LetsEncrypt Zimbra

Here are the instructions on how to set up and use the provided Bash script for managing SSL certificates with Let’s Encrypt and deploying them to Zimbra.

Prerequisites

Before using the script, ensure the following prerequisites are met:

  1. Linux Server: Ensure you’re running a Linux server where Zimbra is installed.
  2. Root Access: You must have root or sudo access to the server.
  3. Zimbra Collaboration Suite (ZCS): Zimbra should already be installed and configured on your server.
  4. Install Certbot: Certbot is the tool used to obtain and renew SSL certificates from Let’s Encrypt. Install it using the instructions below.

Step 1: Install Certbot

Certbot can be installed via your package manager depending on your Linux distribution. Here are instructions for a few common distributions:

  • Debian/Ubuntu: sudo apt update && sudo apt install certbot
  • CentOS/RHEL: sudo yum install epel-release && sudo yum install certbot
  • Fedora: sudo dnf install certbot
  • openSUSE: sudo zypper install certbot

Step 2: Prepare the Zimbra Server

Before using the script, ensure that:

  1. Zimbra is Installed and Running: Make sure Zimbra Collaboration Suite is installed and running properly on your server.
  2. Configure DNS and Port 80: Ensure that the Fully Qualified Domain Name (FQDN) of your Zimbra server points to the correct IP address in DNS, and that TCP port 80 is reachable from the internet. Certbot's standalone plugin answers the HTTP-01 challenge on that port, which is why the script stops Zimbra (whose proxy normally holds port 80) while the certificate is obtained.

Step 3: Copy the Script

Create the script file on your server:

#!/bin/bash
# renew_zimbra_cert.sh: obtain or renew the Let's Encrypt certificate for this
# host and deploy it to Zimbra. Run as root. Cron starts with a minimal PATH,
# so set one that contains certbot wherever the package manager put it.
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

FQDN="$(hostname --fqdn)"
LIVE="/etc/letsencrypt/live/$FQDN"
ZLE="/opt/zimbra/ssl/letsencrypt"
ZKEY="/opt/zimbra/ssl/zimbra/commercial/commercial.key"

# Nothing to do (and no downtime) while the current certificate is good for more
# than 30 days, so the script can safely be scheduled weekly or even daily.
if [ -f "$LIVE/cert.pem" ] && openssl x509 -noout -checkend $((30*86400)) -in "$LIVE/cert.pem" >/dev/null; then
    echo "Certificate for $FQDN is valid for more than 30 days; nothing to do."
    exit 0
fi

# Download the ISRG Root X1 certificate before touching Zimbra, so a failed
# download aborts the run early; the second command fails if the file is not a PEM certificate.
wget -q -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
openssl x509 -noout -in /tmp/ISRG-X1.pem

# Stop Zimbra so certbot's standalone listener can bind port 80, and make sure
# Zimbra is started again however the rest of the script ends.
su - zimbra -c "zmcontrol stop"
trap 'su - zimbra -c "zmcontrol start"' EXIT

# Issue the certificate on the first run, renew it on later runs (certbot renews an
# existing certificate only when it is due). --key-type rsa because Zimbra expects an
# RSA key. --register-unsafely-without-email means Let's Encrypt cannot send you
# expiry warnings; replace it with -m <address> if you want them.
certbot certonly -d "$FQDN" --standalone -n --preferred-chain "ISRG Root X1" \
    --agree-tos --register-unsafely-without-email --key-type rsa

# Put the private key where zmcertmgr expects it, readable by the zimbra user only.
install -o zimbra -g zimbra -m 0640 "$LIVE/privkey.pem" "$ZKEY"

# Build the chain Zimbra wants: the Let's Encrypt intermediate(s) from chain.pem
# followed by the ISRG Root X1 root. Only the copies under /opt/zimbra are given to
# the zimbra user; /etc/letsencrypt (account and private keys) stays root-owned.
mkdir -p "$ZLE"
cp "$LIVE/cert.pem" "$ZLE/cert.pem"
cat "$LIVE/chain.pem" /tmp/ISRG-X1.pem > "$ZLE/combined.pem"
chown -R zimbra:zimbra "$ZLE"
rm -f /tmp/ISRG-X1.pem

# Check that key, certificate and chain belong together before deploying.
# Zimbra is restarted by the EXIT trap above.
su - zimbra -c "cd $ZLE && /opt/zimbra/bin/zmcertmgr verifycrt comm $ZKEY cert.pem combined.pem"
su - zimbra -c "cd $ZLE && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
  1. Create the Script File: sudo nano /usr/local/bin/renew_zimbra_cert.sh
  2. Copy the Combined Script: Copy the entire script provided above into the file you created.
  3. Make the Script Executable: sudo chmod +x /usr/local/bin/renew_zimbra_cert.sh

Step 4: Configure Automatic Certificate Renewal

You can automate the script to run periodically using a cron job. Here’s how to set it up:

  1. Open the Crontab Editor: sudo crontab -e
  2. Add a Cron Job: Let’s Encrypt certificates are valid for 90 days and Certbot renews them only once fewer than 30 days remain, so a job that runs every three months lets the certificate expire before it is renewed. Run the script weekly instead, in a low-traffic window, because it restarts Zimbra while the certificate is obtained: 0 3 * * 1 /usr/local/bin/renew_zimbra_cert.sh >> /var/log/renew_zimbra_cert.log 2>&1 This cron job executes the script at 3 AM every Monday and appends its output to /var/log/renew_zimbra_cert.log.
  3. Save and Exit: Save and exit the crontab editor. The script will now run weekly, renew the certificate once it comes within 30 days of expiry, and deploy it to Zimbra.

Step 5: Manual Execution

If you wish to run the script manually, simply execute it with root privileges:

sudo /usr/local/bin/renew_zimbra_cert.sh

Step 6: Verify the Setup

After running the script or allowing it to run via cron, verify the SSL certificate has been updated:

  1. Check Zimbra Services: su - zimbra -c "zmcontrol status" Ensure all services are running.
  2. Check the Certificate: Open your webmail interface (e.g., https://mail.yourdomain.com) and check the SSL certificate details in your browser to confirm that it has been updated.
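Checking only the webmail page in a browser says nothing about IMAP, SMTP and submission, which Zimbra serves on other ports with the same deployed certificate. The script below is an added example (it is not part of the original post or of Zimbra's tooling) that fetches the certificate from each default Zimbra TLS port and compares its SHA-256 fingerprint with the certificate Certbot issued, checks that /opt/zimbra/ssl/zimbra/commercial/commercial.key belongs to that certificate, and warns when fewer than the given number of days remain. It assumes the paths used above, the default Zimbra ports 443, 993, 465, 587, 143 and 25, and an openssl binary on the host; run it as root so it can read the key.

```bash
#!/bin/bash
# check_zimbra_cert.sh: confirm that the certificate certbot issued is the one
# Zimbra's TLS endpoints actually serve, and that it is not about to expire.
# Usage: check_zimbra_cert.sh FQDN [min_days]     (min_days defaults to 30)
set -eu

# SHA-256 fingerprint of a PEM certificate, read from file $1 or from stdin.
cert_fingerprint() {
    if [ $# -gt 0 ]; then
        out=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 1
    else
        out=$(openssl x509 -noout -fingerprint -sha256) || return 1
    fi
    echo "${out#*=}"
}

# Succeeds if the certificate in file $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Succeeds if private key $1 belongs to certificate $2. Compares the DER-encoded
# public keys, so it works for RSA and EC keys alike.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Leaf certificate (PEM) presented on $1:$2; $3, if non-empty, is the STARTTLS
# protocol (smtp, imap) for ports that start in cleartext.
served_cert() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null | openssl x509
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | openssl x509
    fi
}

# Compare every endpoint's certificate with the expected file $2 (assumed default
# Zimbra ports: HTTPS, IMAPS, SMTPS, then submission, IMAP and SMTP with STARTTLS).
check_endpoints() {
    fqdn=$1
    want=$(cert_fingerprint "$2")
    rc=0
    for ep in "443" "993" "465" "587 smtp" "143 imap" "25 smtp"; do
        port=${ep%% *}
        proto=${ep#* }
        [ "$proto" = "$ep" ] && proto=""
        have=$(served_cert "$fqdn" "$port" "$proto" | cert_fingerprint) || have="unreachable"
        if [ "$have" = "$want" ]; then
            echo "ok   $fqdn:$port"
        else
            echo "FAIL $fqdn:$port serves $have"
            rc=1
        fi
    done
    return $rc
}

main() {
    fqdn=$1
    min_days=${2:-30}
    expected="/etc/letsencrypt/live/$fqdn/cert.pem"
    key="/opt/zimbra/ssl/zimbra/commercial/commercial.key"
    cert_valid_for_days "$expected" "$min_days" || echo "WARN: $expected expires within $min_days days"
    key_matches_cert "$key" "$expected" || echo "WARN: $key does not belong to $expected"
    check_endpoints "$fqdn" "$expected"
}

# Run the checks only when an FQDN is given, e.g. ./check_zimbra_cert.sh mail.example.com 30
[ $# -eq 0 ] || main "$@"
```

A FAIL on port 25 or 587 while 443 is fine usually means the MTA was not restarted after deployment; a mismatch between commercial.key and the certificate means the key copy step ran against a different lineage than the certificate copy. The script exits non-zero on any mismatch, so it can run from the same cron log after the renewal job.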

Troubleshooting

  • Certificate Renewal Issues: If Certbot cannot obtain or renew the certificate, check that the FQDN resolves to this server and that port 80 is reachable from the internet while Zimbra is stopped; the standalone plugin answers the HTTP-01 challenge there. certbot certonly --standalone -d $(hostname --fqdn) --dry-run exercises the whole exchange against the Let's Encrypt staging environment without consuming production rate limits.
  • Zimbra Issues: If Zimbra fails to start after deploying the new certificate, check the log file (/var/log/renew_zimbra_cert.log) for errors, then run su - zimbra -c "zmcontrol status" to see which service did not come up and su - zimbra -c "zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/combined.pem" to confirm that key, certificate and chain belong together.

Conclusion

By following these steps, you’ll have an automated system for renewing Let’s Encrypt certificates and deploying them to your Zimbra Collaboration Suite, ensuring your email communications remain secure without manual intervention.
