Letsencrypt Zimbra: the easy way

👉 👉 ⚠️ UPDATE 2017.09.11: the script got updates, see all the blog posts here or GitHub project page for the latest information ⚠️

There’s an extensive guide on Zimbra’s Wiki on how to (manually) set up a Letsencrypt certificate in Zimbra Collaboration Server.

There’s a bash script to request and deploy a cert. There’s another method explained on Zimbra’s bug#99549 with mixed scripts.

But would you like to simply type:

certbot_zimbra.sh -n

and deploy the certificate?

The script I developed takes a different approach than the previous ones: it patches Zimbra’s nginx configuration so that requests for the /.well-known webserver location bypass the proxy and are answered by the certbot executable.

Requirements

certbot, the letsencrypt automated script. Version >=0.7.0 is highly recommended, mainly because of the ability to execute a command when the certificate is renewed.

The zimbra-proxy package must be installed (which shouldn’t be a big issue, since it has been a compulsory requirement since 8.6).

Installation

To obtain Certbot I’d suggest using the EFF method:

wget https://dl.eff.org/certbot-auto -P /usr/local/bin
chmod a+x /usr/local/bin/certbot-auto

certbot-zimbra can be cloned from GitHub:

cd /usr/local/src
git clone https://github.com/YetOpen/certbot-zimbra.git
cd certbot-zimbra

At this point, to obtain and install the Letsencrypt certificate in Zimbra, just run (as root):

./certbot_zimbra.sh -n

The script will:

  1. patch nginx;
  2. request the certificate (for the host defined by zmhostname);
  3. verify the certificate;
  4. install the letsencrypt certificate in Zimbra;
  5. restart Zimbra.

That’s it!

Now what about renewal? In your favorite cron place add the following line:

55 4 * * * root /usr/bin/certbot renew --post-hook "/usr/local/src/certbot-zimbra/certbot_zimbra.sh -r -d $(zmhostname)"

certbot will check daily whether a renewal is needed, and when the certificate is renewed the script is called to deploy the new cert in Zimbra (and Zimbra is restarted).
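The script’s “verify the certificate” step and the renewal cron job above both hinge on the deployed files being consistent with each other and not about to expire. The following is an added example, not part of certbot-zimbra: a few POSIX sh checks you can run against the deployment directory after a run or from a monitoring job. It assumes certbot’s usual file names (cert.pem, privkey.pem, chain.pem) copied under /opt/zimbra/ssl/letsencrypt/ as in the post, and a 30-day renewal window.

```shell
#!/bin/sh
# Added example, not part of certbot-zimbra: sanity checks on the files the
# script deploys. Assumes certbot's usual file names (cert.pem, privkey.pem,
# chain.pem) copied into /opt/zimbra/ssl/letsencrypt/ (an assumed path).

# 0 if certificate $1 expires within $2 days (default 30); unreadable files count as due.
cert_needs_renewal() {
    secs=$(( ${2:-30} * 86400 ))
    # openssl exits 0 when the cert is still valid $secs seconds from now
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 0 if the public key inside certificate $1 equals the one derived from private key $2.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 verifies against the CA bundle $2 (what zimbra_chain.pem holds).
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks against one directory; the exit status is the number of failed checks.
check_le_dir() {
    dir=${1:-/opt/zimbra/ssl/letsencrypt}
    fails=0
    if cert_needs_renewal "$dir/cert.pem" 30; then
        echo "WARN  $dir/cert.pem expires within 30 days (or is unreadable)"
        fails=$((fails + 1))
    else echo "ok    cert.pem valid for more than 30 days"; fi
    if cert_matches_key "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok    cert.pem matches privkey.pem"
    else echo "FAIL  cert.pem does not match privkey.pem"; fails=$((fails + 1)); fi
    if cert_chain_ok "$dir/cert.pem" "$dir/chain.pem"; then
        echo "ok    cert.pem chains to chain.pem"
    else echo "FAIL  cert.pem does not verify against chain.pem"; fails=$((fails + 1)); fi
    return $fails
}

# Usage: sh check_le.sh [/opt/zimbra/ssl/letsencrypt]
if [ "$#" -gt 0 ]; then check_le_dir "$1"; fi
```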

Sources

The script is published on GitHub. Suggestions, feedback and pull requests are welcome at: https://github.com/yetopen/certbot-zimbra

22 thoughts on “Letsencrypt Zimbra: the easy way”

  1. Lorenzo,

    Does the renewal happen on the final day of the 90 days of the original certificate? I ask because 19 days before the expiration, I got an email from LetsEncrypt that the certificate will expire soon and to renew..

    Thoughts?

    Carlos

  2. Hello, I had a little problem .. but corrected it … the problem was that it did not get the correct path/domain to copy the letsencrypt files and broke at that point …
    The issue was in “function prepare_certificate”
    ..
    The # is the line with the problem and -> is the line that works for me…
    #cp $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
    -> cp $CERTPATH/$ZMHOSTNAME/* /opt/zimbra/ssl/letsencrypt/
    ….
    #cat $CERTPATH/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
    -> cat $CERTPATH/$ZMHOSTNAME/chain.pem > /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem

    After that it works perfectly. Many thanks for the script …
    My info is server Ubuntu 14.04 and Zimbra 8.7.11

      • Hi Maxxer, this http issue is upon first deployment of the script. This was the error when I installed it, so it did not deploy the LE SSL certificate.
        I can enable port 80 temporarily, but I did not, to see if you can resolve the bug somehow.

  3. Hi there,
    Thanks for the tutorial. I’m getting an error, something about a patch not found. Here’s the output:
    Certbot-Zimbra v0.2 – https://github.com/YetOpen/certbot-zimbra
    Detected Zimbra 8.8.8
    which: no patch in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    No patch binary found. Please install OS ‘patch’ package

  4. Hi,
    I have this error (Zimbra 8.8.9 – Ubuntu 16.04).
    Help 🙂

    The script ends with this:
    ….
    Creating virtual environment…
    Traceback (most recent call last):
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 2363, in
    main()
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 719, in main
    symlink=options.symlink)
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 988, in create_environment
    download=download,
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
    File “/usr/lib/python3/dist-packages/virtualenv.py”, line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
    OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 – setuptools pkg_resources pip wheel failed with error code 1
    letsencrypt returned an error

  5. Hello there,
    I have the same problem as Andrej.
    I have tested to telnet to port 80 (http), it worked, I also tested with browser to connect to port 80 it was promptly redirected to port 443 and it also worked, but when I try to connect to this particular directory, e.g. http://mail.myserver.com/.well-known/acme-challenge/xyz – I got “Connection reset by peer”
    Any suggestion is appreciated.
    Mille grazie

  6. The help screen mentions ‘-u’ as being –no-public-hostname-detection; examination of the script reveals that it is actually -h (which normally would bring up a help screen).

  7. Hi,
    I hope you are well. I am facing this error, can you please help me with this?

    Failed authorization procedure. zmail.cubexsweatherly.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks: Connection refused

    IMPORTANT NOTES:
    – The following errors were reported by the server:

    Domain: zmail.cubexsweatherly.com
    Type: connection
    Detail: Fetching
    http://zmail.cubexsweatherly.com/.well-known/acme-challenge/882zG0-i5-oIjKp5s3f6aCwW8ApndRzd_UO__Zbi4ks:
    Connection refused
