How to install Let’s Encrypt SSL with Zimbra: fully automated configuration
- Category : Linux Helpline (Easy Guide)
- Posted on : Feb 08, 2019
- Views : 2,249
- By : Odalis J.
This document will help you configure your Zimbra server with Let’s Encrypt, a free SSL certificate solution, for all the domains hosted on your Zimbra Open Source email platform. Here we configure it on a brand new Ubuntu 16.04 server with the domain name mymail.com and the server IP 10.0.0.10. Before starting the Zimbra installation, you need to point the following domain name / subdomain names to the IP address 10.0.0.10:

```text
mymail.com      => 10.0.0.10
imap.mymail.com => 10.0.0.10
pop.mymail.com  => 10.0.0.10
smtp.mymail.com => 10.0.0.10
ssl.mymail.com  => 10.0.0.10
```
We are using the certbot-zimbra script to automate the process. You can download it from GitHub: https://github.com/YetOpen/certbot-zimbra
Install Zimbra Open Source
The first step is to install the Zimbra Open Source edition on your server. I used Zimbra 8.8.11 for the installation at the time of writing this documentation. Make sure to choose the zimbra-proxy package during the Zimbra installation. By default the nginx proxy installed by Zimbra does not listen on HTTP port 80. This must be enabled to obtain a Let’s Encrypt certificate, because the certificate authority verifies the ACME challenge on this port.
There are two methods to do this. The first method is the recommended one. The second method is to enable the non-SSL service in Zimbra. Please choose a suitable option as follows.
OPTION 1( RECOMMENDED )
Edit the nginx template file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following line before the “server” block:

```nginx
include ${core.includes}/${core.cprefix}.lets.conf;
```
Now create the file /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf with the following configuration:

```nginx
server {
    listen 80 default_server;
    server_name _;
    access_log off;

    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }

    location / {
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
}

server {
    listen 80;
    server_name ssl.mymail.com;  # This is going to be the main ssl validation domain only for ssl verification
    access_log off;
    root /opt/zimbra/data/nginx/html;
    index index.html index.htm;

    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```
Now restart the nginx proxy server (zmcontrol must be run as the zimbra user):

```shell
# zmcontrol stop
# zmcontrol start
# exit
```
OPTION 2
To enable the HTTP service on the Zimbra proxy, run the following commands as the zimbra user:

```shell
# sudo su - zimbra
# zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
# /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H mymail.com
# zmcontrol stop
# zmcontrol start
# exit
```
Now test whether nginx is listening on port 80 as follows:

```text
root@mymail:~# netstat -pant | grep nginx
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1406/nginx.conf
tcp        0      0 138.201.107.56:51694    138.201.107.56:11211    ESTABLISHED 1411/nginx: worker
tcp        0      0 138.201.107.56:51698    138.201.107.56:11211    ESTABLISHED 1410/nginx: worker
tcp        0      0 138.201.107.56:51692    138.201.107.56:11211    ESTABLISHED 1407/nginx: worker
tcp        0      0 138.201.107.56:51696    138.201.107.56:11211    ESTABLISHED 1412/nginx: worker
root@mymail:~#
```

From the above output you can see that nginx is listening on port 80. Now you are ready to go to the next step.
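Seeing port 80 open only proves that nginx is listening; it does not prove that a file under the ACME challenge directory is served on every hostname that will go onto the certificate, and each failed validation counts against Let’s Encrypt’s rate limits. The script below is an added example, not part of this guide or the certbot-zimbra project: it writes a throw-away token under the webroot, fetches it back over plain HTTP the way the validation server would, and compares the bytes. It assumes the webroot /opt/zimbra/data/nginx/html from the nginx include in OPTION 1 and the hostnames used in this guide; the `fetch` argument is injectable so the logic can be exercised without a network.

```python
"""Pre-flight check for the HTTP-01 webroot before running certbot.

Added example, not part of the certbot-zimbra project. It publishes a random
token under the directory that nginx maps to /.well-known/acme-challenge,
fetches it back over HTTP on each hostname, and confirms the bytes match.
"""
import os
import secrets
import sys
import urllib.request

# Defaults taken from the guide; override via CLI arguments or function args.
DEFAULT_WEBROOT = "/opt/zimbra/data/nginx/html"
CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a URL over HTTP without following redirects.

    The nginx include in this guide serves the challenge directly; a redirect
    here means the catch-all rewrite to HTTPS won the match instead.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            raise RuntimeError(f"unexpected redirect {code} to {newurl}")

    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


def preflight(hostname: str, webroot: str = DEFAULT_WEBROOT, fetch=http_fetch) -> bool:
    """Publish a throw-away token and verify it is reachable on `hostname`.

    `fetch` maps a URL to the response body; it is injectable for offline
    testing. Returns True only when the served bytes equal the token.
    """
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    try:
        with open(token_file, "w", encoding="ascii") as fh:
            fh.write(token)
        url = f"http://{hostname}/{CHALLENGE_DIR}/{token}"
        try:
            body = fetch(url)
        except Exception as exc:  # connection refused, 404, redirect, ...
            print(f"{hostname}: fetch failed: {exc}", file=sys.stderr)
            return False
        return body.strip() == token.encode("ascii")
    finally:
        # Never leave stale tokens in the webroot.
        try:
            os.remove(token_file)
        except FileNotFoundError:
            pass


def check_all(hostnames, webroot: str = DEFAULT_WEBROOT, fetch=http_fetch) -> dict:
    """Run the pre-flight check for every name that will be on the certificate."""
    return {h: preflight(h, webroot, fetch) for h in hostnames}


if __name__ == "__main__":
    # Hostnames from the guide; pass others on the command line.
    names = sys.argv[1:] or ["mymail.com", "smtp.mymail.com", "pop.mymail.com", "imap.mymail.com"]
    results = check_all(names)
    for name, ok in results.items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it as root on the Zimbra host (the webroot is owned by zimbra, so a non-root user may not be able to write the token) before the certbot_zimbra.sh step; a FAIL for a single name usually means that name's DNS record or the proxy's port 80 listener is wrong, and it is cheaper to find that here than through a failed issuance.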
Install certbot
This client software is provided by Let’s Encrypt and is required to obtain and install the SSL certificates. You may install it as follows:

```shell
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
```

Please note, you must disable the stock certbot cron job, because after a renewal the new certificate must also be deployed into Zimbra, which that job does not do. So open /etc/cron.d/certbot with your favorite editor and comment out the last line.
Install certbot-zimbra scripts
You may download the certbot-zimbra package from https://github.com/YetOpen/certbot-zimbra as follows:

```shell
# wget https://github.com/YetOpen/certbot-zimbra/archive/master.zip
# unzip master.zip
# cd certbot-zimbra-master/
# cp -av certbot_zimbra.sh /usr/local/bin/
```
Now install the certificate
At this time the script supports installing only one certificate. That is not an issue: you can add all your domains as SAN (Subject Alternative Name) entries, so only one certificate needs to be installed on this server. You may do it as follows:

```shell
# certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
```
Add a cron job that runs every two days shortly after midnight to check whether the certificate is due for renewal and renew it if needed. Create the file /etc/cron.d/zimbracrontab using your favorite editor and add the following line:

```shell
0 1 */2 * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r"
```
Now restart the Zimbra email server:

```shell
# su - zimbra
# zmcontrol stop
# zmcontrol start
# exit
```

Now test the SSL certificate by visiting https://mymail.com/.
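Loading the page in a browser checks one name and one moment in time. As an added example (not from the guide or the certbot-zimbra project), the script below connects to the proxy on port 443 with SNI, reads the certificate it serves, and reports whether every name passed to certbot_zimbra.sh above is present as a SAN and how many days remain before expiry, which also tells you whether the renewal cron job is doing its work. The hostnames are the ones used in this guide, and the 30-day threshold is an assumption matching certbot’s default renewal window; the evaluation is a pure function so it can be run on a saved or constructed certificate dict as well.

```python
"""Post-install check: does the certificate Zimbra now serves cover every
name, and how long until it expires?

Added example, not from the guide or the certbot-zimbra project. It performs
a validating TLS handshake with SNI, reads the peer certificate in the dict
form returned by ssl.SSLSocket.getpeercert(), and evaluates it.
"""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Names from the guide: the primary domain plus the SANs added with -e.
EXPECTED_NAMES = ["mymail.com", "smtp.mymail.com", "pop.mymail.com", "imap.mymail.com"]
# Assumption: Let's Encrypt issues 90-day certificates and certbot renews
# when fewer than 30 days remain, so less than that means renewal is failing.
RENEW_WARN_DAYS = 30


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TLS handshake with SNI and chain validation; returns the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> set:
    """Extract the DNS SANs, lower-cased (hostnames compare case-insensitively)."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def not_after(cert: dict) -> datetime:
    """Parse notAfter (e.g. 'Jun  1 12:00:00 2019 GMT') as an aware UTC datetime."""
    return datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def evaluate_cert(cert: dict, expected_names, now: datetime = None) -> dict:
    """Return the names not covered by the certificate and the days left before expiry.

    'ok' is True only when every expected name is present and more than
    RENEW_WARN_DAYS remain.
    """
    now = now or datetime.now(timezone.utc)
    names = san_dns_names(cert)
    missing = sorted(n.lower() for n in expected_names if n.lower() not in names)
    days_left = (not_after(cert) - now) / timedelta(days=1)
    return {
        "missing": missing,
        "days_left": round(days_left, 1),
        "ok": not missing and days_left > RENEW_WARN_DAYS,
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else EXPECTED_NAMES[0]
    report = evaluate_cert(fetch_peer_cert(host), EXPECTED_NAMES)
    print(f"{host}: missing SANs={report['missing'] or 'none'}, "
          f"{report['days_left']} days left, {'OK' if report['ok'] else 'ACTION NEEDED'}")
    sys.exit(0 if report["ok"] else 1)
```

Because `create_default_context()` validates the chain against the system trust store, a handshake failure here also catches the case where certbot_zimbra.sh deployed the leaf certificate without its intermediate. Running the script against each of imap.mymail.com, pop.mymail.com and smtp.mymail.com in turn confirms that the proxy presents the same SAN certificate on every name.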