Zimbra has an article that shows you how to install the Zimbra SSL certificate manually.
However, Zimbra also recommends using automated scripts. Of those, we will use YetOpen certbot-zimbra.
Download and install YetOpen certbot-zimbra
First, download certbot-zimbra to your zimbra server.
[root@mail ~]# wget https://raw.githubusercontent.com/YetOpen/certbot-zimbra/master/certbot_zimbra.sh -P /usr/local/bin
The result looks like this.
[root@mail ~]# wget https://raw.githubusercontent.com/YetOpen/certbot-zimbra/master/certbot_zimbra.sh -P /usr/local/bin
--2019-05-28 16:20:08-- https://raw.githubusercontent.com/YetOpen/certbot-zimbra/master/certbot_zimbra.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.64.133, 151.101.0.133, 151.101.192.133, …
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.64.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 13426 (13K) [text/plain]
Saving to: ‘/usr/local/bin/certbot_zimbra.sh’
100%[========================================>] 13.426 --.-K/s in 0,04s
2019-05-28 16:20:09 (342 KB/s) - ‘/usr/local/bin/certbot_zimbra.sh’ saved [13426/13426]
Grant execution permission for certbot-zimbra.
[root@mail ~]# chmod +x /usr/local/bin/certbot_zimbra.sh
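Both downloads above end up in /usr/local/bin and are later executed as root, and the certbot-zimbra URL points at the master branch, so its content can change between one download and the next. The following is an added example, not part of the original article or of the certbot or certbot-zimbra projects: it installs a downloaded script only if it matches a SHA-256 digest you recorded after reviewing it. The function names are hypothetical and PINNED_SHA256 is a placeholder for your own recorded value.

```shell
#!/bin/sh
# Added example: verify a downloaded script against a pinned SHA-256 digest
# before installing it where root will execute it.
# Assumes GNU coreutils (sha256sum, install, mktemp) and wget, as on CentOS 7.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# install_verified SRC EXPECTED_SHA256 DEST
# Copies SRC to DEST with mode 0755 only if its digest equals EXPECTED_SHA256.
# Returns 0 on success, 1 on digest mismatch, 2 on a usage or I/O error.
install_verified() {
    local src expected dest actual
    src=$1
    dest=$3
    # Normalise the pinned digest to lowercase so a pasted uppercase value works.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    # Reject a malformed pin instead of comparing against garbage.
    case $expected in
        ''|*[!0-9a-f]*) echo "pinned digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pinned digest must be 64 hex chars" >&2; return 2; }

    actual=$(sha256_of "$src") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    # install(1) copies and sets the mode in one step; nothing is written to
    # DEST unless the digest matched.
    install -m 0755 -- "$src" "$dest" || return 2
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# Downloads to a private temp file, verifies it, installs it, and cleans up.
fetch_and_install() {
    local url expected dest tmp rc
    url=$1
    expected=$2
    dest=$3
    tmp=$(mktemp) || return 2
    if wget -q -O "$tmp" "$url"; then
        install_verified "$tmp" "$expected" "$dest"
        rc=$?
    else
        echo "download failed: $url" >&2
        rc=2
    fi
    rm -f -- "$tmp"
    return "$rc"
}

# Usage (PINNED_SHA256 is a placeholder, not a published value):
#   fetch_and_install \
#     https://raw.githubusercontent.com/YetOpen/certbot-zimbra/master/certbot_zimbra.sh \
#     "$PINNED_SHA256" /usr/local/bin/certbot_zimbra.sh
```

A mismatch after an upstream change is the signal to review the new version before updating the pin.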
Install Let’s Encrypt ssl certificate in Zimbra
Now we start installing the SSL certificate for the Zimbra mail server.
First, we determine the hostname of the Zimbra server.
[root@mail ~]# /opt/zimbra/bin/zmhostname
mail.yourdomain.com
Next, run the following command to request the SSL certificate for the mail domain.
[root@mail ~]# certbot_zimbra.sh -n
Because this is the first time we run Let’s Encrypt’s certbot, it will install some necessary packages. On later runs, it will skip the installation.
[root@mail ~]# certbot_zimbra.sh -n
Certbot-Zimbra v0.5 - https://github.com/YetOpen/certbot-zimbra
Detected Zimbra 8.8.12
Making a backup of nginx templates in /opt/zimbra/conf/nginx/templates.20190528_162302
Stopping proxy…done.
Starting proxy…done.
Detected mail.yourdomain.com as Zimbra hostname
Bootstrapping dependencies for RedHat-based OSes… (you can skip this with --no-bootstrap)
[yum output omitted: it installs 9 packages plus 29 dependencies, and asks "Is this ok" once for the transaction and once for importing the EPEL GPG key; both were answered y]
Complete!
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@yourdomain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.yourdomain.com
Using the webroot path /opt/zimbra/data/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
   Your cert will expire on 2019-08-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.yourdomain.com…ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.yourdomain.com…ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b8c8cdf8.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b8c8cdf8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host mail.yourdomain.com
Stopping zmconfigd…Done.
Stopping imapd…Done.
Stopping zimlet webapp…Done.
Stopping zimbraAdmin webapp…Done.
Stopping zimbra webapp…Done.
Stopping service webapp…Done.
Stopping stats…Done.
Stopping mta…Done.
Stopping spell…Done.
Stopping snmp…Done.
Stopping cbpolicyd…Done.
Stopping archiving…Done.
Stopping opendkim…Done.
Stopping amavis…Done.
Stopping antivirus…Done.
Stopping antispam…Done.
Stopping proxy…Done.
Stopping memcached…Done.
Stopping mailbox…Done.
Stopping logger…Done.
Stopping dnscache…Done.
Stopping ldap…Done.
Host mail.yourdomain.com
Starting ldap…Done.
Starting zmconfigd…Done.
Starting logger…Done.
Starting mailbox…Done.
Starting memcached…Done.
Starting proxy…Done.
Starting amavis…Done.
Starting antispam…Done.
Starting antivirus…Done.
Starting opendkim…Done.
Starting snmp…Done.
Starting spell…Done.
Starting mta…Done.
Starting stats…Done.
Starting service webapp…Done.
Starting zimbra webapp…Done.
Starting zimbraAdmin webapp…Done.
Starting zimlet webapp…Done.
Starting imapd…Done.
If your log looks the same as above, congratulations: the SSL certificate was installed successfully.
Setting up crontab auto renew ssl certificates
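Because Let’s Encrypt SSL certificates are valid for 90 days, you need to renew them before they expire. Doing that by hand is not practical, so it needs to be automated.
Create a crontab entry with the following content. Because the line includes a user field (root), it belongs in /etc/crontab or in a file under /etc/cron.d rather than in a per-user crontab.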
00 3 * * * root /usr/local/bin/certbot-auto renew --post-hook "/usr/local/bin/certbot_zimbra.sh -r -d $(/opt/zimbra/bin/zmhostname)"
Because the renewal has to restart Zimbra, you should schedule the cron job outside the company’s working hours. I think 3 am is appropriate; you can change it.
Cron will check for renewal once a day. You can specify the domain immediately after the -d option.
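An unattended renewal can fail without anyone noticing until clients start rejecting the certificate. The following is an added example, not part of the original article or of certbot-zimbra: a check for the deployed certificate and key, using the paths that appear in the log above. The function names and the 20-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: health check for the certificate that the renewal cron job
# is supposed to keep fresh. Requires the openssl command-line tool.
# certbot tries to renew once a certificate is within 30 days of expiry, so a
# deployed certificate with fewer than about 20 days left means the renewal
# or the post-hook deployment has been failing for a while.

# cert_matches_key CERT KEY
# Returns 0 if the first certificate in CERT carries the public key of KEY.
# (commercial.crt holds the server certificate first, then the CA chain.)
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS
# Returns 0 if CERT will still be valid DAYS days from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# check_deployed_cert CERT KEY MIN_DAYS
# Prints one status line. Returns 0 = healthy, 1 = fewer than MIN_DAYS left,
# 2 = bad arguments, unreadable certificate, or certificate/key mismatch.
check_deployed_cert() {
    local cert key min_days
    cert=$1
    key=$2
    min_days=$3
    case $min_days in
        ''|*[!0-9]*) echo "CRITICAL: MIN_DAYS must be a whole number"; return 2 ;;
    esac
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo "CRITICAL: cannot parse certificate $cert"
        return 2
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "CRITICAL: $cert does not match private key $key"
        return 2
    fi
    if ! cert_valid_for "$cert" "$min_days"; then
        echo "WARNING: $cert has under $min_days days left ($(openssl x509 -noout -enddate -in "$cert"))"
        return 1
    fi
    echo "OK: $cert matches its key and is valid for at least $min_days more days"
    return 0
}

# Usage, as root (the key is not world-readable), with the paths from the log:
#   check_deployed_cert /opt/zimbra/ssl/zimbra/commercial/commercial.crt \
#                       /opt/zimbra/ssl/zimbra/commercial/commercial.key 20
```

Run it from monitoring or a second cron entry and alert on a non-zero exit status.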
Conclusion
So I have shown you how to use certbot-zimbra to install the SSL certificate for the Zimbra mail server. I hope you can do it without any errors.
Thank you, excellent tutorial…but you missed something crucial: Most Zimbra installations will only listen on port 443 and NOT on 80, but certbot needs port 80 to issue the cert. So you need to temporarily allow port 80 on BOTH the Zimbra server itself AND the firewall.
For Zimbra to switch from the current MODE to 443/80 MODE, you first need to check what mode your ZCS server is in right now:
Run as “zimbra” user:
zmprov getServer YOUR.SERVER.NAME zimbraReverseProxyMailMode
Make a note of whether it is “redirect” or some other mode, so you can set it back to the same mode later.
Then switch to BOTH mode:
zmprov ms YOUR.SERVER.NAME zimbraReverseProxyMailMode both
Now you can run the above mentioned certbot_zimbra.sh to renew/install LE SSL.
After script finishes, return to original mode, again as “zimbra” user, for example to return to “redirect” mode:
zmprov ms YOUR.SERVER.NAME zimbraReverseProxyMailMode redirect
And that’s it.