Automatically Renewing FREE SSL on Zimbra

September 17, 2020 - by Zsolt Agoston - last edited on September 30, 2020

Zimbra, like every server that communicates securely on the internet, needs a publicly trusted SSL certificate to function correctly. Both client access and secure SMTP mail transmission depend on that certificate, which is self-signed by default when a fresh server installation finishes.

This provides encryption from the start, but because the certificate is self-issued it is not trusted by other parties on the internet. Users see warning messages when opening the access portal, and partner organizations may reject our emails, since many mail servers require properly functioning TLS to send and receive messages.

We need a new certificate, signed by a public certification authority (CA). There are many CAs we could use, but we want to save money and get our SSL certificate for free.

Let's Encrypt offers free certificates valid for 3 months, after which they can be renewed for free. We already covered how to get LE certificates on CentOS boxes; this time we put that knowledge into a script that obtains and automatically renews the SSL certificate for our Zimbra server running on CentOS 8 (see our installation guide). Let's get started!

1. Install the Let's Encrypt Certbot

# Install Certbot on the Linux box
yum install -y certbot

# Generate our first SSL cert. Subsequent certificates will be renewed by our script below.
# certbot --standalone binds port 80 itself to answer the HTTP-01 challenge, so the Zimbra
# proxy must not be listening there at this point (stop it with zmproxyctl stop if it is).
certbot certonly --standalone -d mail.protectigate.com -m zsolt@opentechtips.com --agree-tos -n

# Prepare the Zimbra directory for the new certificate
mkdir -p /opt/zimbra/ssl/letsencrypt

2. Install the Certificate and create the Script for auto-renewal

a. Create the script as /root/ssl.sh (it runs as root and switches to the zimbra user for the Zimbra tools)

#!/bin/bash
# /root/ssl.sh - renew the Let's Encrypt certificate and deploy it to Zimbra
set -euo pipefail

DOMAIN=mail.protectigate.com
LE_DIR=/opt/zimbra/ssl/letsencrypt

# Change work dir to /tmp
cd /tmp

# Stop the Zimbra proxy (nginx) and mailboxd first: certbot --standalone has to
# bind port 80 itself, which fails while the proxy is listening there
sudo -u zimbra /opt/zimbra/bin/zmproxyctl stop
sudo -u zimbra /opt/zimbra/bin/zmmailboxdctl stop

# If anything below fails, bring Zimbra back up with the old certificate instead
# of leaving the services stopped
trap 'echo "ssl.sh failed, restarting Zimbra with the old certificate" >&2; sudo -u zimbra /opt/zimbra/bin/zmcontrol restart' ERR

# Renew cert if needed (certbot keeps the current one until it is close to expiry)
certbot certonly --standalone -d "$DOMAIN" -m zsolt@opentechtips.com --agree-tos -n

# Rename existing Zimbra letsencrypt folder and create a new one
if [[ -e "$LE_DIR" ]]; then
    mv "$LE_DIR" "$LE_DIR$(date +'%Y%m%d')"
fi
mkdir -p "$LE_DIR"

# Copy Let's Encrypt SSL cert into Zimbra SSL dir. The files under live/ are
# symlinks into archive/, so dereference them (-L) instead of copying the links
/bin/cp -L /etc/letsencrypt/live/"$DOMAIN"/*.pem "$LE_DIR"/

# Download the Let's Encrypt root cert and merge it into the chain file
# (zmcertmgr wants the full chain up to the root). This is the root the chain
# was issued under when the script was written; update it if Let's Encrypt's
# chain changes, otherwise verifycrt below fails
wget -q https://letsencrypt.org/certs/trustid-x3-root.pem.txt -O "$LE_DIR"/root.pem
cat "$LE_DIR"/root.pem >> "$LE_DIR"/chain.pem

# Change owner of SSL files to Zimbra user
chown -R zimbra:zimbra "$LE_DIR"

# Verify new SSL cert; with set -e a failure stops the script before deploycrt
sudo -u zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm "$LE_DIR"/privkey.pem "$LE_DIR"/cert.pem "$LE_DIR"/chain.pem

# Make backup of existing SSL
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra."$(date +%Y%m%d)"

# Copy new priv key
/bin/cp -f "$LE_DIR"/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

# Install new SSL cert
sudo -u zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm "$LE_DIR"/cert.pem "$LE_DIR"/chain.pem

# Restart Zimbra services
sudo -u zimbra /opt/zimbra/bin/zmcontrol restart

b. Make the script executable: chmod +x /root/ssl.sh

3. Create a cron job to run the script every month

Now that the script is ready, we create a cron job to run it every month; certbot only renews the certificate when it is about to expire, so the other runs do nothing.

# Create a new cron job that runs on the 1st of every month at 2am.
# (crontab -l is allowed to fail so the job is still added when root has no crontab yet)
(crontab -l 2>/dev/null; echo "0 2 1 * * /root/ssl.sh") | crontab -

4. Verify

When we visit the management portal, the address bar is green, showing that the SSL certificate on our encrypted traffic is trusted. The same applies to the client portal and to encrypted SMTP traffic: all of them are covered by the new signed key pair. Enjoy!
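The script above runs zmcertmgr verifycrt and then copies the private key and the certificate in two separate steps, so a key/cert mismatch, a chain missing its root, or an expired leaf are the failures worth checking before (and after) deploycrt. The checks below are an added example, not part of the original ssl.sh; they assume the OpenSSL CLI and GNU date (both present on CentOS 8) and a directory laid out like /opt/zimbra/ssl/letsencrypt (privkey.pem, cert.pem, chain.pem).

```shell
#!/bin/bash
# Sanity checks for a Let's Encrypt file set before handing it to zmcertmgr.
# Added example (not the original ssl.sh); assumes openssl and GNU date.
set -u

# Days until the certificate in $1 expires (integer, negative once expired).
days_until_expiry() {
    local not_after end_s now_s
    not_after=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$not_after" ] || return 1          # unreadable file or not a certificate
    end_s=$(date -d "$not_after" +%s)        # GNU date parses "Dec 16 12:00:00 2020 GMT"
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# 0 when the private key in $1 belongs to the certificate in $2. Both tools print
# the same SubjectPublicKeyInfo PEM, so a plain string compare is enough.
key_matches_cert() {
    local key_pub cert_pub
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# 0 when the leaf certificate $1 chains up to a root contained in $2
# (this is why ssl.sh appends the root to chain.pem before verifycrt).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check against one directory; returns non-zero if any check fails,
# so a caller can abort before deploycrt instead of installing a broken set.
check_le_dir() {
    local dir=$1 rc=0 left
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" || { echo "key/cert mismatch"; rc=1; }
    chain_verifies "$dir/cert.pem" "$dir/chain.pem" || { echo "chain does not verify"; rc=1; }
    left=$(days_until_expiry "$dir/cert.pem") || left=0
    [ "$left" -gt 0 ] || { echo "certificate expired or unreadable"; rc=1; }
    echo "days until expiry: $left"
    return $rc
}

# Usage: ./check_le.sh /opt/zimbra/ssl/letsencrypt
if [ -n "${1:-}" ]; then check_le_dir "$1"; fi
```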


Comments

1. jeff says

   April 27, 2021 at 17:24

   These directions do not work for the renewal. The initial creation of the cert works. Renewal fails with authentication errors.

   • Mischa says

     April 29, 2021 at 11:23

     Hi! Did you find a solution for this?
