After much trial and error, here is a quick how-to for setting up Zimbra 8.7 on Ubuntu 16.04 LTS to use the free Letsencrypt SSL certificate-generating system with the Zimbra server. As always, I take NO RESPONSIBILITY if you kill your server following these instructions. Obviously, you should not attempt this for the first time on a production server as incorrect certificates will screw up LDAP and Zimbra will not start, therefore a backup is strongly recommended. Also, these instructions will NOT work for apache certificates. If you are still ready to press on, just follow the simple steps:

Part One – Initial creation and install of certificates.

  1. Log in as a non-root user with sudo privileges (important; I created a user called ‘zadmin’ for this) and, as root, install socat:
    sudo apt-get install socat
  2. As a NON-ROOT (not zimbra) user, get the acme.sh client (the Letsencrypt (LE) client used throughout this guide) from Neil Pang’s GitHub repository and install it in your home (~user) directory:
    git clone https://github.com/Neilpang/acme.sh
    cd acme.sh
    ./acme.sh --install --nocron
    cd ..
    # acme.sh is installed into ~/.acme.sh; make it readable so the zimbra user can copy it later
    chmod 755 .acme.sh
    rm -r acme.sh

    Close and reopen your terminal to start using acme.sh

  3. Letsencrypt has to verify that you control your Zimbra host’s domain before it issues a certificate, and acme.sh gives you several ways to do that through DNS. You can add the DNS records acme.sh generates to your DNS server by hand, or let acme.sh create them through your DNS provider’s API. Check Neil’s acme.sh page to see if your favourite DNS provider is listed, as the API route is the PREFERRED way to go. If your provider is not on Neil’s page, or you run your own DNS server, you will have to copy and paste the records generated by acme.sh into your DNS server of choice. If you decide to use one of these awesome API scripts (which I highly recommend), you will need to grab an API key from the chosen DNS host and insert it into the ‘account.conf’ file in .acme.sh. I will use Linode for this particular example but I will give the alternate commands for manual creation. Follow the simple instructions on Neil’s page to obtain the key, then edit account.conf to add your DNS provider’s API key:
    nano ~/.acme.sh/account.conf
    # add this line: LINODE_API_KEY='YOUR_KEY'
  4. Issue the initial certificates as a NON-ROOT (not zimbra) user:
    acme.sh --issue --dns dns_linode --dnssleep 900 -d mail.yourdomain.ca
    # It takes 900 seconds for the dns records to propagate, so grab a drink!
    # To do several domains at once, issue the command like so (note: make the first -d entry your Zimbra hostname, as reported by zmhostname):
    acme.sh --issue --dns dns_linode --dnssleep 900 -d mail.yourdomain.ca -d mail.yourdomain1.ca -d mail.yourdomain2.ca
    # If you are not using one of the dns_* API scripts to automate this process, here is the manual command:
    acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com

    In manual mode you will need to paste the TXT record(s) acme.sh prints into the DNS records on your DNS server and wait for propagation.

  5. Now we need to create the fullchain.cer file so we can upload the new certificate onto our Zimbra server. The first time, we need to add the cross-signing IdenTrust root CERT so that Zimbra can verify our certificate chain properly. It is IdenTrust who cross-signs Letsencrypt’s intermediate, which is what allows browsers to accept these free certificates. I put the following CERT into a file named IdentTrust.pem so I can reuse it the next time I have to renew my certs. It comes from here: https://myriad.ca/IdentTrust.pem. Copy and paste that DST Root certificate into a text file called IdentTrust.pem in your .acme.sh/ folder. Then cd into the domain folder you just created and append IdentTrust.pem to the existing fullchain.cer:
    cd ~/.acme.sh/mail.yourdomain.ca
    # Copy the file first, as you are going to need the original file back in the next section.
    cp fullchain.cer fullchain.cer.bak
    # Add the IdentTrust.pem (run this only once; a second run would give you three certs in the file):
    cat ../IdentTrust.pem >> fullchain.cer
  6. Let’s check and see if Zimbra likes these certs BEFORE we install them (as root, since you cannot su to zimbra directly; replace yourusername with the non-root user from step 1):
    sudo -i
    cd /home/yourusername/.acme.sh/mail.yourdomain.ca
    su zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm mail.yourdomain.ca.key mail.yourdomain.ca.cer fullchain.cer"

    If there is no error we can move on…

  7. Now it’s time to deploy the certificate. But first, as the zimbra user, back up the existing certs in case something goes horribly wrong! Log in as root and switch to zimbra:
    sudo -i su - zimbra
    cd /opt/zimbra/ssl
    tar cvf zimbra.tar.$(date "+%Y%m%d") zimbra
  8. Now, sudo to the ROOT user and deploy the cert (you can’t su to zimbra with a password as it will ask for one you will never guess, so run each command through root):
    sudo -i
    cd /home/yourusername/.acme.sh/mail.yourdomain.ca
    su zimbra -c "cp mail.yourdomain.ca.key /opt/zimbra/ssl/zimbra/commercial/commercial.key"
    su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm mail.yourdomain.ca.cer fullchain.cer"
    su zimbra -c "/opt/zimbra/bin/zmcontrol restart"
    # note: this may NOT start all services correctly. You may have to ssh in as root and restart again with su - zimbra

    Once zimbra restarts you can open the web UI and, if all went to plan, you should have a green lock and can move on to part two – renewal.
    **Because Jim’s script assumes your fullchain.cer file only has TWO certs, be sure to restore the fullchain.cer.bak file and remove the fullchain.cer you modified in step 5, so you only have the original file BEFORE you move on to the renewal portion of the tutorial. As your non-root user, in ~/.acme.sh/mail.yourdomain.ca:

    rm fullchain.cer
    mv fullchain.cer.bak fullchain.cer
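Steps 5 and 6 above build the chain file and have zmcertmgr verify it. The script below is an added example written for this page (it is not part of the original post, of acme.sh, or of Zimbra); it performs the same pre-flight checks with plain openssl so that a key/certificate mismatch, a chain that does not reach the root, or a root appended twice is caught before anything is copied into /opt/zimbra. It assumes the acme.sh layout used in this guide (~/.acme.sh/mail.yourdomain.ca/ containing mail.yourdomain.ca.key, mail.yourdomain.ca.cer and fullchain.cer) and the IdentTrust.pem file from step 5, and it writes the merged chain to a separate fullchain.cer.zimbra file rather than editing fullchain.cer in place, so there is nothing to restore afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a Let's Encrypt
# certificate before handing it to zmcertmgr. Run as the non-root user that owns
# ~/.acme.sh. File layout is the acme.sh one used in the post; paths are placeholders.
set -eu

# Print the last PEM certificate block in a bundle (acme.sh's fullchain.cer ends
# with the Let's Encrypt intermediate, or with the root once it has been appended).
last_cert() {
    awk '/BEGIN CERTIFICATE/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# Copy bundle $1 (fullchain.cer) to $3 and append root certificate $2, but only if
# the bundle does not already end with that root. Re-running it therefore never
# produces the three-certificate file that a second "cat >>" in step 5 would create.
build_fullchain() {
    root_fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    last_fp=$(last_cert "$1" | openssl x509 -noout -fingerprint -sha256)
    cp "$1" "$3"
    [ "$root_fp" = "$last_fp" ] || cat "$2" >> "$3"
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does private key $1 belong to certificate $2? Compares the public keys, which
# works for RSA and EC keys alike (a modulus comparison would be RSA-only).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Does leaf $1 chain up to root $3 using the intermediates in bundle $2?
# This is the question zmcertmgr verifycrt asks; answering it here gives a clearer
# error message and never touches /opt/zimbra.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Run every check; exit status 0 means the files are safe to deploy.
preflight() {
    key="$1"; cert="$2"; chain="$3"; root="$4"
    key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    chain_verifies "$cert" "$chain" "$root" || { echo "FAIL: $cert does not chain to $root" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: $cert has expired" >&2; return 1; }
    echo "OK: $cert verified, chain has $(cert_count "$chain") certificate(s)"
}

# Usage, as the non-root user after step 5 (hypothetical file name preflight.sh):
#   sh preflight.sh ~/.acme.sh/mail.yourdomain.ca ~/.acme.sh/IdentTrust.pem
if [ $# -eq 2 ]; then
    dir="$1"; root="$2"; fqdn=$(basename "$dir")
    build_fullchain "$dir/fullchain.cer" "$root" "$dir/fullchain.cer.zimbra"
    preflight "$dir/$fqdn.key" "$dir/$fqdn.cer" "$dir/fullchain.cer.zimbra" "$root"
fi
```

If preflight passes, fullchain.cer.zimbra is the file to hand to zmcertmgr in steps 6 and 8 in place of the hand-edited fullchain.cer; because the original fullchain.cer is never modified, the restore at the end of step 8 becomes unnecessary.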

Part Two – Renewing your certificates.

Letsencrypt certificates only last for 60 days and then they have to be renewed and this is one of the downsides of using these ‘free’ certs. Fortunately, using a few scripts we can automate this process through cron and have the certificates auto-renew with no user intervention.  Let’s get started!

  1. First, we need to create a folder in the /opt directory which will be used by the renewal script to install its updated certificates when it is time for renewal. Create a letsencrypt folder in /opt and make it owned by the zimbra user:
    cd /opt
    sudo mkdir letsencrypt
    sudo chown zimbra:zimbra letsencrypt
  2. Copy Jim Dunphy’s script (revised by me) into the /opt/letsencrypt folder and make it executable:
    cd /opt/letsencrypt
    sudo wget https://myriad.ca/deploy-zimbra-letsencrypt.sh
    sudo wget https://github.com/JimDunphy/deploy-zimbra-letsencrypt.sh # only use this if you want to use Jim's original script (won't work)
    sudo chmod +x deploy-zimbra-letsencrypt.sh
  3. Edit Jim’s file to change your domain name and your home directory path:
    sudo nano deploy-zimbra-letsencrypt.sh
    # change the following two lines: domain="mail.yourdomain.ca" and user="/home/yourusername"
    # You need to 'seed' the /opt/letsencrypt folder with the .acme.sh folder from your user's home, with correct zimbra permissions:
    sudo -i
    su zimbra -c "cp -r ~yourusername/.acme.sh /opt/letsencrypt/"
    # Remove everything but your domain folder from .acme.sh (keeps it neater: less to troubleshoot if something goes wrong)
    su zimbra -c "find /opt/letsencrypt/.acme.sh -mindepth 1 -name mail.yourdomain.ca -prune -o -exec rm -rf {} \;"
  4. Test it out (as root, using the full path since sudo -i leaves you in /root):
    sudo -i
    su zimbra -c "/opt/letsencrypt/deploy-zimbra-letsencrypt.sh"

    If you get an error saying that the script can’t cp the .acme.sh folder from your home folder, ensure that the folder is readable by the zimbra user (see #3 above). If you get the message saying that it’s not yet time to renew, you can also change the “min” variable to higher than 60 if you want to test out a renewal.

  5. Make a cron job to run the script every day as ROOT (make sure you change the ‘cron’ option in the script to ‘0’). Note that su needs -c to run a command, otherwise the script path is ignored:
    crontab -e
    5 1 * * * su - zimbra -c /opt/letsencrypt/deploy-zimbra-letsencrypt.sh
  6. Make another cronjob to run as the NON-ROOT user for the renewal of the original cert from LE:
    crontab -e
    @daily /home/user/.acme.sh/acme.sh --renew -d mail.yourdomain.ca #Letsencrypt renewal
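Part Two depends on Jim Dunphy’s deploy script, which this post modifies but does not reproduce. The script below is an added example written for this page; it is not Jim’s script or the post’s modified copy, and it is meant to show the decisions such a renewal job has to make: copy the renewed files from the non-root user’s ~/.acme.sh into the zimbra-owned /opt/letsencrypt copy, do nothing when the deployed certificate is unchanged or still has more than MIN_DAYS left (analogous to the post’s “min” variable), verify with zmcertmgr before deploying, and only then restart Zimbra. It assumes the paths used in this post (/opt/letsencrypt/.acme.sh, /home/yourusername/.acme.sh, and IdentTrust.pem copied into /opt/letsencrypt/.acme.sh), that zmcertmgr deploycrt leaves the live certificate at /opt/zimbra/ssl/zimbra/commercial/commercial.crt, and that it is started as the zimbra user from the root cron job in step 5.

```shell
#!/bin/sh
# Added example (not Jim Dunphy's script nor the post's modified copy): a renewal
# deploy job for the root cron entry in Part Two, run as the zimbra user.
# All paths are the post's placeholders; adjust DOMAIN and USER_HOME for your site.
set -eu

DOMAIN="${DOMAIN:-mail.yourdomain.ca}"
USER_HOME="${USER_HOME:-/home/yourusername}"   # non-root user that runs acme.sh
ACME_DIR="/opt/letsencrypt/.acme.sh"           # zimbra-owned copy (Part Two, step 3)
ROOT_PEM="$ACME_DIR/IdentTrust.pem"            # assumed: the root from step 5 copied here
ZIMBRA_SSL="/opt/zimbra/ssl/zimbra/commercial"
MIN_DAYS="${MIN_DAYS:-30}"                     # analogous to the post's "min" variable

# Exit 0 when certificate $1 expires within $2 days (or is missing/unreadable), i.e.
# when it is time to deploy. openssl does the date arithmetic, so no date parsing.
needs_deploy() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 when $1 and $2 are the same certificate (by SHA-256 fingerprint). Used to
# avoid restarting Zimbra every night when acme.sh has not issued anything new.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# Pull the renewed files out of the non-root user's home (readable by zimbra, see
# Part Two step 3) into the zimbra-owned copy.
sync_from_user() {
    mkdir -p "$ACME_DIR/$DOMAIN"
    cp "$USER_HOME/.acme.sh/$DOMAIN/$DOMAIN.key" \
       "$USER_HOME/.acme.sh/$DOMAIN/$DOMAIN.cer" \
       "$USER_HOME/.acme.sh/$DOMAIN/fullchain.cer" "$ACME_DIR/$DOMAIN/"
}

deploy() {
    dir="$ACME_DIR/$DOMAIN"
    chain="$dir/fullchain.zimbra.cer"
    # Build the chain with the root appended in a new file, so fullchain.cer itself
    # keeps its two certificates and never grows (the trap noted at the end of Part One).
    cat "$dir/fullchain.cer" "$ROOT_PEM" > "$chain"
    # Verify first: a bad chain that reaches LDAP leaves Zimbra unable to start.
    /opt/zimbra/bin/zmcertmgr verifycrt comm "$dir/$DOMAIN.key" "$dir/$DOMAIN.cer" "$chain"
    cp "$dir/$DOMAIN.key" "$ZIMBRA_SSL/commercial.key"
    /opt/zimbra/bin/zmcertmgr deploycrt comm "$dir/$DOMAIN.cer" "$chain"
    /opt/zimbra/bin/zmcontrol restart
}

main() {
    live="$ZIMBRA_SSL/commercial.crt"
    new="$USER_HOME/.acme.sh/$DOMAIN/$DOMAIN.cer"
    if same_cert "$live" "$new"; then
        echo "$DOMAIN: deployed certificate is current; nothing to do"
    elif ! needs_deploy "$live" "$MIN_DAYS"; then
        echo "$DOMAIN: more than $MIN_DAYS days left on the deployed certificate; not yet time"
    else
        sync_from_user
        deploy
        echo "$DOMAIN: new certificate deployed"
    fi
}

# Cron line for root, if this example were saved as /opt/letsencrypt/deploy-example.sh:
#   5 1 * * * su - zimbra -c "/opt/letsencrypt/deploy-example.sh --deploy"
if [ "${1:-}" = "--deploy" ]; then
    main
fi
```

Running it without --deploy only defines the functions, which makes it safe to source from a shell for a dry check such as `needs_deploy /opt/zimbra/ssl/zimbra/commercial/commercial.crt 30`. The fingerprint comparison is what keeps the nightly job from restarting Zimbra when nothing has changed, and the verifycrt call is the guard against the LDAP-breaking bad chain mentioned at the top of the post.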

Bill
It seems that your modified deployment script for the ZCS LetsEncrypt article is no longer available, has it been removed?