This document will help you configure your Zimbra server with Let's Encrypt auto-SSL, a free SSL certificate solution for all the domains hosted on your Zimbra Open Source email server. Here we are going to configure it on a brand new Ubuntu 16.04 server with the domain name mymail.com and the server IP 10.0.0.10. Before starting the Zimbra installation, you need to point the following domain name / subdomain names to the IP address 10.0.0.10:
mymail.com => 10.0.0.10
imap.mymail.com => 10.0.0.10
pop.mymail.com => 10.0.0.10
smtp.mymail.com => 10.0.0.10
ssl.mymail.com => 10.0.0.10
We are using the certbot-zimbra script to automate the process. You can download it from GitHub: https://github.com/YetOpen/certbot-zimbra
Install Zimbra Open Source
The first step is to install Zimbra Open Source Edition on your server. I used Zimbra 8.8.11 for the installation at the time of writing. Make sure to choose the zimbra-proxy package during the Zimbra installation. By default the nginx proxy installed by Zimbra won't listen on HTTP port 80. This must be enabled to activate the Let's Encrypt certificate, because the certificate authority verifies the ACME challenge on this port.
There are two methods to do this. The first method is the recommended one. The second method is to open the non-SSL service in Zimbra. Please choose the option that suits you, as follows.
Option 1 (recommended)
Edit the nginx template file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following line before the "server" block, as seen below:
include ${core.includes}/${core.cprefix}.lets.conf;
Now create the file /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf with the following configuration:
server {
    listen 80 default_server;
    server_name _;
    access_log off;
    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }
    location / {
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
}
server {
    listen 80;
    server_name ssl.mymail.com; # This is going to be the main SSL validation domain, used only for SSL verification
    access_log off;
    root /opt/zimbra/data/nginx/html;
    index index.html index.htm;
    location ^~ /.well-known/acme-challenge {
        root /opt/zimbra/data/nginx/html;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}
Now restart the nginx proxy server (zmcontrol must be run as the zimbra user):
# su - zimbra
# zmcontrol stop
# zmcontrol start
# exit
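Before asking the CA for a certificate it is worth confirming that the challenge path above is really reachable over plain HTTP on port 80, since the catch-all location in the include rewrites everything else to https and a 301 on the challenge URL is exactly what makes an http-01 validation fail. The following script is an added example (not part of this tutorial and not part of certbot-zimbra): it writes a random token under the webroot used above, /opt/zimbra/data/nginx/html, and fetches it back the way the CA would, without following redirects. The script name acme_probe.py is made up; everything else is Python standard library.

```python
"""Probe the ACME http-01 challenge path on a Zimbra host.

Added example, not from the tutorial or from certbot-zimbra. It does what the
CA does during http-01: writes a random token file under
<webroot>/.well-known/acme-challenge/ and fetches it over plain HTTP, without
following redirects, so a 301 to https (the catch-all rewrite in the Option 1
include) is reported as a failure rather than silently followed. Run it on the
Zimbra host after restarting the proxy (hostname and webroot are the ones used
in this tutorial; the script name is invented):

    python3 acme_probe.py mymail.com /opt/zimbra/data/nginx/html
"""
import os
import secrets
import sys
import urllib.request
from urllib.error import HTTPError, URLError

CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 3xx responses into HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def write_token(webroot):
    """Create a random token file where the CA would look; return (name, content)."""
    name = secrets.token_urlsafe(16)
    content = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, name), "w") as fh:
        fh.write(content)
    return name, content


def fetch_token(base_url, name, timeout=5):
    """GET base_url/.well-known/acme-challenge/name; return (HTTP status, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(f"{base_url}/{CHALLENGE_DIR}/{name}", timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # 301/404/...: the server answered, but not with the token
        return err.code, ""
    except URLError as err:  # nothing listening, DNS failure, timeout
        return 0, str(err.reason)


def probe(host, webroot, port=80):
    """Write a token, fetch it back the way the CA would, then remove it.

    Returns (ok, status); ok is True only for a 200 whose body is the token."""
    name, expected = write_token(webroot)
    try:
        status, body = fetch_token(f"http://{host}:{port}", name)
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, name))
    return status == 200 and body == expected, status


def selftest():
    """Offline check of the probe against a temporary webroot served by http.server."""
    import tempfile
    import threading
    from functools import partial
    from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

    class Quiet(SimpleHTTPRequestHandler):
        def log_message(self, *args):  # keep the test output clean
            pass

    with tempfile.TemporaryDirectory() as webroot:
        server = ThreadingHTTPServer(("127.0.0.1", 0), partial(Quiet, directory=webroot))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            ok, status = probe("127.0.0.1", webroot, port=port)
            missing, _ = fetch_token(f"http://127.0.0.1:{port}", "does-not-exist")
        finally:
            server.shutdown()
            server.server_close()
    return ok and status == 200 and missing == 404


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} HOSTNAME WEBROOT")
    ok, status = probe(sys.argv[1], sys.argv[2])
    if ok:
        print("challenge path OK: token served on port 80")
    else:
        hint = " (redirected: the acme-challenge location is not taking precedence)" if status in (301, 302) else ""
        print(f"challenge path FAILED, HTTP status {status}{hint}")
    sys.exit(0 if ok else 1)
```

The probe must run on the Zimbra host itself because it writes into the local webroot; a status of 0 means nothing answered on port 80 at all, a 301 means the https rewrite caught the request, and a 404 means nginx answered but from a different root than the one the include points at.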
Option 2
To enable the HTTP service on the Zimbra proxy, run the following commands as the zimbra user:
# sudo su - zimbra
# zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
# /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H mymail.com
# zmcontrol stop
# zmcontrol start
# exit
Now test whether nginx is listening on port 80, as follows:
root@mymail:~# netstat -pant | grep nginx
tcp        0      0 0.0.0.0:110         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:143         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:993         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:995         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 138.201.107.56:51694 138.201.107.56:11211 ESTABLISHED 1411/nginx: worker
tcp        0      0 138.201.107.56:51698 138.201.107.56:11211 ESTABLISHED 1410/nginx: worker
tcp        0      0 138.201.107.56:51692 138.201.107.56:11211 ESTABLISHED 1407/nginx: worker
tcp        0      0 138.201.107.56:51696 138.201.107.56:11211 ESTABLISHED 1412/nginx: worker
root@mymail:~#
From the above output you can see that nginx is listening on port 80. Now you are ready to go to the next step.
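Both conditions this step depends on can be checked by script rather than by eye: that port 80 is bound by the Zimbra nginx process and not by some other daemon, and (for Option 1) that the include file does not leave nginx with two default servers on the same listen address, which is the "a duplicate default server for 0.0.0.0:80" error that stops the proxy from starting. The following Python script is an added example, not part of this tutorial or of certbot-zimbra. The netstat rows and nginx snippets inside it are constructed sample input, and the glob over /opt/zimbra/conf/nginx/includes/ in the main block is an assumption about where Zimbra writes its generated nginx includes.

```python
"""Pre-flight checks for the Let's Encrypt setup on a Zimbra host.

Added example, not part of the tutorial or of the certbot-zimbra project.
It automates two checks that come up on this page:

  1. the "netstat -pant | grep nginx" step: is port 80 bound, and by nginx?
  2. the Option 1 include: does any listen address end up with more than one
     `default_server`, which makes nginx refuse to start
     ("a duplicate default server for 0.0.0.0:80")?

The netstat output and nginx snippets below are constructed sample input.
"""
import re
from collections import Counter

# One LISTEN row of `netstat -pant`: proto recv-q send-q local foreign state pid/program
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)
LISTEN_DIRECTIVE_RE = re.compile(r"\blisten\s+([^;]+);")


def parse_listeners(netstat_output):
    """Map each listening TCP port to (local address, pid, program name)."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listeners[int(m["port"])] = (m["addr"], int(m["pid"]), m["prog"])
    return listeners


def port80_owned_by_nginx(netstat_output):
    """True when a program named nginx* (Zimbra's shows as nginx.conf) listens on :80."""
    owner = parse_listeners(netstat_output).get(80)
    return bool(owner and owner[2].startswith("nginx"))


def _normalise_listen_target(target):
    # `listen 80` means all IPv4 addresses; `*:80` is the same thing spelled out
    if target.isdigit():
        return "0.0.0.0:" + target
    if target.startswith("*:"):
        return "0.0.0.0:" + target[2:]
    return target


def default_server_counts(*config_texts):
    """Count `default_server` flags per listen address across the given config texts."""
    counts = Counter()
    for text in config_texts:
        text = re.sub(r"#.*", "", text)  # drop comments before matching directives
        for args in LISTEN_DIRECTIVE_RE.findall(text):
            parts = args.split()
            if "default_server" in parts:
                counts[_normalise_listen_target(parts[0])] += 1
    return counts


def duplicate_default_servers(*config_texts):
    """Listen addresses that would trigger nginx's duplicate default server error."""
    return sorted(a for a, n in default_server_counts(*config_texts).items() if n > 1)


# Constructed sample input: listeners as printed by the tutorial's netstat step,
# plus an ESTABLISHED worker row that must be ignored.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:110         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN      1406/nginx.conf
tcp        0      0 10.0.0.10:51694     10.0.0.10:11211     ESTABLISHED 1411/nginx: worker
"""
SAMPLE_NETSTAT_HTTPS_ONLY = "\n".join(l for l in SAMPLE_NETSTAT.splitlines() if ":80 " not in l)

# Constructed: the shape of the Option 1 include, and a second snippet that also
# claims default_server on port 80 (what a clashing template would look like).
TUTORIAL_INCLUDE = """\
server {
    listen 80 default_server;
    server_name _;
    location ^~ /.well-known/acme-challenge { root /opt/zimbra/data/nginx/html; }
    location / { rewrite ^/(.*) https://$host$request_uri permanent; }
}
server {
    listen 80;
    server_name ssl.mymail.com; # validation-only vhost, not a default server
}
"""
OTHER_INCLUDE = "server {\n    listen *:80 default_server;\n    server_name mymail.com;\n}\n"


if __name__ == "__main__":
    import glob
    import subprocess

    try:
        netstat = subprocess.run(["netstat", "-pant"], capture_output=True, text=True).stdout
        print("port 80:", "nginx is listening" if port80_owned_by_nginx(netstat) else "NOT bound by nginx")
    except FileNotFoundError:
        print("netstat not installed; skipping the port 80 check")
    # Assumption: Zimbra's generated includes live here, next to the tutorial's lets.conf
    files = glob.glob("/opt/zimbra/conf/nginx/includes/nginx.conf*")
    dupes = duplicate_default_servers(*(open(f).read() for f in files))
    print("duplicate default_server:", dupes or "none")
```

Run it as root on the Zimbra host after the restart; the netstat check reproduces the page's grep by hand, and the default_server scan reads every generated include so that a clash between the Option 1 file and another template shows up before zmcontrol does.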
Install certbot
This client software is provided by Let's Encrypt and is required to obtain the SSL certificates. You may install it as follows:
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot
Please note: you must disable the certbot cron job, because after each renewal the certificate must also be deployed into Zimbra. So open /etc/cron.d/certbot with your favourite editor and comment out the last line.
Install the certbot-zimbra script
You may download the certbot-zimbra package from https://github.com/YetOpen/certbot-zimbra as follows:
# wget https://github.com/YetOpen/certbot-zimbra/archive/master.zip
# unzip master.zip
# cd certbot-zimbra-master/
# cp -av certbot_zimbra.sh /usr/local/bin/
Now install the certificate
At this time the script supports installing only one certificate. That is not an issue: you can add all your domains as SAN domains, so only one certificate needs to be installed on this server. You may do it as follows:
# certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
Add a cron job that runs every two days after midnight to check whether the certificate is about to expire and renew it if needed. Create the file /etc/cron.d/zimbracrontab with your favourite editor and add the following line:
0 1 */2 * * root /usr/bin/certbot renew --pre-hook "/usr/local/bin/certbot_zimbra.sh -p" --renew-hook "/usr/local/bin/certbot_zimbra.sh -r"
Now restart the Zimbra email server:
# su - zimbra
# zmcontrol stop
# zmcontrol start
# exit
Now test the SSL certificate at https://mymail.com/.
Isn’t working.
Starting proxy…nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /opt/zimbra/conf/nginx/includes/nginx.conf.lets.conf:2
failed.
Doesn't work. First error: you forgot su - zimbra in the restart zimbra block.
Another error is in the line:
certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
Certbot_zimbra cannot use -n and -d together. Only -n or -d. After removing -d, certbot doesn't know the mymail.com parameter.
I tried to change it into:
certbot_zimbra.sh -n -H mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
All logs look ok, but the certificates in the zimbra server are still old. I tried to run the cron.d job manually. Error:
Attempting to renew cert (mymail.com) from /etc/letsencrypt/renewal/mymail.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
Attempting to renew cert (mail.mymail.com) from /etc/letsencrypt/renewal/mymail.com.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mymail.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/mymail.com/fullchain.pem (failure)
/etc/letsencrypt/live/mail.mymail.com/fullchain.pem (failure)
mymail.com = my real hostname
What is wrong?
Hi, renewal is not working.
Checking if process is listening on port 80 with name “nginx” user “zimbra”
Error: port check failed. If you have overridden the port with --port, a web server to use for letsencrypt authentication of the domain xxxt must be listening on it.
An error seems to have occurred. Please read the output above for clues and try to rectify the situation.
If you believe this is an error with the script, please file an issue at https://github.com/YetOpen/certbot-zimbra.
Hook command “/usr/local/bin/certbot_zimbra.sh -p” returned error code 1
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxx
Cleaning up challenges
Attempting to renew cert (xxx) from /etc/letsencrypt/renewal/xxxt.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for xxxt:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxx/fullchain.pem (failure)
while port 80 is open and I can reach my zimbra over http.
Is there any way to use a port other than 80 for certbot?
I have two nginx installed in the server:
1. Zimbra nginx
2. Ubuntu nginx
The one that is already started is the zimbra nginx. If I follow your instructions with option 1, can I succeed with automatic renewal?
Great post, can you please change the following line in Issuing the cert:
# certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
to
# certbot_zimbra.sh -n -H mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
After the breaking update, -d is now -H.
How can I renew the certificate manually?
After the changes zmconfigd stopped working. Any ideas?
Excellent article, resulted in a few hours of migration, so thanks for that. I ran into 1 issue, the certbot command had to be different for it to work for me:
certbot_zimbra.sh -n -d mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
The -n option cannot be used together with the -d option. I used the command like this, -H for host name:
certbot_zimbra.sh -n -H mymail.com -e smtp.mymail.com -e pop.mymail.com -e imap.mymail.com
Hello Sherin; Thanks for a wonderful tutorial on Letsencrypt fully automated on Zimbra. I would like to point out a change in the certificate deployment, which was introduced in recent update of certbot_zimbra.sh script.
Installing the certificate using the above script needs the -H parameter in place of -d. Also the cron should use -d in place of -r.
These changes are as per the documentation in https://github.com/YetOpen/certbot-zimbra
Hope you will amend these changes and make the tutorial a great success.
Hi, could you update the tutorial?
listen 80 default_server;
= I get a duplicate
My zimbra server name is not a TLD name, it is a common name.
I use:
certbot_zimbra.sh -n -H server1.local -e autodiscover.domain.com
and it does not work.
I wait for your answer... thank you in advance.
Hello,
Your tutorial on SSL certificates for zimbra is good; I created a certificate for my zimbra mail.
But I have an error when I want to renew the certificate.
Attempting to renew cert (emslb.fr) from /etc/letsencrypt/renewal/emslb.fr.conf produced an unexpected error: Error determining zone identifier for emslb.fr: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/. (Are your Application Key and Consumer Key values correct?). Skipping.
Challenge failed for domain mail.emslb.fr
http-01 challenge for mail.emslb.fr
Cleaning up challenges
Attempting to renew cert (mail.emslb.fr) from /etc/letsencrypt/renewal/mail.emslb.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/emslb.fr/fullchain.pem (failure)
/etc/letsencrypt/live/mail.emslb.fr/fullchain.pem (failure)
Could you help me please?
Kind regards
Hello, thanks for your blog. How do I reverse the option 2 steps back to the default? I don't want my mail service to listen on both 80 and 443. Thank you