使用 Let‘s Encrypt 为 Zimbra-8.8.15 安装可信任的SSL证书
前言
CentOS7不支持 Let's Encrypt 直接安装,报错如下
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
一、安装snaps
先安装epel:
[root@mail ~]# yum install epel-release
安装snaps:
[root@mail ~]# yum install snapd
启动snapd.socket:
[root@mail ~]# systemctl enable --now snapd.socket
创建/var/lib/snapd/snap和/snap之间的链接:
[root@mail ~]# ln -s /var/lib/snapd/snap /snap
重启系统,确保snap启用
将snap更新至最新版本:
[root@mail ~]# snap install core
[root@mail ~]# snap refresh core
二、certbot安装
卸载已安装的certbot和相关文件(如果有安装的话执行):
[root@mail ~]#yum remove certbot
[root@mail ~]#rm /usr/local/bin/certbot-auto
[root@mail ~]#rm -rf /opt/eff.org/certbot
安装certbot:
[root@mail ~]#snap install --classic certbot
创建/snap/bin/certbot的软链接,方便certbot命令的使用:
[root@mail ~]#ln -s /snap/bin/certbot /usr/bin/certbot
生成ssl证书:
[root@mail ~]#certbot certonly --standalone -d main.zimbra.com -m 123@qq.com --agree-tos //注意:main.zimbra.com是zimbra的域名,123@qq.com是你的邮箱
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for mail.zimbra.com
Performing the following challenges:
http-01 challenge for mail.staginfo.com
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123@qq.com).IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.zimbra.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.zimbra.com/privkey.pem
Your certificate will expire on 2021-08-19. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
证书位置在 /etc/letsencrypt/live/mail.chenxie.net/ 目录下:
[root@mail ~]# ll /etc/letsencrypt/live/mail.zimbra.com/
total 4
lrwxrwxrwx 1 root root 40 Nov 29 11:54 cert.pem -> ../../archive/mail.zimbra.com/cert1.pem
lrwxrwxrwx 1 root root 41 Nov 29 11:54 chain.pem -> ../../archive/mail.zimbra.com/chain1.pem
lrwxrwxrwx 1 root root 45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.zimbra.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Nov 29 11:54 privkey.pem -> ../../archive/mail.zimbra.com/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README
将根证书内容追加到chain.pem之后,完成后你的chain.pem内容应该像下面这样:
-----BEGIN CERTIFICATE-----
你的Chain内容
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
拷贝生成的所有证书从/etc/letsencrypt/live/mail.chenxie.net/ 到 /opt/zimbra/ssl/letsencrypt/ 目录:
[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt
[root@mail ~]# cp /etc/letsencrypt/live/mail.zimbra.com/* /opt/zimbra/ssl/letsencrypt/
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra 692 Nov 29 12:20 README
切换到 zimbra 用户:
[root@mail ~]#su - zimbra
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
三、开始部署
切换到 zimbra 用户进行部署:
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
备份:
[zimbra@mail letsencrypt]$ exit
[root@mail ssl]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
将私钥拷贝到Zimbra认识的商业证书目录:
[root@mail ssl]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’? y
[root@mail ssl]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
配置生效:
[root@mail ssl]# su - zimbra
Last login: Fri May 21 09:38:24 CST 2021 on pts/0
[zimbra@mail ~]$ chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
ERROR: open input 'cert.pem' failed: No such file or directory
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.zimbra.com...failed (rc=1)
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/c97c4c49.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c97c4c49.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'
重启zimbra服务:
[zimbra@mail ~]$ zmcontrol restart
四、自动更新
默认证书有效期是3个月,所以需要续期
创建定时任务
[root@mail ssl]#sudo crontab -e
在最后添加:30 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log,如下:
0 0 * * * /opt/search/es-index-clear.sh > /dev/null 2>&1
0 1 * * 6 /usr/sbin/ntpdate ntp.aliyun.com ;/sbin/hwclock -w > /dev/null 2>&1
#* * * * * /opt/search/reboot-kibana.sh >> /opt/search/reboot-kibana.log 2>&1
30 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
生效:sudo crontab -l
总结
参考了多位大神的文章后,根据自己实际情况并部署成功的总结