
Installing a trusted SSL certificate on Zimbra 8.8.15 with Let's Encrypt

易弘亮
2023-12-01

Introduction

CentOS 7 does not support installing Let's Encrypt (certbot-auto) directly; the attempt fails with the following error:

Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.


1. Install snapd

First install the EPEL repository:

[root@mail ~]# yum install epel-release

Install snapd:

[root@mail ~]# yum install snapd

Enable and start snapd.socket:

[root@mail ~]# systemctl enable --now snapd.socket

Create the symlink from /snap to /var/lib/snapd/snap:

[root@mail ~]# ln -s /var/lib/snapd/snap /snap

Reboot the system so that snap is fully enabled.

Update the snap core to the latest version:

[root@mail ~]# snap install core
[root@mail ~]# snap refresh core

2. Install certbot

Remove any previously installed certbot and its related files (only needed if they were installed):

[root@mail ~]# yum remove certbot
[root@mail ~]# rm /usr/local/bin/certbot-auto
[root@mail ~]# rm -rf /opt/eff.org/certbot

Install certbot:

[root@mail ~]# snap install --classic certbot

Create a symlink to /snap/bin/certbot so the certbot command is on the PATH:

[root@mail ~]# ln -s /snap/bin/certbot /usr/bin/certbot

Issue the SSL certificate:

[root@mail ~]# certbot certonly --standalone -d main.zimbra.com -m 123@qq.com --agree-tos   # Note: main.zimbra.com is the Zimbra hostname and 123@qq.com is your e-mail address

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for
mail.zimbra.com
Performing the following challenges:
http-01 challenge for mail.staginfo.com
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123@qq.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.zimbra.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.zimbra.com/privkey.pem
   Your certificate will expire on 2021-08-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificates are placed in the /etc/letsencrypt/live/mail.chenxie.net/ directory:

[root@mail ~]# ll /etc/letsencrypt/live/mail.zimbra.com/
total 4
lrwxrwxrwx 1 root root  40 Nov 29 11:54 cert.pem -> ../../archive/mail.zimbra.com/cert1.pem
lrwxrwxrwx 1 root root  41 Nov 29 11:54 chain.pem -> ../../archive/mail.zimbra.com/chain1.pem
lrwxrwxrwx 1 root root  45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.zimbra.com/fullchain1.pem
lrwxrwxrwx 1 root root  43 Nov 29 11:54 privkey.pem -> ../../archive/mail.zimbra.com/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README

Append the root certificate to the end of chain.pem; afterwards your chain.pem should look like this:

-----BEGIN CERTIFICATE-----
(the existing contents of your chain.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the PEM-encoded root CA certificate you appended)
-----END CERTIFICATE-----

Copy all of the generated certificate files from /etc/letsencrypt/live/mail.chenxie.net/ to /opt/zimbra/ssl/letsencrypt/:

[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt
[root@mail ~]# cp /etc/letsencrypt/live/mail.zimbra.com/* /opt/zimbra/ssl/letsencrypt/
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra  692 Nov 29 12:20 README

Switch to the zimbra user and verify that the key, certificate and chain belong together:

[root@mail ~]# su - zimbra
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK

3. Deploy


Back up the existing Zimbra certificate directory first:

[zimbra@mail letsencrypt]$ exit
[root@mail ssl]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Copy the private key into the commercial-certificate location that Zimbra expects:

[root@mail ssl]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’? y
[root@mail ssl]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

Apply the configuration (zmcertmgr deploycrt must be run from the directory holding cert.pem and chain.pem):

[root@mail ssl]# su - zimbra
Last login: Fri May 21 09:38:24 CST 2021 on pts/0
[zimbra@mail ~]$ chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
[zimbra@mail ~]$  /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
ERROR: open input 'cert.pem' failed: No such file or directory
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.zimbra.com...failed (rc=1)
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/c97c4c49.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c97c4c49.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'

Restart the Zimbra services:

[zimbra@mail ~]$ zmcontrol restart

4. Automatic renewal

Certificates are valid for 3 months by default, so they have to be renewed.

Create a cron job:

[root@mail ssl]# sudo crontab -e

Add the line 30 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log at the end, so the crontab looks like this:

0 0 * * * /opt/search/es-index-clear.sh > /dev/null 2>&1
0 1 * * 6 /usr/sbin/ntpdate ntp.aliyun.com ;/sbin/hwclock -w > /dev/null 2>&1
#* * * * * /opt/search/reboot-kibana.sh >> /opt/search/reboot-kibana.log 2>&1
30 3 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log

Confirm it took effect: sudo crontab -l
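The cron entry above only renews the files under /etc/letsencrypt; Zimbra keeps serving the copies that zmcertmgr deploycrt installed until the copy, verify and deploy steps of sections 2 and 3 are run again. The following added example (not from the original post) is a certbot deploy hook that repeats those steps after each successful renewal; LE_ROOT_PEM and its default path /opt/zimbra/ssl/letsencrypt-root.pem are assumed locations for the root certificate to append, which must be the root the issued chain actually terminates in, since Let's Encrypt's roots have changed over time.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot --deploy-hook that
# re-stages a renewed certificate into Zimbra. certbot exports RENEWED_LINEAGE
# (the live/<domain> directory) when it runs the hook. Paths are parameters so
# the staging step can be exercised against a scratch directory. LE_ROOT_PEM and
# its default path are assumed: where the root certificate to append is kept.
set -eu

# Copy the renewed files from SRC to DST and append ROOT to chain.pem unless the
# chain already carries it. The first base64 line of a PEM certificate holds its
# serial number, so matching that line identifies the certificate.
stage_le_cert() {
    src="$1" dst="$2" root="$3"
    mkdir -p "$dst"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        cp "$src/$f" "$dst/$f"
    done
    if ! grep -qF -- "$(sed -n 2p "$root")" "$dst/chain.pem"; then
        cat "$root" >> "$dst/chain.pem"
    fi
    # The private key must never be group- or world-readable.
    chmod 600 "$dst/privkey.pem"
    chmod 644 "$dst/cert.pem" "$dst/chain.pem" "$dst/fullchain.pem"
}

# Number of certificates in a PEM bundle; chain.pem should gain exactly one.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Repeat the manual deployment from the post: key into commercial.key, then
# verify, deploy and restart as the zimbra user.
deploy_to_zimbra() {
    dst="$1"
    chown zimbra:zimbra "$dst"/*
    cp "$dst/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
    su - zimbra -c "cd '$dst' \
        && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem \
        && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem \
        && zmcontrol restart"
}

# Entry point when certbot invokes the script after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_le_cert "$RENEWED_LINEAGE" /opt/zimbra/ssl/letsencrypt \
        "${LE_ROOT_PEM:-/opt/zimbra/ssl/letsencrypt-root.pem}"
    deploy_to_zimbra /opt/zimbra/ssl/letsencrypt
fi
```

Register it with certbot renew --deploy-hook /path/to/this-script.sh, or place it in /etc/letsencrypt/renewal-hooks/deploy/ where certbot runs it automatically. With the standalone authenticator, port 80 must be free while the http-01 challenge runs.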
Summary

After consulting several other people's articles, this is my summary of a deployment that succeeded once adapted to my own situation.