Zimbra Let’s Encrypt SSL Script

Rumi, 
#!/bin/bash -x

# SSL certificate installation in Zimbra
# with SSL certificate provided by Let's Encrypt (letsencrypt.org)

# Check if running as root
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi

read -p 'letsencrypt_email [mail@server]: ' letsencrypt_email
read -p 'mail_server_url [mail.server]: ' mail_server_url

# Check All variable have a value
if [ -z $mail_server_url ] || [ -z $letsencrypt_email ]
then
echo run script again please insert all value. do not miss any value
else

# Installation start
# Stop the jetty or nginx service at Zimbra level
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'

# Install git and letsencrypt
cd /opt/
apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

# Get SSL certificate
./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts
cd /etc/letsencrypt/live/$mail_server_url
cat <<EOF >>chain.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF

# Verify commercial certificate
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem'

# Deploy the new Let's Encrypt SSL certificate
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem'

# Restart Zimbra
su - zimbra -c 'zmcontrol restart'

# setting auto https redirect
cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh
cat <<EOF >>/opt/https-redirect.sh
zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect
EOF
su - zimbra -c '/opt/https-redirect.sh'
rm /opt/https-redirect.sh
fi
Scripts

Comments (8)

  6. Hello Rumi. Thanks for the knowledge you shared. I need your help with my problem. I had 2 domain on same server. Can u write a script install and auto renew for it . I Renew SSL manually through the tutorial :
    certbot certonly –standalone –preferred-chain “ISRG Root X1” -d mail.domain1.com -d mail.domain2.com

  7. Here’s the trick part-

    ./letsencrypt-auto certonly –standalone –non-interactive –agree-tos –email $letsencrypt_email -d $mail_server_url –hsts
    cd /etc/letsencrypt/live/$mail_server_url

  8. letsencrypt_email [mail@server]: admin@xxx.com
    mail_server_url [mail.server]: mail.xxx.com
    Stopping proxy…done.
    Stopping mailboxd…done.
    LE_Script.sh: line 28: apt-get: command not found
    Cloning into ‘letsencrypt’…
    remote: Enumerating objects: 98614, done.
    remote: Counting objects: 100% (549/549), done.
    remote: Compressing objects: 100% (287/287), done.
    remote: Total 98614 (delta 311), reused 455 (delta 256), pack-reused 98065
    Receiving objects: 100% (98614/98614), 48.29 MiB | 19.91 MiB/s, done.
    Resolving deltas: 100% (73285/73285), done.
    LE_Script.sh: line 33: ./letsencrypt-auto: No such file or directory
    LE_Script.sh: line 34: cd: /etc/letsencrypt/live/mail.xxx.com: No such file or directory
    cp: cannot stat ‘/etc/letsencrypt/live/mail.xxx.com/*’: No such file or directory
    chown: cannot access ‘/opt/zimbra/ssl/letsencrypt/*’: No such file or directory
    total 8
    drwxr-xr-x 2 root root 4096 Jun 4 21:46 .
    drwxr-xr-x 8 zimbra zimbra 4096 Jun 4 21:46 ..
    ** Verifying ‘cert.pem’ against ‘privkey.pem’
    ERROR: Can’t read file ‘privkey.pem’
    ERROR: Can’t read file ‘cert.pem’
    cp: cannot stat ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’: No such file or directory
    chown: cannot access ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’: No such file or directory
    ERROR: open input ‘cert.pem’ failed: No such file or directory

Leave a Reply

Your email address will not be published. Required fields are marked *