Recently I was tasked to install a free SSL certificate from LetsEncrypt on a local Linux machine that was running Zimbra Mail Server.
The task seemed simple, and I had no problem generating and installing the certificate from LetsEncrypt on Linux, because I’ve been doing that for years now. I’ve also googled my way to adding a certificate inside Zimbra, but the problem was: how to force Zimbra to use the certificate and redirect all http requests to https.
I’ve managed to create this script that will automatically generate an SSL certificate from Let’sEncrypt, install it on the server, add it inside Zimbra’s Administration Console, enforce https and finally restart Zimbra.
Step 1. Set required variables
First, we have to set the two variables the rest of the script uses, letsencrypt_email and mail_server_url:
read -p 'letsencrypt_email [mail@server]: ' letsencrypt_email
read -p 'mail_server_url [mail.server]: ' mail_server_url
where mail@server is your email address and mail.server your url.
Step 2. Stop Jetty or Nginx service
Before we begin actually installing the certificate, we need to stop the jetty or Nginx services at Zimbra level:
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
Step 3. Install git and Let’sEncrypt
Inside the /opt directory we install git:
cd /opt/
apt-get install git
and then use git to download letsencrypt:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Step 4. Generate SSL Certificate
To generate a new SSL certificate from Let’sEncrypt, use the following command, then append the root certificate to the chain file, since zmcertmgr verifies the chain up to the root (the PEM body of that certificate was omitted from this page and goes between the two markers):
./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts
cd /etc/letsencrypt/live/$mail_server_url
cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
<root CA certificate PEM, omitted from the page>
-----END CERTIFICATE-----
EOF
Step 5. Verify Commercial Certificate
After generating a certificate from Let’sEncrypt, let’s verify it with:
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'
Step 6. Deploy the Certificate
Deploy the new Let’s Encrypt SSL certificate:
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'
Step 7. Restart Zimbra Mail Server
Now let’s restart Zimbra Mail Server, so that it picks up the certificate:
su - zimbra -c 'zmcontrol restart'
Step 8. Redirect http to https
At the end, you might want to redirect all http requests to https by using the following (the unquoted EOF expands $mail_server_url when the file is written, so the script runs under the zimbra user with the hostname already filled in):
cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
cat <<EOF >>/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
su - zimbra -c '/opt/https-redirect.sh'
rm /opt/https-redirect.sh
Optional: Renew the Certificate
To renew a certificate, follow all the steps from 1-8 except:
Step 3 (you don’t need to install git and letsencrypt again)
Step 8 (the redirects are already set in Zimbra mail server)
Make sure to start the following services afterwards:
su - zimbra -c 'zmproxyctl start'
su - zimbra -c 'zmmailboxdctl start'
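As an added example, not part of the original post, here are the deploy steps (and the renewal run) wrapped in a shell function that first checks the Let’s Encrypt output directory, so a missing file or a chain without the appended root never reaches zmcertmgr. It assumes the file names certbot writes (privkey.pem, cert.pem, chain.pem) and the Zimbra paths used above.

```bash
#!/bin/bash
# Added example (not the post's own script): guarded deploy of a Let's Encrypt
# certificate into Zimbra. Assumes certbot's file names and the paths above.
set -u

# Count PEM certificate blocks in a file (0 if the file is missing/unreadable).
pem_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Check that a live directory is usable for Zimbra:
#  - privkey.pem, cert.pem and chain.pem exist and are readable
#  - privkey.pem looks like a PEM private key
#  - cert.pem holds exactly one certificate
#  - chain.pem holds at least two certificates (intermediate plus the root
#    appended in Step 4), since zmcertmgr verifycrt needs the chain to the root
# Returns 0 when everything checks out, 1 otherwise, reporting what is wrong.
check_live_dir() {
    local dir="$1" ok=0
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; ok=1; }
    done
    grep -q -- 'PRIVATE KEY-----' "$dir/privkey.pem" 2>/dev/null \
        || { echo "privkey.pem is not a PEM private key" >&2; ok=1; }
    [ "$(pem_count "$dir/cert.pem")" -eq 1 ] \
        || { echo "cert.pem must hold exactly one certificate" >&2; ok=1; }
    [ "$(pem_count "$dir/chain.pem")" -ge 2 ] \
        || { echo "chain.pem lacks the appended root certificate" >&2; ok=1; }
    return $ok
}

# Steps 5-7 from above, run only after the checks pass; usage: deploy_to_zimbra mail.server
deploy_to_zimbra() {
    local host="$1" src="/etc/letsencrypt/live/$1" dst="/opt/zimbra/ssl/letsencrypt"
    check_live_dir "$src" || return 1
    mkdir -p "$dst" && cp "$src"/*.pem "$dst"/ && chown zimbra:zimbra "$dst"/* || return 1
    # Keep a dated backup of the current Zimbra SSL directory before touching it.
    cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date +%Y%m%d)" || return 1
    cp "$dst/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key || return 1
    chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
    su - zimbra -c "cd $dst && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem" || return 1
    su - zimbra -c "cd $dst && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem" || return 1
    su - zimbra -c 'zmcontrol restart'
}
```

Because deploycrt only runs after verifycrt succeeds, a failed verification leaves the dated backup and the previous deployment in place.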