Learn how to install a Let’s Encrypt SSL Certificate on your Zimbra Mail Server with our detailed guide. This tutorial will help you implement Zimbra SSL Installation to secure your email communication using POP3/IMAP/SMTP over TLS and enable HTTPS access to the Zimbra web console. Follow these steps to effectively use LetsEncrypt SSL with Zimbra and ensure your server is protected.

Installing Zimbra SSL Installation With Let’s Encrypt

Prerequisites

  • Certbot or a similar tool to obtain a Let’s Encrypt certificate
  • A domain properly configured in your DNS

Installing Certbot

First, download Certbot, make it executable, and move it to the appropriate directory:

Once installed, verify that Certbot is working correctly by checking its version:

If everything is set up properly, you should see something like this:

Create SSL with ISRG Root X1

UPDATE:
As of September 30, 2021, the IdenTrust DST Root CA X3 has expired, but don’t worry! The new ISRG Root X1, which is cross-signed, will be valid until September 30, 2024.

Now, we’re using ISRG Root X1.

To create your SSL certificate with ISRG Root X1, run the following command:

Stop Zimbra Proxy Service

Before proceeding, you’ll need to stop certain Zimbra services like zimbra-proxy and zimbra-mailboxd:

Install Let’s Encrypt SSL for Your Hostname

Now, install the Let’s Encrypt SSL certificate for your domain:

Check your certificates in the following directory:

Create a Directory for Zimbra SSL

Create a new directory to store the SSL files for Zimbra:

Then, change the directory’s ownership to Zimbra:

In this directory, you’ll find the following files:

  • cert.pem: The actual SSL certificate.
  • chain.pem: The certificate chain file.
  • fullchain.pem: A combination of cert.pem and chain.pem.
  • privkey.pem: The private key for the certificate.
Baca juga:  Mengenal Istilah cur new dan tmp Email

Setup Your Zimbra with Let’s Encrypt SSL Certificate

Create directory that will hold Let’s Encrypt certificates for Zimbra Server.

Copy Certificate files.

Confirm files are copied successfully.

NOTE: We now need to build a proper Intermediate CA plus Root CA. You must to use the IdenTrust root Certificate and merge it after the chain.pem

  • https://letsencrypt.org/certs/trustid-x3-root.pem.txt
  • ISRG Root X1

View the file contents:

OR

Baca juga:  Tips Zimbra Terindikasi Spam

Set Correct Directory Permissions:

First, make sure the directory containing the Let’s Encrypt certificates has the right permissions. This ensures that only the zimbra user has full access.

Verify Access as the zimbra User

Log in as the zimbra user and check that you can access the directory and its files.

Verify Your Zimbra SSL Installation

Run the following command to ensure your commercial certificate is set up correctly. The result should show OK if everything is correct.

The result should look like this:

Backup Current Certificate Files (Optional)

If you want, you can back up the current certificate files before making changes.

Copy the Private Key to the Zimbra SSL Path

Next, copy the private key to the Zimbra SSL directory and set the correct permissions.

Deploy the New Zimbra Install Let’s Encrypt

Finally, deploy the new Let’s Encrypt certificate to Zimbra.

The installation result should be displayed.

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK
** Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.computingforgeeks.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.computingforgeeks.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/6703d76b.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '6703d76b.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'

Restart Zimbra Services

To apply the changes, restart the Zimbra services with the following command:

And that’s it! You’ve successfully installed SSL on your Zimbra Mail Server. For certificate renewal, follow these steps:

Looking to streamline your Zimbra Mail Server setup and ensure seamless SSL certificate integration? We offer professional installation and maintenance services to keep your email communications secure and efficient.

Contact us for expert assistance with Zimbra SSL installation and ongoing support.