LetsEncrypt on Zimbra 9 and Rocky Linux 8
First – install Zimbra
Then execute:
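# Run as root, one command per line (the listing had been collapsed onto one line).
# epel-release adds the EPEL repository that carries certbot; `crb enable`
# switches on the CRB repository that EPEL packages may depend on.
yum -y install epel-release
/usr/bin/crb enable
yum -y install certbot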
create a file named /usr/local/sbin/letsencrypt-zimbra
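#!/bin/bash
# Obtain a Let's Encrypt certificate for this host with certbot's standalone
# authenticator and deploy it into Zimbra as the commercial certificate.
# Run as root. Zimbra is stopped while certbot runs (standalone mode needs the
# HTTP port) and is started again on every exit path, including failures.
set -euo pipefail

FQDN=$(hostname --fqdn)
if [[ -z "$FQDN" ]]; then
  echo "letsencrypt-zimbra: could not determine the host FQDN" >&2
  exit 1
fi

LIVE="/etc/letsencrypt/live/$FQDN"
ZIMBRA_KEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key

# Private staging directory instead of fixed names in /tmp: a predictable
# /tmp path written by root can be pre-created or symlinked by a local user.
STAGE=$(mktemp -d /tmp/letsencrypt-zimbra.XXXXXX)

finish() {
  rm -rf -- "${STAGE:?}" || true
  /usr/sbin/service zimbra start
}
trap finish EXIT

/usr/sbin/service zimbra stop

# --register-unsafely-without-email creates the ACME account with no contact
# address; pass an address with --email instead if the CA should be able to
# reach an operator.
/usr/bin/certbot certonly -d "$FQDN" --standalone -n \
  --preferred-chain "ISRG Root X1" --agree-tos \
  --register-unsafely-without-email --key-type rsa

cp "$LIVE/privkey.pem" "$ZIMBRA_KEY"
chown zimbra:zimbra "$ZIMBRA_KEY"

# Fetch the ISRG Root X1 certificate that zmcertmgr needs at the end of the
# chain. Abort if the download fails or is not a PEM certificate, so that a
# truncated or error page is never appended to the chain. For stronger
# assurance, compare its fingerprint with a value recorded out of band.
wget -O "$STAGE/ISRG-X1.pem" https://letsencrypt.org/certs/isrgrootx1.pem.txt
if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$STAGE/ISRG-X1.pem"; then
  echo "letsencrypt-zimbra: downloaded root is not a PEM certificate" >&2
  exit 1
fi

# Stage only the public material (certificate and chain) for the zimbra user.
# /etc/letsencrypt is deliberately NOT handed to zimbra: certbot executes
# everything under /etc/letsencrypt/renewal-hooks as root, so a zimbra-owned
# tree would let the zimbra account run code as root at the next renewal.
cp "$LIVE/cert.pem" "$STAGE/cert.pem"
cat "$LIVE/chain.pem" "$STAGE/ISRG-X1.pem" > "$STAGE/chainZimbra.pem"
chown -R zimbra:zimbra "$STAGE"

# Undo the recursive chown to zimbra that earlier versions of this script
# applied to the certbot tree.
chown -R root:root /etc/letsencrypt

# zmcertmgr runs as zimbra; start from a directory that user can enter.
cd /tmp
su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm '$STAGE/cert.pem' '$STAGE/chainZimbra.pem'"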
Set the correct permissions on the file
# Owner-only read/write/execute: the script runs as root and handles the
# certificate private key, so no other account should read or modify it.
chmod 0700 /usr/local/sbin/letsencrypt-zimbra
and then execute
# Run as root: the script stops and starts Zimbra, calls certbot and writes
# under /etc/letsencrypt and /opt/zimbra/ssl. Zimbra is down while it runs.
/usr/local/sbin/letsencrypt-zimbra
Renewal
create a file named /etc/letsencrypt/renewal-hooks/pre/001-stop-zimbra.sh
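#!/bin/bash
# certbot pre-hook: stop the Zimbra proxy before certbot attempts a renewal.
# The command is passed with -c, as the other scripts on this page do;
# `su zimbra FILE ARGS` only works when FILE happens to be a script that the
# account's shell can interpret.
su zimbra -c '/opt/zimbra/bin/zmproxyctl stop'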
set the permissions on the file
# certbot runs every executable in renewal-hooks/pre as root, so the hook
# must stay owned by root and writable by root only.
chmod 0700 /etc/letsencrypt/renewal-hooks/pre/001-stop-zimbra.sh
create a file named /etc/letsencrypt/renewal-hooks/post/001-restart-zimbra.sh
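#!/bin/bash
# certbot post-hook: copy the current key into Zimbra, build the chain that
# zmcertmgr expects, deploy the certificate and restart Zimbra.
# Zimbra is restarted on every exit path, because the pre-hook has already
# stopped the proxy. A failed step now yields a non-zero exit status so that
# certbot logs the hook failure instead of reporting success.
set -euo pipefail

STAGE=""
finish() {
  if [[ -n "$STAGE" ]]; then
    rm -rf -- "$STAGE" || true
  fi
  service zimbra restart
}
trap finish EXIT

FQDN=$(hostname --fqdn)
if [[ -z "$FQDN" ]]; then
  echo "001-restart-zimbra: could not determine the host FQDN" >&2
  exit 1
fi

LIVE="/etc/letsencrypt/live/$FQDN"
ZIMBRA_KEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key

# Private staging directory instead of fixed names in /tmp: a predictable
# /tmp path written by root can be pre-created or symlinked by a local user.
STAGE=$(mktemp -d /tmp/letsencrypt-zimbra-hook.XXXXXX)

cp "$LIVE/privkey.pem" "$ZIMBRA_KEY"
chown zimbra:zimbra "$ZIMBRA_KEY"

# Fetch the ISRG Root X1 certificate for the end of the chain. Abort if the
# download fails or is not a PEM certificate.
wget -q -O "$STAGE/ISRG-X1.pem" https://letsencrypt.org/certs/isrgrootx1.pem.txt
if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$STAGE/ISRG-X1.pem"; then
  echo "001-restart-zimbra: downloaded root is not a PEM certificate" >&2
  exit 1
fi

# Stage only the public material for the zimbra user. /etc/letsencrypt is
# deliberately NOT chowned to zimbra: this hook directory lives inside it and
# certbot executes its contents as root, so a zimbra-owned tree would let the
# zimbra account run code as root at the next renewal.
cp "$LIVE/cert.pem" "$STAGE/cert.pem"
cat "$LIVE/chain.pem" "$STAGE/ISRG-X1.pem" > "$STAGE/chainZimbra.pem"
chown -R zimbra:zimbra "$STAGE"

# Undo the recursive chown to zimbra that earlier versions of this hook
# applied to the certbot tree.
chown -R root:root /etc/letsencrypt

# zmcertmgr runs as zimbra; start from a directory that user can enter.
cd /tmp
su zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm '$STAGE/cert.pem' '$STAGE/chainZimbra.pem'"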
Set the permissions
# certbot runs every executable in renewal-hooks/post as root, so the hook
# must stay owned by root and writable by root only.
chmod 0700 /etc/letsencrypt/renewal-hooks/post/001-restart-zimbra.sh
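The above will cause the certificate to be updated in Zimbra automatically every 90 days, provided that `certbot renew` runs on a schedule (for example from a systemd timer or a cron job); the hooks only fire when certbot attempts a renewal.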
Tested on Rocky Linux 8 running Zimbra 9