1. Install the Let’s Encrypt Certbot
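#!/usr/bin/env bash
# One-time setup: install Certbot and obtain the first certificate.
# Later renewals are handled by /root/ssl.sh (step 2), run from cron.
set -euo pipefail

# Hostname the certificate is issued for and the contact address Let's
# Encrypt uses for expiry notices. Keep both in sync with /root/ssl.sh.
readonly DOMAIN=mail.protectigate.com
# Placeholder: the contact address is redacted on the page — replace before use.
readonly EMAIL='[email protected]'

# Install Certbot on the Linux box.
yum install -y certbot

# Request the first certificate. --standalone starts certbot's own web
# server on port 80 for the challenge, so that port must be free while this
# runs (NOTE(review): if the Zimbra proxy is already listening on 80, stop
# it first — the renewal script in step 2 does so). -n and --agree-tos keep
# the run non-interactive.
certbot certonly --standalone -d "$DOMAIN" -m "$EMAIL" --agree-tos -n

# Prepare the Zimbra directory that the renewal script copies the
# certificate into. -p makes re-running this step harmless; the directory
# will hold the private key, so it is created readable by its owner only.
mkdir -p -m 0700 -- /opt/zimbra/ssl/letsencrypt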
2. Install the Certificate and create the Script for auto-renewal
a. Create the script as /root/ssl.sh
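#!/usr/bin/env bash
# /root/ssl.sh — renew the Let's Encrypt certificate for the Zimbra host
# (when certbot decides it is due) and deploy it into Zimbra. Run as root.
#
# Flow: stop the Zimbra listeners so certbot's standalone web server can
# bind port 80, run certbot, copy the issued files into
# /opt/zimbra/ssl/letsencrypt, append the root cert to the chain, verify
# key/cert/chain with zmcertmgr, back up the current Zimbra cert, deploy the
# new key and cert, restart Zimbra.
#
# Every step is fatal on failure (set -e plus explicit checks): the script
# must never reach `zmcertmgr deploycrt` with a stale or unverified
# certificate. If it aborts after Zimbra was stopped, the EXIT trap restarts
# Zimbra so mail keeps running on the previously deployed certificate.
set -euo pipefail

readonly DOMAIN=mail.protectigate.com
# Placeholder: the contact address is redacted on the page — replace before use.
readonly EMAIL='[email protected]'
readonly LE_LIVE="/etc/letsencrypt/live/${DOMAIN}"
readonly ZM_LE_DIR=/opt/zimbra/ssl/letsencrypt
readonly ZM_SSL_DIR=/opt/zimbra/ssl/zimbra
readonly ZM_BIN=/opt/zimbra/bin
# Root certificate appended to chain.pem so the chain ends in a root for
# zmcertmgr verifycrt. NOTE(review): this is the TrustID/DST Root CA X3
# file; confirm it is still the root that anchors the chain certbot issues
# for this host before relying on it.
readonly ROOT_CERT_URL=https://letsencrypt.org/certs/trustid-x3-root.pem.txt

# Date stamp for the backup copies made below (one backup per day; -T on
# mv/cp keeps a repeat run on the same day from nesting the new copy inside
# the earlier backup).
stamp=$(date +'%Y%m%d')
readonly stamp

# Print an error to stderr and exit non-zero (the EXIT trap then restarts
# Zimbra if it had been stopped).
die() {
  printf 'ssl.sh: %s\n' "$*" >&2
  exit 1
}

# Run a Zimbra CLI tool (by name under /opt/zimbra/bin) as the zimbra user.
zm() {
  local tool=$1
  shift
  sudo -u zimbra "${ZM_BIN}/${tool}" "$@"
}

# Set once the Zimbra services have been stopped; read by on_exit.
services_stopped=0

# EXIT trap: if the script failed after stopping Zimbra, bring it back up so
# a failed renewal never leaves mail down.
on_exit() {
  local rc=$?
  if (( rc != 0 && services_stopped )); then
    zm zmcontrol restart || true
  fi
  exit "$rc"
}
trap on_exit EXIT

# Work from a directory the zimbra user can read (sudo -u zimbra is used
# throughout).
cd /tmp

# Stop the proxy (nginx) and mailboxd first: certbot --standalone needs to
# bind port 80 itself, and Zimbra normally holds it.
zm zmproxyctl stop
zm zmmailboxdctl stop
services_stopped=1

# Renew the certificate if it is close to expiry. certbot exits 0 without
# changing anything when renewal is not yet due; on a non-zero exit we abort
# (and the trap restarts Zimbra on the old certificate).
certbot certonly --standalone -d "$DOMAIN" -m "$EMAIL" --agree-tos -n \
  || die "certbot failed for ${DOMAIN}"

# Rotate the previous Zimbra copy of the Let's Encrypt files and create a
# fresh, owner-only directory (it will hold the private key).
if [[ -e "$ZM_LE_DIR" ]]; then
  mv -T -- "$ZM_LE_DIR" "${ZM_LE_DIR}${stamp}"
fi
mkdir -m 0700 -- "$ZM_LE_DIR"

# Copy the issued files into the Zimbra SSL dir. /etc/letsencrypt/live/*
# holds symlinks into ../../archive; -L copies their targets, whereas a
# plain cp -r leaves dangling relative symlinks behind.
cp -rfL -- "$LE_LIVE"/* "$ZM_LE_DIR"/

# Download the root cert and refuse to continue unless it looks like a PEM
# certificate, so an error page never gets appended to the chain.
wget -q -O "${ZM_LE_DIR}/root.pem" "$ROOT_CERT_URL" \
  || die "could not download root certificate from ${ROOT_CERT_URL}"
grep -q -- '-----BEGIN CERTIFICATE-----' "${ZM_LE_DIR}/root.pem" \
  || die "downloaded root.pem is not a PEM certificate"

# Merge the root cert into the chain file.
cat -- "${ZM_LE_DIR}/root.pem" >> "${ZM_LE_DIR}/chain.pem"

# Hand the files to the zimbra user; keep the private key readable by its
# owner only.
chown -R zimbra:zimbra -- "$ZM_LE_DIR"
chmod 0600 -- "${ZM_LE_DIR}/privkey.pem"

# Verify the new key/cert/chain before touching the live Zimbra cert; a
# failed verification aborts the deployment.
zm zmcertmgr verifycrt comm "${ZM_LE_DIR}/privkey.pem" \
  "${ZM_LE_DIR}/cert.pem" "${ZM_LE_DIR}/chain.pem" \
  || die "zmcertmgr verifycrt rejected the new certificate"

# Back up the currently deployed Zimbra SSL directory.
cp -aT -- "$ZM_SSL_DIR" "${ZM_SSL_DIR}.${stamp}"

# Install the new private key with zimbra ownership and owner-only mode.
install -o zimbra -g zimbra -m 0600 -- "${ZM_LE_DIR}/privkey.pem" \
  "${ZM_SSL_DIR}/commercial/commercial.key"

# Deploy the new certificate and chain.
zm zmcertmgr deploycrt comm "${ZM_LE_DIR}/cert.pem" "${ZM_LE_DIR}/chain.pem" \
  || die "zmcertmgr deploycrt failed"

# Restart Zimbra services so the new certificate is served.
zm zmcontrol restart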
b. Make the script executable: chmod +x /root/ssl.sh
3. Create a cron job to run the script every month
Now that the script is ready, we create a cron job that runs it every month, renewing the certificate if it is about to expire.
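# Install a cron entry that runs the renewal script on the 1st of every
# month at 02:00, as root.
#
# `crontab -l` exits non-zero when no crontab exists yet, so its status must
# not gate the new line: the `crontab -l && echo ...` form installed an
# *empty* crontab in that case. The grep guard keeps the entry from being
# added twice if this snippet is re-run. The script uses bash syntax
# ([[ ]]), so it is run with bash rather than /bin/sh.
cron_line='0 2 1 * * /bin/bash /root/ssl.sh'
if ! crontab -l 2>/dev/null | grep -qF -- '/root/ssl.sh'; then
  (crontab -l 2>/dev/null; printf '%s\n' "$cron_line") | crontab -
fi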
Source: https://opentechtips.com/automatically-renewing-free-ssl-zimbra/