Assalamualaikum. In this article I will share tips for installing a Let's Encrypt SSL certificate on Zimbra.
Why Let's Encrypt? Because this SSL certificate is open source, and the certificate is valid/trusted for the Zimbra webmail client.
Here are the steps to install a Let's Encrypt SSL certificate on Zimbra.
Download and validate Let's Encrypt
- Install the git command with the following command (skip this if git is already installed)
    yum -y install git
- Then download Let's Encrypt with git. Make sure the package has finished downloading without errors.
    [root@webmail ~]# cd /tmp
    [root@webmail /tmp/]# git clone https://github.com/letsencrypt/letsencrypt
    Cloning into 'letsencrypt'...
    remote: Enumerating objects: 54, done.
    remote: Counting objects: 100% (54/54), done.
    remote: Compressing objects: 100% (52/52), done.
    remote: Total 78440 (delta 12), reused 10 (delta 2), pack-reused 78386
    Receiving objects: 100% (78440/78440), 41.87 MiB | 9.11 MiB/s, done.
    Resolving deltas: 100% (57631/57631), done.
- Stop the Zimbra proxy and mailbox services before running the installation.
    zmproxyctl stop
    zmmailboxdctl stop
- Enter the Let's Encrypt installer folder and validate the Let's Encrypt SSL certificate.
- Run the following command to validate SSL for a single hostname.
    [root@webmail /tmp/]# cd letsencrypt
    [root@webmail /tmp/letsencrypt]# ./letsencrypt-auto certonly --standalone
- Run the following command to validate SSL for multiple hostnames.
    [root@webmail /tmp/letsencrypt]# ./letsencrypt-auto certonly --standalone -d zimbra.ilmuzimbra.lab -d box.ilmuzimbra.lab
- Enter an email address for key renewal and security notifications.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): admin@ilmuzimbra.lab
- Type A to continue the validation process
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
    agree in order to register with the ACME server at
    https://acme-v02.api.letsencrypt.org/directory
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (A)gree/(C)ancel: A
- Enter the Zimbra hostname; mine is webmail.ilmuzimbra.lab
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
    to cancel): webmail.ilmuzimbra.lab
- Wait until the validation process finishes.
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for webmail.ilmuzimbra.lab
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/webmail.ilmuzimbra.lab/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/webmail.ilmuzimbra.lab/privkey.pem
       Your cert will expire on 2020-09-24. To obtain a new or tweaked
       version of this certificate in the future, simply run letsencrypt-auto
       again. To non-interactively renew *all* of your certificates, run
       "letsencrypt-auto renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a secure
       backup of this folder now. This configuration directory will also
       contain certificates and private keys obtained by Certbot so making
       regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
- Make sure the Let's Encrypt SSL certificate we just generated is present in the /etc/letsencrypt/live/hostname directory.
    [root@webmail ~]# cd /etc/letsencrypt/live/webmail.ilmuzimbra.lab
    [root@webmail /etc/letsencrypt/live/webmail.ilmuzimbra.lab]# ls
    cert.pem  chain.pem  fullchain.pem  privkey.pem  README
- Edit the chain.pem file
    vim chain.pem
Add the following lines at the very bottom of the certificate file, then save and exit. The CA certificate is taken from https://letsencrypt.org/certs/trustid-x3-root.pem.txt.
    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----
Verify the Let's Encrypt SSL certificate
- Copy all the files in /etc/letsencrypt/live/hostname to /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# mkdir -p /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# cp /etc/letsencrypt/live/webmail.ilmuzimbra.lab/* /opt/zimbra/ssl/letsencrypt
    [root@webmail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt -R
    [root@webmail ~]# ll /opt/zimbra/ssl/letsencrypt/
    total 20
    -rw-r----- 1 zimbra zimbra 1915 Jun 26 11:37 cert.pem
    -rw-r----- 1 zimbra zimbra 2847 Jun 26 11:37 chain.pem
    -rw-r----- 1 zimbra zimbra 3562 Jun 26 11:37 fullchain.pem
    -rw-r----- 1 zimbra zimbra 1704 Jun 26 11:37 privkey.pem
    -rw-r----- 1 zimbra zimbra  692 Jun 26 11:37 README
- Run the following command as the zimbra user to verify the Let's Encrypt SSL certificate we generated
    [root@webmail /opt/zimbra/ssl/letsencrypt]# su - zimbra
    [zimbra@webmail /opt/zimbra/ssl/letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
    ** Verifying 'cert.pem' against 'privkey.pem'
    Certificate 'cert.pem' and private key 'privkey.pem' match.
    Certificate 'cert.pem' and private key 'privkey.pem' match.
    ** Verifying 'cert.pem' against 'chain.pem'
    Valid certificate chain: cert.pem: OK
Make sure the result is OK or match.
Deploy the Let's Encrypt SSL certificate
- First back up the Zimbra SSL directory
    [root@webmail ~]# rsync -auvr /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
- Copy the privkey.pem file into place as commercial.key
    [root@webmail ~]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
- The last step is to deploy the SSL certificate: run the following command as the zimbra user.
    [root@webmail ~]# cd /opt/zimbra/ssl/letsencrypt
    [zimbra@webmail /opt/zimbra/ssl/letsencrypt]# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
    ** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
    Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
    ** Verifying 'cert.pem' against 'chain.pem'
    Valid certificate chain: cert.pem: OK
    ** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
    ** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
    ** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
    ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
    ** NOTE: restart mailboxd to use the imported certificate.
    ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer webmail.ilmuzimbra.lab...ok
    ** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer webmail.ilmuzimbra.lab...ok
    ** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
    ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
    ** Creating keystore '/opt/zimbra/conf/imapd.keystore'
    ** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
    ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
    ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
    ** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
    ** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
    ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
    ** NOTE: restart services to use the new certificates.
    ** Cleaning up 3 files from '/opt/zimbra/conf/ca'
    ** Removing /opt/zimbra/conf/ca/ca.key
    ** Removing /opt/zimbra/conf/ca/ca.pem
    ** Removing /opt/zimbra/conf/ca/9baa92e2.0
    ** Copying CA to /opt/zimbra/conf/ca
    ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
    ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
    ** Creating CA hash symlink '9baa92e2.0' -> 'ca.pem'
    ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
    ** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
    ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
    ** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
- Make sure there are no errors while deploying the SSL certificate.
- Restart the Zimbra services once the SSL certificate has been deployed successfully
    zmcontrol restart
- Check the deployed SSL certificate with the command
    [zimbra@webmail ~]$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    - imapd: /opt/zimbra/conf/imapd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - ldap: /opt/zimbra/conf/slapd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - mta: /opt/zimbra/conf/smtpd.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
    - proxy: /opt/zimbra/conf/nginx.crt
    notBefore=Jun 26 03:26:48 2020 GMT
    notAfter=Sep 24 03:26:48 2020 GMT
    subject= /CN=webmail.ilmuzimbra.lab
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    SubjectAltName=webmail.ilmuzimbra.lab
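The certificate obtained above is valid for 90 days (the certbot output says it expires on 2020-09-24), so every manual step from stopping the proxy through zmcontrol restart has to be repeated at each renewal. The script below is an added example, not code from the article, from Zimbra or from Certbot: it wraps the article's steps (stop proxy and mailboxd, certonly --standalone, copy to /opt/zimbra/ssl/letsencrypt, append the root CA to chain.pem, verifycrt, backup, commercial.key, deploycrt, zmcontrol restart) in one POSIX sh script and refuses to deploy if verification fails. The environment variables, the run_as_zimbra helper and the append_root_once function are my assumptions; the defaults are the article's paths. Certbot's --non-interactive, --agree-tos and -m flags replace the interactive prompts shown above, and cp -a replaces the article's rsync for the backup. The root appended to chain.pem is whatever ROOT_CA points at: the article's DST Root CA X3 carries a notAfter of 2021-09-30 in its own encoded validity field, so on a current installation use the root that actually signs the chain certbot delivers.

```shell
#!/bin/sh
# Added example (not the article's, Zimbra's or Certbot's code): automate the
# Let's Encrypt request + Zimbra deploy steps. All paths/commands are
# overridable so the logic can be exercised off a Zimbra host (assumptions).
set -eu

FQDN="${FQDN:-webmail.ilmuzimbra.lab}"
ADMIN_EMAIL="${ADMIN_EMAIL:-admin@ilmuzimbra.lab}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$FQDN}"
CERTBOT="${CERTBOT:-/tmp/letsencrypt/letsencrypt-auto}"
ROOT_CA="${ROOT_CA:-}"            # PEM of the root signing chain.pem; empty = do not append
ZIMBRA_SSL="${ZIMBRA_SSL:-/opt/zimbra/ssl}"
ZMCERTMGR="${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}"
ZMCONTROL="${ZMCONTROL:-/opt/zimbra/bin/zmcontrol}"
ZMPROXYCTL="${ZMPROXYCTL:-/opt/zimbra/bin/zmproxyctl}"
ZMMAILBOXDCTL="${ZMMAILBOXDCTL:-/opt/zimbra/bin/zmmailboxdctl}"
ZIMBRA_USER="${ZIMBRA_USER:-zimbra}"
ZIMBRA_GROUP="${ZIMBRA_GROUP:-$ZIMBRA_USER}"

# zmcertmgr/zmcontrol must run as the zimbra user (the article uses su - zimbra).
# Arguments are joined with spaces for su -c, so keep paths free of whitespace.
run_as_zimbra() {
    if [ "$(id -un)" = "$ZIMBRA_USER" ]; then "$@"; else su - "$ZIMBRA_USER" -c "$*"; fi
}

# Number of certificate blocks in a PEM file (0 if the file is missing or empty).
pem_count() {
    if [ -f "$1" ]; then grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; else echo 0; fi
}

# Append ROOT ($2) to CHAIN ($1) exactly once. The article does this by hand in
# vim; repeating that on every renewal would keep duplicating the root block.
append_root_once() {
    root_body=$(grep -v -- '-----' "$2" | tr -d '\n')
    chain_body=$(grep -v -- '-----' "$1" | tr -d '\n')
    case "$chain_body" in
        *"$root_body"*) ;;                 # already present, nothing to do
        *) cat "$2" >> "$1" ;;
    esac
}

# Step 1: obtain or renew the certificate. Standalone mode needs port 80, so
# proxy and mailboxd are stopped first and started again even if certbot fails.
request_cert() {
    run_as_zimbra "$ZMPROXYCTL" stop
    run_as_zimbra "$ZMMAILBOXDCTL" stop
    rc=0
    "$CERTBOT" certonly --standalone --non-interactive --agree-tos \
        -m "$ADMIN_EMAIL" -d "$FQDN" || rc=$?
    run_as_zimbra "$ZMMAILBOXDCTL" start
    run_as_zimbra "$ZMPROXYCTL" start
    return "$rc"
}

# Step 2: copy the live files to Zimbra's directory, complete the chain, fix ownership.
stage_cert() {
    dir="$ZIMBRA_SSL/letsencrypt"
    mkdir -p "$dir"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do cp "$LE_LIVE/$f" "$dir/$f"; done
    if [ -n "$ROOT_CA" ]; then append_root_once "$dir/chain.pem" "$ROOT_CA"; fi
    chown -R "$ZIMBRA_USER:$ZIMBRA_GROUP" "$dir"
    chmod 640 "$dir"/*.pem
}

# Step 3: refuse to deploy anything that does not verify (key/cert/chain agree).
verify_cert() {
    dir="$ZIMBRA_SSL/letsencrypt"
    if [ "$(pem_count "$dir/chain.pem")" -lt 1 ]; then
        echo "chain.pem contains no certificate; aborting" >&2; return 1
    fi
    run_as_zimbra "$ZMCERTMGR" verifycrt comm "$dir/privkey.pem" "$dir/cert.pem" "$dir/chain.pem"
}

# Step 4: timestamped backup, install the key as commercial.key, then deploycrt.
deploy_cert() {
    dir="$ZIMBRA_SSL/letsencrypt"
    cp -a "$ZIMBRA_SSL/zimbra" "$ZIMBRA_SSL/zimbra.$(date '+%Y%m%d-%H%M%S')"
    cp "$dir/privkey.pem" "$ZIMBRA_SSL/zimbra/commercial/commercial.key"
    chown "$ZIMBRA_USER:$ZIMBRA_GROUP" "$ZIMBRA_SSL/zimbra/commercial/commercial.key"
    run_as_zimbra "$ZMCERTMGR" deploycrt comm "$dir/cert.pem" "$dir/chain.pem"
}

main() {
    stage_cert
    verify_cert
    deploy_cert
    run_as_zimbra "$ZMCONTROL" restart
}

# Usage: ./le-zimbra.sh request   (get/renew the certificate)
#        ./le-zimbra.sh deploy    (stage, verify, back up, deploy, restart)
case "${1:-}" in
    request) request_cert ;;
    deploy)  main ;;
esac
```

Run it as root: `request` first, then `deploy`; the zimbra-only commands are dropped to the zimbra user through su. Because verify_cert runs before the backup and deploy, a chain.pem that is empty or a key that does not match the certificate stops the script before anything under /opt/zimbra/ssl/zimbra is touched, and append_root_once keeps chain.pem from growing by one root block per renewal.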
That is all for this article; I hope it is useful.
Wassalamualaikum.