How to install Let’s encrypt ssl with zimbra fully automated configuration

Zimbra-lets-encypt

This document will help you configure your Zimbra server with Let's Encrypt auto-SSL, a free SSL certificate solution for all the domains hosted on your Zimbra Open Source email server. Here we configure it on a brand new Ubuntu 16.04 server with the domain name mymail.com and the server IP 10.0.0.10. Before starting the Zimbra installation, you need to point the following domain name / subdomain names to the IP address 10.0.0.10:

mymail.com  => 10.0.0.10
imap.mymail.com => 10.0.0.10
pop.mymail.com => 10.0.0.10
smtp.mymail.com => 10.0.0.10
ssl.mymail.com  => 10.0.0.10

We are using the certbot-zimbra script to automate the process. You can download it from GitHub: https://github.com/YetOpen/certbot-zimbra

Install Zimbra opensource

The first step is to install Zimbra Open Source Edition on your server. I used Zimbra 8.8.11 for the installation at the time of writing. Make sure to choose the zimbra-proxy package during the Zimbra installation. By default the nginx proxy installed by Zimbra does not listen on HTTP port 80. This must be enabled to obtain a Let's Encrypt certificate, because the certificate authority verifies the ACME http-01 challenge on this port.

There are two methods to do this. The first method is the recommended one. The second method is to open the non-SSL HTTP service in Zimbra. Please choose a suitable option as follows,

Option 1( recommended )

Edit the nginx template file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following line before the "server" block, as seen below,

include                 ${core.includes}/${core.cprefix}.lets.conf;

Now create the file /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf with the following configuration

server {
    listen 80 default_server;
    server_name _;
    access_log off;

    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }

    location / {
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
}

server {
    listen 80;
    server_name ssl.mymail.com;    # This is going to be the main ssl validation domain only for ssl verification
    access_log off;
    root /opt/zimbra/data/nginx/html;
    index index.html index.htm;

    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

Now restart the nginx proxy server (zmcontrol must be run as the zimbra user)

# su - zimbra
# zmcontrol stop
# zmcontrol start
# exit

Option 2


To enable the HTTP service on the Zimbra proxy, run the following commands as the zimbra user.

# sudo su - zimbra
# zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
# /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H  mymail.com
# zmcontrol  stop 
# zmcontrol start
# exit

Now test whether nginx is listening on port 80 as follows

root@mymail:~# netstat -pant | grep nginx
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1406/nginx.conf 
tcp        0      0 138.201.107.56:51694    138.201.107.56:11211    ESTABLISHED 1411/nginx: worker 
tcp        0      0 138.201.107.56:51698    138.201.107.56:11211    ESTABLISHED 1410/nginx: worker 
tcp        0      0 138.201.107.56:51692    138.201.107.56:11211    ESTABLISHED 1407/nginx: worker 
tcp        0      0 138.201.107.56:51696    138.201.107.56:11211    ESTABLISHED 1412/nginx: worker 
root@mymail:~#

From the above output you can see that nginx is listening on port 80. Now you are ready to go to the next step.

Install certbot

This client software is provided by Let's Encrypt and is required to obtain the SSL certificates. You may install it as follows,

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Please note, you must disable the cron job that the certbot package installs, because after each renewal the new certificate must also be deployed into Zimbra (the cron job we add later does both). So open /etc/cron.d/certbot with your favorite editor and comment out the last line.

Install certbot-zimbra scripts

You may download the certbot-zimbra package from https://github.com/YetOpen/certbot-zimbra as follows,

# wget https://github.com/YetOpen/certbot-zimbra/archive/master.zip
# unzip master.zip
# cd certbot-zimbra-master/
# cp -av  certbot_zimbra.sh /usr/local/bin/

Now install the certificate

At this time the script supports installing only one certificate. That is not an issue: you can add all your domains as SAN (Subject Alternative Name) entries, so only one certificate needs to be installed on this server. You may do it as follows,

# certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com

Add a cron job that runs every two days after midnight to check whether the certificate is close to expiry and renew it if needed. Create the file /etc/cron.d/zimbracrontab using your favorite editor and add the following line.

0 1 */2 * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r"

Now restart zimbra email server

# su - zimbra
# zmcontrol  stop 
# zmcontrol start
# exit 

Now test the ssl certificates from https://mymail.com/ .
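Beyond opening https://mymail.com/ in a browser, it is worth checking three things that the guide above relies on: that the deployed certificate is not close to expiry (the cron job only helps if renewal actually works), that it covers every hostname passed to certbot_zimbra.sh as a SAN, and that the plain-HTTP ACME challenge path served by the nginx include from Option 1 really reaches the webroot. The following script is an added example for this guide; it is not part of certbot-zimbra or Zimbra. It assumes that certbot-zimbra deploys the issued certificate to /opt/zimbra/ssl/zimbra/commercial/commercial.crt (override with ZIMBRA_CERT), that the ACME webroot is /opt/zimbra/data/nginx/html as configured above (override with ACME_ROOT), and it uses the hostnames from this guide.

```shell
#!/bin/sh
# Post-deployment checks for the Let's Encrypt certificate on a Zimbra host.
# Added example for this guide, not part of certbot-zimbra or Zimbra.
# Assumptions: certificate path and ACME webroot below; hostnames from the guide.
set -u

ZIMBRA_CERT="${ZIMBRA_CERT:-/opt/zimbra/ssl/zimbra/commercial/commercial.crt}"
ACME_ROOT="${ACME_ROOT:-/opt/zimbra/data/nginx/html}"

# Returns 0 if the certificate in PEM stays valid for at least DAYS more days,
# 1 if it expires within that window (openssl -checkend does the date math).
cert_not_expiring_within() {
    pem=$1; days=$2
    openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1
}

# Prints the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)[[:space:]]*$/\1/p'
}

# Returns 0 if NAME is listed as a DNS SAN in PEM (exact, whole-line match).
cert_covers_name() {
    cert_dns_names "$1" | grep -qxF "$2"
}

# Prints every NAME (arguments after PEM) that the certificate does not cover.
cert_missing_names() {
    pem=$1; shift
    for n in "$@"; do
        cert_covers_name "$pem" "$n" || printf '%s\n' "$n"
    done
}

# Writes a random token under the ACME webroot and fetches it over plain HTTP,
# which is the path the CA uses for the http-01 challenge. Returns 0 only if
# the token comes back byte-for-byte; cleans up the file either way.
acme_probe() {
    host=$1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    dir="$ACME_ROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    body=$(curl -fsS --max-time 10 "http://$host/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

main() {
    host=${1:-mymail.com}
    echo "certificate: $ZIMBRA_CERT"
    if cert_not_expiring_within "$ZIMBRA_CERT" 14; then
        echo "expiry: ok (more than 14 days left)"
    else
        echo "expiry: WARNING, expires within 14 days; check 'certbot renew' output"
    fi
    missing=$(cert_missing_names "$ZIMBRA_CERT" \
        mymail.com smtp.mymail.com pop.mymail.com imap.mymail.com)
    if [ -z "$missing" ]; then
        echo "SAN coverage: ok"
    else
        echo "SAN coverage: missing $(echo "$missing" | tr '\n' ' ')"
    fi
    if acme_probe "$host"; then
        echo "http-01 path over port 80: ok"
    else
        echo "http-01 path over port 80: FAIL (check the nginx include and port 80)"
    fi
}

# Run the checks only when explicitly requested, e.g.
#   RUN_ZIMBRA_CERT_CHECK=1 sh zimbra_cert_check.sh mymail.com
if [ -n "${RUN_ZIMBRA_CERT_CHECK:-}" ]; then main "${1:-mymail.com}"; fi
```

Run it as root on the Zimbra host after the certificate is installed and again after the first cron-driven renewal; a failing http-01 probe is the most common reason a renewal silently stops working, and it is cheaper to catch here than in a CA error message.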