[SOLVED] Zimbra 8.7 and letsencrypt ssl

amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

[SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby amatu » Fri Jul 15, 2016 5:03 pm

Hi everyone!

In Zimbra 8.6 and older, the Let's Encrypt SSL installation is simple and normal, but in the new Zimbra 8.7, the zmcertmgr utility always gives a notification like this:
zmcertmgr: ERROR: no longer runs as root!
when I verify or deploy. Please check it!!

Thanks everyone!


DualBoot
Elite member
Posts: 1081
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Mutli servers

Re: Zimbra 8.7 and letsencrypt ssl

Postby DualBoot » Fri Jul 15, 2016 7:40 pm

Just read the message; changing to the zimbra user should do the trick. :lol:
The Guy - DualBoot

PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra 8.7 and letsencrypt ssl

Postby jorgedlcruz » Sat Jul 16, 2016 3:06 am

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby amatu » Sat Jul 16, 2016 10:53 am

Hi jorgedlcruz and DualBoot !

Thanks guys, I will check and confirm :lol:
amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby amatu » Sat Jul 16, 2016 2:51 pm

The case is solved! Deployed and confirmed!! Thanks all!
MisterM74
Posts: 26
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby MisterM74 » Sat Jul 16, 2016 3:23 pm

Hello
Does this also work with a multi-domain solution?
*.domain.com

Mz
Version Used.
Release 8.7.0.GA.1659.UBUNTU UBUNTU 16.64 16 64 FOSS edition.
Zextras License.
v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby v1rtu4l » Sat Jul 16, 2016 7:40 pm

If those certificates expire after 90 days, how would you automate the renewal? It is not of much use if you would need to renew by hand every few months.

Sent from my SM-N910F using Tapatalk
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby jorgedlcruz » Sat Jul 16, 2016 7:45 pm

Hello MisterM74,
You have two ways to go from here:
  • Follow the Wiki steps, but then run this command to have Multi-SAN, not Wildcard, as Let's Encrypt doesn't work with Wildcard:

    ./letsencrypt-auto certonly --standalone -d fqdn1 -d fqdn2
  • Run the command for all the domains you need, for example mail.domain.com mail2.domain.net client3.domain.org

    ./letsencrypt-auto certonly --standalone -d mail.domain.com
    ./letsencrypt-auto certonly --standalone -d mail2.domain.net
    ./letsencrypt-auto certonly --standalone -d client3.domain.org

    And then use the new SSL SNI to assign each certificate to the proper domain - https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS

The first method is easier, and because you need to renew the SSL every three months it will save you time, but all the domains remain exposed when people search for your SSL certificate. The second one is better, as each domain has its own SSL certificate, but because you want to use Let's Encrypt you need to renew each one every three months :)

Start another thread if you want more information, this topic, for one domain, is solved
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
MisterM74
Posts: 26
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby MisterM74 » Sun Jul 17, 2016 7:15 am

Hello
I understand that it is the longevity of this certificate?
Thank you for the details of the response, I have taken note.
Thank you
Mz
Version Used.
Release 8.7.0.GA.1659.UBUNTU UBUNTU 16.64 16 64 FOSS edition.
Zextras License.
v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Postby v1rtu4l » Sun Jul 17, 2016 8:52 pm

Just as a little note and warning: if you use the steps described in the Wiki and your hostname FQDN does not match the public domain name (which is pretty much always the case), after deployment of the Let's Encrypt certificates the LDAP server will fail to connect, since it somehow expects the local LDAP server to be resolvable on the public domain name. Even after fixing this by adding an entry to the hosts file it failed to connect to the local LDAP server, hence Zimbra did not start anymore. Fortunately I had a snapshot I could revert to.

Sent from my SM-N910F using Tapatalk
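
A pre-deployment check for the two points raised above (the names a Multi-SAN certificate exposes, and a server hostname the certificate does not cover), as an added example that is not part of any post in this thread. The function names are hypothetical, the LDAP failure is assumed to be a TLS name mismatch against the name `zmhostname` prints, and the wildcard handling goes beyond what the thread discusses.

```shell
#!/usr/bin/env bash
# Added example (not from the thread); function names are hypothetical.
# Input is the SAN line of `openssl x509 -noout -text`, e.g. "DNS:a.example, DNS:b.example".

# Print each DNS name from a SAN line, one per line, lower-cased.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# Return 0 if host $2 is covered by SAN line $1: exact match, or a wildcard
# entry (*.domain.com) that matches exactly one leftmost label.
san_covers_host() {
    local host name rest
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$host" ] || return 1
    rest=${host#*.}                      # host without its first label
    while IFS= read -r name; do
        if [ "$name" = "$host" ]; then return 0; fi
        if [ "$rest" != "$host" ] && [ "$name" = "*.$rest" ]; then return 0; fi
    done <<EOF
$(san_names "$1")
EOF
    return 1
}

# Read the SAN line from a PEM certificate file (requires openssl).
cert_san_line() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# List the names the certificate exposes, then fail when the server's own
# hostname is missing (assumed cause of the LDAP failure described above).
check_cert_for_host() {
    local san; san=$(cert_san_line "$1")
    [ -n "$san" ] || { echo "no SAN found in $1" >&2; return 2; }
    echo "Names visible to anyone who inspects this certificate:"
    san_names "$san" | sed 's/^/  /'
    if san_covers_host "$san" "$2"; then
        echo "OK: $2 is covered"
    else
        echo "MISMATCH: $2 is not in the certificate" >&2
        return 1
    fi
}

# Usage, as the zimbra user: ./check.sh <cert.pem> "$(zmhostname)"
if [ "$#" -eq 2 ]; then check_cert_for_host "$1" "$2"; fi
```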
