Zimbra Let’s Encrypt SSL Script Rumi, December 28, 2022 #!/bin/bash -x # SSL certificate installation in Zimbra # with SSL certificate provided by Let's Encrypt (letsencrypt.org) # Check if running as root if [ "$(id -u)" != "0" ]; then echo "This script must be run as root" 1>&2 exit 1 fi read -p 'letsencrypt_email [mail@server]: ' letsencrypt_email read -p 'mail_server_url [mail.server]: ' mail_server_url # Check All variable have a value if [ -z $mail_server_url ] || [ -z $letsencrypt_email ] then echo run script again please insert all value. do not miss any value else # Installation start # Stop the jetty or nginx service at Zimbra level su - zimbra -c 'zmproxyctl stop' su - zimbra -c 'zmmailboxdctl stop' # Install git and letsencrypt cd /opt/ apt-get install git git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt # Get SSL certificate ./letsencrypt-auto certonly --standalone --non-interactive --agree-tos --email $letsencrypt_email -d $mail_server_url --hsts cd /etc/letsencrypt/live/$mail_server_url cat <<EOF >>chain.pem -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE----- EOF # Verify commercial certificate mkdir /opt/zimbra/ssl/letsencrypt cp /etc/letsencrypt/live/$mail_server_url/* /opt/zimbra/ssl/letsencrypt/ chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/* ls -la /opt/zimbra/ssl/letsencrypt/ su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem' # Deploy the new Let's Encrypt SSL certificate cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key su - zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem' # Restart Zimbra su - zimbra -c 'zmcontrol restart' # setting auto https redirect cd /opt && touch https-redirect.sh && chown zimbra:zimbra https-redirect.sh && chmod +x https-redirect.sh cat <<EOF >>/opt/https-redirect.sh zmprov ms $mail_server_url zimbraReverseProxyMailMode redirect EOF su - zimbra -c '/opt/https-redirect.sh' rm /opt/https-redirect.sh fi Scripts LetsencryptScriptszimbra
Hello Rumi. Thanks for the knowledge you shared. I need your help with my problem. I had 2 domain on same server. Can u write a script install and auto renew for it . I Renew SSL manually through the tutorial : certbot certonly –standalone –preferred-chain “ISRG Root X1” -d mail.domain1.com -d mail.domain2.com
Here’s the trick part- ./letsencrypt-auto certonly –standalone –non-interactive –agree-tos –email $letsencrypt_email -d $mail_server_url –hsts cd /etc/letsencrypt/live/$mail_server_url
letsencrypt_email [mail@server]: admin@xxx.com mail_server_url [mail.server]: mail.xxx.com Stopping proxy…done. Stopping mailboxd…done. LE_Script.sh: line 28: apt-get: command not found Cloning into ‘letsencrypt’… remote: Enumerating objects: 98614, done. remote: Counting objects: 100% (549/549), done. remote: Compressing objects: 100% (287/287), done. remote: Total 98614 (delta 311), reused 455 (delta 256), pack-reused 98065 Receiving objects: 100% (98614/98614), 48.29 MiB | 19.91 MiB/s, done. Resolving deltas: 100% (73285/73285), done. LE_Script.sh: line 33: ./letsencrypt-auto: No such file or directory LE_Script.sh: line 34: cd: /etc/letsencrypt/live/mail.xxx.com: No such file or directory cp: cannot stat ‘/etc/letsencrypt/live/mail.xxx.com/*’: No such file or directory chown: cannot access ‘/opt/zimbra/ssl/letsencrypt/*’: No such file or directory total 8 drwxr-xr-x 2 root root 4096 Jun 4 21:46 . drwxr-xr-x 8 zimbra zimbra 4096 Jun 4 21:46 .. ** Verifying ‘cert.pem’ against ‘privkey.pem’ ERROR: Can’t read file ‘privkey.pem’ ERROR: Can’t read file ‘cert.pem’ cp: cannot stat ‘/opt/zimbra/ssl/letsencrypt/privkey.pem’: No such file or directory chown: cannot access ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’: No such file or directory ERROR: open input ‘cert.pem’ failed: No such file or directory