HostSEO Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog


How to install Let’s encrypt ssl with zimbra fully automated configuration

This document will help you to configure your zimbra server with let’s encrypt autossl, a free ssl certificate solution to all your domains hosted in your zimbra opensource email server platform. Here we are going to configure it into a brand new Ubuntu 16.04 server with a domain name mymail.com having the server ip 10.0.0.10. Before starting the zimbra installation. You need to point the following domain name / subdomain name to the IP address 10.0.0.10

mymail.com  => 10.0.0.10
imap.mymail.com => 10.0.0.10
pop.mymail.com => 10.0.0.10
smtp.mymail.com => 10.0.0.10
ssl.mymail.com  => 10.0.0.10

We are using the certbot-zimbra script to automate the process. You can download it from GitHUBhttps://github.com/YetOpen/certbot-zimbra

Install Zimbra opensource

First step is to install zimbra opensource edition in your server. I used zimbra 8.8.11 for the installation at the time of the documentations. You need to make sure to chose the zimbra-proxy package during the zimbra installation. By default the nginx proxy installed by zimbra won’t listen on http port 80. This option must be enable for activating let’e encrypt certificate, because the certificate authority verify the acme challenge on this post.

There are two methods to do this. The first method is a recommend one. Second method is to open non-ssl service in zimbra. Please chose a suitable option as follows,

OPTION 1( RECOMMENDED )

Edit the nginx template file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following code before “server” tag as seen below,

include                 ${core.includes}/${core.cprefix}.lets.conf;

Now create the file /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf with the following configuration

server {
	listen 80 default_server;
	server_name _;
	access_log off;

	location ^~ /.well-known/acme-challenge {
                root /opt/zimbra/data/nginx/html;
        }

	location / {

		rewrite ^/(.*) https://$host$request_uri     permanent;
	}	
}

server {
	listen 80;
	server_name ssl.mymail.com;    # This is going to be the main ssl validation domain only for ssl verification
	access_log off;
	root /opt/zimbra/data/nginx/html;
	index index.html index.htm;

	location ^~ /.well-known/acme-challenge {
		root /opt/zimbra/data/nginx/html;
	}

	location / {
	      try_files $uri $uri/ =404;
	}


}

Now restart the nginx proxy server

# zmcontrol  stop 
# zmcontrol start
# exit

OPTION 2

>

To enable HTTP service on zimbra proxy you may run the following command as zimbra user.

# sudo su - zimbra
# zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
# /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H  mymail.com
# zmcontrol  stop 
# zmcontrol start
# exit

Now test whether nginx listening on port 80 or not as follows

root@mymail:~# netstat -pant | grep nginx
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 138.201.107.56:51694    138.201.107.56:11211    ESTABLISHED 1411/nginx: worker 
tcp        0      0 138.201.107.56:51698    138.201.107.56:11211    ESTABLISHED 1410/nginx: worker 
tcp        0      0 138.201.107.56:51692    138.201.107.56:11211    ESTABLISHED 1407/nginx: worker 
tcp        0      0 138.201.107.56:51696    138.201.107.56:11211    ESTABLISHED 1412/nginx: worker 
root@mymail:~#

From the above output you can see nginx is listening on port 80. Now you are ready to go the next step

Install certboat

This client software is provided by the let’s encrypt. It is required to install ssl certificates. You may install it as follows,

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Please note , you must disable the certboat cron, because after the renew we must deploy it in Zimbra . So open /etc/cron.d/certbot with your favorite editor and comment the last line.

Install certbot-zimbra scripts

You may download the certbot-zimbra package from https://github.com/YetOpen/certbot-zimbra as follows,

# wget https://github.com/YetOpen/certbot-zimbra/archive/master.zip
# unzip master.zip
# cd certbot-zimbra-master/
# cp -av  certbot_zimbra.sh /usr/local/bin/

Now install certificate

At this time the software support to install only one certificate. But that is not an issue . You can add all your domains as SAN domains. So only one certificate is required to install in this server. You may do it as follows,

# certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com

Add a cron job to run every two days after midnight to check the certificate expire issue and renew it if need. Create a file /etc/cron.d/zimbracrontab using your favorite editor and add the following line.

0 1 */2 * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r"

Now restart zimbra email server

# su -u zimbra  
# zmcontrol  stop 
# zmcontrol start
# exit 

Now test the ssl certificates from https://mymail.com/ .

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

SatSunMonTueWedThuFri
 1
2345678
9101112131415
16171819202122
23242526272829
30 

Born in 2004 ... Trusted By Clients n' Experts

SEO Stars

They never made me feel silly for asking questions. Help me understand how to attract more people and improve my search engine ranking.

Read More

Emily Schneller Manager at Sabre Inc
SEO Stars

Took advantage of Hostseo's superb tech support and I must say, it is a very perfect one. It is very fast, servers reliability is incredible.

Read More

Leena Mäkinen Creative producer
SEO Stars

We're operating a worldwide network of servers with high quality standards requirements, we’ve choose hostseo to be our perfect partner.

Read More

Ziff Davis CEO at Mashable
SEO Stars

It’s very comfortable to know I can rely about all technical issues on Hostseo and mostly that my website and emails are safe and secured here.

Read More

Isaac H. Entrepreneur
SEO Stars

With hostseo as a hosting partner we are more flexible and save money due to the better packages with great pricing, free SEO n' free SSL too!

Read More

Madeline E. Internet Professional