Learn how to install a Let’s Encrypt SSL Certificate on your Zimbra Mail Server with our detailed guide. This tutorial will help you implement Zimbra SSL Installation to secure your email communication using POP3/IMAP/SMTP over TLS and enable HTTPS access to the Zimbra web console. Follow these steps to effectively use LetsEncrypt SSL with Zimbra and ensure your server is protected.
Zimbra SSL Installation With Let’s Encrypt
Prerequisites
- Certbot or a similar tool to obtain a Let’s Encrypt certificate
- A domain properly configured in your DNS
Installing Certbot
First, download Certbot, make it executable, and move it to the appropriate directory:
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin
Once installed, verify that Certbot is working correctly by checking its version:
certbot-auto --version
If everything is set up properly, you should see something like this:
Unofficial certbot-auto version detected, self-upgrade is disabled: 1.9.0.dev0
Creating virtual environment...
Installing Python packages...
Installation succeeded.
certbot 1.8.0
Create SSL with ISRG Root X1
UPDATE:
As of September 30, 2021, the IdenTrust DST Root CA X3 has expired, but don’t worry! The new ISRG Root X1, which is cross-signed, will be valid until September 30, 2024. Now, we’re using ISRG Root X1.
To create your SSL certificate with ISRG Root X1, run the following command:
certbot-auto certonly --standalone --preferred-chain "ISRG Root X1"
Stop Zimbra Proxy Service
Before proceeding, you’ll need to stop certain Zimbra services like zimbra-proxy and zimbra-mailboxd:
sudo su - zimbra -c "zmproxyctl stop"
Stopping proxy...done.
sudo su - zimbra -c "zmmailboxdctl stop"
Stopping mailboxd...done.
Install Let’s Encrypt SSL for Your Hostname
Now, install the Let’s Encrypt SSL certificate for your domain:
certbot-auto certonly --standalone -d mail.gemaroprek.com -d mail.secondarydomain.com
Check your certificates in the following directory:
ls -lh /etc/letsencrypt/live/
Create a Directory for Zimbra SSL
Create a new directory to store the SSL files for Zimbra:
sudo mkdir /opt/zimbra/ssl/letsencrypt
Then, change the directory’s ownership to Zimbra:
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
Certbot’s live directory for the domain, /etc/letsencrypt/live/mail.gemaroprek.com/, contains the following files:
- cert.pem: The actual SSL certificate.
- chain.pem: The certificate chain file.
- fullchain.pem: A combination of cert.pem and chain.pem.
- privkey.pem: The private key for the certificate.
Setup Your Zimbra with Let’s Encrypt SSL Certificate
Create the directory that will hold the Let’s Encrypt certificates for the Zimbra server, if it does not already exist.
sudo mkdir -p /opt/zimbra/ssl/letsencrypt
Copy Certificate files.
CERTPATH=/etc/letsencrypt/live/mail.gemaroprek.com
sudo cp $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
Confirm files are copied successfully.
ls /opt/zimbra/ssl/letsencrypt/
cert.pem chain.pem fullchain.pem privkey.pem README
NOTE: We now need to build a proper chain file containing the intermediate CA plus the root CA. You must use the IdenTrust root certificate and merge it after chain.pem.
https://letsencrypt.org/certs/trustid-x3-root.pem.txt - ISRG Root X1
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
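View the file contents. It should hold the intermediate CA certificate followed by the root CA certificate, each as its own PEM block.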
OR download a prepared chain file:
wget -O - https://gist.githubusercontent.com/GemarOprek/b0d4065254cfe73c2a594cb2021c89a4/raw/700651a70dc4e57dfeac89765b14184d328daaea/letsencryptCA.txt | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
Set Correct Directory Permissions:
First, make sure the directory containing the Let’s Encrypt certificates has the right permissions. This ensures that only the zimbra user has full access.
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
Verify Access as the zimbra User
Log in as the zimbra user and check that you can access the directory and its files.
$ ls -lha /opt/zimbra/ssl/letsencrypt/
total 124K
drwxr-xr-x 2 zimbra zimbra 117 Jun 19 23:29 .
drwxr-xr-x. 87 zimbra zimbra 4.0K Sep 1 03:30 ..
-rw-r--r-- 1 zimbra zimbra 692 Jun 19 23:29 README
-rw-r--r-- 1 zimbra zimbra 1.9K Jun 19 23:29 cert.pem
-rw-r--r-- 1 zimbra zimbra 91K Sep 1 03:30 chain.pem
-rw-r--r-- 1 zimbra zimbra 5.5K Jun 19 23:29 fullchain.pem
-rw------- 1 zimbra zimbra 1.7K Jun 19 23:29 privkey.pem
-rw-r--r-- 1 zimbra zimbra 4.9K Jun 19 23:29 zimbra_chain.pem
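An added example, not part of the original guide: a pre-deploy check on the staged files, whether zimbra_chain.pem was built by hand or downloaded. `chain_report` lists every certificate in a PEM bundle and fails if a block is malformed or expires within a given number of seconds; `key_is_private` fails if the key is readable by group or others. The function names are hypothetical and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.
# Requires the openssl command-line tool.

# chain_report BUNDLE [MIN_SECONDS]
# Prints "<n> OK|EXPIRING <subject>" or "<n> MALFORMED" for each certificate in
# a PEM bundle. Returns 1 if the bundle holds no certificate, a block cannot be
# parsed (for example a paste that lost its END line), or a certificate expires
# within MIN_SECONDS (default 0, i.e. already expired).
chain_report() {
    bundle=$1 min=${2:-0} rc=0 i=1
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per BEGIN CERTIFICATE block.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { if (f != "") close(f); f = "" }
    ' "$bundle"
    while [ -f "$tmp/$i.pem" ]; do
        if ! subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject 2>/dev/null); then
            echo "$i MALFORMED"; rc=1
        elif openssl x509 -in "$tmp/$i.pem" -noout -checkend "$min" >/dev/null 2>&1; then
            echo "$i OK $subj"
        else
            echo "$i EXPIRING $subj"; rc=1
        fi
        i=$((i + 1))
    done
    [ "$i" -gt 1 ] || { echo "no certificate found in $bundle" >&2; rc=1; }
    rm -rf "$tmp"
    return "$rc"
}

# key_is_private FILE: succeeds only if FILE grants nothing to group or others.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed usage: sh check.sh /opt/zimbra/ssl/letsencrypt 2592000
if [ -n "${1:-}" ]; then
    chain_report "$1/zimbra_chain.pem" "${2:-0}" && key_is_private "$1/privkey.pem"
fi
```

Passing 2592000 as the second argument flags any certificate in the chain that expires within 30 days.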
Verify Your Zimbra SSL Installation
Run the following command to ensure your commercial certificate is set up correctly. The result should show OK if everything is correct.
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
The result should look like this:
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
Backup Current Certificate Files (Optional)
If you want, you can back up the current certificate files before making changes.
sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d-%H%M")
Copy the Private Key to the Zimbra SSL Path
Next, copy the private key to the Zimbra SSL directory and set the correct permissions.
sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
Deploy the New Let’s Encrypt Certificate to Zimbra
Finally, deploy the new Let’s Encrypt certificate to Zimbra.
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
The installation result should be displayed.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.computingforgeeks.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.computingforgeeks.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/6703d76b.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '6703d76b.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Restart Zimbra Services
To apply the changes, restart the Zimbra services with the following command:
sudo su - zimbra -c "zmcontrol restart"
And that’s it! You’ve successfully installed SSL on your Zimbra Mail Server. For certificate renewal, follow these steps:
- Stop Zimbra Services
- Renew your Let’s Encrypt SSL certificate
- Then, follow the remaining steps from Install Let’s Encrypt SSL for Your Hostname or you can make your own script
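One way to script the renewal steps above, as an added example that is not part of the original guide. It refuses to deploy a certificate that fails `zmcertmgr verifycrt` and always restarts Zimbra, even when a step fails. `DOMAIN`, `ROOT_CA` (a root certificate file you have obtained and checked yourself), the `--run` argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): its renewal steps as one script.
# DOMAIN and ROOT_CA are placeholders. Run as root. DRY_RUN=1 prints the plan only.
DOMAIN=${DOMAIN:-mail.example.com}
ROOT_CA=${ROOT_CA:-/root/root-ca.pem}
LIVE=/etc/letsencrypt/live/$DOMAIN
DEST=/opt/zimbra/ssl/letsencrypt
COMM=/opt/zimbra/ssl/zimbra/commercial
ZMCERT=/opt/zimbra/bin/zmcertmgr

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
as_zimbra() { run su - zimbra -c "$1"; }

# Renew, stage, verify and deploy. The && chain stops at the first failing
# step, so a certificate that fails verifycrt is never deployed.
stage_and_deploy() {
    run certbot-auto renew &&
    run cp "$LIVE/cert.pem" "$LIVE/privkey.pem" "$DEST/" &&
    run sh -c 'cat "$1" "$2" > "$3"' sh "$LIVE/chain.pem" "$ROOT_CA" "$DEST/zimbra_chain.pem" &&
    run chown -R zimbra:zimbra "$DEST" &&
    as_zimbra "$ZMCERT verifycrt comm $DEST/privkey.pem $DEST/cert.pem $DEST/zimbra_chain.pem" &&
    run cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date +%Y%m%d-%H%M)" &&
    run cp "$DEST/privkey.pem" "$COMM/commercial.key" &&
    run chown zimbra:zimbra "$COMM/commercial.key" &&
    as_zimbra "$ZMCERT deploycrt comm $DEST/cert.pem $DEST/zimbra_chain.pem"
}

renew_zimbra_cert() {
    rc=0
    as_zimbra "zmproxyctl stop"      # certbot's standalone mode needs the HTTP port
    as_zimbra "zmmailboxdctl stop"
    stage_and_deploy || rc=$?
    as_zimbra "zmcontrol restart"    # always bring services back, even on failure
    return "$rc"
}

# Only act when invoked with an explicit argument.
if [ "${1:-}" = "--run" ]; then renew_zimbra_cert; fi
```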