Want to install Let’s Encrypt for the Zimbra mail server?

Protecting email is vital for both users and businesses.

An SSL connection encrypts the email traffic.

Let’s Encrypt is an automated certificate authority that issues SSL certificates free of charge.

Its main purpose is to allow people to encrypt their internet traffic at no cost, easily, and automatically.

The certificate is valid for 90 days, during which renewal can take place at any time.

Our customers widely use Let’s Encrypt to protect Zimbra mail.

Let us discuss how our Support Engineers install a Let’s Encrypt certificate for the mail server.


Zimbra Let’s Encrypt: how to install it

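First, we stop the Jetty or Nginx service at the Zimbra level. The standalone mode used below starts its own temporary web server, so the web ports must be free. We switch to the zimbra user with a login shell and stop the services using the commands

su - zimbra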
zmproxyctl stop
zmmailboxdctl stop

After stopping the services, we exit from the zimbra user.

Next, we clone the Let’s Encrypt client repository using the command

git clone https://github.com/letsencrypt/letsencrypt

If git is not installed on the server, we install it using the command

yum install git

Now we move into the letsencrypt folder and run Let’s Encrypt in auto mode with the certonly option.

cd letsencrypt
./letsencrypt-auto certonly --standalone

Once all the dependencies are downloaded for Let’s Encrypt, a prompt window appears. We enter the email address.

Then we agree to the terms of service and enter the fully qualified domain name (FQDN).

The certificate files are now present at the location /etc/letsencrypt/live/domainname:

cert.pem is the certificate
chain.pem is the chain
fullchain.pem is the concatenation of cert.pem and chain.pem
privkey.pem is the private key

Next, we need to add the root CA to the chain.pem file. We take the root certificate and merge it into chain.pem, adding it after the existing contents of the chain file.


Verify the Let’s Encrypt certificate for Zimbra mail

The next step is to verify the Let’s Encrypt certificate. To do this, we first create a folder at the following location.

mkdir /opt/zimbra/ssl/letsencrypt

Next, we copy the certificate to the newly created folder.

cp /etc/letsencrypt/live/domainname/* /opt/zimbra/ssl/letsencrypt/

Then we change the ownership of the certificate files to the zimbra user using the command

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
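
As an added example (not part of the original article), the script below carries out the staging steps above: it copies the files out of the live/ folder, merges a root CA file into the staged chain.pem exactly once, and checks that privkey.pem is not accessible to group or others. The function names and the root.pem argument are assumptions, as is appending the root to the staged copy rather than to the file under /etc/letsencrypt; the chown step above still applies afterwards.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Usage: sh stage.sh /etc/letsencrypt/live/domainname /opt/zimbra/ssl/letsencrypt root.pem

# Number of PEM certificate blocks in a file.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Append the root CA to chain.pem exactly once, keeping PEM boundaries intact.
append_root() {
    chain=$1 root=$2
    # Compare base64 bodies only, so CRLF or spacing differences do not matter.
    body=$(grep -v -- '-----' "$root" | tr -d ' \r\n')
    [ -n "$body" ] || { echo "no certificate data in $root" >&2; return 1; }
    if tr -d ' \r\n' < "$chain" | grep -qF -- "$body"; then
        return 0                      # already merged; do not duplicate it
    fi
    # A chain file without a final newline would fuse the END and BEGIN markers.
    [ -z "$(tail -c 1 "$chain")" ] || printf '\n' >> "$chain"
    tr -d '\r' < "$root" >> "$chain"
}

# Copy what zmcertmgr needs. live/ holds symlinks, so dereference them (-L),
# and create the copies owner-only so the key is never briefly world-readable.
stage_certs() (
    mkdir -p "$2" || exit 1           # directory keeps the normal umask
    umask 077
    for f in cert.pem chain.pem privkey.pem; do
        cp -L "$1/$f" "$2/$f" || exit 1
    done
    chmod 600 "$2/privkey.pem"        # also tightens a pre-existing loose copy
)

# Return non-zero if the key is open to group/other or the chain is too short.
check_staged() {
    perms=$(ls -ld "$1/privkey.pem" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "privkey.pem is group/world accessible" >&2; return 1; }
    # Assumption: at least one intermediate plus the appended root.
    [ "$(cert_count "$1/chain.pem")" -ge 2 ] || { echo "chain.pem incomplete" >&2; return 1; }
}

if [ "$#" -eq 3 ]; then
    stage_certs "$1" "$2" && append_root "$2/chain.pem" "$3" && check_staged "$2"
fi
```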

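Now we verify the commercial certificate with zmcertmgr. The file names in the command are relative, so we run it from the /opt/zimbra/ssl/letsencrypt folder.

For version 8.7 and above, we execute the command as the zimbra user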

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

For version 8.6 and below, we execute the command as the root user

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem


Deploy the Let’s Encrypt SSL certificate for Zimbra mail

Before we proceed with deployment, we take a backup of the SSL folder.

Now we copy the private key to the Zimbra SSL commercial path

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

To deploy the SSL certificate in version 8.7 and above, we run the command as the zimbra user.

To deploy the SSL certificate in version 8.6 and below, we run the command as the root user.

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Finally, we restart the services, which starts the Nginx or Jetty service we stopped before the installation.

zmcontrol restart

We then test that SSL works from the web browser.


Errors when installing Let’s Encrypt

We usually see errors when installing Let’s Encrypt on a server where Varnish cache is installed. To resolve the error, we stop the Varnish cache service during the installation. We use the command

service varnish stop

After the installation, we start the service again.



In short, we discussed the installation of a Let’s Encrypt certificate. We also saw how our Support Engineers set up a Let’s Encrypt certificate for the Zimbra server.

