@rocc0
Last active August 31, 2017 08:19
Renewing of Zimbra Let's Encrypt Certificate

How to Renew Zimbra Letsencrypt SSL Certificates

Zimbra Version: Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition

Switch to zimbra user and stop services

Switch to the zimbra user and stop the proxy and mailbox services before starting the renewal process. (If the proxy is not used, the stop command gives an error; that's OK.) These two services must be stopped because letsencrypt and these services use the same port, 443.

su zimbra
zmproxyctl stop
zmmailboxdctl stop

Update your certificates

Then return to the root user (letsencrypt works only as root) and renew the Letsencrypt certificate. The --no-bootstrap option skips the installation of Python and other dependencies, because they were already installed the first time Letsencrypt was used.

exit
letsencrypt renew --no-bootstrap

If you get an error like "-bash: letsencrypt: command not found", go to the directory where the letsencrypt git clone is located (usually /tmp/letsencrypt) and renew the certs from there.

cd /tmp/letsencrypt/
./letsencrypt-auto renew --no-bootstrap

Copy new certificates to zimbra directory

Change directory to the Zimbra Letsencrypt SSL folder.

cd /opt/zimbra/ssl/letsencrypt/

Copy the new SSL files to the Zimbra Letsencrypt folder, then change their owner and group to zimbra:zimbra.

At this point, replace {DomainName} with the domain you are working on.

cp /etc/letsencrypt/live/{DomainName}/* .
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

Add the X3 root certificate to our chain.pem. You can take it from the old chain.pem at /etc/letsencrypt/archive/{DomainName}/chain1.pem (first part of the key).

nano /opt/zimbra/ssl/letsencrypt/chain.pem

After copying the X3 cert into your newly generated chain.pem, it will look like this:

-----BEGIN CERTIFICATE-----
X3 cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
newly generated cert
-----END CERTIFICATE-----

Verify and deploy your certificates

Let's verify our certs via Zimbra certificate manager

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem 

The message "Valid Certificate: cert.pem: OK" means that the process completed correctly. Now let's create a backup of the certificates.

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

You need to replace your current commercial.key with the newly created privkey.pem. If you skip this step you will get an error like this: XXXXX ERROR: Unmatching certificate ... and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

Let's deploy our new certs!

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 

Final step: restart your Zimbra server.

su zimbra
zmcontrol restart
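
An added example, not part of the original gist: a pre-deploy check to run as root after editing chain.pem and before zmcertmgr deploycrt. It confirms that chain.pem holds at least two well-formed certificate blocks and that privkey.pem matches cert.pem; the function names and the script name precheck.sh are hypothetical, the file names are the gist's.

```shell
#!/bin/sh
# Added example, not from the gist. Function names and the script name
# are hypothetical; file names follow the gist.

# Print the number of well-formed certificate blocks in a PEM file.
# Fails on an unmatched BEGIN/END or on non-base64 text inside a block,
# the usual result of a bad paste in an editor.
pem_cert_count() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        inblk && $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad = 1 }
        END { if (bad || inblk) exit 1; print n + 0 }
    ' "$1"
}

# chain.pem in the gist holds two certificates (the X3 cert plus the
# newly generated one), so require at least two blocks.
chain_ok() {
    n=$(pem_cert_count "$1") || return 1
    [ "$n" -ge 2 ]
}

# Compare the public key derived from the private key with the one in
# the certificate (RSA or EC). The gist's "Unmatching certificate ...
# and private key" error is this kind of mismatch.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh precheck.sh /opt/zimbra/ssl/letsencrypt
if [ -n "${1:-}" ]; then
    cd "$1" || exit 1
    chain_ok chain.pem ||
        { echo "chain.pem: malformed or fewer than two certificates" >&2; exit 1; }
    key_matches_cert privkey.pem cert.pem ||
        { echo "privkey.pem does not match cert.pem" >&2; exit 1; }
    echo "pre-deploy checks passed"
fi
```

The same key_matches_cert call can be pointed at /opt/zimbra/ssl/zimbra/commercial/commercial.key after the copy step to confirm the replacement took effect.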