Let’s Encrypt SSL certificate installation on the Zimbra domain

Zimbra is a dedicated mail server that manages contacts, mailbox contents, attachments, calendars, and more.

Here we are going to install Let’s Encrypt free SSL on a Zimbra mail domain.

How to install Let’s Encrypt SSL on a Zimbra domain?

You can install Let’s Encrypt SSL on the Zimbra domain using the certbot utility.

First, you have to stop the jetty and nginx services (Zimbra's mailbox and proxy).

su zimbra
zmproxyctl stop
zmmailboxdctl stop
# leave the zimbra shell; the package install and certbot need root
exit
yum install certbot
certbot certonly

If your system does not provide the certbot package, you can use the snapd package to install certbot.

  • Install the EPEL repository on the server.
yum install epel-release
  • Install the snapd package using the command below.
sudo yum install snapd
  • Enable snapd on the server.
sudo systemctl enable --now snapd.socket
  • Sometimes the above command does not work completely; in that case, run the given command to create a symbolic link between /var/lib/snapd/snap and /snap.
sudo ln -s /var/lib/snapd/snap /snap
  • Install snap core.
sudo snap install core
sudo snap refresh core
  • Install certbot on the server.
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • Now you can run the given command to generate the Let’s Encrypt certificates for the domain.
sudo certbot certonly

Choose option 1: Spin up a temporary webserver (standalone).

Then enter the domain name of your Zimbra installation.

For example, mail.skynats.com

Then the Let’s Encrypt SSL certificates can be found inside your system’s /etc/letsencrypt/live/mail.skynats.com/ folder.

There you can see the cert.pem, chain.pem, fullchain.pem and privkey.pem files.

  • Next, add the given text at the end of your chain.pem file.
-----BEGIN CERTIFICATE-----
Your chain
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(certificate text to append)
-----END CERTIFICATE-----
  • Create a folder named /opt/zimbra/ssl/letsencrypt and copy the certificate files there. (Copy each file manually by pasting its content, because the files under /etc/letsencrypt/live/ are symlinks and copying them directly can cause conflicts.)
mkdir -p /opt/zimbra/ssl/letsencrypt/

Copy the content of /etc/letsencrypt/live/mail.skynats.com/cert.pem, chain.pem, fullchain.pem and privkey.pem and paste it into /opt/zimbra/ssl/letsencrypt/cert.pem, chain.pem, fullchain.pem and privkey.pem respectively.

Next, change the ownership of the /opt/zimbra/ssl/letsencrypt folder to the zimbra user.

chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
  • Then you have to verify the certificates.
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
  • Deploy the certificates.
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Restart the Zimbra services as the zimbra user using the commands below.

su zimbra
zmproxyctl start
zmmailboxdctl start
zmcontrol restart

You can now access the Zimbra domain with SSL (https).

https://domain.com
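
As an alternative to pasting each file by hand in the copy step above, the following added example (not part of the original article) stages the four files with cp -L, which follows the symlinks in /etc/letsencrypt/live/ and writes regular files, and restricts privkey.pem to its owner. The function name stage_le_certs and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage (as root, before the verifycrt step):
#   stage_le_certs /etc/letsencrypt/live/mail.skynats.com /opt/zimbra/ssl/letsencrypt zimbra:zimbra
# OWNER is optional so the function can also be tried as a non-root user.
stage_le_certs() {
    src=$1; dst=$2; owner=${3:-}
    # Refuse to start unless all four files exist, are non-empty and look like PEM.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
        grep -q -- '-----BEGIN ' "$src/$f" || { echo "not PEM: $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    old_umask=$(umask)
    umask 077   # new files start owner-only, so the key is never readable by others
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        rm -f "$dst/$f"
        # -L dereferences the live/ symlink and writes a regular file
        cp -L "$src/$f" "$dst/$f" || { umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
    chmod 644 "$dst/cert.pem" "$dst/chain.pem" "$dst/fullchain.pem"
    chmod 600 "$dst/privkey.pem"
    if [ -n "$owner" ]; then chown -R "$owner" "$dst" || return 1; fi
    # Final check: every staged file must be a regular file, not a symlink.
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$dst/$f" ] && [ ! -L "$dst/$f" ] || return 1
    done
}

# Run directly when the script is given a source and destination directory.
if [ "$#" -ge 2 ]; then stage_le_certs "$@"; fi
```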

It is easy to set up SSL for the Zimbra domain, but many users run into errors when they install Let’s Encrypt without following the proper procedure.

Our technical team with proficient knowledge in Mail Servers will help you at any time troubleshooting issues with any kind of mail server.
