apt-get install git -y
El primero paso será detener el servicio de nginx o de jetty, ya que Let´s Encrypt se comunica usando el puerto 443 para generar el Certificado SSL.
su zimbra
zmproxyctl stop
zmmailboxdctl stop
ingresamos a la carpeta /tmp
cd /tmp
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
En este ejemplo, vamos a ejecutar Let’s Encrypt de manera automática, y usar la opción de certonly, la cual nos generará los ficheros que necesitamos para después instalarlos en Zimbra, ya que actualmente en zimbra no se puede instalar directamente. La primera vez que ejecutamos el entorno letsencrypt descargará las dependencias necesarias de los repositorios, puede durar unos minutos
./letsencrypt-auto certonly --standalone
El proceso nos preguntará por una dirección Email para usar en caso de emergencia o recuperar una Private Key en caso necesario
El proceso nos preguntará también si estamos de acuerdo con las Condiciones de Uso
Nos indica si deseamos compartir nuestro correo NO
El último paso es introducir el FQDN que queremos proteger, en mi caso es correo.siua.ac.cr:
Si el proceso sale bien obtendrá
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for correo.siua.ac.cr
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/correo.siua.ac.cr/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/correo.siua.ac.cr/privkey.pem
Your cert will expire on 2020-12-02. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Ahora los certificados generados se encuentran a la ruta
ls /etc/letsencrypt/live/correo.siua.ac.cr/
Donde:cert.pem : es el certificadofullchain.pem esl a unión cert.pem + chain.pemprivkey.pem es la lave privada (Recuerde que esto es solo para usted)
Construyendo el fichero con el Intermediate CA y el Root CA especial para Zimbra
Let’s Encrypt es casi perfecto, pero eso no quita que Zimbra tenga su particular manera de aceptar los Certificados SSL, donde necesitamos un fichero con las Intermediate CA y el Root CA, Let’s Encrypt ya nos genera el chain.pem donde se encuentra el Intermediate CA, pero necesitamos además añadir el root después del Intermediate Por tanto abrimos la siguiente dirección web y copiamos el contenido https://letsencrypt.org/certs/trustid-x3-root.pem.txt Contenido
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Ahora vamos abrir el archivo
nano /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
Y vamos a pagar el contenido del root anterior al FINAL del chain (NOTA: El ORDEN ES IMPORTANTE), quedando así
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Ahora copiamos los certificados a zimbra
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/correo.siua.ac.cr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
Ahora ingresamos como usuario zimbra y ejecutamos
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
Ahora antes de remplazar los certificados
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
Antes de desplegar el Certificado SSL, debemos hacer este pequeño truco para copiar la privatekey que ha generado Let’s Encrypt en la ruta donde Zimbra guarda el SSL commercial:
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*
Ahora como usuario zimbra instalamos el certificado
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.siua.ac.cr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.siua.ac.cr...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e5f800d1.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e5f800d1.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
zmcontrol restart
Ahora podemos validar el certificado por la web
O podemos probarlo con OpenSSL (como usuario root)
echo QUIT | openssl s_client -connect correo.siua.ac.cr:443 | openssl x509 -noout -text | less
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:44:9f:13:90:44:0b:00:01:a9:a7:af:51:18:dd:b6:3d:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Sep 3 14:49:19 2020 GMT
Not After : Dec 2 14:49:19 2020 GMT
Subject: CN = correo.siua.ac.cr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9f:dc:92:fc:9d:13:bb:37:48:96:83:96:c3:46:
43:d0:04:09:77:7f:3a:8e:d5:22:2b:a2:af:31:58:
58:6d:a9:57:1f:37:c3:b7:40:ec:19:ea:0d:00:f1:
85:df:bc:33:ee:0f:15:7a:1d:75:b3:d3:f7:2e:44:
ec:d0:97:12:0b:d0:84:57:d9:23:f5:07:cf:b8:09:
21:5e:fa:fb:0a:bd:14:66:5d:2f:d1:8b:5c:f5:5a:
c6:dd:f8:41:18:0e:02:f4:66:0a:37:ef:78:45:f4:
6f:32:a0:be:46:d5:d1:8b:da:af:0f:e3:8c:c9:b0:
e6:6f:d9:5b:d2:2f:f0:af:79:ea:ae:97:57:b3:0d:
ce:73:ce:a2:93:ba:7c:d6:50:5c:35:d3:31:30:80:
3a:1d:c2:43:94:ff:03:a3:f7:90:62:ff:4b:b7:ad:
3c:84:51:39:f0:af:41:1e:f2:11:73:67:f6:04:c6:
ee:44:f3:dc:a1:3d:71:27:f2:b6:37:64:e9:79:aa:
92:f8:1e:7f:96:b5:e2:a1:ab:aa:26:b2:f0:6c:99:
b8:8d:6e:c7:c3:a9:bd:c7:7c:15:86:51:98:28:d1:
2f:fd:72:c3:72:b6:39:1a:17:46:35:3d:27:db:d5:
bc:51:4f:bf:d3:90:e9:20:46:7e:1d:e2:f6:91:cb:
7d:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
B4:B2:14:E5:EE:1C:EB:3E:F8:D7:0B:1D:5E:46:DD:7C:36:E1:31:18
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
Renovación automatica
Para que la renovación sea automática creamos el archivo
nano /root/ssh-renew.sh
printf "********************************************************\n"
printf "********** APAGANDO ZIMBRA ********\n"
printf "********************************************************\n"
su - zimbra -c "zmproxyctl stop && zmmailboxdctl stop"
printf "********************************************************\n"
printf "********** RENOVANDO CERTIFICADOS ********\n"
printf "********************************************************\n"
letsencrypt renew
printf "********************************************************\n"
printf "* CONCATENANDO ROOT A CHAIN ******\n"
printf "********************************************************\n"
#Salto de linea
echo >> /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
echo '-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----' >> /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
printf "********************************************************\n"
printf "* RESULTADO CONTATENACION ******\n"
printf "********************************************************\n"
echo /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
printf "********************************************************\n"
printf "* COPIANDO CERTIFICADOS ******\n"
printf "********************************************************\n"
cp /etc/letsencrypt/live/correo.siua.ac.cr/* /opt/zimbra/ssl/letsencrypt/
printf "********************************************************\n"
printf "* CAMBIANDO DE DUENO ZIMBRA ******\n"
printf "********************************************************\n"
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
printf "********************************************************\n"
printf "* LISTAMOS CERTIFICADOS ******\n"
printf "********************************************************\n"
ls -la /opt/zimbra/ssl/letsencrypt/
printf "********************************************************\n"
printf "* VERIFICANDO CERTIFICADOS ******\n"
printf "********************************************************\n"
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"
printf "********************************************************\n"
printf "* RESPALDANDO CERTIFICADOS ******\n"
printf "********************************************************\n"
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
printf "********************************************************\n"
printf "* LLAVE COMERCIAL ******\n"
printf "********************************************************\n"
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*
printf "********************************************************\n"
printf "* INSTALAR CERTIFICADO ******\n"
printf "********************************************************\n"
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem"
printf "********************************************************\n"
printf "* REINICIAR SERVICIO ******\n"
printf "********************************************************\n"
su - zimbra -c "zmcontrol restart"
Le damos permisos de ejecución
chmod 7777 -R /root/ssh-renew.sh
crontab -e
@monthly /root/ssh-renew.sh