Zimbra 8.8. Parte IV. (Letsencrypt)

  • Instalamos git
apt-get install git -y
  • El primero paso será detener el servicio de nginx o de jetty, ya que Let´s Encrypt se comunica usando el puerto 443 para generar el Certificado SSL.
su zimbra
zmproxyctl stop
zmmailboxdctl stop
  • ingresamos a la carpeta /tmp
cd /tmp
  • Clonamos el proyecto
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
  • En este ejemplo, vamos a ejecutar Let’s Encrypt de manera automática, y usar la opción de certonly, la cual nos generará los ficheros que necesitamos para después instalarlos en Zimbra, ya que actualmente en zimbra no se puede instalar directamente.
  • La primera vez que ejecutamos el entorno letsencrypt descargará las dependencias necesarias de los repositorios, puede durar unos minutos
./letsencrypt-auto certonly --standalone
  • El proceso nos preguntará por una dirección Email para usar en caso de emergencia o recuperar una Private Key en caso necesario
  • El proceso nos preguntará también si estamos de acuerdo con las Condiciones de Uso
  • Nos indica si deseamos compartir nuestro correo NO
  • El último paso es introducir el FQDN que queremos proteger, en mi caso es correo.siua.ac.cr:
  • Si el proceso sale bien obtendrá
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for correo.siua.ac.cr
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/correo.siua.ac.cr/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/correo.siua.ac.cr/privkey.pem
   Your cert will expire on 2020-12-02. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Ahora los certificados generados se encuentran a la ruta
ls /etc/letsencrypt/live/correo.siua.ac.cr/
  • Donde:
    • cert.pem: es el certificado
    • fullchain.pem esl a unión cert.pem + chain.pem
    • privkey.pem es la lave privada (Recuerde que esto es solo para usted)

Construyendo el fichero con el Intermediate CA y el Root CA especial para Zimbra

  • Let’s Encrypt es casi perfecto, pero eso no quita que Zimbra tenga su particular manera de aceptar los Certificados SSL, donde necesitamos un fichero con las Intermediate CA y el Root CA, Let’s Encrypt ya nos genera el chain.pem donde se encuentra el Intermediate CA, pero necesitamos además añadir el root después del Intermediate
  • Por tanto abrimos la siguiente dirección web y copiamos el contenido
  • https://letsencrypt.org/certs/trustid-x3-root.pem.txt
  • Contenido
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
  • Ahora vamos abrir el archivo
nano /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
  • Y vamos a pagar el contenido del root anterior al FINAL del chain (NOTA: El ORDEN ES IMPORTANTE), quedando así
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
  • Ahora copiamos los certificados a zimbra
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/correo.siua.ac.cr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
  • Ahora ingresamos como usuario zimbra y ejecutamos
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem 
  • RESULTADO
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
  • Ahora antes de remplazar los certificados
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
  • Antes de desplegar el Certificado SSL, debemos hacer este pequeño truco para copiar la privatekey que ha generado Let’s Encrypt en la ruta donde Zimbra guarda el SSL commercial:
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*
  • Ahora como usuario zimbra instalamos el certificado
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
  • RESULTADO
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.siua.ac.cr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.siua.ac.cr...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e5f800d1.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e5f800d1.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
  • Reiniciamos el servicio
zmcontrol restart
  • Ahora podemos validar el certificado por la web
  • O podemos probarlo con OpenSSL (como usuario root)
echo QUIT | openssl s_client -connect correo.siua.ac.cr:443 | openssl x509 -noout -text | less
  • RESULTADO (q para salir)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:44:9f:13:90:44:0b:00:01:a9:a7:af:51:18:dd:b6:3d:03
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Sep  3 14:49:19 2020 GMT
            Not After : Dec  2 14:49:19 2020 GMT
        Subject: CN = correo.siua.ac.cr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9f:dc:92:fc:9d:13:bb:37:48:96:83:96:c3:46:
                    43:d0:04:09:77:7f:3a:8e:d5:22:2b:a2:af:31:58:
                    58:6d:a9:57:1f:37:c3:b7:40:ec:19:ea:0d:00:f1:
                    85:df:bc:33:ee:0f:15:7a:1d:75:b3:d3:f7:2e:44:
                    ec:d0:97:12:0b:d0:84:57:d9:23:f5:07:cf:b8:09:
                    21:5e:fa:fb:0a:bd:14:66:5d:2f:d1:8b:5c:f5:5a:
                    c6:dd:f8:41:18:0e:02:f4:66:0a:37:ef:78:45:f4:
                    6f:32:a0:be:46:d5:d1:8b:da:af:0f:e3:8c:c9:b0:
                    e6:6f:d9:5b:d2:2f:f0:af:79:ea:ae:97:57:b3:0d:
                    ce:73:ce:a2:93:ba:7c:d6:50:5c:35:d3:31:30:80:
                    3a:1d:c2:43:94:ff:03:a3:f7:90:62:ff:4b:b7:ad:
                    3c:84:51:39:f0:af:41:1e:f2:11:73:67:f6:04:c6:
                    ee:44:f3:dc:a1:3d:71:27:f2:b6:37:64:e9:79:aa:
                    92:f8:1e:7f:96:b5:e2:a1:ab:aa:26:b2:f0:6c:99:
                    b8:8d:6e:c7:c3:a9:bd:c7:7c:15:86:51:98:28:d1:
                    2f:fd:72:c3:72:b6:39:1a:17:46:35:3d:27:db:d5:
                    bc:51:4f:bf:d3:90:e9:20:46:7e:1d:e2:f6:91:cb:
                    7d:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B4:B2:14:E5:EE:1C:EB:3E:F8:D7:0B:1D:5E:46:DD:7C:36:E1:31:18
            X509v3 Authority Key Identifier: 
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

Renovación automatica

  • Para que la renovación sea automática creamos el archivo
nano /root/ssh-renew.sh
  • Agregamos el contenido
printf "********************************************************\n"
printf "**********              APAGANDO ZIMBRA         ********\n"
printf "********************************************************\n"
su - zimbra -c "zmproxyctl stop && zmmailboxdctl stop"


printf "********************************************************\n"
printf "**********            RENOVANDO CERTIFICADOS    ********\n"
printf "********************************************************\n"
letsencrypt renew

printf "********************************************************\n"
printf "*            CONCATENANDO ROOT A CHAIN            ******\n"
printf "********************************************************\n"
#Salto de linea
echo >> /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem

echo '-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----' >> /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem

printf "********************************************************\n"
printf "*            RESULTADO CONTATENACION              ******\n"
printf "********************************************************\n"
echo /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem

printf "********************************************************\n"
printf "*                COPIANDO CERTIFICADOS            ******\n"
printf "********************************************************\n"
cp /etc/letsencrypt/live/correo.siua.ac.cr/* /opt/zimbra/ssl/letsencrypt/

printf "********************************************************\n"
printf "*            CAMBIANDO DE DUENO ZIMBRA            ******\n"
printf "********************************************************\n"
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*


printf "********************************************************\n"
printf "*            LISTAMOS CERTIFICADOS                ******\n"
printf "********************************************************\n"
ls -la /opt/zimbra/ssl/letsencrypt/


printf "********************************************************\n"
printf "*            VERIFICANDO CERTIFICADOS             ******\n"
printf "********************************************************\n"
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"


printf "********************************************************\n"
printf "*            RESPALDANDO CERTIFICADOS             ******\n"
printf "********************************************************\n"
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")


printf "********************************************************\n"
printf "*                 LLAVE COMERCIAL                 ******\n"
printf "********************************************************\n"
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*


printf "********************************************************\n"
printf "*              INSTALAR CERTIFICADO               ******\n"
printf "********************************************************\n"
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem"


printf "********************************************************\n"
printf "*              REINICIAR SERVICIO                 ******\n"
printf "********************************************************\n"
su - zimbra -c "zmcontrol restart"
  • Le damos permisos de ejecución
chmod 7777 -R /root/ssh-renew.sh
  • Agreamos un cron
crontab -e
  • Agregamos
@monthly /root/ssh-renew.sh