[SOLVED] Zimbra 8.7 and letsencrypt ssl

amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

[SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by amatu »

Hi everyone!

In Zimbra 8.6 and older, the Let's Encrypt SSL installation is simple and normal, but in the new Zimbra 8.7, the zmcertmgr utility always reports this:
zmcertmgr: ERROR: no longer runs as root!
when I verify or deploy. Please check it!!

Thanks everyone!
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Zimbra 8.7 and letsencrypt ssl

Post by DualBoot »

Just read the message; changing to the zimbra user should do the trick. :lol:
The Guy - DualBoot

PostMaster - WikiMaster - SysAdmin
"Free Your Mind. Think Open Source"
april.org
Zetalliance Member - zetalliance.org
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra 8.7 and letsencrypt ssl

Post by jorgedlcruz »

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by amatu »

Hi jorgedlcruz and DualBoot!

Thanks guys, I will check and confirm :lol:
amatu
Posts: 7
Joined: Fri Jul 15, 2016 4:54 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by amatu »

The case is solved! Deployed and confirmed!! Thanks all!
MisterM74
Posts: 31
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by MisterM74 »

Hello
Does this also work with a multi-domain solution?
*.domain.com

Mz
Version Used.
Release 10.0.7.GA.4518.RHEL8_64.20230301065514 NETWORK edition.
rspamd integrated antispam
v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by v1rtu4l »

If those certificates expire after 90 days, how would you automate the renewal? It is not of much use if you need to renew by hand every few months.

Sent from my SM-N910F using Tapatalk
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by jorgedlcruz »

Hello MisterM74,
You have two ways to go from here:
  • Follow the Wiki steps, but then run this command to have Multi-SAN, not Wildcard, as Let's Encrypt doesn't work with Wildcard -

    ./letsencrypt-auto certonly --standalone -d fqdn1 -d fqdn2
  • Run the command for all the domains you need, for example mail.domain.com mail2.domain.net client3.domain.org

    ./letsencrypt-auto certonly --standalone -d mail.domain.com
    ./letsencrypt-auto certonly --standalone -d mail2.domain.net
    ./letsencrypt-auto certonly --standalone -d client3.domain.org

    And then use the new SSL SNI to assign each certificate to the proper domain - https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS
The first method is easier, and because you need to renew the SSL certificate every three months it will save you time, but all the domains remain exposed when people search for your SSL certificate. The second one is better, as each domain has its own SSL certificate, but because you want to use Let's Encrypt you need to renew each one every three months :)

Start another thread if you want more information; this topic, for one domain, is solved.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
MisterM74
Posts: 31
Joined: Sat Jul 16, 2016 3:09 pm
ZCS/ZD Version: Release 8.8.9_GA_2055.RHEL7_64_2018

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by MisterM74 »

Hello
I understand that it is the longevity of this certificate?
Thank you for the details of the response, I have taken note.
Thank you
Mz
Version Used.
Release 10.0.7.GA.4518.RHEL8_64.20230301065514 NETWORK edition.
rspamd integrated antispam
v1rtu4l
Posts: 36
Joined: Tue Jun 28, 2016 3:04 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by v1rtu4l »

Just as a little note and warning: if you use the steps described in the Wiki and your hostname FQDN does not match the public domain name (which is pretty much always the case), after deployment of the Let's Encrypt certificates the LDAP server will fail to connect, since it somehow expects the local LDAP server to be resolvable on the public domain name. Even after fixing this by adding an entry to the hosts file it failed to connect to the local LDAP server, hence Zimbra did not start anymore. Fortunately I had a snapshot I could revert to.

Sent from my SM-N910F using Tapatalk
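
A pre-deployment check for the hostname mismatch described in the post above, together with the zimbra-user requirement and the 90-day expiry raised earlier in the thread. It is an added example, not code from any post here or from the Zimbra wiki. It assumes `openssl` and Zimbra's `zmhostname` are on the PATH; the function names, the 30-day default and the wildcard handling (which the thread's certificates do not use) are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): checks to run before deploying a certificate.

# Constructed sample of the SAN lines printed by `openssl x509 -noout -text`.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:mail.domain.com, DNS:mail2.domain.net'

# Read `openssl x509 -text` output on stdin, print one SAN DNS name per line.
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Succeed if hostname $1 matches a SAN name read from stdin (case-insensitive).
# A wildcard entry such as *.domain.com covers exactly one left-most label.
host_covered() {
    local host name
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$name" = "$host" ]; then return 0; fi
        case "$name" in
            '*.'*) if [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${name#??}" ]; then
                       return 0
                   fi ;;
        esac
    done
    return 1
}

# Pre-flight for one certificate file (path in $1, minimum remaining days in $2).
preflight() {
    local cert="$1" min_days="${2:-30}" zhost
    if [ "$(id -un)" != "zimbra" ]; then
        echo "run as the zimbra user, not root" >&2; return 2
    fi
    zhost=$(zmhostname) || return 2
    if ! openssl x509 -in "$cert" -noout -text | san_names | host_covered "$zhost"; then
        echo "certificate does not cover Zimbra hostname $zhost" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days" >&2; return 1
    fi
    echo "ok: $cert covers $zhost and is valid for at least $min_days more days"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit from `preflight` is the signal to stop before deploying; the same expiry check can be scheduled to flag certificates that are close to their 90-day limit.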