Install Free 🔒Let’sEncrypt SSL Certificate on 📧 Zimbra Mail Server

Recently I was tasked to install a free SSL certificate from LetsEncrypt on a local Linux machine that was running Zimbra Mail Server.

The task seemed simple, and I had no problem generating and installing the certificate from LetsEncrypt on Linux, because I’ve been doing that for years now. I’ve also googled my way to adding a certificate inside Zimbra, but the problem was: how to force Zimbra to use the certificate and redirect all http requests to https.

I’ve managed to create this script that will automatically generate an SSL certificate from Let’sEncrypt, install it on the server, add it inside Zimbra’s Administration Console, enforce https and finally restart Zimbra.

Step 1. Set required env vars

First, we read the two values the rest of the script relies on: the contact email address for Let’sEncrypt (letsencrypt_email) and the hostname of the mail server (mail_server_url):

read -p 'letsencrypt_email [mail@server]: ' letsencrypt_email
read -p 'mail_server_url [mail.server]: ' mail_server_url

where mail@server is your email address and mail.server is the public hostname of the mail server, i.e. the name clients connect to and the name the certificate will be issued for.

Step 2. Stop Jetty or Nginx service

Before we actually install the certificate, we need to stop Zimbra’s proxy (nginx) and mailboxd (jetty) services. Let’sEncrypt’s standalone mode answers the validation challenge by binding port 80 itself, and the proxy is holding that port:

su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'

Step 3. Install git and Let’sEncrypt

We install git and change into the /opt directory, where letsencrypt will be cloned:

cd /opt/
apt-get install git

and then use git to download letsencrypt:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Step 4. Generate SSL Certificate

To generate a new SSL certificate from Let’sEncrypt, use the following command. The heredoc afterwards appends the root CA certificate to chain.pem, because Zimbra’s zmcertmgr expects the chain to end in a root it can verify against:

./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts
cd /etc/letsencrypt/live/$mail_server_url
cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
(placeholder: the base64 body of the root CA certificate goes here; it was removed from this copy of the page)
-----END CERTIFICATE-----
EOF

Step 5. Verify Commercial Certificate

After generating a certificate from Let’sEncrypt, copy it to a directory the zimbra user can read and verify it with zmcertmgr:

mkdir -p /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'

Step 6. Deploy the Certificate

Deploy the new Let’s Encrypt SSL certificate:

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'

Step 7. Restart Zimbra Mail Server

Now let’s restart Zimbra Mail Server, so that it picks up the new certificate:

su - zimbra -c 'zmcontrol restart'

Step 8. Redirect http to https

At the end, you might want to redirect all http requests to https by setting the proxy mail mode to redirect. The proxy only reads this attribute when it starts, so restart the proxy (zmproxyctl restart as the zimbra user) afterwards for the redirect to take effect:

cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
cat <<EOF >/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
su - zimbra -c '/opt/https-redirect.sh'
rm /opt/https-redirect.sh

Optional: Renew the Certificate

To renew a certificate, repeat steps 1 to 8, skipping:

  • Step 3. – (you don’t need to install git and letsencrypt again)
  • Step 8. – (the redirects are already set in Zimbra mail server)

Make sure to start the following services afterwards:

su - zimbra -c 'zmproxyctl start'
su - zimbra -c 'zmmailboxdctl start'
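The whole procedure above, including the renewal variant, as one script. This is an added example, not the author’s own script or one of the BONUS scripts below: it has an install mode (all eight steps) and a renew mode (skips step 3 and step 8), and with DRY_RUN=1 it only prints every privileged command so you can review them first. It assumes the letsencrypt-auto wrapper is still where step 3 cloned it (the LE_BIN variable) and that the operator pastes the root CA certificate into ROOT_CA_PEM, since that certificate’s body is not on this page. It also fixes one thing a renewal would otherwise trip over: the heredoc in step 4 appends the root to chain.pem every time it runs, so build_chain appends it only if it is not already there.

```shell
#!/usr/bin/env bash
# Added example, not the author's script: steps 1-8 and the renewal variant
# as one script with an "install" and a "renew" mode. DRY_RUN=1 prints every
# command instead of executing it. Assumptions: the letsencrypt-auto wrapper
# lives where step 3 cloned it (LE_BIN), and ROOT_CA_PEM is filled in by the
# operator with the root certificate the post appends in step 4.
set -eu

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
ZIMBRA_SSL=/opt/zimbra/ssl
ROOT_CA_PEM="${ROOT_CA_PEM:-}"   # PLACEHOLDER: full PEM of the root CA, set by the operator

# run: execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}
# Every Zimbra tool runs as the zimbra user, as in the post.
as_zimbra() { run su - zimbra -c "$*"; }

# Step 2: standalone mode binds port 80 itself, so the proxy must be down.
stop_zimbra_services() { as_zimbra 'zmproxyctl stop'; as_zimbra 'zmmailboxdctl stop'; }

# Step 4: issue the certificate (certbot keeps the current one if it is not due yet).
issue_cert() {  # $1 = email, $2 = hostname
  run "$LE_BIN" certonly --standalone --non-interactive --agree-tos --email "$1" -d "$2"
}

# Append the root certificate to chain.pem exactly once. The post's heredoc
# appends on every run, so a renewal would leave two copies of the root.
build_chain() {  # $1 = directory holding chain.pem
  [ -n "$ROOT_CA_PEM" ] || { echo "ROOT_CA_PEM is empty: paste the root certificate first" >&2; return 1; }
  root_first=$(printf '%s\n' "$ROOT_CA_PEM" | sed -n 2p)   # first base64 line identifies the root
  if ! grep -qF -- "$root_first" "$1/chain.pem"; then
    printf '%s\n' "$ROOT_CA_PEM" >> "$1/chain.pem"
  fi
}

# Steps 5-6: copy the live files (dereferencing certbot's symlinks) where the
# zimbra user can read them, verify, back up the current key/cert, deploy.
# verifycrt exits non-zero on failure, so set -e stops us before deploying.
verify_and_deploy() {  # $1 = hostname
  run mkdir -p "$ZIMBRA_SSL/letsencrypt"
  run cp -L "/etc/letsencrypt/live/$1/"*.pem "$ZIMBRA_SSL/letsencrypt/"
  run chown -R zimbra:zimbra "$ZIMBRA_SSL/letsencrypt"
  as_zimbra "cd $ZIMBRA_SSL/letsencrypt && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"
  run cp -a "$ZIMBRA_SSL/zimbra" "$ZIMBRA_SSL/zimbra.$(date +%Y%m%d%H%M)"
  run cp "$ZIMBRA_SSL/letsencrypt/privkey.pem" "$ZIMBRA_SSL/zimbra/commercial/commercial.key"
  run chown zimbra:zimbra "$ZIMBRA_SSL/zimbra/commercial/commercial.key"
  as_zimbra "cd $ZIMBRA_SSL/letsencrypt && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem"
}

main() {  # $1 = install | renew
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  printf 'letsencrypt_email [mail@server]: '; read -r letsencrypt_email
  printf 'mail_server_url [mail.server]: ';   read -r mail_server_url
  stop_zimbra_services
  if [ "$1" = install ]; then                     # Step 3 only on first install
    run apt-get install -y git
    run git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  fi
  issue_cert "$letsencrypt_email" "$mail_server_url"
  build_chain "/etc/letsencrypt/live/$mail_server_url"
  verify_and_deploy "$mail_server_url"
  if [ "$1" = install ]; then                     # Step 8 only on first install
    as_zimbra "zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect"
  fi
  as_zimbra 'zmcontrol restart'                   # Step 7; also brings proxy and mailboxd back up
}

case "${1:-}" in
  install|renew) main "$1" ;;
  *) echo "usage: $0 install|renew   (DRY_RUN=1 only prints the commands)" >&2 ;;
esac
```

Run it as root with `DRY_RUN=1 ./zimbra-letsencrypt.sh install` first to see the exact commands, then without DRY_RUN; for later renewals use the renew argument. Because verifycrt runs before anything is copied into /opt/zimbra/ssl/zimbra, a broken chain or a key that does not match the certificate stops the script while the old certificate is still deployed.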

BONUS: Shell Scripts to Install and Renew Let’sEncrypt Certificate on Zimbra Mail Server

Stefan Pejcic