Hello Zimbra Customers, Partners & Friends,
Today’s blog post is all about using Let’s Encrypt certificates with Zimbra. Let’s Encrypt is a way to obtain trusted and free TLS certificates. To obtain certificates you can use a program called Certbot. You can find instructions for setting up Certbot at https://certbot.eff.org/instructions. If you already use Let’s Encrypt on Zimbra, keep reading: this post explains how to keep using Let’s Encrypt after the expiration of the IdenTrust DST Root CA X3 on September 30!
In many cases it’s easiest to set-up a dedicated VM to take care of the deployment of Let’s Encrypt certificates to all the systems you plan to use with TLS certificates.
If you want to use Zimbra, we recommend that you use the snap version of Certbot, because it supports the --preferred-chain "ISRG Root X1" option that you need to make it work with Zimbra. You will also need the flag --key-type rsa, as Zimbra does not support ecdsa yet.
Installing the Certificate on Zimbra
Be sure to request a certificate with the --preferred-chain "ISRG Root X1" option. If you already have a certificate but didn’t use that option, you have to do a force renewal with the --force-renewal --preferred-chain "ISRG Root X1" options. You will also need the flag --key-type rsa, as Zimbra does not support ecdsa yet.
To deploy the certificate from Let’s Encrypt on Zimbra:
As user root (or via sudo):
cp /etc/letsencrypt/live/barrydegraaff.tk/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
As user zimbra (or sudo su zimbra -):
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
The output should be similar to:
root@zimbra91:~# su zimbra -
zimbra@zimbra91:/root$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.tk/cert.pem: OK
zimbra@zimbra91:/root$ cd ~
zimbra@zimbra91:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.tk/cert.pem /etc/letsencrypt/live/barrydegraaff.tk/chain.pem
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.tk/cert.pem: OK
** Copying '/etc/letsencrypt/live/barrydegraaff.tk/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/barrydegraaff.tk/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra91.barrydegraaff.tk...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra91.barrydegraaff.tk...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e50a23da.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e50a23da.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
Finally, restart Zimbra as user zimbra (or sudo su zimbra -):
zmcontrol restart
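The steps above, collected into one script with the checks an administrator usually wants before touching a production mail server. This is an added example, not code from the Zimbra blog post or from Zimbra itself. It assumes certbot's standard layout under /etc/letsencrypt/live/<domain>, Zimbra under /opt/zimbra, openssl and wget on PATH, and the domain name as its first argument; the key_is_rsa check relies on openssl's text dump showing a "modulus:" field only for RSA keys. The pem_* helpers also cover the case where chain.pem still carries a cross-signed certificate and a single block has to be dropped from it.

```shell
#!/bin/sh
# Added example, not code from the Zimbra blog post. It wraps the deployment
# steps from the post in a script with a few sanity checks. Assumptions:
# certbot's layout under /etc/letsencrypt/live/<domain>, Zimbra under
# /opt/zimbra, openssl and wget on PATH, and the domain as first argument.
set -eu

ISRG_X1_URL=https://letsencrypt.org/certs/isrgrootx1.pem.txt

# pem_count FILE: number of PEM certificate blocks in FILE (0 when none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_extract FILE N: print only the N-th certificate block (1-based) of FILE.
pem_extract() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ { if (n == want) exit }
    ' "$1"
}

# pem_without FILE N: print FILE with the N-th certificate block dropped.
# Useful when chain.pem still ends in the DST-signed cross certificate and
# only the self-signed ISRG Root X1 should follow the intermediate.
pem_without() {
    awk -v skip="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n != skip { print }
    ' "$1"
}

# key_is_rsa FILE: succeeds when the private key is RSA. Zimbra does not accept
# ECDSA keys yet, so certbot has to be run with --key-type rsa. The check relies
# on openssl's text dump printing a "modulus:" field only for RSA keys.
key_is_rsa() {
    openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q 'modulus:'
}

# chain_issuers FILE: one "subject= ... issuer= ..." line per certificate, so
# you can see whether the chain still ends at the cross-signed ISRG Root X1
# (issuer DST Root CA X3) instead of the self-signed one.
chain_issuers() {
    i=1
    total=$(pem_count "$1")
    while [ "$i" -le "$total" ]; do
        pem_extract "$1" "$i" | openssl x509 -noout -subject -issuer | tr '\n' ' '
        echo
        i=$((i + 1))
    done
}

# chain_ends_at_isrg_root FILE: succeeds when the last certificate in FILE is
# the self-signed ISRG Root X1 (subject and issuer both name it).
chain_ends_at_isrg_root() {
    last=$(pem_count "$1")
    [ "$last" -gt 0 ] || return 1
    hits=$(pem_extract "$1" "$last" | openssl x509 -noout -subject -issuer | grep -c 'ISRG Root X1' || true)
    [ "$hits" -eq 2 ]
}

# deploy DOMAIN: the procedure from the post (run as root), with the checks above.
deploy() {
    live=/etc/letsencrypt/live/$1
    comm=/opt/zimbra/ssl/zimbra/commercial
    key_is_rsa "$live/privkey.pem" || {
        echo "privkey.pem is not an RSA key; reissue with certbot --key-type rsa" >&2
        return 1
    }
    echo "Certificates in $live/chain.pem:"
    chain_issuers "$live/chain.pem"
    cp "$live/privkey.pem" "$comm/commercial.key"
    chown zimbra:zimbra "$comm/commercial.key"
    # Append the self-signed ISRG Root X1 only if it is not already the last cert.
    if ! chain_ends_at_isrg_root "$live/chain.pem"; then
        wget -q -O /tmp/ISRG-X1.pem "$ISRG_X1_URL"
        cat /tmp/ISRG-X1.pem >> "$live/chain.pem"
    fi
    # verifycrt, deploycrt and the restart run as the zimbra user (login shell).
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $comm/commercial.key $live/cert.pem $live/chain.pem \
        && /opt/zimbra/bin/zmcertmgr deploycrt comm $live/cert.pem $live/chain.pem \
        && /opt/zimbra/bin/zmcontrol restart"
}

if [ -n "${1:-}" ]; then
    deploy "$1"
fi
```

Run it as root with the domain as argument, e.g. `sh deploy-le.sh barrydegraaff.tk`. The zimbra user must be able to read cert.pem and chain.pem under /etc/letsencrypt/live, otherwise verifycrt fails with "Can't read file". chain_issuers prints the issuer of every certificate so that a chain still anchored on DST Root CA X3 is visible before anything is deployed; if that is the case, `pem_without chain.pem 2 > chain.fixed.pem` drops the cross-signed block.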
That’s it! If you have any questions, please post them in the comments section.
Thanks,
Your Zimbra Team
Further reading
• Extra long step-by-step guide for Let’s Encrypt: https://postboxservices.com/blogs/post/lets-setup-zimbra-9-0-0-on-ubuntu-18-0-4-and-configure-letsencrypt-ssl-certificates-on-it
• Further reading on the root expiration: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry
Hi, thanks for the post.
No matter what I do, my certbot (1.10 on CentOS 6) doesn’t want to provide me with certificates from the alternate chain. It has the --preferred-chain option but it only gets certificates that chain up to the expired DST root cert. Zimbra doesn’t verify these and adding the self-signed ISRG root cert anywhere doesn’t help either, because my certificate is signed by the other ISRG X1 root, the one signed by DST.
So, my two questions are:
– is the snap version of certbot absolutely essential to get the alternate chain cert?
– do you know of another sure-fire way of obtaining alternate chain certificates from Letsencrypt? Meaning certificates where there is no trace of any DST root, expired or not.
Thanks.
You will need a newer version of Certbot; the one shipped with CentOS 6 is too old, and CentOS 6 is EOL as well. I am not aware of an alternate way of getting the certificate, but you can ask at https://forums.zimbra.org/ or https://community.letsencrypt.org/
Hi, no matter what I do, I always get the same results; this is on Ubuntu 18.04.
zimbra@servidor:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/replaced.com/cert.pem /etc/letsencrypt/live/replaced.com/chain.pem
** Verifying '/etc/letsencrypt/live/replaced.com/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
ERROR: Can't read file '/etc/letsencrypt/live/replaced.com/cert.pem'
Regards,
It probably means zimbra does not have read permission on /etc/letsencrypt/live/replaced.com/cert.pem. Try
chown zimbra:zimbra /etc/letsencrypt/live/replaced.com/cert.pem
or
chown zimbra:zimbra /etc/letsencrypt -R
Dear,
thank you for the instructions. We followed them step by step and used _--preferred-chain "ISRG Root X1"_ on Certbot without issues and got a renewed cert.
In the step of verifying with _/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key cert.pem chain.pem_ we got the message:
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
And we can’t proceed on ZCS 8.8.15p21, CentOS 7.
Any notes or hints?
Thanks in advance.
Perhaps you can try https://community.letsencrypt.org/t/fixing-validation-from-centos-instances/161182
sudo update-ca-trust
And make sure to install all OS updates, please let me know if it works, thanks!
Dear Barry,
thank you for your swift reply. We added the cert to the blacklist and ran the update-ca-trust command, but it doesn’t solve the issue.
This issue was solved by removing the second cert from chain.pem as mentioned at https://forums.zimbra.org/viewtopic.php?t=69652#p301636
Cheers
Barry,
thank you for your detail here.
It helped me resolve the issue with letsencrypt (after much searching).
Hi, I think this guide should explain how to tell zimbra to use the new certbot (the snap one) and where to add the extra params --preferred-chain "ISRG Root X1"
Without this info, it makes no sense I believe
I’m not explaining how to do it because I don’t know, and I am trying to understand how to do it hehe
thanks
Hello,
A full guide can be found at: https://postboxservices.com/blogs/post/lets-setup-zimbra-9-0-0-on-ubuntu-18-0-4-and-configure-letsencrypt-ssl-certificates-on-it