Installing a Let's Encrypt SSL Certificate - Complete Wiki Steps

jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Sat Dec 05, 2015 5:29 pm


Hi guys,


On the 3rd of December, Let's Encrypt went into Public Beta, which means we can start testing this new way to obtain a free SSL certificate. The companies behind this technology are:



Here at Zimbra, I've tested it in my lab and I didn't see any issues, but I've just tested on one server, with one domain, nothing really huge. As the project mentions, this is a Beta project for now, and you must use it in staging or test servers, but at least you now have the full steps documented.



As usual, we are looking forward to your feedback on issues with this new SSL certificate, your thoughts and ideas, and maybe complex scenarios like Multi-Server and Multi-Domain.


Best regards



Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
pdifeo
Posts: 21
Joined: Sat Sep 13, 2014 3:13 am

Postby pdifeo » Tue Dec 15, 2015 1:10 am

Based on my little experience, the right command is "./letsencrypt-auto certonly --standalone" if a web server is not available for domain validation.
emoulton
Posts: 10
Joined: Fri Sep 12, 2014 10:42 pm

Postby emoulton » Tue Dec 15, 2015 4:25 pm

I've been using a 3rd party client for Let's Encrypt called simp_le for an Apache web server (https://github.com/kuba/simp_le). It's non-interactive, so it can be scripted. Depending on how you set up your scripts and permissions for automating it, you can run it as a non-root user. It does not modify the Apache configuration in any way. I'd like to see if I can get it working for Zimbra; however, it requires the document root path of the web server for the domain ownership verification token. Is there a path in the Zimbra installation directory where the token could be placed? Do any services need to be stopped/restarted before or after the token file is placed there? It expects to find the token file at the following URL: zimbra.example.com/.well-known/<tokenfile>. Any way that this could work with Zimbra?
emoulton
Posts: 10
Joined: Fri Sep 12, 2014 10:42 pm

Postby emoulton » Tue Dec 15, 2015 4:28 pm

I forgot to mention that I'm running the open source edition of Zimbra version 8.0
gusans
Posts: 24
Joined: Thu Sep 25, 2014 9:02 am

Postby gusans » Mon Jan 18, 2016 12:58 pm

I just followed the steps and it worked great on Zimbra open source 8.6.
Now, what if there is one domain, mail.zimbra.com, and additional aliases like imap.zimbra.com, smtp.zimbra.com, pop.zimbra.com?
How can I extend these steps to apply to this case?
Thanks!

kgleason
Posts: 1
Joined: Tue Jan 26, 2016 10:08 am

Postby kgleason » Tue Jan 26, 2016 10:11 am

Thanks for this write up. I followed the steps in the wiki article, but the cert fails validation:



# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem 
** Verifying cert.pem against privkey.pem
Certificate (cert.pem) and private key (privkey.pem) match.
XXXXX ERROR: Invalid Certificate: cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
error 2 at 1 depth lookup:unable to get issuer certificate


Any ideas? I get the same failure with fullchain.pem as well.
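
An added illustration, not part of the original post and not Zimbra's code: OpenSSL reports "error 2 at 1 depth lookup" when the certificate at depth 1 is found in the supplied CA file but that certificate's own issuer is not. The script below reproduces the message with a constructed throwaway PKI; every name and file in it is constructed, and it assumes the check is equivalent to `openssl verify -CAfile chain.pem cert.pem`.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (throwaway keys): Demo Root -> Demo Intermediate -> leaf.
# Assumption: the failing check is equivalent to
#   openssl verify -CAfile chain.pem cert.pem

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_pki() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    # Both CA certificates need basicConstraints CA:TRUE to be usable as issuers.
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr root "Demo Root" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null &&
    new_csr int "Demo Intermediate" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 \
      -extfile ca.ext -days 2 -out int.pem 2>/dev/null &&
    new_csr leaf "mail.example.test" &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 2 \
      -days 2 -out cert.pem 2>/dev/null
  )
}

verify_with() {  # $1 = CA bundle, $2 = certificate; prints openssl's verdict
  openssl verify -CAfile "$1" "$2" 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_pki "$d" || return 1
  cp "$d/int.pem" "$d/chain.pem"                        # intermediate only
  cat "$d/int.pem" "$d/root.pem" > "$d/chain_root.pem"  # intermediate + root
  echo "--- CA file with intermediate only:"
  verify_with "$d/chain.pem" "$d/cert.pem"              # error 2 at depth 1
  echo "--- CA file with intermediate + root:"
  verify_with "$d/chain_root.pem" "$d/cert.pem"         # verifies
  rm -rf "$d"
}

demo
```

Against real files, `openssl x509 -noout -subject -issuer -in chain.pem` shows whether the last certificate in the bundle is self-issued (subject equal to issuer) or still points at an issuer that is absent from the file.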
