Using Let's Encrypt to install a trusted SSL certificate on Zimbra 8.8.15

In the previous post we installed Zimbra 8.8.15, but the web client shows a certificate error at login. Once that error is ignored and port 25 has been unblocked, mail can already be sent and received, but a permanent certificate warning is unfriendly and makes the server look insecure. A valid SSL certificate protects data in transit with encryption so it cannot be intercepted easily, so this post shows how to install a trusted SSL certificate on Zimbra 8.8.15 with Let's Encrypt.

Let's Encrypt certificates are completely free and trusted by browsers, but they are valid for only 3 months, so they have to be renewed every 3 months. Later we can automate the renewal with a script and avoid doing it by hand each time.

This post is adapted from the Zimbra wiki; if you need it, the original is at https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Note: this post applies to Zimbra 8.7 and later; for Zimbra 8.6 and earlier, follow the original article.

Environment:

Operating system: CentOS 7.7 64-bit

Zimbra version: Zimbra-8.8.15

I. Install Let's Encrypt

1. Stop the services (the standalone authenticator used in step 3 needs port 80, which the Zimbra proxy is holding)

[zimbra@mail ~]$ zmproxyctl stop
[zimbra@mail ~]$ zmmailboxdctl stop

2. Clone the letsencrypt repository from GitHub

Cloning needs git; if it is not installed, install it first:

[root@mail ~]# yum -y install git

Clone the repository:

[root@mail ~]# mkdir -p /opt/software
[root@mail ~]# cd /opt/software/
[root@mail software]# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (83/83), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 71624 (delta 42), reused 60 (delta 29), pack-reused 71541
Receiving objects: 100% (71624/71624), 23.59 MiB | 5.57 MiB/s, done.
Resolving deltas: 100% (52610/52610), done.

3. Generate the certificate

[root@mail software]# cd letsencrypt/
[root@mail letsencrypt]# ./letsencrypt-auto certonly --standalone
......
(a series of dependency packages is installed automatically)
......
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]         <-- enter an email address where you can be reached

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a         <-- enter a to accept the terms

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n         <-- asks whether to share your email address with the foundation; I entered n to decline
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mail.chenxie.net         <-- enter your domain name, e.g. mail.chenxie.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.chenxie.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.chenxie.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.chenxie.net/privkey.pem
   Your cert will expire on 2020-02-27. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate has been generated.

The certificate files are in the /etc/letsencrypt/live/mail.chenxie.net/ directory:

[root@mail ~]# ll /etc/letsencrypt/live/mail.chenxie.net/
total 4
lrwxrwxrwx 1 root root  40 Nov 29 11:54 cert.pem -> ../../archive/mail.chenxie.net/cert1.pem
lrwxrwxrwx 1 root root  41 Nov 29 11:54 chain.pem -> ../../archive/mail.chenxie.net/chain1.pem
lrwxrwxrwx 1 root root  45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.chenxie.net/fullchain1.pem
lrwxrwxrwx 1 root root  43 Nov 29 11:54 privkey.pem -> ../../archive/mail.chenxie.net/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README

cert.pem is your certificate

chain.pem is the intermediate chain

fullchain.pem is cert.pem and chain.pem concatenated

privkey.pem is your private key


II. Build the intermediate and root CA chain

The certificate issued by Let's Encrypt does not include the root CA certificate, so you need the IdenTrust root certificate and have to append it to the end of chain.pem.

IdenTrust root certificate: https://www.identrust.com/dst-root-ca-x3

After the root certificate has been appended to chain.pem, the contents of your chain.pem should look like this:

-----BEGIN CERTIFICATE-----
(your chain contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(contents of the IdenTrust root certificate)
-----END CERTIFICATE-----
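As an added example (not from the original post or the Zimbra wiki), the following shell script checks a chain.pem assembled this way: it splits the bundle into individual certificates, confirms that each certificate's issuer is the subject of the certificate that follows it, and confirms that the last certificate is self-signed, which is what "root CA appended" means in practice. It assumes the openssl command-line tool is installed; the path of the bundle is passed as the only argument.

```shell
#!/bin/sh
# Added example; not from the original post or the Zimbra wiki. Checks that a
# chain.pem is complete: each certificate's issuer must be the subject of the
# certificate that follows it, and the last one must be self-signed (the root).
# Assumes the openssl command-line tool is installed.

# Split a PEM bundle into one file per certificate in a temp dir; print the dir.
split_pem() {
    dir=$(mktemp -d)
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    ' "$1"
    echo "$dir"
}

# Print the subject or issuer DN of a certificate, without the "subject=" prefix.
dn_of() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# Return 0 when the bundle is a linked chain ending in a self-signed root.
chain_is_complete() {
    dir=$(split_pem "$1")
    count=0
    prev_issuer=""
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        count=$((count + 1))
        subject=$(dn_of subject "$f")
        issuer=$(dn_of issuer "$f")
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain breaks at certificate $count: expected '$prev_issuer', found '$subject'" >&2
            rm -rf "$dir"
            return 1
        fi
        prev_issuer=$issuer
        last_subject=$subject
    done
    rm -rf "$dir"
    [ "$count" -gt 0 ] || return 1
    if [ "$last_subject" != "$prev_issuer" ]; then
        echo "last certificate ($last_subject) is not self-signed: root CA is missing" >&2
        return 1
    fi
    echo "chain of $count certificate(s) is complete and ends in a root"
}

# Usage: sh check_chain.sh /opt/zimbra/ssl/letsencrypt/chain.pem
[ "$#" -eq 0 ] || chain_is_complete "$1"
```

Run it against chain.pem before handing the file to zmcertmgr: a bundle that still lacks the root fails with "root CA is missing", and a bundle whose certificates are in the wrong order reports where the link breaks.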


III. Verify your commercial certificate

Copy all the generated certificate files from /etc/letsencrypt/live/mail.chenxie.net/ to the /opt/zimbra/ssl/letsencrypt/ directory:

[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt
[root@mail ~]# cp /etc/letsencrypt/live/mail.chenxie.net/* /opt/zimbra/ssl/letsencrypt/
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra  692 Nov 29 12:20 README

Switch to the zimbra user:

[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK


IV. Deploy the certificate

1. Back up

[root@mail ~]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")


2. Copy the private key into the commercial certificate directory that Zimbra expects

[root@mail ~]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key


3. Deploy

Switch to the zimbra user and deploy:

[root@mail ~]# su - zimbra
Last login: Fri Nov 29 12:29:32 CST 2019 on pts/0
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.chenxie.net...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.chenxie.net...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/a36b8486.0
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'a36b8486.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'


4. Restart the Zimbra services

[zimbra@mail ~]$ zmcontrol restart
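Steps I to IV collected into one script, as an added example that is not part of the original post or of Zimbra's own tooling. It assumes certbot's files sit under /etc/letsencrypt/live/$DOMAIN, that the IdenTrust root has already been saved to the path in ROOT_CA (an assumed location), and that the zimbra user exists on the mail server. The two file-handling functions can run anywhere; deploy_to_zimbra, which wraps the zmcertmgr and zmcontrol commands shown above, runs only when the script is invoked with the deploy argument on the server.

```shell
#!/bin/sh
# Added example; not from the original post or from Zimbra. Collects the manual
# steps above into functions so they can be re-run after each renewal.
# Assumptions: certbot's files are under /etc/letsencrypt/live/$DOMAIN, the
# IdenTrust root was saved to $ROOT_CA beforehand (assumed path), and the
# zimbra user exists on the mail server.
DOMAIN="${DOMAIN:-mail.chenxie.net}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"
STAGE_DIR="/opt/zimbra/ssl/letsencrypt"
ROOT_CA="${ROOT_CA:-/opt/zimbra/ssl/letsencrypt-root.pem}"

# Copy cert.pem, chain.pem and privkey.pem out of certbot's live directory
# (dereferencing its symlinks) and restrict the private key to its owner.
stage_certs() {
    live=$1
    stage=$2
    mkdir -p "$stage"
    for f in cert.pem chain.pem privkey.pem; do
        cp -L "$live/$f" "$stage/$f" || return 1
    done
    chmod 644 "$stage/cert.pem" "$stage/chain.pem"
    chmod 600 "$stage/privkey.pem"
    # chown only where the zimbra user exists (it will not on a test machine)
    if id zimbra >/dev/null 2>&1; then
        chown zimbra:zimbra "$stage"/*.pem
    fi
}

# Append the root CA to chain.pem unless it already ends with it, so repeated
# runs after a renewal never stack extra copies of the root.
build_chain() {
    chain=$1
    root=$2
    root_lines=$(grep -c '' "$root")
    if tail -n "$root_lines" "$chain" | cmp -s - "$root"; then
        return 0
    fi
    # make sure the last line of chain.pem is newline-terminated before appending
    if [ -n "$(tail -c 1 "$chain")" ]; then
        echo >> "$chain"
    fi
    cat "$root" >> "$chain"
}

# Steps IV.1 to IV.4 from the post: back up, install the key in the commercial
# slot, verify and deploy as the zimbra user, then restart the services.
deploy_to_zimbra() {
    stage=$1
    cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date '+%Y%m%d')"
    cp "$stage/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
    chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
    su - zimbra -c "cd '$stage' && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem" || return 1
    su - zimbra -c "cd '$stage' && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem" || return 1
    su - zimbra -c "zmcontrol restart"
}

# Only the explicit "deploy" argument touches the live system; running the
# script without arguments just defines the functions.
if [ "${1:-}" = "deploy" ]; then
    stage_certs "$LIVE_DIR" "$STAGE_DIR" || exit 1
    build_chain "$STAGE_DIR/chain.pem" "$ROOT_CA" || exit 1
    deploy_to_zimbra "$STAGE_DIR"
fi
```

After a renewal (certbot's own "letsencrypt-auto renew", as its output above suggests) the same "deploy" invocation repeats the whole sequence; build_chain compares the tail of chain.pem with the root file first, so the root is appended exactly once no matter how often the script runs.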


V. Test that the certificate is in effect

Open your server's address in a browser; if no certificate error appears and the certificate indicator in the address bar is green, the deployment succeeded.

The next post will show how to install and renew Zimbra SSL certificates quickly with a script; stay tuned.
