Zimbra 8.8. Part IV. (Letsencrypt v2) 2022

  • We update and install
  • It must be the snap package so that certbot accepts: certbot certonly --standalone -d correo.siua.ac.cr --force-renewal --preferred-chain "ISRG Root X1"
  • If we try to install snap and it gives us the error
  • https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
  • https://www.netntw.com/archivos/679
  • https://www.youtube.com/watch?v=ct0Q2RVBvAA
error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount: 
  • sudo apt install acl

HADES

  • We must modify the VM's configuration file in PROXMOX
nano /etc/pve/lxc/140.conf
  • And add to it
features: fuse=1,mount=fuse,nesting=1
and this
lxc.mount.auto: cgroup:rw
lxc.mount.auto: sys:rw
  • The file ends up like this
arch: amd64
cores: 4
features: fuse=1,mount=fuse,nesting=1
hostname: correo
memory: 8192
nameserver: 127.0.0.1
net1: name=eth1,bridge=vmbr0,gw=181.193.87.1,hwaddr=8E:8F:73:63:8B:C1,ip=181.193.87.9/28,tag=111,type=v>
onboot: 1
ostype: ubuntu
rootfs: STN01-VM:140/vm-140-disk-0.raw,size=50G
searchdomain: siua.ac.cr
swap: 8192
unprivileged: 1
lxc.mount.auto: cgroup:rw
lxc.mount.auto: sys:rw

CORREO

sudo apt update
sudo apt install squashfuse fuse squashfs-tools
sudo apt install snap snapd
sudo snap install core
sudo snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
  • We check the version
certbot --version

#Result
certbot 0.27.0
  • We stop the services
sudo su - zimbra -c "zmproxyctl stop"
sudo su - zimbra -c "zmmailboxdctl stop"
  • We run

certbot certonly --standalone -d correo.siua.ac.cr --force-renewal --preferred-chain "ISRG Root X1"
  • Result
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for correo.siua.ac.cr

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/correo.siua.ac.cr/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/correo.siua.ac.cr/privkey.pem
This certificate expires on 2022-09-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

  • Where:
    • cert.pem: is the certificate
    • fullchain.pem is the concatenation of cert.pem + chain.pem
    • privkey.pem is the private key (remember that this is for you only)
  • Now as the root user
cp /etc/letsencrypt/live/correo.siua.ac.cr/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem

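//Permissions (777 makes everything under /etc/letsencrypt/, including the private key, readable and writable by every local user)
chmod 777 -R /etc/letsencrypt/
  • To keep the permissions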
sudo apt install acl
sudo setfacl -R -m u:zimbra:rwx /etc/letsencrypt/
  • Now as the zimbra user
sudo su zimbra 
  • We check that the services are stopped
zmproxyctl stop
zmmailboxdctl stop
  • We run
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/correo.siua.ac.cr/cert.pem /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
  • Results
** Verifying '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' against '/etc/letsencrypt/live/correo.siua.ac.cr/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/correo.siua.ac.cr/cert.pem: OK
  • Then we run
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/correo.siua.ac.cr/cert.pem /etc/letsencrypt/live/correo.siua.ac.cr/chain.pem
  • Results
** Verifying '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' against '/etc/letsencrypt/live/correo.siua.ac.cr/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/correo.siua.ac.cr/cert.pem: OK
** Copying '/etc/letsencrypt/live/correo.siua.ac.cr/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/correo.siua.ac.cr/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/correo.siua.ac.cr/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.siua.ac.cr...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.siua.ac.cr...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/e5f800d1.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'e5f800d1.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
  • We restart zimbra
zmcontrol restart
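
The permissions step above runs chmod 777 -R on the directory that holds privkey.pem and then grants zimbra access through an ACL. As an added example (not part of the original post), this script audits a constructed tree shaped like /etc/letsencrypt for world-accessible paths and resets it to owner-only modes, the state to be in before the setfacl command; the function names and the host name mail.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and host name are constructed.

# List every non-symlink path under $1 that "other" can read, write or enter.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Owner-only modes: 700 on directories, 600 on files. Run this BEFORE setfacl:
# once a file carries an ACL, chmod rewrites the ACL mask from the group bits,
# so a later chmod 600 would silently disable the u:zimbra entry.
tighten() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Build a throwaway tree shaped like /etc/letsencrypt and open it with 777,
# reproducing the state left by "chmod 777 -R".
make_sample_tree() {
    root=$(mktemp -d) || return 1
    name=mail.example.test
    mkdir -p "$root/archive/$name" "$root/live/$name"
    for f in cert chain fullchain privkey; do
        echo "constructed placeholder, not a real key" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    chmod -R 777 "$root"
    echo "$root"
}

# Demonstration on the constructed tree: count exposed paths before and after.
tree=$(make_sample_tree)
echo "before: $(world_accessible "$tree" | wc -l) world-accessible paths"
tighten "$tree"
echo "after:  $(world_accessible "$tree" | wc -l) world-accessible paths"
ls -l "$tree/archive/mail.example.test/privkey1.pem"
rm -rf "$tree"
```

On the real host, world_accessible /etc/letsencrypt should print nothing once the modes are tightened and access for zimbra comes only from the ACL.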

Change the zimbra logo

  • First we must create the images in these sizes
  • 440×60 pixels – Logo for the login page
  • 200×35 pixels – Logo shown once logged in (top left corner)
  • We download: here
  • It is recommended to store the logos somewhere else where they can be accessed remotely, so that they are not replaced when the system is updated
su - zimbra
zmprov md siua.ac.cr zimbraSkinLogoURL https://correo.siua.ac.cr
zmprov md siua.ac.cr zimbraSkinLogoLoginBanner http://proxy.siua.ac.cr/logos_zimbra/correo_login.png
zmprov md siua.ac.cr zimbraSkinLogoAppBanner http://proxy.siua.ac.cr/logos_zimbra/correo_app.png
zmmailboxdctl restart