Zimbra with Let’s Encrypt Certificates a step-by-step guide (update)

This article is a step-by-step instruction on setting up a Zimbra with
Let’s Encrypt certificates.

If you are running a multi server installation of Zimbra it is
recommended you set-up a dedicated VM for obtaining the Let’s Encrypt
certificate and follow this blog.

Prerequisites

This guide assumes you are using Ubuntu 20.04 and have set up a correct
hostname and DNS. To check, run the following as user zimbra and verify
that zmhostname prints the same name as hostname --fqdn:

zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars
zimbra@le-test:~$ zmhostname
le-test.zimbra.tech
zimbra@le-test:~$ hostname --fqdn
le-test.zimbra.tech

Next, check the CAA DNS records for your domain. Let’s Encrypt will only
issue a certificate if the name has no CAA record at all (on the host
name and on every parent domain) or if the closest CAA record set that
exists lists letsencrypt.org. Run the following and make sure the output
is either empty or contains 0 issue "letsencrypt.org" (hostname -d prints
the DNS domain part of the host name; repeat the query for the full host
name if you publish CAA records below the zone apex):

zimbra@le-test:~$ sudo apt install -y net-tools dnsutils
zimbra@le-test:~$ dig +short type257 $(hostname -d)
0 issuewild "letsencrypt.org"
0 issue "letsencrypt.org"

Next, check whether Zimbra listens on port 80. Certbot in standalone
mode starts a temporary web server on port 80 to answer the HTTP-01
challenge, so the port must be free on this host and reachable from the
internet. Giving up plain HTTP is rarely a problem as most browsers now
try https first, but note that Zimbra will no longer redirect http to
https. The following command should not have any output:

sudo netstat -tulpn | grep ":80 "

In case your Zimbra is listening on port 80, switch the proxy and the
mailbox to https only. Become the zimbra user and run:

sudo su - zimbra
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
zmprov ms `zmhostname` zimbraMailMode https
/opt/zimbra/bin/zmtlsctl https
/opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`

Restart Zimbra afterwards (the zmcontrol restart at the end of this
guide does this as well) and repeat the netstat check to confirm that
nothing listens on port 80 any more.

If you are having trouble setting up Zimbra you can use our automated
installer that will take care of Let’s Encrypt also:
https://github.com/Zimbra/zinstaller

Installing Certbot

Certbot in the Ubuntu 20.04 repositories is too old for this guide (it
predates the --preferred-chain option used below). Install a current
version via snap or, as shown here, via pip in its own virtual
environment. Run the commands below as root to install Certbot and
obtain a certificate:

apt install -y python3 python3-venv libaugeas0
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot
ln -s /opt/certbot/bin/certbot /usr/local/sbin/certbot
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email

--standalone makes certbot answer the HTTP-01 challenge itself on port
80, which is why that port must be free and reachable from the internet.
--preferred-chain "ISRG Root X1" requests the short chain that ends at
ISRG Root X1 instead of the default chain that is cross-signed by the
expired DST Root CA X3; the deployment script below completes that chain
with the ISRG Root X1 certificate so that zmcertmgr accepts it.
--register-unsafely-without-email registers the ACME account without a
contact address, so Let’s Encrypt cannot warn you about expiring or
revoked certificates; use -m you@example.com (your own address) instead
if you want those notices.

Zimbra deployment

Create the following script that renews the certificate when it is due
and deploys it on Zimbra. The heredoc is deliberately unquoted, so every
$(hostname --fqdn) is expanded once, when the file is written; re-create
the script if the host name ever changes:

cat > /usr/local/sbin/letsencrypt-zimbra << EOF
#!/bin/bash
# Renew the Let's Encrypt certificate if it is due and deploy it on Zimbra.
# The host name below was expanded when this file was written.
set -e
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone -n --preferred-chain "ISRG Root X1" --agree-tos --register-unsafely-without-email
# the private key goes where zmcertmgr expects the commercial key
cp "/etc/letsencrypt/live/$(hostname --fqdn)/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# certbot's chain.pem only holds the intermediate (R3); zmcertmgr needs a
# chain that ends at the self-signed root, so append ISRG Root X1
wget -q -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat "/etc/letsencrypt/live/$(hostname --fqdn)/chain.pem" /tmp/ISRG-X1.pem > "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
# zmcertmgr runs as zimbra and must be able to read the certificate files
chown -R zimbra:zimbra /etc/letsencrypt
cd /tmp
su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/$(hostname --fqdn)/cert.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"'
rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem" /tmp/ISRG-X1.pem
EOF

Two things to be aware of: the chown -R hands the zimbra user ownership
of everything under /etc/letsencrypt, including the ACME account key,
and the root certificate is downloaded from letsencrypt.org on every
run, so the host needs outbound HTTPS access for the script to succeed.

Set the correct permissions, set up a daily cron job and run the deployment once:

chmod +rx /usr/local/sbin/letsencrypt-zimbra
ln -s /usr/local/sbin/letsencrypt-zimbra /etc/cron.daily/letsencrypt-zimbra
/etc/cron.daily/letsencrypt-zimbra

Finally restart Zimbra to load the new certificate:

sudo su zimbra -c '/opt/zimbra/bin/zmcontrol restart'

Certbot renews the certificate once it is about 30 days from expiry and
the daily cron job deploys it on its next run. Zimbra only loads a new
certificate on restart, so you must restart Zimbra (as above) between
the renewal and the expiration date of the old certificate.
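Two things commonly go wrong with the procedure above: the chain file (certbot's chain.pem on its own does not reach a self-signed root, so deployment fails verification) and a missed restart before the old certificate expires. The following script is an added example, not code from the Zimbra blog post or from Zimbra's tooling. It builds a throw-away CA hierarchy with openssl (the names Example Root X1, Example R3 and le-test.example are constructed stand-ins for ISRG Root X1, R3 and your host), lays out the same two files certbot leaves in /etc/letsencrypt/live/<host>/, and checks them with openssl verify, which is effectively the path validation zmcertmgr performs on deploycrt, plus an openssl x509 -checkend test for the renewal window. It assumes only a POSIX shell and the openssl command line tool.

```shell
#!/bin/bash
# Added example, not part of the Zimbra blog post or of Zimbra's tooling.
# All names (Example Root X1, Example R3, le-test.example) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a key and CSR for the given common name without prompting.
gen_csr() {   # gen_csr <file-base> <CN>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Build the three-tier hierarchy and lay the files out the way certbot does
# with --preferred-chain "ISRG Root X1": cert.pem is the leaf, chain.pem is
# the intermediate only. chainZimbra.pem is what the deployment script builds.
build_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:le-test.example\n' \
    > "$WORK/leaf.ext"

  # root (stand-in for ISRG Root X1): self-signed
  gen_csr root "Example Root X1"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # intermediate (stand-in for R3): signed by the root
  gen_csr int "Example R3"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  # server certificate: signed by the intermediate, 90 days like Let's Encrypt
  gen_csr leaf "le-test.example"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

  cp "$WORK/leaf.pem" "$WORK/cert.pem"                             # certbot: cert.pem
  cp "$WORK/int.pem" "$WORK/chain.pem"                             # certbot: chain.pem
  cat "$WORK/chain.pem" "$WORK/root.pem" > "$WORK/chainZimbra.pem"  # script: chainZimbra.pem
}

# Path validation as zmcertmgr does it on deploy: the server certificate must
# chain to a self-signed root using only the certificates in the chain file.
# The exit status is openssl's (0 = verifies).
verify_chain() {   # verify_chain <chain-file> <cert-file>
  openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit status 0 if the certificate is still valid for at least <days> days.
# Run it against the certificate Zimbra has loaded to decide whether the
# restart after a renewal can still wait.
cert_valid_for_days() {   # cert_valid_for_days <cert-file> <days>
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

build_demo_chain
if verify_chain "$WORK/chain.pem" "$WORK/cert.pem"; then
  echo "chain.pem alone: verifies"
else
  echo "chain.pem alone: does NOT verify (no self-signed root in the file)"
fi
if verify_chain "$WORK/chainZimbra.pem" "$WORK/cert.pem"; then
  echo "chainZimbra.pem (chain.pem + root): verifies"
fi
if cert_valid_for_days "$WORK/cert.pem" 30; then
  echo "cert.pem is valid for more than 30 days, no restart needed yet"
fi
```

On a real server the same two functions can be pointed at /etc/letsencrypt/live/$(hostname --fqdn)/cert.pem and the chainZimbra.pem the deployment script assembles (or run zmcertmgr verifycrt comm commercial.key cert.pem chainZimbra.pem as the zimbra user), and cert_valid_for_days against /opt/zimbra/ssl/zimbra/commercial/commercial.crt tells you whether the certificate Zimbra has actually loaded is the renewed one or whether the restart is still outstanding.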

Using DANE


2 Responses to Zimbra with Let’s Encrypt Certificates a step-by-step guide (update)

  1. Derek September 11, 2022 at 9:26 AM

    Has anyone successfully set up an nginx reverse proxy in front of zimbra proxy to manage certificates from a separate central reverse proxy using letsencrypt/certbot?

    I have one running in front of my zcs webmail proxy, and everything works, except certbot fails to renew the certificates now. So would be ideal to just run all the tls/certificate process on the reverse proxy.

    Can we just run zmtlsctl http and just proxy_pass to http://:8080, thereby disabling tls/https? Or go with self-signed certificates on zcs? Thank you!

      Barry de Graaff September 11, 2022 at 11:09 PM

      In this case I would recommend you use the DNS validation option with certbot and not have certbot open a temporary server on port 80.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.
