Como muchos saben el pasado 30 de septiembre del 2021 se vencio el certificado raíz DST Root CA X3 que muchos de nosotros usabamos con Let’s Encrypt y a raiz de eso muchos servicios empezaron a dar problemas ya que los sistemas no reconocian dicho certificado, Buenos hoy les muestro como solicitar el certificado con el nuevo ISRG Root X1 y su integracion a zimbra.
Lo primero que haremos sera desintalara certbot e instalarlo via snap para tener la ultima version
Desintalar certbot
apt-get remove certbot
Instalando snap
sudo apt-get install snap
sudo snap install core; sudo snap refresh core
Instalando Certbot via snap
sudo snap install --classic certbot
Prepare the Certbot command
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Una vez ya instalado el certbot Pasamos a crear el certificado
certbot certonly --preferred-chain="ISRG Root X1" --manual -d *.dominio.cu -d dominio.cu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
Ya una vez que obtengamos el certificado y es enviado a nuestro servidor zimbra mediante rsync
viene la segunda parte que es hacer que zimbra valide dicho certificado
Le comparto un script que pueden tener para pasar el certificado de donde lo obtengan digase su proxy inverso a su servidor zimbra
#Borrar si existe un certificado anterior ssh [email protected] rm /etc/letsencrypt/ -R #copiar certificado rsync -avi --delete /etc/letsencrypt [email protected]:/etc/ #dar persmisos ssh [email protected] chmod 7777 /etc/letsencrypt/ -R #ejecutar script de validacion del certificado ssh [email protected] /opt/sslzimbra.sh
Como notaron en el script anterior hago referencia al script /opt/sslzimbra.sh, bueno dicho script se lo comparto
#Impresion del ISRG Root X1 al chain.pem de nuestros certificado wget https://letsencrypt.org/certs/isrgrootx1.pem.txt -O /opt/root.pem cat /opt/root.pem >> /etc/letsencrypt/live/dominio.cu/chain.pem #Comprobamos el Certificado su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/dominio.cu/privkey.pem /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem" #Copiamos el Certificado Privado de Let's Encrypt para Zimbra cp /etc/letsencrypt/live/dominio.cu/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key #Ejecutamos la actualización del Certificado de Zimbra su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem" #Reiniciamos Zimbra service zimbra restart exit 0
Al correr el script debemos tener mas menos esta salida
root@correo:/opt# sh sslzimbra.sh ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/privkey.pem' Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/etc/letsencrypt/live/dominio.cu/privkey.pem' match. ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem' Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key' Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match. ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem' Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK ** Copying '/etc/letsencrypt/live/dominio.cu/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Copying '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' ** Appending ca chain '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts' ** NOTE: restart mailboxd to use the imported certificate. ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.dominio.cu...ok ** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.dominio.cu...ok ** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/conf/imapd.keystore' ** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore' ** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key' ** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key' ** NOTE: restart services to use the new certificates. ** Cleaning up 9 files from '/opt/zimbra/conf/ca' ** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt ** Removing /opt/zimbra/conf/ca/ca.key ** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt ** Removing /opt/zimbra/conf/ca/2e5ac55d.0 ** Removing /opt/zimbra/conf/ca/8d33f237.0 ** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt ** Removing /opt/zimbra/conf/ca/07e4fe56.0 ** Removing /opt/zimbra/conf/ca/4042bcee.0 ** Removing /opt/zimbra/conf/ca/ca.pem ** Copying CA to /opt/zimbra/conf/ca ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key' ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem' ** Creating CA hash symlink '07e4fe56.0' -> 'ca.pem' ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt ** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt' ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt ** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
Espero que les sirva
Dejar una contestacion