Using Let's Encrypt SSL certificates with Zimbra

2022-03-29


Preface: after Zimbra Server is installed, it needs a valid SSL certificate before everything works properly.

Because the IdenTrust root certificate (DST Root CA X3) that Let's Encrypt used to chain to expired on 2021-09-30, a different chain must be used for issuance and verification to work properly.

This article records how to issue and deploy such a certificate; the Zimbra installation itself is skipped and we go straight to the certificate installation steps.

 

1. Stop the services first. Run the following two commands as root (each command already does su to the zimbra service account, so there is no need to switch to the zimbra user separately).

sudo su - zimbra -c "zmproxyctl stop"

Stopping proxy...done.

sudo su - zimbra -c "zmmailboxctl stop"

Stopping mailboxd...done.

 

2. As root, request the certificate with the following command. You must add --preferred-chain "ISRG Root X1" so that certbot returns the chain that ends at ISRG Root X1 instead of the default chain, which is still cross-signed through the expired DST Root CA X3. If no authenticator is configured, certbot will ask which one to use; with the proxy stopped in step 1, the standalone authenticator can bind port 80 for the HTTP-01 challenge.

certbot certonly -d mail.domain.com.tw --preferred-chain "ISRG Root X1"

 

After the command completes, the following output appears:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.domain.com.tw/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.domain.com.tw/privkey.pem
   Your cert will expire on 20XX-XX-XX. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

 

3. Copy the ISRG Root X1 root certificate from the following URL

https://letsencrypt.org/certs/isrgrootx1.pem.txt

Append the root certificate to the end of /etc/letsencrypt/live/mail.domain.com.tw/chain.pem, after the intermediate certificate that is already there. The order matters: the file must read intermediate first, then root, because zmcertmgr appends this chain to the server certificate and the result is sent to clients in leaf-to-root order. Note that chain.pem under live/ is a symlink into archive/, and certbot writes a fresh chain.pem without the root on every renewal, so this step has to be repeated after each renewal.

 

4. Copy the certificate files to /opt/zimbra/ssl/letsencrypt/ (create the directory if it does not exist, and change the ownership of the directory and everything in it to zimbra:zimbra, because the following steps run as the zimbra user)

cp /etc/letsencrypt/live/mail.domain.com.tw/* /opt/zimbra/ssl/letsencrypt/

 

5. Switch to the zimbra account and change to the following directory

cd /opt/zimbra/ssl/letsencrypt/

 

6. As the zimbra user, run the following command to verify that the private key matches the certificate and that the chain validates

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

 

If nothing is wrong, the following messages appear, ending in OK, which means the verification succeeded

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/privkey.pem'

Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/letsencrypt/privkey.pem' match.

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK

 

7. Switch back to root, back up the existing Zimbra certificate directory, then overwrite the commercial private key. Afterwards check that commercial.key is owned by zimbra:zimbra and readable only by that user (a file newly created by root will be owned by root); otherwise deploycrt in the next step cannot read it.

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

 

8. Switch to the zimbra account, change to /opt/zimbra/ssl/letsencrypt/ and deploy the certificate

cd /opt/zimbra/ssl/letsencrypt/

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

 

The following messages appear:

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

Certificate '/opt/zimbra/ssl/letsencrypt/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.

** Verifying '/opt/zimbra/ssl/letsencrypt/cert.pem' against '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

Valid certificate chain: /opt/zimbra/ssl/letsencrypt/cert.pem: OK

** Copying '/opt/zimbra/ssl/letsencrypt/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'

** Copying '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'

** Appending ca chain '/opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'

** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

** NOTE: restart mailboxd to use the imported certificate.

** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.domain.com.tw...ok

** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.domain.com.tw...ok

** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'

** Creating keystore '/opt/zimbra/conf/imapd.keystore'

** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'

** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'

** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'

** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'

** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'

** NOTE: restart services to use the new certificates.

** Cleaning up 3 files from '/opt/zimbra/conf/ca'

** Removing /opt/zimbra/conf/ca/ca.key

** Removing /opt/zimbra/conf/ca/6703d76b.0

** Removing /opt/zimbra/conf/ca/ca.pem

** Copying CA to /opt/zimbra/conf/ca

** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'

** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'

** Creating CA hash symlink '6703d76b.0' -> 'ca.pem'

** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt

** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'

** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt

** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'

 

9. After confirming there were no errors, restart the Zimbra services as the zimbra user

zmcontrol restart

 

10. Log in to the web interface again; the new SSL certificate is now in effect.
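Steps 3 to 9 have to be repeated every time the certificate renews: Let's Encrypt certificates are valid for 90 days, and certbot writes a fresh chain.pem without the root on each renewal. The following shell script is an added example, not code from the original post or from Zimbra or certbot; it packages those steps as a certbot deploy hook. It assumes that the ISRG Root X1 PEM from the URL in step 3 has been saved once to /etc/letsencrypt/isrgrootx1.pem, that Zimbra lives under /opt/zimbra, and that certbot exports RENEWED_LINEAGE to the hook (certbot does this for deploy hooks). The script name zimbra-le-deploy.sh and the helper names count_certs, first_cert, last_cert, build_chain and stage_and_deploy are the example's own.

```shell
#!/bin/sh
# zimbra-le-deploy.sh: hypothetical certbot deploy hook (added example, not from the post,
# Zimbra or certbot) that repeats steps 3-9 of this page on every renewal.
# Assumptions: Zimbra under /opt/zimbra; ISRG Root X1 saved once to /etc/letsencrypt/isrgrootx1.pem
# (from https://letsencrypt.org/certs/isrgrootx1.pem.txt); certbot exports RENEWED_LINEAGE.
set -eu

ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
STAGE_DIR="$ZIMBRA_HOME/ssl/letsencrypt"
ROOT_PEM="${ROOT_PEM:-/etc/letsencrypt/isrgrootx1.pem}"

# Number of PEM certificate blocks in FILE (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# First certificate block of FILE, trailing whitespace/CR stripped so blocks compare byte-for-byte.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblk = 1 }
         inblk { sub(/[ \t\r]+$/, ""); print }
         /-----END CERTIFICATE-----/ { if (inblk) exit }' "$1"
}

# Last certificate block of FILE, same normalisation.
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { blk = "" }
         { sub(/[ \t\r]+$/, ""); blk = blk $0 "\n" }
         END { printf "%s", blk }' "$1"
}

# build_chain CHAIN_IN ROOT_PEM CHAIN_OUT
# Step 3: CHAIN_OUT = intermediate(s) from CHAIN_IN followed by the self-signed root, in that
# order (zmcertmgr appends the chain to the leaf, and clients receive leaf -> intermediate -> root).
# The root is appended only when it is not already the last block, so re-running the hook on an
# already extended chain never stacks duplicate copies of the root.
build_chain() {
    chain_in=$1; root=$2; chain_out=$3
    tmp="$chain_out.tmp.$$"
    if [ "$(last_cert "$chain_in")" = "$(first_cert "$root")" ]; then
        cat "$chain_in" > "$tmp"
    else
        cat "$chain_in" "$root" > "$tmp"
    fi
    mv "$tmp" "$chain_out"
    # Sanity checks: at least intermediate + root, and the root really is the last block.
    [ "$(count_certs "$chain_out")" -ge 2 ]
    [ "$(last_cert "$chain_out")" = "$(first_cert "$root")" ]
}

# stage_and_deploy LINEAGE_DIR: steps 4-9, run as root, with zmcertmgr invoked as the zimbra user.
stage_and_deploy() {
    lineage=$1
    mkdir -p "$STAGE_DIR"
    cp -L "$lineage/cert.pem" "$lineage/privkey.pem" "$STAGE_DIR/"        # step 4, following live/ symlinks
    build_chain "$lineage/chain.pem" "$ROOT_PEM" "$STAGE_DIR/chain.pem"     # step 3, on a copy of chain.pem
    chown -R zimbra:zimbra "$STAGE_DIR"
    chmod 600 "$STAGE_DIR/privkey.pem"
    su - zimbra -c "cd '$STAGE_DIR' && '$ZIMBRA_HOME/bin/zmcertmgr' verifycrt comm privkey.pem cert.pem chain.pem"  # step 6
    cp -a "$ZIMBRA_HOME/ssl/zimbra" "$ZIMBRA_HOME/ssl/zimbra.$(date +%Y%m%d%H%M%S)"                                 # step 7, backup
    install -o zimbra -g zimbra -m 600 "$STAGE_DIR/privkey.pem" "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key" # step 7, key
    su - zimbra -c "cd '$STAGE_DIR' && '$ZIMBRA_HOME/bin/zmcertmgr' deploycrt comm cert.pem chain.pem"              # step 8
    su - zimbra -c "zmcontrol restart"                                                                               # step 9
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.domain.com.tw) when it runs a deploy
# hook; invoked any other way, the script only defines the helpers above and deploys nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_and_deploy "$RENEWED_LINEAGE"
fi
```

Register the hook once with certbot certonly ... --deploy-hook /usr/local/sbin/zimbra-le-deploy.sh; certbot stores it in the renewal configuration. If the certificate was issued with the standalone authenticator, also pass a --pre-hook that stops the Zimbra proxy and a --post-hook that starts it again, since the proxy holds port 80. certbot renew --dry-run exercises issuance but by default does not run deploy hooks, so run the hook once by hand (RENEWED_LINEAGE=/etc/letsencrypt/live/mail.domain.com.tw sh zimbra-le-deploy.sh) and confirm that zmcertmgr prints OK before relying on it.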