Zimbra letsencrypt
Want to install Let’s Encrypt for the Zimbra mail server?
Email protection is vital for users and businesses.
An SSL connection encrypts the email traffic.
At Bobcares, we often receive requests to install Let’s Encrypt for the Zimbra mail server as a part of our Server Management Services.
Today, let us discuss how Support Engineers install Let’s Encrypt for the Zimbra mail server.
Zimbra Letsencrypt
Let’s Encrypt is an automated certificate authority providing SSLs free of charge.
Its main purpose is to allow people to encrypt their internet traffic at no cost, easily, and automatically.
The certificate is valid for 90 days, during which renewal can take place at any time.
Let’s Encrypt is widely used by customers to protect Zimbra mail.
Let us discuss how our Support Engineers install a Let’s Encrypt certificate for the mail server.
Zimbra Let’s Encrypt: how to install it
First, we stop the Jetty or Nginx service at the Zimbra level using the commands
su zimbra
zmproxyctl stop
zmmailboxdctl stop
After stopping the services, we exit from the Zimbra user.
Next, we clone the Let’s Encrypt repository using the command
git clone https://github.com/letsencrypt/letsencrypt
If git is not installed on the server, we install it using the command
yum install git
Now we move into the letsencrypt folder and run Let’s Encrypt in auto mode and use the certonly option.
cd letsencrypt
./letsencrypt-auto certonly --standalone
Once all the dependencies for Let’s Encrypt are downloaded, a prompt window appears. We enter the email address.
Then we agree to the terms of service and enter the fully qualified domain name (FQDN).
The certificate files are now present at the location /etc/letsencrypt/live/domainname:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem and chain.pem
privkey.pem is the private key
Next, we need to add the root CA to the chain.pem file. We take our root certificate and merge it into chain.pem, adding it after the certificate already in the chain file.
Verify the Let’s Encrypt certificate for Zimbra mail
The next step is to verify the Let’s Encrypt certificate. To do this, we first create a folder at the following location.
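The merge step above can be scripted so that it is safe to repeat. This is an added example, not Bobcares' or Zimbra's own tooling; the function names are hypothetical and it assumes the root certificate is available as a separate PEM file.

```shell
#!/bin/sh
# Added example (not Bobcares' or Zimbra's tooling): append a root CA to chain.pem.

# Number of certificate blocks in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# One line per certificate holding its base64 body with whitespace removed,
# so certificates compare equal regardless of line wrapping or CRLF endings.
cert_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside { gsub(/[ \t\r]/, ""); body = body $0 }' "$1"
}

# append_root CHAIN ROOT
# Returns 0 when ROOT was appended or is already in CHAIN, 1 on bad input.
append_root() {
    ar_chain=$1
    ar_root=$2
    if [ "$(count_certs "$ar_root")" != 1 ]; then
        echo "root file must hold exactly one certificate" >&2
        return 1
    fi
    case "$(count_certs "$ar_chain")" in
        ''|0) echo "chain file holds no certificate" >&2; return 1 ;;
    esac
    ar_body=$(cert_bodies "$ar_root")
    # Idempotent: running the step twice must not add the root a second time.
    if cert_bodies "$ar_chain" | grep -qxF -- "$ar_body"; then
        return 0
    fi
    # A chain file without a final newline would fuse the END and BEGIN markers.
    if [ -n "$(tail -c 1 "$ar_chain")" ]; then
        printf '\n' >> "$ar_chain"
    fi
    # Copy only the certificate block, dropping any text around it.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$ar_root" >> "$ar_chain"
}

# Run as: sh append_root.sh chain.pem root.pem (the script name is hypothetical).
if [ "$#" -eq 2 ]; then
    append_root "$1" "$2"
fi
```

The zmcertmgr verifycrt command in the next section then confirms that the key, certificate and chain match.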
mkdir /opt/zimbra/ssl/letsencrypt
Next, we copy the certificate to the newly created folder.
cp /etc/letsencrypt/live/domainname/* /opt/zimbra/ssl/letsencrypt/
Then we change the ownership of the certificate files to the Zimbra user using the command
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
Now we verify the commercial certificate. The file names in the command are relative, so we run it from the /opt/zimbra/ssl/letsencrypt folder.
For version 8.7 and above we execute the command from Zimbra user
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
For version 8.6 and below we execute the command from the root user
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
Deploy the Let’s Encrypt SSL certificate for Zimbra mail
Before we proceed with deployment, we take a backup of the SSL folder.
Now we copy the private key to the Zimbra SSL commercial path
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
To deploy the SSL in version 8.7 and above we run the command from the Zimbra user.
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
To deploy the SSL in version 8.6 and below we run the command as a root user.
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
Finally, we restart the services, which starts the Nginx or Jetty service we stopped before the installation.
zmcontrol restart
We test the working of the SSL from the web browser.
Errors when installing Let’s Encrypt
Usually, we face an error when installing Let’s Encrypt if Varnish cache is installed on the server. To resolve the error, we stop the Varnish cache service during the installation. We use the command
service varnish stop
After the installation, we start the service again.
Conclusion
In short, we discussed the installation of a Let’s Encrypt certificate. Also, we saw how our Support Engineers set up a Let’s Encrypt certificate for the Zimbra server.