CentOS 7.x: Install a Let's Encrypt automated SSL certificate in Zimbra
SSL certificate setup
To set up Let's Encrypt SSL certificates use: Refer Link
1. First, stop the web and mailbox services as the *zimbra* user:
zmproxyctl stop
zmmailboxdctl stop
2. Download the letsencrypt package from GitHub as the *root* user:
yum -y install git epel-release
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
3. Get Let's Encrypt certificates for the domain using:
./letsencrypt-auto certonly --standalone -d mail.zimbra.sbarjatiya.com -d zimbra.sbarjatiya.com
On the various prompts use:
a. Emergency email - saurabh@example.com
b. Agree/Cancel - A
c. Yes/No - Y
The important file locations are:
- /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/fullchain.pem
- /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem
4. Download the root and intermediate certificates from the Let's Encrypt site, for example:
cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
5. To give Zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
6. Install the certificates as the *zimbra* user:
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
**If the above validation succeeds:**
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
zmcontrol restart
7. Recently the above validation has started to fail with the error:
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'combined.pem'
ERROR: Unable to validate certificate chain: cert.pem: CN = mail.zimbra.sbarjatiya.com
error 20 at 0 depth lookup:unable to get local issuer certificate
OR
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'combined.pem'
ERROR: Unable to validate certificate chain: cert.pem: C = US, O = Let's Encrypt, CN = R3
error 2 at 1 depth lookup:unable to get issuer certificate
In case of the above error you can solve it by modifying the steps that generate combined.pem: the failing lookup shows that cert.pem is now issued by the R3 intermediate (CN = R3), so combined.pem needs the R3 intermediate instead of the older Authority X3 one:
cd /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/
wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
cat isrgrootx1.pem.txt lets-encrypt-r3.pem chain.pem > combined.pem
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
After this, try the verifycrt step again; this time it should work.
8. Open Zimbra Admin and verify that the certificate, along with the root "ISRG Root X1" and the intermediate "Let's Encrypt Authority X3" (or "R3" if you applied the change in step 7), shows up properly.
9. Test the certificates using:
openssl s_client -starttls smtp -connect zimbra.sbarjatiya.com:25 -showcerts
openssl s_client -connect zimbra.sbarjatiya.com:465 -showcerts
openssl s_client -connect zimbra.sbarjatiya.com:443 -showcerts
openssl s_client -connect zimbra.sbarjatiya.com:993 -showcerts
openssl s_client -starttls imap -connect zimbra.sbarjatiya.com:143 -showcerts
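An added example, not from the original page, showing what the verifycrt check in step 6 actually tests and why the step 7 change works: it builds a throwaway root / Authority X3 / R3 hierarchy, assembles combined.pem with each intermediate in turn and verifies the leaf against it with openssl, plus a quick issuer check for the "error 20 at 0 depth" case. It assumes only that openssl is on PATH; every name and certificate in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the zmcertmgr chain
# check with plain openssl, using a throwaway CA hierarchy built here so it
# runs offline. Assumes openssl is on PATH; every name below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT CA_FLAG [ISSUER]: write $WORK/NAME.key and $WORK/NAME.pem,
# self-signed when ISSUER is empty, otherwise signed by $WORK/ISSUER.{pem,key}
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$WORK/$1.ext"
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Stand-ins for ISRG Root X1, the old Authority X3 intermediate, the R3
# intermediate, and a leaf issued by R3 (the situation in step 7's error).
issue root '/O=Example/CN=Stand-in Root X1' TRUE
issue x3   '/O=Example/CN=Stand-in Authority X3' TRUE root
issue r3   '/O=Example/CN=Stand-in R3' TRUE root
issue leaf '/CN=mail.example.test' FALSE r3

# build_combined OUT INTERMEDIATE: root + intermediate, as the page's combined.pem
# (certbot's chain.pem is left out; its stand-in here would just repeat r3.pem)
build_combined() { cat "$WORK/root.pem" "$WORK/$2.pem" > "$WORK/$1"; }

# verify_chain COMBINED: 0 when the leaf validates against it (verifycrt's check)
verify_chain() { openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1; }
# issuer_in_bundle COMBINED: 0 when the leaf's issuer DN is a subject in the
# bundle; the quick diagnostic for "error 20 at 0 depth" in step 7
issuer_in_bundle() {
  want=$(openssl x509 -noout -issuer -in "$WORK/leaf.pem" | sed 's/^issuer= *//')
  openssl crl2pkcs7 -nocrl -certfile "$WORK/$1" | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject= *//p' | grep -Fxq "$want"
}

build_combined wrong.pem x3   # step 5 as written: Authority X3 intermediate
build_combined right.pem r3   # step 7 fix: R3 intermediate
for bundle in wrong.pem right.pem; do
  if verify_chain "$bundle"; then echo "$bundle: chain OK"; else echo "$bundle: chain FAILS"; fi
done
```

Running it prints "wrong.pem: chain FAILS" and "right.pem: chain OK"; on a real host, point verify_chain and issuer_in_bundle at the files in /opt/zimbra/ssl/letsencrypt/ before running zmcertmgr.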