Renew the Let's Encrypt certificate of a Zimbra server

After installing a Let's Encrypt SSL certificate according to the https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate article, you will need to renew the certificate later. To renew it, do the following:

Log in to the server as root and renew the certificate:

# letsencrypt renew

Change directory to the Zimbra Let's Encrypt SSL folder:

# cd /opt/zimbra/ssl/letsencrypt/

Copy the new SSL files to the Zimbra Let's Encrypt folder, then change their owner to zimbra:

# cp /etc/letsencrypt/live/yourdomain.com/* .
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

Add the X3 root certificate to our chain.pem, at the bottom of the file, after our own chain part:

# vim /opt/zimbra/ssl/letsencrypt/chain.pem

-----BEGIN CERTIFICATE-----
OUR CHAIN PART
-----END CERTIFICATE-----

Now let's verify our certificates with the Zimbra certificate manager:

# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

If you see a done message in your console, first make a backup, of course:

# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Before deploying the SSL certificate, you need to copy privkey.pem to the Zimbra SSL commercial path, like this:

# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

We are ready to deploy the new certificates. Run the deploycrt command via zmcertmgr:

# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Finally, restart Zimbra:

# su zimbra
$ zmcontrol restart

Hopefully you have now renewed the Let's Encrypt SSL certificate of your Zimbra server. You can check your SSL here.
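
The checks below can be run on the Let's Encrypt folder before the deploycrt step, alongside zmcertmgr verifycrt. This is an added example, not part of the original article or of Zimbra's tooling; it assumes openssl is installed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-deploy checks for the files
# in the Zimbra Let's Encrypt folder. All function names are hypothetical.

# Number of certificates in a PEM bundle.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# chain.pem is sent to every client, so it must not hold key material
# (the wildcard cp in the copy step also puts privkey.pem in the same folder).
no_private_key() {
  ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Succeeds only if the key and the certificate carry the same public key.
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 2
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Fails if any certificate in the bundle expires within $2 seconds (default 0,
# i.e. already expired). A hand-pasted root has a fixed end date of its own.
chain_not_expired() (
  rc=0
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$1"
  for f in "$tmp"/c*.pem; do
    [ -e "$f" ] || { rc=2; break; }
    if ! openssl x509 -in "$f" -noout -checkend "${2:-0}" >/dev/null; then
      echo "expiring: $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')" >&2
      rc=1
    fi
  done
  rm -rf "$tmp"
  exit "$rc"
)

# Run every check on a folder laid out like /opt/zimbra/ssl/letsencrypt.
# Assumption: chain.pem holds at least two certificates (chain part + root).
preflight() (
  dir=${1:-/opt/zimbra/ssl/letsencrypt}
  no_private_key "$dir/chain.pem" || { echo "key material in chain.pem" >&2; exit 1; }
  [ "$(count_certs "$dir/chain.pem")" -ge 2 ] || { echo "chain.pem incomplete" >&2; exit 1; }
  key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" || { echo "key/cert mismatch" >&2; exit 1; }
  chain_not_expired "$dir/cert.pem" && chain_not_expired "$dir/chain.pem"
)
```

Source the file as root and call preflight; a non-zero status means the folder should be fixed before deploying. Passing a window such as 2592000 to chain_not_expired flags certificates that expire within 30 days.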
