So paste this into your ~/.acme.sh/deploy directory as zimbra.sh
Code:
#!/bin/bash
# Zimbra Assumptions:
# 1) acme.sh is installed as the zimbra user
# 2) see: https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt
######## Public functions #####################
# Called by acme.sh as: zimbra_deploy domain keyfile certfile cafile fullchain
zimbra_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # Zimbra's Java keystore still needs DST Root CA X3 to verify on some versions
  _IdentTrust="$(dirname "$_cca")/../IdentTrust.pem"
  _debug _IdentTrust "$_IdentTrust"

  # grab it if we don't have it; drop the partial file on failure so the
  # next run does not skip the download
  if [ ! -f "$_IdentTrust" ]; then
    _debug No "$_IdentTrust"
    wget -q "https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem" -O "$_IdentTrust" \
      || { rm -f "$_IdentTrust"; return 1; }
  fi

  # append the root to the intermediate chain
  cat "$_cfullchain" "$_IdentTrust" > "${_cca}.real"
  /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "${_cca}.real" || return 1

  # if it verifies we can deploy it
  logger -p local2.info NETWORK "Certificate has been Renewed for $_cdomain"
  cp -f "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key
  /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "${_cca}.real" || return 1

  # %%% ldap wasn't being restarted, leading to failed communication later on
  # if we hadn't done a full restart. Adding only an ldap restart was not tested.
  # Reload is a restart where Zimbra doesn't define a reload, except for ldap,
  # for which they didn't provide a reload at all.
  #/opt/zimbra/bin/ldap restart
  #/opt/zimbra/bin/zmmailboxdctl reload
  #/opt/zimbra/bin/zmproxyctl reload
  #/opt/zimbra/bin/zmmtactl reload
  /opt/zimbra/bin/zmcontrol restart
  return 0
}
You would then deploy your new certs like this, but because you had to run this as root, double-check that zimbra has read permission to the folder or chown the ownership.
Code:
# su - zimbra
%
Code:
# ./.acme.sh/acme.sh --issue --standalone -d mymail.DOMAIN.COM
# cd .acme.sh
# chown -R zimbra:zimbra mymail.DOMAIN.COM   # give the zimbra user ownership of the cert directory
# ./.acme.sh/acme.sh --deploy --deploy-hook zimbra -d mymail.DOMAIN.COM
Code:
# su - zimbra
% "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh"
The problem you are going to have is that listening on port 80 requires root, and you need to install the certs as zimbra, so you will need to compensate for this; the above would not renew automatically as I have typed it. What I do is use the challengeAlias, because one of my domains is handled by me directly and doesn't have a DNS API... Get any domain and put it with Cloudflare or another DNS provider that has an API and is supported by acme.sh. I use Cloudflare, as pricing is wholesale cost for .com's, $8 or so.... I then use this domain for any other domains we have to support. The only thing we do is add a CNAME entry for the "real" domains that we manage ourselves that points to this Cloudflare domain that we are using the challengeAlias with. You would also add your API keys the first time to the account.conf so the Cloudflare script dns_cf has permission to add/delete TXT records.
The advantage of the DNS method is that I don't have to take an outage with Zimbra while you are trying to verify the certificate, and you can do it as the zimbra user; acme.sh will just work, automatically renewing every 60 days with a new cert and installation. So my process looks like this the first time, after setting up that CNAME for example.com and example2.com pointing to gsans1.com (BIND syntax below):
Code:
; letsencrypt - dns alias
; zimbra
_acme-challenge IN CNAME _acme-challenge.gsans1.com.
_acme-challenge.mail IN CNAME _acme-challenge.gsans1.com.
_acme-challenge.tmail IN CNAME _acme-challenge.gsans1.com.
Code:
# su - zimbra
% cd ~/.acme.sh
% ./acme.sh --issue --dns dns_cf --challenge-alias gsans1.com -d mail.example.com -d mail.example2.com
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
Code:
% "/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh"
HTH,
Jim
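As an added example (not part of Jim's post or of acme.sh), the helper below generates the `_acme-challenge` CNAME records the challenge-alias method needs for any list of hostnames and checks that a resolved CNAME target really points at the alias domain, so a mis-typed delegation is caught before `acme.sh --issue` fails. It assumes gsans1.com as the alias domain from the post; the function names are this example's own.

```shell
#!/bin/bash
# Added example: build and verify the challenge-alias CNAME delegation.

# Print BIND-style CNAME records that delegate the ACME challenge of each
# host to the alias domain. Usage: acme_alias_records ALIAS HOST [HOST...]
acme_alias_records() {
  local alias_dom="$1"; shift
  local host
  for host in "$@"; do
    # trailing dots make both names fully qualified inside a zone file
    printf '_acme-challenge.%s. IN CNAME _acme-challenge.%s.\n' "$host" "$alias_dom"
  done
}

# Return 0 when TARGET (a CNAME target as returned by the resolver) is the
# challenge name of ALIAS, ignoring case and the optional trailing dot.
acme_alias_target_ok() {
  local alias_dom="$1" target="$2"
  local want
  want="$(printf '_acme-challenge.%s' "$alias_dom" | tr 'A-Z' 'a-z')"
  target="$(printf '%s' "${target%.}" | tr 'A-Z' 'a-z')"
  [ -n "$target" ] && [ "$target" = "$want" ]
}

# Live check with dig (needs network; not exercised by the test): resolves
# the challenge CNAME of each host and reports any that do not delegate.
acme_alias_check_live() {
  local alias_dom="$1"; shift
  local host target rc=0
  for host in "$@"; do
    target="$(dig +short CNAME "_acme-challenge.${host}" | head -n1)"
    if acme_alias_target_ok "$alias_dom" "$target"; then
      echo "ok   _acme-challenge.${host} -> ${target}"
    else
      echo "FAIL _acme-challenge.${host} -> '${target:-<none>}' (expected _acme-challenge.${alias_dom}.)"
      rc=1
    fi
  done
  return $rc
}
```

Run `acme_alias_check_live gsans1.com mail.example.com mail.example2.com` as the zimbra user before the first `--issue`; a non-zero exit means the CNAME for that host is missing or points elsewhere.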