Hướng dẫn Cấu hình, Renew SSL free LetsEncrypt cho Zimbra Email Server
1./ Stop Email server
su - zimbra
zmproxyctl stop
zmmailboxdctl stop
2./ Tiến hành git clone letsencrypt về server local
ở đây mình down về /opt/letencrypt
3./ Tiến hành tạo certs
Đối với 1 domain thì chạy lệnh này
./letsencrypt-auto certonly --standalone
Đối với nhiều domain thì chạy lệnh này
./letsencrypt-auto certonly --standalone -d xmpp.example.com -d conference.example.com
Điền email
Đồng ý
Nhập domain với trường hợp chỉ đăng ký cho 1 domain
Kết quả
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.cloudx.com.vn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.cloudx.com.vn/privkey.pem
Your cert will expire on 2020-08-23. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
sau khi tạo certs xong vào thư mục /etc/letsencrypt/live/mail.cloudx.com.vn/
sẽ có những file như sau:
cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem + chain.pem
privkey.pem is the private key
Please keep in mind that the private key is only for you.
4./ Tiến hành sửa file chain.pem
Chỉnh sửa file chain.pem như sau:
Mở file chain.pem và thêm vào đoạn bôi vàng sau:
Your chain.pem should look like:
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Bước này rất quan trọng phải copy root CA vào sau file chain.pem
File được thêm vào có nội dung ở link dưới:
https://letsencrypt.org/certs/trustid-x3-root.pem.txt
5./ Tiến hành Build certs
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/mail.cloudx.com.vn/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
total 24
drwxr-xr-x 2 root root 4096 Jul 15 22:59 .
drwxr-xr-x 8 zimbra zimbra 4096 Jul 15 22:59 ..
-rw-r--r-- 1 zimbra zimbra 1809 Jul 15 22:59 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Jul 15 22:59 chain.pem
-rw-r--r-- 1 zimbra zimbra 3456 Jul 15 22:59 fullchain.pem
-rw-r--r-- 1 zimbra zimbra 1704 Jul 15 22:59 privkey.pem
Login bằng user zimbra
su - zimbra
cd /opt/zimbra/ssl/letsencrypt
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
Tiến hành backup thư mục zimbra
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*
chmod 755 /opt/zimbra/ssl/zimbra/commercial/*
zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.cloudx.com.vn...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.cloudx.com.vn...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/9deea024.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '9deea024.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
zmcontrol restart
Đợi khoảng 2 phút để tất cả services được bật lại
6./ Mở trình duyệt kiểm tra lại cert
https://mail.yourdomain.com
Test the new SSL Certificate with OpenSSL
You can use openssl cli tools to check and test the new SSL certificate:
echo QUIT | openssl s_client -connect $domain:443 | openssl x509 -noout -text | less
echo QUIT | openssl s_client -connect mail.cloudx.com.vn:443 | openssl x509 -noout -text | less
Kết quả
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.cloudx.com.vn
verify return:1
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:10:50:68:52:61:5f:36:3c:82:ee:26:e2:de:71:60:cb:bc
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: May 26 02:04:02 2020 GMT
Not After : Aug 24 02:04:02 2020 GMT
Subject: CN = mail.cloudx.com.vn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:eb:87:a1:80:d0:f0:b2:e6:45:40:e5:99:11:b2:
04:f3:32:3e:6e:1b:86:65:d5:40:e2:ef:12:fd:ea:
47:99:f8:76:25:1d:a6:1e:65:e1:12:75:22:37:e7:
d8:a8:7a:97:28:dc:3d:30:8a:6b:cb:e2:52:58:9f:
af:bc:78:93:43:3b:96:30:75:56:d8:41:83:c5:0f:
ab:32:b6:00:eb:a2:cf:77:f9:8e:e3:1f:5d:f4:a2:
6d:ae:20:c2:10:66:63:9b:4a:c8:fd:b2:1b:82:b1:
7e:59:90:0e:28:db:58:83:e1:98:f1:11:11:12:bc:
3a:59:b6:b3:a8:c4:14:5d:1b:dc:1b:88:a5:37:d4:
f5:b3:f4:a3:b7:bf:17:e1:3f:0f:10:85:03:97:37:
b0:11:a8:5b:89:d9:87:1e:36:ad:27:c5:6a:ba:0e:
a4:d4:14:e1:25:4e:19:1b:ab:d0:42:65:6d:15:86:
7e:02:56:4a:35:b3:5f:5e:28:f4:81:4d:1a:49:cf:
ca:27:5d:65:8b:7a:d9:80:b8:9e:02:5c:10:9a:0d:
8c:53:9d:72:b1:44:cf:8f:9f:df:42:6a:a1:48:37:
84:3d:27:69:39:04:50:14:58:8e:54:66:cc:50:5a:
67:99:0a:9b:3c:6e:fa:96:41:49:fb:3b:0d:48:61:
14:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
EB:AC:6B:3B:4F:44:2A:87:72:5A:80:14:2D:37:4A:6D:B1:11:B0:13
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:mail.cloudx.com.vn
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:
7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
Timestamp : May 26 03:04:02.410 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:1D:EE:26:5B:6B:3C:BF:66:42:64:2C:82:
5D:FD:7C:8A:DF:A1:6A:C2:9C:86:53:FA:BB:D0:09:6B:
18:43:19:E3:02:20:68:65:CD:42:4B:CD:3B:C8:68:3F:
6F:80:9B:B5:39:58:21:34:D4:55:57:97:D9:27:30:38:
07:F1:BD:F3:A2:5D
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:
25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E
Timestamp : May 26 03:04:02.400 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:BF:AE:07:C3:A9:59:2C:17:48:A6:A2:
E6:06:DC:87:7A:89:7C:98:9E:E9:D9:E3:05:C4:EE:08:
FA:09:69:7F:C2:02:21:00:BA:0C:DE:41:5B:3B:31:76:
31:75:06:D8:61:E0:7D:24:F7:8F:DE:1D:A4:BE:FA:84:
28:9D:25:CE:BA:BE:2D:6D
Signature Algorithm: sha256WithRSAEncryption
37:46:36:9c:f5:3f:ad:9c:63:55:7e:b2:13:ea:ae:0f:8a:e6:
27:e4:cb:59:be:aa:fe:a5:99:28:17:98:7b:58:f9:cf:2f:0f:
aa:c4:10:90:ff:f9:5d:28:59:fe:a0:8a:8b:f7:7b:38:57:ec:
4c:3d:a0:6c:14:33:92:1d:e5:13:50:06:e9:91:ee:68:f9:c3:
94:1f:a0:e3:92:0b:8c:c8:ec:20:84:e0:73:15:8b:55:b9:f9:
1c:19:73:a4:e1:25:ba:52:7c:1b:a8:07:4b:69:60:c8:92:f5:
8a:06:dd:44:58:85:be:2f:5a:71:ad:19:31:53:13:5c:b0:34:
20:d4:6c:cd:d6:90:5a:07:95:39:04:da:af:94:4b:40:32:11:
b8:cf:7e:2d:ba:2c:63:e8:d0:77:57:09:c1:fe:e0:71:26:eb:
d1:a2:ea:dc:2d:ae:14:dc:c3:c8:2f:e9:42:30:07:9e:6b:b0:
f2:3e:21:e9:aa:6f:80:04:5d:f2:fd:ab:38:ed:b1:6b:7f:f2:
62:5f:16:4b:b4:af:91:03:33:72:57:d3:93:2e:11:56:83:07:
0d:21:c5:37:47:d5:f4:28:8c:1d:78:ef:e7:70:64:c5:0c:55:
cd:61:7c:80:be:06:8f:0c:9d:c2:01:0e:f7:0e:cb:bc:25:c5:
f1:e3:bf:bc
Tham khảo:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
7./ Để Renew SSL thực hiện các bước như sau:
Backup và xoá toàn bộ file trong thư mục
/opt/zimbra/ssl/zimbra/commercial
cp -R /opt/zimbra/ssl/zimbra/commercial /opt/backup/comercial_$(date "+%Y%m%d")
\rm -rf /opt/zimbra/ssl/zimbra/commercial/*
Backup và xoá toàn bộ file trong thư mục
/opt/zimbra/ssl/letsencrypt
cp -R /opt/zimbra/ssl/letsencrypt /opt/backup_$(date "+%Y%m%d")
\rm -rf /opt/zimbra/ssl/letsencrypt
#xoá và tạo lại cert ssl
cp -R /etc/letsencrypt /opt/backup/letsencrypt_$(date "+%Y%m%d")
\rm -rf /etc/letsencrypt
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone
Sau đó làm tiếp theo các bước 3 đến bước 6
Chúc các bạn thành công!
