
Assalamualaikum, in this article I will share tips on installing a Let's Encrypt SSL certificate on Zimbra.
Why Let's Encrypt? Because this SSL certificate comes from an open-source project and the certificate is valid/trusted in the Zimbra webmail client.
Here are the steps to install a Let's Encrypt SSL certificate on Zimbra.
Download and validate Let's Encrypt
- Install the git command with the following (skip this if git is already installed)
    yum -y install git
- Then download Let's Encrypt using git. Make sure the clone finishes completely without errors.
    [root@webmail ~]# cd /tmp
    [root@webmail /tmp/]# git clone https://github.com/letsencrypt/letsencrypt
    Cloning into 'letsencrypt'...
    remote: Enumerating objects: 54, done.
    remote: Counting objects: 100% (54/54), done.
    remote: Compressing objects: 100% (52/52), done.
    remote: Total 78440 (delta 12), reused 10 (delta 2), pack-reused 78386
    Receiving objects: 100% (78440/78440), 41.87 MiB | 9.11 MiB/s, done.
    Resolving deltas: 100% (57631/57631), done.
- Stop the Zimbra proxy and mailbox services before running the installer (the standalone authenticator used below needs to bind port 80 itself).
    zmproxyctl stop
    zmmailboxdctl stop
- Change into the Let's Encrypt installer directory and validate the Let's Encrypt SSL certificate.
- Run the following to validate with a single hostname.
    [root@webmail /tmp/]# cd letsencrypt
    [root@webmail /tmp/letsencrypt]# ./letsencrypt-auto certonly --standalone
- Run the following to validate with multiple hostnames.
    [root@webmail /tmp/letsencrypt]# ./letsencrypt-auto certonly --standalone -d zimbra.ilmuzimbra.lab -d box.ilmuzimbra.lab
- Enter an email address for renewal reminders and security notices.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c'
    to cancel): admin@ilmuzimbra.lab
- Type A to continue the validation process.
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
- Enter the Zimbra hostname; mine is webmail.ilmuzimbra.lab.
    Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
    to cancel): webmail.ilmuzimbra.lab
- Wait until the validation process finishes.
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for webmail.ilmuzimbra.lab
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/webmail.ilmuzimbra.lab/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/webmail.ilmuzimbra.lab/privkey.pem
       Your cert will expire on 2020-09-24. To obtain a new or tweaked
       version of this certificate in the future, simply run letsencrypt-auto
       again. To non-interactively renew *all* of your certificates, run
       "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
- Check that the Let's Encrypt certificate we just generated is present in the /etc/letsencrypt/live/hostname directory.
    [root@webmail ~]# cd /etc/letsencrypt/live/webmail.ilmuzimbra.lab
    [root@webmail /etc/letsencrypt/live/webmail.ilmuzimbra.lab]# ls
    cert.pem  chain.pem  fullchain.pem  privkey.pem  README
- Edit the chain.pem file
    vim chain.pem
Add the following lines at the very bottom of the file, then save and exit. This CA certificate is obtained from https://letsencrypt.org/certs/trustid-x3-root.pem.txt.
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----
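Pasting the root CA into chain.pem by hand has to be repeated after every renewal, and doing it twice leaves a duplicate root in the bundle (or fuses the BEGIN line onto a file with no trailing newline). The following POSIX shell script is an added example, not code from the original article or from Zimbra: it performs the same step idempotently by comparing certificate bodies, appends the root only when it is absent, and counts the certificates in the bundle. The file names and the PEM contents in the test are constructed placeholders, not real certificates. Whatever root you append, also check its own notAfter date with openssl, because a root that has expired will fail chain verification just as a missing one does.

```shell
#!/bin/sh
# Added example, not from the original article: an idempotent version of the
# "edit chain.pem and paste the root CA at the bottom" step. It compares the
# base64 bodies of the certificates so the root is appended only when it is
# missing, handles a bundle without a trailing newline, and counts the
# certificates in the resulting bundle. File names below are assumptions.

# Print the base64 body of every certificate in a PEM file, one certificate
# per output line, so bundles can be compared regardless of line wrapping.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----/   { print body; inside = 0; next }
        inside { body = body $0 }
    ' "$1"
}

# Number of certificates in a PEM bundle.
pem_count() {
    pem_bodies "$1" | wc -l | tr -d ' '
}

# Append every certificate in $2 (the root CA file) to the bundle $1 unless an
# identical certificate is already there. Prints how many were added.
append_ca_if_missing() {
    bundle=$1; ca=$2; added=0
    # Base64 bodies contain no whitespace, so word splitting is safe here.
    for body in $(pem_bodies "$ca"); do
        if pem_bodies "$bundle" | grep -qxF "$body"; then
            continue            # already present: nothing to do
        fi
        # A bundle without a final newline would otherwise fuse the BEGIN line.
        if [ -n "$(tail -c 1 "$bundle")" ]; then
            echo >> "$bundle"
        fi
        {
            echo '-----BEGIN CERTIFICATE-----'
            printf '%s\n' "$body" | fold -w 64
            echo '-----END CERTIFICATE-----'
        } >> "$bundle"
        added=$((added + 1))
    done
    echo "$added"
}

# Live use (not run here), in /etc/letsencrypt/live/<hostname>, with the root
# saved as root.pem (assumed file name):
#   append_ca_if_missing chain.pem root.pem
#   openssl x509 -noout -enddate -in root.pem    # the root's own expiry matters too
#   openssl verify -CAfile chain.pem cert.pem    # same check zmcertmgr verifycrt makes
```

Running the function a second time on the same bundle prints 0 and leaves the file unchanged, which is what makes it safe to call from a renewal hook.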
Verify the Let's Encrypt SSL Certificate
- Copy all files from /etc/letsencrypt/live/hostname to /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# mkdir -p /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# cp /etc/letsencrypt/live/webmail.ilmuzimbra.lab/* /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt -R
    [root@webmail ~]# ll /opt/zimbra/ssl/letsencrypt/
    total 20
    -rw-r----- 1 zimbra zimbra 1915 Jun 26 11:37 cert.pem
    -rw-r----- 1 zimbra zimbra 2847 Jun 26 11:37 chain.pem
    -rw-r----- 1 zimbra zimbra 3562 Jun 26 11:37 fullchain.pem
    -rw-r----- 1 zimbra zimbra 1704 Jun 26 11:37 privkey.pem
    -rw-r----- 1 zimbra zimbra  692 Jun 26 11:37 README
- Run the following as the zimbra user to verify the Let's Encrypt certificate we generated
    [root@webmail /opt/zimbra/ssl/letsencrypt]# su - zimbra
    [zimbra@webmail /opt/zimbra/ssl/letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
    ** Verifying 'cert.pem' against 'privkey.pem'
    Certificate 'cert.pem' and private key 'privkey.pem' match.
    Certificate 'cert.pem' and private key 'privkey.pem' match.
    ** Verifying 'cert.pem' against 'chain.pem'
    Valid certificate chain: cert.pem: OK
Make sure the result reads OK or match before going on.
Deploy the Let's Encrypt SSL Certificate
- First, back up the Zimbra SSL directory
    [root@webmail ~]# rsync -auvr /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
- Put privkey.pem in place as commercial.key
    [root@webmail ~]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
- The final step is deploying the SSL certificate; run the following as the zimbra user.
    [root@webmail ~]# cd /opt/zimbra/ssl/letsencrypt
    [zimbra@webmail /opt/zimbra/ssl/letsencrypt]# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
    ** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
    Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
    ** Verifying 'cert.pem' against 'chain.pem'
    Valid certificate chain: cert.pem: OK
    ** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
    ** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
    ** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
    ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
    ** NOTE: restart mailboxd to use the imported certificate.
    ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer webmail.ilmuzimbra.lab...ok
    ** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer webmail.ilmuzimbra.lab...ok
    ** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
    ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
    ** Creating keystore '/opt/zimbra/conf/imapd.keystore'
    ** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
    ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
    ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
    ** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
    ** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
    ** NOTE: restart services to use the new certificates.
    ** Cleaning up 3 files from '/opt/zimbra/conf/ca'
    ** Removing /opt/zimbra/conf/ca/ca.key
    ** Removing /opt/zimbra/conf/ca/ca.pem
    ** Removing /opt/zimbra/conf/ca/9baa92e2.0
    ** Copying CA to /opt/zimbra/conf/ca
    ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
    ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
    ** Creating CA hash symlink '9baa92e2.0' -> 'ca.pem'
    ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
    ** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
    ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
    ** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
- Make sure no errors are reported while the SSL certificate is deployed.
- Restart the Zimbra services once the certificate has been deployed successfully
    zmcontrol restart
- Check the deployed certificate with the following command
    [zimbra@webmail ~]$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    - imapd: /opt/zimbra/conf/imapd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - ldap: /opt/zimbra/conf/slapd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - mta: /opt/zimbra/conf/smtpd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - proxy: /opt/zimbra/conf/nginx.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
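The listing above is also the thing to watch after the 90 days are up: a Let's Encrypt certificate that was renewed but not redeployed, or a service that was not restarted, keeps serving the old one. As an added example that is not from the original article or from Zimbra, the following POSIX shell script parses the same viewdeployedcrt output to report days remaining per service and to flag services that present a different certificate from the others. The sample listing is constructed from the article's output (trimmed to three services); zmcertmgr itself only appears in the commented live-use line, and the date arithmetic is done in the shell so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example, not from the original article: a post-deploy check that parses
# "zmcertmgr viewdeployedcrt" output and reports, per Zimbra service, how many
# days remain on the certificate that service is actually serving, and whether
# every service presents the same certificate (a service that was not restarted
# still serves the old one). The sample listing is constructed from the
# article's own output, trimmed to three services.

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "Sep 24 03:26:48 2020 GMT" (the notAfter format printed by openssl and by
# zmcertmgr) -> Unix seconds. Only this format is handled; anything else fails.
cert_time_to_epoch() {
    set -- $1                               # Mon DD HH:MM:SS YYYY GMT
    case $1 in
        Jan) mon=1;;  Feb) mon=2;;  Mar) mon=3;;  Apr) mon=4;;
        May) mon=5;;  Jun) mon=6;;  Jul) mon=7;;  Aug) mon=8;;
        Sep) mon=9;;  Oct) mon=10;; Nov) mon=11;; Dec) mon=12;;
        *) return 1;;
    esac
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    days=$(days_from_civil "$4" "$mon" "$2")
    echo $(( days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# stdin: viewdeployedcrt output -> "service<TAB>notAfter<TAB>subject" per service.
parse_deployed() {
    awk '
        /^- [a-z]+: /  { svc = $2; sub(/:$/, "", svc) }
        /^notAfter=/   { na = substr($0, 10) }
        /^subject=/    { s = $0; sub(/^subject= */, "", s); print svc "\t" na "\t" s }
    '
}

# Number of distinct certificates across services (1 means every service agrees).
distinct_certs() {
    parse_deployed | cut -f2- | sort -u | wc -l | tr -d ' '
}

# $1 = warning threshold in days, $2 = reference time in Unix seconds
# (use "$(date +%s)" live). stdin: viewdeployedcrt output. Prints "service days"
# per service and returns 1 if any certificate expires within the threshold.
check_deployed() {
    threshold=$1; now=$2
    parse_deployed | {
        rc=0
        while IFS="$(printf '\t')" read -r svc na subj; do
            if ! end=$(cert_time_to_epoch "$na"); then
                echo "$svc unparseable-notAfter"; rc=1; continue
            fi
            days=$(( (end - now) / 86400 ))
            echo "$svc $days"
            if [ "$days" -lt "$threshold" ]; then rc=1; fi
        done
        exit "$rc"
    }
}

# Constructed sample: the article's listing, trimmed to three of the five services.
sample_output() {
    cat <<'EOF'
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 26 03:26:48 2020 GMT
notAfter=Sep 24 03:26:48 2020 GMT
subject= /CN=webmail.ilmuzimbra.lab
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=webmail.ilmuzimbra.lab
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 26 03:26:48 2020 GMT
notAfter=Sep 24 03:26:48 2020 GMT
subject= /CN=webmail.ilmuzimbra.lab
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=webmail.ilmuzimbra.lab
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 26 03:26:48 2020 GMT
notAfter=Sep 24 03:26:48 2020 GMT
subject= /CN=webmail.ilmuzimbra.lab
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=webmail.ilmuzimbra.lab
EOF
}

# Live use, as the zimbra user (warn when fewer than 30 days remain):
#   /opt/zimbra/bin/zmcertmgr viewdeployedcrt | check_deployed 30 "$(date +%s)"
#   [ "$(/opt/zimbra/bin/zmcertmgr viewdeployedcrt | distinct_certs)" = 1 ] || echo "services disagree"
```

The non-zero exit status from check_deployed is what a cron job or monitoring check keys on; distinct_certs catching a value above 1 right after a deploy is the sign that zmcontrol restart was skipped or only partly succeeded.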
That's all for this article; I hope it is useful.
Wassalamualaikum.
Is there an example configuration for the auto-renew, bro?
Hi Ardi,
There is, bro, it will be in the next article.
On some Zimbra 8 / CentOS 7 installs this does not run using:
./letsencrypt-auto certonly --standalone
The solution is:
yum install certbot certbot-nginx mod-ssl -y
certbot certonly --standalone -d domainkamu.com
The remaining steps are the same ..
Might be useful ..
Hi,
Thank you for the input.
Hello, I run Zimbra with multiple domains, and each domain uses Let's Encrypt. How should that be configured? The same way or differently?
Hi Mas,
The configuration can be the same; the -d option selects the domain, so just enter each domain there.
Or you can follow this reference: https://computingforgeeks.com/using-letsencrypt-wildcard-certificate-nginx-apache/
Good luck!
Hello, I would like to ask:
if the server has 2 domains and one domain already has RapidSSL installed, can I install a Let's Encrypt certificate for the other domain?
Zimbra version 8.04
Hi Mas,
My suggestion is to use a Multi-SAN (Subject Alt Names) certificate, so that one and the same SSL certificate can serve several different domains. Say there are 2 domains, a.com and b.com.
Let's Encrypt already supports Multi-SAN certificates; on the -d domain.com attribute you can add the other domains, for example -d a.com -d b.com. Check the Let's Encrypt documentation for the full details.