Correct way to install letsencrypt? GA 8.8.15

zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Correct way to install letsencrypt? GA 8.8.15

Post by zim_mike »

I have a Centos 7 server running 8.8.15 that needs to have a proper SSL certificate.
The problem is that all of the information I find is different than the next so it's not clear what method would properly work on my server without trashing it.
Can anyone provide a URL to something that clearly explains how to go about this on the system and versions I have.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Correct way to install letsencrypt? GA 8.8.15

Post by phoenix »

Follow the Jim Dunphy thread on how to install the acme script to generate and automatically renew the certificates.

The thread is in the Administrator forum as a sticky, it's been there since 2016. ;) I've been using this for years and had no problems.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: Correct way to install letsencrypt? GA 8.8.15

Post by zim_mike »

Thanks, I'll look for that. I forgot someone told me this before.
Last edited by zim_mike on Sat Feb 04, 2023 4:17 pm, edited 3 times in total.
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: Correct way to install letsencrypt? GA 8.8.15

Post by zim_mike »

BTW, searching above using 'Jim Dunphy acme script' leads to this post only.
I was hoping to find something where I can simply use the 'certbot renew' method once the cert was installed and being used by the zimbra server.
A script, no matter how good, makes me a little nervous as it seems to complicate an otherwise seemingly simple process, at least for web servers :).
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Correct way to install letsencrypt? GA 8.8.15

Post by JDunphy »

zim_mike wrote: The problem is that all of the information I find is different than the next so it's not clear what method would properly work on my server without trashing it.
Can anyone provide a URL to something that clearly explains how to go about this on the system and versions I have.
Any of the methods will work, as installing certificates with Zimbra is well understood and works well once you understand how they use zmcertmgr to validate and also install the certificate. Every script or set of directions does exactly the same thing.

Most people are confused because they don't realize that you need to do 2 things before beginning the LE process.

1) You must choose an ACME protocol client to talk to the Let's Encrypt service. If you need a conceptual model, think about picking an FTP client to talk to an FTP server.
There are hundreds, but certbot (python) and acme.sh (bash) are 2 examples of clients. certbot tends to track LE changes early, which can break Zimbra at times. They moved to default ec-256 certs before acme.sh did, for example; but as reported recently in the forums, that can break new installs and defaults for certificate issue, as zmcertmgr wants RSA certs.
2) You must choose a verification method that the letsencrypt server will use to make sure you control the domain you want the certificate for.

I didn't like certbot because it was overly complicated and installed a lot more software and libraries than I wanted on my zimbra server. I also didn't want to take down the server to issue a certificate so I chose the DNS method of verification. A lot of the clients can do DNS verification but acme.sh also allows one to use CNAMEs which can allow one to have RFC1918 space with valid certificates in an automatic fashion.

Since you are familiar with the self-signed model, these clients are doing this all for you and most likely the same way using openssl. They will create a certificate, send the certificate to a certificate authority (CA) to sign and in some instances (acme.sh) will work with zmcertmgr to verify and install it inside zimbra. For the acme.sh case, the issuing of the certificate and the deployment would be two commands. Once you have a valid certificate, you can install or deploy it. That allows you to make sure everything is perfect before you could "trash it" as you say.

As an example: This is the deploy script that we use for acme.sh https://raw.githubusercontent.com/JimDu ... /zimbra.sh
If you look for the comment "#if it verifies we can deploy it", put a 'return 0' prior to this comment if you are worried and it won't install the certificate but will allow you to test the certificate. If you do that, when you run the acme.sh script after getting a certificate, it is a fairly painless way to have Zimbra verify it to see if everything is good. In other words, you can issue certificates as often as you need and do this to see if Zimbra will like the certificate by running this command.

Code:

# su - zimbra
% cd .acme.sh
% ./acme.sh --deploy --deploy-hook zimbra -d mail.example.com
So ...

If you want to use the DNS method for verification which is what a lot of us use with zimbra since we don't like taking an outage while getting a certificate, take a look at this link: https://github.com/acmesh-official/acme ... ter/dnsapi
It contains a list of all the DNS providers that the acme.sh (bash script) can use. If you are old school and operate your own DNS zones with bind or something else, it can handle that too for DNS, but to make this less complicated, I won't mention how. If you prefer to use another client like certbot, then it will have something similar like DNS validation and a list of hooks to make this transparent when using the client.

So in summary... provided you had acme.sh installed and modified account.conf with the API keys for your DNS provider, you would do this to issue your certificate once you had installed acme.sh and reset the proper defaults so that Zimbra can use the certificate by default. All the clients need to do this once, but the options are fairly close with all of them.

Code:

# su - zimbra
% cd .acme.sh
% ./acme.sh --issue --keylength 2048 --dns dns_cf -d mail.example.com -d mail.example.net -d ...
# Note: this keylength addition is new to me as certbot and acme.sh now default to ec-256 certificates and zmcertmgr can't handle them.
Ref: viewtopic.php?f=15&t=60781&start=140

As for the deployment and Zimbra verification, we showed that above.

It really is fairly simple once you get the client installed and defaults set up. In fact, the renewal is done automatically and installed with cron already as part of the installation with acme.sh. You can do it by hand too, which does both steps and is what is installed in cron when you install acme.sh:

Code:

"/opt/zimbra/.acme.sh"/acme.sh --cron --home "/opt/zimbra/.acme.sh"
One last thing... You are not going to trash your system, but say it didn't restart. You will install a new self-signed certificate or fix whatever issue you had with LE and install the certificate. Where people go wrong is not issuing the LE certificate with the proper options, followed closely by not adding the root anchor cert, as zmcertmgr will walk the trust tree too. zmcertmgr uses the openssl command to do all the work. That deploy script with acme.sh takes care of this so it's hidden from you.

HTH,

Jim
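Added example (not part of the thread, acme.sh or Jim's zimbra.sh hook): a small pre-flight script that runs the same openssl checks zmcertmgr trips over according to this thread, so you can reject an ec-256 key, a key/cert mismatch or a broken chain before handing anything to "acme.sh --deploy". The file paths are arguments; the CA file is the root anchor (with intermediates appended) you intend to give zmcertmgr, and the acme.sh directory layout in the trailing comment is an assumption.

```shell
#!/bin/sh
# Pre-flight check for a Let's Encrypt certificate destined for Zimbra.
# Added example, not acme.sh or zimbra.sh code. It confirms three things
# the thread says zmcertmgr's openssl-based verification rejects:
# a non-RSA (ec-256) key, a key that does not match the certificate,
# and a chain that does not verify up to a root anchor.

# 0 if the private key is RSA. RSA keys print a "modulus:" line under
# -text; EC keys print "priv:"/"pub:" and an ASN1 OID instead.
key_is_rsa() {
  openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q '^modulus:'
}

# 0 if the certificate's public key equals the one derived from the key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf verifies against CA_FILE (root anchor, optionally with the
# intermediates appended), the same trust walk zmcertmgr does with openssl.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CERT KEY CA_FILE: prints every failing check, returns 0 only
# when all three pass.
preflight() {
  cert=$1; key=$2; ca=$3; rc=0
  if ! key_is_rsa "$key"; then
    echo "FAIL: $key is not an RSA key (reissue with --keylength 2048)"; rc=1
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "FAIL: $cert does not match $key"; rc=1
  fi
  if ! chain_verifies "$cert" "$ca"; then
    echo "FAIL: $cert does not chain to the anchor(s) in $ca"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert is ready for acme.sh --deploy"
  return "$rc"
}

# Assumed acme.sh layout (~zimbra/.acme.sh/<domain>/): run as the zimbra user
#   D=/opt/zimbra/.acme.sh/mail.example.com
#   preflight "$D/mail.example.com.cer" "$D/mail.example.com.key" "$D/ca.cer"
```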
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: Correct way to install letsencrypt? GA 8.8.15

Post by zim_mike »

Hi Jim,

That's an amazing write up so thank you for that. FYI, I wasn't trashing your method, just asking if there was a newer method in case there is :).
By trashing, I mean that sometimes it's easy to get your system messed up so it won't start and that usually causes between minutes and hours of down time.
I've had it happen a few times since I've been running Zimbra but always found a way to get it back again which is great.

Yes, I do run my own DNS servers. I'll review everything you said and give it a try in the next while.

BTW, I have around 15 domains on the server. Should I be getting certs for each domain? The information I've found on the net is all over the place, older, newer and it becomes unclear after a while what one should try. I usually backup the system before I play with it but if it had a chance to run and mail flowed, then the backup becomes somewhat pointless.

We've always used the Zimbra desktop client and the other day, I had to set up a Thunderbird client. I had never seen the errors before using the Zimbra client but TB brought up some things that made me think something is not right on the server; viewtopic.php?f=15&t=71640&p=308089#p308089

The system is used only to send and receive sign up emails and internal emails. We don't have any public users on the system so spamming from the system is not something that should happen but almost all emails that go out end up in the spam/junk boxes of receivers. I figured maybe it's related to not having a real cert.
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Correct way to install letsencrypt? GA 8.8.15

Post by JDunphy »

I understood trash to mean the system... Zimbra is complex and nothing scarier when it won't start.

DNS is going to be a problem if you do not have an automatic DNS method to add/delete those TXT records. I have manual zones that I maintain myself too, but I have a domain on Cloudflare that I use for this. So for those zone files you would have an entry like this pointing to a domain that does have an API interface. You can also do this with bind and there is a hook there too, but I find the challenge-alias easy for my usage.

Code:

_acme-challenge.example.com.       IN CNAME _acme-challenge.domainThatHasAPI.com.
Then when I issue the certificate, I do:

Code:

./acme.sh --issue --keylength 2048 --challenge-alias domainThatHasAPI.com --dns dns_cf -d example.com -d mail.example.com -d mail.example.net -d mail.example.org -d ...
I think it is simpler to use SAN (subject alternative names), so keep adding -d .. -d .. when you issue the certificate for all of them. I think the limit is fairly high and 15 isn't a lot.

If the DNS seems too complicated, look into the other verification methods but you will need to be aware that the acme client will want to listen on port 80 or 443 depending on method chosen or want something placed in a known location. That can mean bringing down the proxy to issue the certificate since in some verification methods the acme client will be the web server for certificate issue. There are scripts that try to automate this step for zimbra.

PS... you might be able to modify that Zimbra hook for Zimbra deployment for acme.sh so that it reloads vs a complete system restart (stop/start). postfix/nginx/ldap all appear to support 'reload' but mailboxd doesn't that I know of. Note: I have never used the keylength option but others reported it was necessary with version 3.0.6 of acme.sh to get RSA certs, so I am adding it to the issue above.

Good Luck.

Jim