Files to automate the deployment process of Let's Encrypt certificates to Zimbra Collaboration Suite
Files to automate the deployment of letsencrypt certificates to Zimbra.
You will probably find these files useful when you want to replace your self-signed Zimbra certificate with a letsencrypt-signed one and automate the renewal of the certificate.
Start with the Setup manual below and the help message of the script:
`letsencrypt-zimbra.sh -h`
Enjoy open-source and encryption!
zimbra user
The script will perform following steps:
`-d` and `-f` options
`certbot` (in standalone mode) and use generated request
See the help message of the script (`-h`), example config file (`letsencrypt-zimbra.cfg.example`) and the code itself for more details.
Install certbot
Please follow the official instructions for your distribution.
For example, on Ubuntu bionic:
Install pip3
apt install python3-pip
Install `certbot` pip package
pip3 install certbot cryptography~=3.3.0 pyOpenSSL~=19.1.0 zope.interface~=5.4
Clone this repository
git clone https://github.com/VojtechMyslivec/letsencrypt-zimbra.git /opt/letsencrypt-zimbra
Create and edit config file
Copy the example file
cp /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg{.example,}
Configure your e-mail and server common names in `/opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg`
Add sudo privileges to 'zimbra' user to run certbot
Copy prepared sudoers config:
cp configs/sudoers.conf /etc/sudoers.d/zimbra_certbot
Test the sudo privilege for 'zimbra' user (no password should be needed)
sudo -Hu zimbra sudo /usr/local/bin/certbot -h
Run the script to obtain certificate
sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -v
Use the `-t` option to run a test (see below)
Configure the cron job
cp configs/cron.conf /etc/cron.d/letsencrypt-zimbra
Check `/etc/cron.d/letsencrypt-zimbra` if it meets your system requirements
If you need to edit the list of domain names in your already-deployed certificate:
Update the list of domain names in the `common_name` variable in `letsencrypt-zimbra.cfg`
Run the script interactively with an extra `-f` (force renew) option:
sudo -Hiu zimbra /opt/letsencrypt-zimbra/letsencrypt-zimbra.sh -vf
The Let's Encrypt authority enforces rate limits. The best practice is to test the configuration and script against the staging environment, where rate limits are much more lenient. Certificates issued by this staging environment are signed with (STAGING) Pretend Pear X1 CA and so they are not trusted.
To use this environment, use the `-t` option when running `letsencrypt-zimbra.sh`.
A verbose option `-v` is also recommended to see informational messages about what the script is doing.
When the script has successfully deployed a staging cert, run the script again with `-f` to force renew the cert with the Let's Encrypt trusted CA.
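A check that can follow the staging test above, so that an untrusted `(STAGING)` certificate is not left deployed after the forced renewal is skipped or fails. This is an added example, not part of the repository; the function names `is_staging_issuer` and `cert_status`, the 30-day default and the certificate path passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the letsencrypt-zimbra repository).
# Classifies a PEM certificate as staging / expiring / ok using openssl.

# Return 0 when the issuer string carries the "(STAGING)" marker that
# Let's Encrypt staging CAs such as "(STAGING) Pretend Pear X1" use.
is_staging_issuer() {
    case "$1" in
        *"(STAGING)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_status CERT_PEM [MIN_DAYS]
# Prints one word and sets the exit status:
#   ok          (0)  trusted-looking issuer, valid longer than MIN_DAYS
#   staging     (1)  issued by the staging environment, not trusted
#   expiring    (1)  expires within MIN_DAYS (default 30, an assumption)
#   unreadable  (2)  file missing or not a certificate
cert_status() {
    cert=$1
    min_days=${2:-30}
    issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || {
        echo "unreadable"
        return 2
    }
    if is_staging_issuer "$issuer"; then
        echo "staging"
        return 1
    fi
    # -checkend exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "expiring"
        return 1
    fi
    echo "ok"
}

# When run with arguments, check the given certificate file, e.g. from cron:
#   check-cert.sh <path-to-deployed-certificate.pem> 30
[ "$#" -eq 0 ] || cert_status "$@"
```

A non-zero exit status lets a cron job or monitoring check alert when the deployed certificate is a staging one or is close to expiry.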