
[SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Fri Jul 15, 2016 5:03 pm
by amatu
Hi everyone!

In Zimbra 8.6 and older, the Let's Encrypt SSL installation is simple and normal, but in the new Zimbra 8.7, the zmcertmgr utility always reports this:
zmcertmgr: ERROR: no longer runs as root!
when I verified or deployed. Please check it!

Thanks everyone!

Re: Zimbra 8.7 and letsencrypt ssl

Posted: Fri Jul 15, 2016 7:40 pm
by DualBoot
Just read the message; changing to the zimbra user should do the trick. :lol:

Re: Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 3:06 am
by jorgedlcruz

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 10:53 am
by amatu
Hi jorgedlcruz and DualBoot!

Thanks guys, I will check and confirm :lol:

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 2:51 pm
by amatu
The case is solved! Deployed and confirmed! Thanks all!

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 3:23 pm
by MisterM74
Hello
Does this also work with a multi-domain solution?
*.domain.com

Mz

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 7:40 pm
by v1rtu4l
If those certificates expire after 90 days, how would you automate the renewal? It is not of much use if you need to renew by hand every few months.

Sent from my SM-N910F using Tapatalk

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sat Jul 16, 2016 7:45 pm
by jorgedlcruz
Hello MisterM74,
You have two ways to go from here:
  • Follow the Wiki steps, but then run this command to have Multi-SAN, not Wildcard, as Let's Encrypt doesn't work with Wildcard:

    ./letsencrypt-auto certonly --standalone -d fqdn1 -d fqdn2

  • Run the command for all the domains you need, for example mail.domain.com mail2.domain.net client3.domain.org

    ./letsencrypt-auto certonly --standalone -d mail.domain.com
    ./letsencrypt-auto certonly --standalone -d mail2.domain.net
    ./letsencrypt-auto certonly --standalone -d client3.domain.org

    And then use the new SSL SNI to assign each certificate to the proper domain - https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS

The first method is easier, and because you need to renew the SSL every three months it will save you time, but all the domains remain exposed when people search for your SSL certificate. The second one is better, as each domain has its own SSL certificate, but because you want to use Let's Encrypt you need to renew each one every three months :)

Start another thread if you want more information; this topic, for one domain, is solved.

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sun Jul 17, 2016 7:15 am
by MisterM74
Hello
I understand that it is the longevity of this certificate?
Thank you for the details of the response, I have taken note.
Thank you
Mz

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Posted: Sun Jul 17, 2016 8:52 pm
by v1rtu4l
Just as a little note and warning: if you use the steps described in the wiki and your hostname FQDN does not match the public domain name (which is pretty much always the case), after deployment of the Let's Encrypt certificates the LDAP server will fail to connect, since it somehow expects the local LDAP server to be able to be resolved on the public domain name. Even after fixing this by adding an entry to the hosts file, it failed to connect to the local LDAP server, hence Zimbra did not start anymore. Fortunately I had a snapshot I could revert to.

Sent from my SM-N910F using Tapatalk
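
Added example, not part of any post in this thread: a shell check for the mismatch v1rtu4l describes, listing which hostnames a certificate's SAN list does not cover before the certificate is deployed. The function names, the sample certificate text and the `zimbra01.internal.lan` hostname are constructed for illustration, and the wildcard branch goes beyond what the thread discusses.

```sh
#!/bin/sh
# Pre-deployment check: which hostnames are NOT covered by a certificate?
# Real use (cert.pem is a placeholder path; zmhostname is Zimbra's utility
# that prints the server hostname):
#   uncovered_hosts "$(openssl x509 -in cert.pem -noout -text)" "$(zmhostname)"

# Read `openssl x509 -noout -text` output on stdin, print one SAN DNS name per line.
san_names() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr 'A-Z' 'a-z'
}

# Return 0 if hostname $1 matches any certificate name read from stdin.
# A leading "*." matches exactly one left-most label, never the bare parent.
name_covered() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r name; do
        [ "$name" = "$host" ] && return 0
        case "$name" in
            '*.'*)
                parent=${host#*.}
                if [ "$parent" != "$host" ] && [ "$parent" = "${name#??}" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# $1 = certificate text, remaining args = hostnames; prints the uncovered ones.
uncovered_hosts() {
    names=$(printf '%s\n' "$1" | san_names)
    shift
    for h in "$@"; do
        printf '%s\n' "$names" | name_covered "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample: the SAN section as openssl prints it for a Multi-SAN cert.
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:mail.domain.com, DNS:mail2.domain.net'

# Demo: the public names are covered, the internal server hostname is not.
echo "Not covered by the certificate:"
uncovered_hosts "$SAMPLE_CERT_TEXT" mail.domain.com zimbra01.internal.lan
```

An empty list means every hostname passed in appears in the certificate; any name printed is one that clients connecting by that name will fail to validate.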