In the previous post we installed Zimbra 8.8.15. Logging in to the web client, however, produces a certificate warning. With the warning ignored and port 25 unblocked, mail already flows in and out, but a permanent certificate warning is unfriendly and makes the site feel unsafe. A valid SSL certificate protects data in transit with encryption, so that it cannot simply be read off the wire. This post therefore describes how to install a trusted SSL certificate for Zimbra 8.8.15 using Let's Encrypt.
Let's Encrypt certificates are free and trusted by browsers, but they are valid for only 3 months, so they have to be renewed every 3 months. Later we will automate renewal with a script to avoid the hassle of doing it by hand each time.
This post is adapted from the Zimbra wiki; the original is at https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
Note: this post applies to Zimbra 8.7 and later. For Zimbra 8.6 and earlier, follow the original wiki article.
Operating system: CentOS 7.7 64-bit
Zimbra version: Zimbra-8.8.15
1. Stop services (as the zimbra user; the standalone challenge below needs port 80 free)
[zimbra@mail ~]$ zmproxyctl stop
[zimbra@mail ~]$ zmmailboxdctl stop
2. Clone the letsencrypt repository from GitHub
Cloning needs git; if it is not installed, install it with:
[root@mail ~]# yum -y install git
Then clone:
[root@mail ~]# mkdir -p /opt/software
[root@mail ~]# cd /opt/software/
[root@mail software]# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (83/83), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 71624 (delta 42), reused 60 (delta 29), pack-reused 71541
Receiving objects: 100% (71624/71624), 23.59 MiB | 5.57 MiB/s, done.
Resolving deltas: 100% (52610/52610), done.
3. Issue the certificate
[root@mail software]# cd letsencrypt/
[root@mail letsencrypt]# ./letsencrypt-auto certonly --standalone
......
(a series of dependency packages is installed automatically)
......
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [your email address] <-- enter an email address at which you can be reached
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a <-- enter a to accept the terms
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n <-- asks whether to share your email address with the EFF; I entered n to decline
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): mail.chenxie.net <-- enter your domain name, e.g. mail.chenxie.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.chenxie.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.chenxie.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.chenxie.net/privkey.pem
Your cert will expire on 2020-02-27. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate has been issued.
The certificate files are in /etc/letsencrypt/live/mail.chenxie.net/:
[root@mail ~]# ll /etc/letsencrypt/live/mail.chenxie.net/
total 4
lrwxrwxrwx 1 root root 40 Nov 29 11:54 cert.pem -> ../../archive/mail.chenxie.net/cert1.pem
lrwxrwxrwx 1 root root 41 Nov 29 11:54 chain.pem -> ../../archive/mail.chenxie.net/chain1.pem
lrwxrwxrwx 1 root root 45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.chenxie.net/fullchain1.pem
lrwxrwxrwx 1 root root 43 Nov 29 11:54 privkey.pem -> ../../archive/mail.chenxie.net/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README
cert.pem is your certificate
chain.pem is the intermediate chain
fullchain.pem is cert.pem and chain.pem concatenated
privkey.pem is your private key
The chain Let's Encrypt issues does not include the CA root certificate, so you need to fetch the IdenTrust root certificate and append it to the end of chain.pem.
IdenTrust root certificate: https://www.identrust.com/dst-root-ca-x3
After appending the root certificate, your chain.pem should look like this:
-----BEGIN CERTIFICATE-----
(your chain content)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the IdenTrust root certificate content)
-----END CERTIFICATE-----
Copy all the issued certificate files from /etc/letsencrypt/live/mail.chenxie.net/ to /opt/zimbra/ssl/letsencrypt/:
[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt
[root@mail ~]# cp /etc/letsencrypt/live/mail.chenxie.net/* /opt/zimbra/ssl/letsencrypt/
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra 692 Nov 29 12:20 README
Switch to the zimbra user and verify the certificate against the key and the chain:
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
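The two manual steps above, appending the root to chain.pem and then running zmcertmgr verifycrt, can be reproduced and checked with plain openssl. The script below is an added example, not code from the original post or from the Zimbra wiki. It takes the root certificate as a parameter rather than hard-coding DST Root CA X3 (that root expired on 2021-09-30 and Let's Encrypt chains now end at ISRG Root X1), appends it only if it is not already in chain.pem (so a re-run after renewal does not stack duplicates), and then performs the same two checks verifycrt performs: that privkey.pem belongs to cert.pem, and that cert.pem chains up to the root through the intermediates. The file names are the ones from the post; the script name and the root path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the Zimbra wiki.
# Builds a chain.pem that ends with a root CA (passed in as ROOT so that the
# root currently used by Let's Encrypt can be supplied), then performs the
# same checks as "zmcertmgr verifycrt": key/certificate match and a valid chain.
set -eu

# Number of PEM certificate blocks in FILE.
pem_count() {  # pem_count FILE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds if a certificate with CERT's SHA-256 fingerprint is already in CHAIN.
chain_has_cert() {  # chain_has_cert CHAIN CERT
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    tmp=$(mktemp -d)
    # Split CHAIN into one file per certificate block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
    found=1
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Append ROOT to CHAIN unless it is already there, so a re-run after renewal
# does not stack duplicate copies of the root.
append_root_once() {  # append_root_once CHAIN ROOT
    if chain_has_cert "$1" "$2"; then
        echo "root already present in $1"
        return 0
    fi
    # Make sure CHAIN ends with a newline before appending.
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    cat "$2" >> "$1"
}

# Succeeds if KEY and CERT carry the same public key (verifycrt's first check).
key_matches_cert() {  # key_matches_cert KEY CERT
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Succeeds if CERT chains up to ROOT via the intermediates in CHAIN
# (verifycrt's second check).
verify_chain() {  # verify_chain CERT CHAIN ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Usage (assumed script name): sh lechain.sh /opt/zimbra/ssl/letsencrypt /path/to/root.pem
if [ -n "${2:-}" ]; then
    dir=$1 root=$2
    append_root_once "$dir/chain.pem" "$root"
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" || { echo "privkey.pem does not match cert.pem" >&2; exit 1; }
    verify_chain "$dir/cert.pem" "$dir/chain.pem" "$root" || { echo "cert.pem does not chain to $root" >&2; exit 1; }
    echo "OK: chain.pem now holds $(pem_count "$dir/chain.pem") certificates"
fi
```

Run it on the copy in /opt/zimbra/ssl/letsencrypt rather than on /etc/letsencrypt/live, because the files there are symlinks into the archive directory that certbot manages; if the chain check fails here, zmcertmgr verifycrt will fail with the same cause.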
1. Back up the existing Zimbra certificate directory
[root@mail ~]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
2. Copy the private key into the commercial-certificate directory that Zimbra expects
[root@mail ~]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
3. Deploy the certificate
Switch to the zimbra user to deploy:
[root@mail ~]# su - zimbra
Last login: Fri Nov 29 12:29:32 CST 2019 on pts/0
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.chenxie.net...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.chenxie.net...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/a36b8486.0
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'a36b8486.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
4. Restart the Zimbra services
[zimbra@mail ~]$ zmcontrol restart
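The four deployment steps above, run as root, can be collected into one script, with two checks that the post otherwise leaves to the browser: whether cert.pem is close to its 3-month expiry, and whether the certificate actually served on port 443 and on port 25 (after STARTTLS) is the one that was deployed. This is an added example, not code from the original post or from Zimbra; the paths are the ones used in the post, the script name and the HOST argument are assumptions, and the 30-day threshold is the point at which Let's Encrypt recommends renewing.

```shell
#!/bin/sh
# Added example, not code from the original post or from Zimbra: the four
# deployment steps as one script run as root, plus post-deployment checks.
# Paths follow the post; HOST and the script name are assumed.
set -eu

LE_DIR=/opt/zimbra/ssl/letsencrypt
ZSSL=/opt/zimbra/ssl/zimbra
COMM_KEY=$ZSSL/commercial/commercial.key

# Dated backup directory name, same scheme as "cp -a ... zimbra.$(date +%Y%m%d)".
backup_name() {  # backup_name YYYYMMDD
    printf '%s.%s\n' "$ZSSL" "$1"
}

# Succeeds if CERT will still be valid DAYS days from now.
cert_valid_for_days() {  # cert_valid_for_days CERT DAYS
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds if the certificate served on HOST:PORT has the same SHA-256
# fingerprint as CERT. PROTO (optional) is passed to -starttls, e.g. "smtp"
# for port 25; omit it for ports that speak TLS from the start (443, 993).
served_cert_matches() {  # served_cert_matches CERT HOST PORT [PROTO]
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    if [ -n "${4:-}" ]; then
        got=$(printf '' | openssl s_client -connect "$2:$3" -servername "$2" -starttls "$4" 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    else
        got=$(printf '' | openssl s_client -connect "$2:$3" -servername "$2" 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    fi
    [ "$want" = "$got" ]
}

deploy() {
    # 1. Back up the current Zimbra certificate directory.
    cp -a "$ZSSL" "$(backup_name "$(date +%Y%m%d)")"
    # 2. Put the Let's Encrypt key where zmcertmgr expects a commercial key,
    #    owned by zimbra and readable only by that user.
    install -o zimbra -g zimbra -m 600 "$LE_DIR/privkey.pem" "$COMM_KEY"
    # 3. Verify, then deploy, as the zimbra user (deploycrt reads the key from COMM_KEY).
    su - zimbra -c "cd $LE_DIR && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"
    su - zimbra -c "cd $LE_DIR && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem"
    # 4. Restart so proxy, mailboxd, MTA and LDAP pick up the new files.
    su - zimbra -c "zmcontrol restart"
}

# Usage (assumed script name):
#   sh deploy-le.sh deploy        (as root, on the Zimbra server)
#   sh deploy-le.sh check HOST    (after the restart; HOST is the mail server's name)
case "${1:-}" in
    deploy) deploy ;;
    check)
        host=$2
        if cert_valid_for_days "$LE_DIR/cert.pem" 30; then
            echo "cert.pem is valid for more than 30 days"
        else
            echo "WARNING: cert.pem expires within 30 days; renew it" >&2
        fi
        if served_cert_matches "$LE_DIR/cert.pem" "$host" 443; then
            echo "443: serving the deployed certificate"
        else
            echo "443: served certificate differs from cert.pem" >&2
        fi
        if served_cert_matches "$LE_DIR/cert.pem" "$host" 25 smtp; then
            echo "25 (STARTTLS): serving the deployed certificate"
        else
            echo "25 (STARTTLS): served certificate differs from cert.pem" >&2
        fi
        ;;
esac
```

The check subcommand compares fingerprints rather than just looking for the absence of a browser warning, so it also catches the case where one service (for example the MTA on port 25) was not restarted and is still presenting the old certificate.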
Open your server address in a browser: if there is no certificate warning and the padlock in the address bar is green, the deployment succeeded.
The next post will show how to install and renew the Zimbra SSL certificate quickly with a script; stay tuned.