Letsencrypt Zimbra: the easy way

👉 👉 ⚠️ UPDATE 2017.09.11: the script got updates, see all the blog posts here or GitHub project page for the latest information ⚠️

There’s an extensive guide on Zimbra’s Wiki on how to (manually) set up a Letsencrypt certificate in Zimbra Collaboration Server.

There’s a bash script to request and deploy a cert. There’s another method explained on Zimbra’s bug#99549 with mixed scripts.

But would you like to simply type:

certbot_zimbra.sh -n

and deploy the certificate?

The script I developed takes a different approach from the previous ones: it patches Zimbra’s nginx so that requests for the /.well-known location are passed through to certbot instead of being handled by Zimbra’s own web server.

Requirements

certbot, the Letsencrypt automation client. Version >= 0.7.0 is highly recommended, mainly because it can run a command when the certificate is renewed (the post-hook used for the cron job below).

The zimbra-proxy package must be installed (which shouldn’t be a big issue, since it has been a compulsory requirement since 8.6).

Installation

To obtain Certbot I’d suggest the EFF way:

wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto

certbot-zimbra can be cloned from GitHub:

cd /usr/local/src
git clone https://github.com/YetOpen/certbot-zimbra.git
cd certbot-zimbra

At this point, to obtain and install the Letsencrypt certificate in Zimbra, just run (as root):

./certbot_zimbra.sh -n

The script will:

  1. patch nginx;
  2. request the certificate (for the host defined by zmhostname);
  3. verify the certificate;
  4. install the letsencrypt certificate in Zimbra;
  5. restart Zimbra.

That’s it!

Now what about renewal? Add the following line in your favourite cron place:

55 4 * * * root /usr/bin/certbot renew --post-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -r -d $(zmhostname)"

Certbot will check daily whether a renewal is needed; when the certificate is actually renewed, the post-hook calls the script to deploy the new cert in Zimbra (and Zimbra is restarted).
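Whether the certificate was deployed by the initial run or by the cron post-hook, it is worth checking that what Zimbra now holds is the freshly issued key pair and that nginx is really serving it. The script below is an added example, not part of the certbot-zimbra project: it assumes openssl is installed, uses the standard Zimbra commercial certificate paths (commercial.crt / commercial.key), and its self-test builds a throwaway self-signed certificate instead of touching Zimbra.

```shell
#!/bin/sh
# Added example (not the certbot-zimbra project's code): post-deploy checks
# for a Letsencrypt certificate installed into Zimbra. Assumes openssl.
set -u

# Prints 1 if the private key's public half matches the certificate, else 0.
key_matches_cert() {  # $1=cert.pem $2=key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo 1; else echo 0; fi
}

# Prints 1 if the certificate stays valid for at least $2 more days, else 0.
valid_for_days() {  # $1=cert.pem $2=days
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# SHA-256 fingerprint of the on-disk certificate.
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# Fingerprint of the certificate nginx presents on $1:443. If it differs from
# the on-disk one, the renewal was issued but never deployed (or no restart).
served_fingerprint() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Self-test on a constructed 1-day self-signed cert; prints 0 when all pass.
self_test() {
    d=$(mktemp -d); r=0
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
        -days 1 -subj "/CN=mail.example.test" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.pem" >/dev/null 2>&1   # unrelated key
    [ "$(key_matches_cert "$d/cert.pem" "$d/key.pem")" = 1 ] || r=1
    [ "$(key_matches_cert "$d/cert.pem" "$d/other.pem")" = 0 ] || r=1
    [ "$(valid_for_days "$d/cert.pem" 0)" = 1 ] || r=1
    [ "$(valid_for_days "$d/cert.pem" 5)" = 0 ] || r=1   # expires in 1 day, so 5 days fails
    rm -rf "$d"; echo "$r"
}

if [ "${1:-}" = "--self-test" ]; then
    [ "$(self_test)" = 0 ] && echo "self-test OK" || echo "self-test FAILED"
else
    CERT=/opt/zimbra/ssl/zimbra/commercial/commercial.crt   # standard Zimbra paths
    KEY=/opt/zimbra/ssl/zimbra/commercial/commercial.key
    echo "key matches cert: $(key_matches_cert "$CERT" "$KEY")"
    echo "valid >= 20 days: $(valid_for_days "$CERT" 20)"
    if [ -n "${ZMHOST:-}" ]; then
        echo "on-disk: $(file_fingerprint "$CERT")"; echo "served:  $(served_fingerprint "$ZMHOST")"
    fi
fi
```

Run it with `--self-test` to exercise the checks without Zimbra, or with `ZMHOST=$(zmhostname)` set to compare the on-disk certificate against the one nginx actually serves.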

Sources

The script is published on GitHub. Suggestions, feedback and pull requests are welcome at: https://github.com/yetopen/certbot-zimbra

48 thoughts on “Letsencrypt Zimbra: the easy way”

  1. Lorenzo,

    Does the renewal happen on the final day of the 90 days of the original certificate? I ask because 19 days before the expiration, I got an email from LetsEncrypt that the certificate will expire soon and to renew..

    Thoughts?

    Carlos

  2. Hello, I had a little problem .. but corrected … the problem was that it did not get the correct path/domain to copy the letsencrypt files and broke at that point …
    The issue was in “function prepare_certificate”
    ..
    The # it is the line with the problem and -> it the line that working for me…
    #cp $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
    -> cp $CERTPATH/$ZMHOSTNAME/* /opt/zimbra/ssl/letsencrypt/
    ….
    #cat $CERTPATH/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
    -> cat $CERTPATH/$ZMHOSTNAME/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem

    After that it works perfectly. Many thanks for the script …
    my info is server Ubuntu 14.04 and zimbra 8.7.11

      • Hi Maxxer, this http issue is upon first deployment of the script. This was the error when I installed it, so it did not deploy the LE SSL certificate.
        I can enable port 80 temporary, but I did not to see, if you can resolve the bug somehow.

  3. Hi there,
    Thx for the tuto. I’m getting an error, something about a patch not found. Here’s the output:
    Certbot-Zimbra v0.2 – https://github.com/YetOpen/certbot-zimbra
    Detected Zimbra 8.8.8
    which: no patch in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    No patch binary found. Please install OS ‘patch’ package

  4. hi,
    i have this error ( zimbra 8.8.9 – ubuntu16.04)
    help 🙂

    The script ends with this:
    ….
    Creating virtual environment…
    Traceback (most recent call last):
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 2363, in
    main()
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 719, in main
    symlink=options.symlink)
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 988, in create_environment
    download=download,
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
    OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 – setuptools pkg_resources pip wheel failed with error code 1
    letsencrypt returned an error

  5. Hello there,
    I have same problem with Andrej.
    I have tested to telnet to port 80 (http), it worked, I also tested with browser to connect to port 80 it was promptly redirected to port 443 and it also worked, but when I try to connect to this particular directory, e.g. http://mail.myserver.com/.well-known/acme-challenge/xyz – I got “Connection reset by peer”
    Any suggestion is appreciated.
    Many thanks

  6. The help screen mentions ‘-u’ as being –no-public-hostname-detection; examination of the script reveals that it is actually -h (which normally would bring up a help screen).

  7. hi
    i hope you are good . i am facing this error, can you please help me with this .

    Failed authorization procedure. zmail.cubexsweatherly.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks: Connection refused

    IMPORTANT NOTES:
    – The following errors were reported by the server:

    Domain: zmail.cubexsweatherly.com
    Type: connection
    Detail: Fetching
    http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks:
    Connection refused

  8. Hi,
    is there any way to run the script without port 80 being opened? This is very stupid auth request from LE, I know…can we somehow only work on port 443 or some permanent DNS verification record?
    Thanx, Andrej

    • There are other auth methods, but the script currently supports only http. For your other error I’d suggest installing certbot from packages, because it looks like you’re missing a Python package.
      For further support I suggest you use GitHub, which is better suited for help.

  9. And one more error on Zimbra 8.8.10:

    Error: couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
    Traceback (most recent call last):
    File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 7, in
    from certbot.main import main
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py”, line 10, in
    import josepy as jose
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/__init__.py”, line 41, in
    from josepy.interfaces import JSONDeSerializable
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/interfaces.py”, line 8, in
    from josepy import errors, util
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/util.py”, line 4, in
    import OpenSSL
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py”, line 8, in
    from OpenSSL import rand, crypto, SSL
    File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py”, line 1, in
    import datetime
    ImportError: No module named datetime
    letsencrypt returned an error

  10. Well, thank you for the express hints – I successfully managed to install on Zimbra 8.8.10 and Ubuntu 16.04 using the following:

    1.) Installed certbot via pip, but first install pip:
    # apt install python-pip
    # rm -rf /opt/eff.org/*
    # pip install -U certbot

    2.) Then I make sure all other domains are really pointing to my server, AND that port 80 is opened on firewall AND Zimbra is listening on port 80, too (as Zimbra user):
    # zmprov getServer my.host.name zimbraReverseProxyMailMode
    If the answer is “both”, then Certbot will work.
    If not, you may switch to “both”:
    # zmprov ms my.host.name zimbraReverseProxyMailMode both

    3.) Then I run:
    # cd /usr/local/src/certbot-zimbra
    # ./certbot_zimbra.sh -n

    SUCCESS! 🙂

  11. hi team

    i have renewed my certificate with your command given above . but it’s not reflected in my zimbra.

    [root@zmail ~]# certbot-auto renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Processing /etc/letsencrypt/renewal/zmail.onegig.com.pk.conf
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Cert not yet due for renewal

    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

    The following certs are not due for renewal yet:
    /etc/letsencrypt/live/zmail.onegig.com.pk/fullchain.pem expires on 2019-04-30 (skipped)
    No renewals were attempted.
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    [root@zmail ~]# certbot certificates | grep -Ei ‘expiry|domain’
    -bash: certbot: command not found
    [root@zmail ~]# certbot-auto certificates | grep -Ei ‘expiry|domain’
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Domains: zmail.onegig.com.pk
    Expiry Date: 2019-04-30 10:23:55+00:00 (VALID: 89 days)
    [root@zmail ~]#

  12. hi

    i am facing this issue can you help me on this matter.

    [root@mail certbot-zimbra]# ./certbot_zimbra.sh -n
    Certbot-Zimbra v0.5 – https://github.com/YetOpen/certbot-zimbra
    Detected Zimbra 8.8.10
    Detected mail.hbfc.com.pk as Zimbra hostname
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal

    You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
    (ref: /etc/letsencrypt/renewal/mail.hbfc.com.pk.conf)

    What would you like to do?
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    1: Keep the existing certificate for now
    2: Renew & replace the cert (limit ~5 per 7 days)
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
    Keeping the existing certificate

    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    Certificate not yet due for renewal; no action taken.
    – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
    ** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’
    Certificate ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ and private key ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’ match.
    ** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem’
    Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
    ERROR: Can’t read file ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    Host mail.hbfc.com.pk

    [root@mail certbot-zimbra]# ls -lh /opt/zimbra/ssl/zimbra/commercial/commercial.key
    -rw——- 1 root root 1.7K Jan 31 02:02 /opt/zimbra/ssl/zimbra/commercial/commercial.key
    [root@mail certbot-zimbra]#

  13. hi

    all my issues have been resolved. Thanks for your superb script. Just add one line in your script :

    cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key # add this line in your script please .

  14. Error on commercial key:
    Result:
    ** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’
    Certificate ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ and private key ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’ match.
    ** Verifying ‘/opt/zimbra/ssl/letsencrypt/cert.pem’ against ‘/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem’
    Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
    ERROR: Can’t read file ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’

  15. PERFECT! I just installed it on Zimbra 8.8.12
    Before starting everything, I just changed the behavior of the zimbra proxy with the following command:

    zmprov ms YourMailHostHere.com zimbraReverseProxyMailMode redirect

    In this way, when any challenge is made against the server (to get the server information) it is going to work; by default, Zimbra 8.8.12 is only listening on port 443 (not on port 80). In my case, I guess it is always best practice to redirect all the traffic on port 80 to the secure port 443 (HTTP to HTTPS).

  16. I got the following error:

    Detecting port from zimbraMailProxyPort
    Checking if process is listening on port 80 with name “nginx” user “zimbra”
    Error: port check failed. If you have overridden the port with –port, a web server to use for letsencrypt authentication of the domain mail2.stbanklaos.la must be listening on it.

    An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
    If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.

    Could you help me with this.

    • You’d better report these kinds of problems on GitHub, but are you using the latest version? We’ve fixed some issues like this in recent weeks.

      If you’re sure your setup is ok you can pass -j to skip port check

  17. Well maxxer, i was having the same issue as sounay and the -j did the job; everything ran smoothly and now my zimbra has SSL enabled 🙂 tyvm

  18. Hi,
    seems like even the latest script 0.77 does not RENEW properly. Maybe there’s an incompatibility between the EFF and GITHUB methods, but in my case (GitHub method) the certificate gets properly issued by LE…
    ….but the script copies the WRONG CERT to zimbra:

    Should use path:
    /etc/letsencrypt/live/-0001/ (seems like -0001 is increased with each renewal)

    But instead it uses path:
    /run/certbot-zimbra/certs-McigMQS7/ (seems like 2nd part of name is random)

    So I end up with all OK, no errors…but SSL is the same as before renewal.
    I need to manually copy over files.

  19. hi, I used this guide to install zimbra and letsencrypt. Now the SSL has expired; could you tell me how to manually renew letsencrypt?

    I tried this one certbot_zimbra.sh -n but it is not working?

    shall i stop Zimbra first?

    • Check your zimbra nginx.access.log and mailbox.log to see what’s going on. Otherwise ask help on Zimbra forum which is a better place for getting help 🙂

  20. I had an error this morning because my certbot wasn’t renewing properly.

    “ERROR: Unable to validate certificate chain: C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error /run/certbot-zimbra/certs-v9mE7HRs/cert.pem: verification failed”

    I upgraded from 0.7.11 to 0.7.12 of this script by using these commands.

    $ sudo su
    $ cd /usr/local/src
    $ mv certbot-zimbra certbot-zimbra.old
    $ git clone https://github.com/YetOpen/certbot-zimbra.git
    $ /usr/local/src/certbot-zimbra/certbot_zimbra.sh -n -c -L “–force-renewal”

    After upgrading from 0.7.11 to 0.7.12, the script ran successfully and I was able to restart my zimbra server without any issue.
