Como muchos saben el pasado 30 de septiembre del 2021 se vencio el certificado raíz DST Root CA X3 que muchos de nosotros usabamos con Let’s Encrypt y a raiz de eso muchos servicios empezaron a dar problemas ya que los sistemas no reconocian dicho certificado, Buenos hoy les muestro como solicitar el certificado con el nuevo ISRG Root X1 y su integracion a zimbra.
Lo primero que haremos sera desintalara certbot e instalarlo via snap para tener la ultima version
Desintalar certbot
1 | apt-get remove certbot |
Instalando snap
1 | sudo apt-get install snap |
1 | sudo snap install core; sudo snap refresh core |
Instalando Certbot via snap
1 | sudo snap install --classic certbot |
Prepare the Certbot command
1 | sudo ln -s /snap/bin/certbot /usr/bin/certbot |
Una vez ya instalado el certbot Pasamos a crear el certificado
1 | certbot certonly --preferred-chain="ISRG Root X1" --manual -d *.dominio.cu -d dominio.cu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory |
Ya una vez que obtengamos el certificado y es enviado a nuestro servidor zimbra mediante rsync
viene la segunda parte que es hacer que zimbra valide dicho certificado
Le comparto un script que pueden tener para pasar el certificado de donde lo obtengan digase su proxy inverso a su servidor zimbra
1 2 3 4 5 6 7 8 9 10 11 | #Borrar si existe un certificado anterior ssh root@correo.dominio.cu rm /etc/letsencrypt/ -R #copiar certificado rsync -avi --delete /etc/letsencrypt root@correo.dominio.cu:/etc/ #dar persmisos ssh root@correo.dominio.cu chmod 7777 /etc/letsencrypt/ -R #ejecutar script de validacion del certificado ssh root@correo.dominio.cu /opt/sslzimbra.sh |
Como notaron en el script anterior hago referencia al script /opt/sslzimbra.sh, bueno dicho script se lo comparto
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | #Impresion del ISRG Root X1 al chain.pem de nuestros certificado wget https://letsencrypt.org/certs/isrgrootx1.pem.txt -O /opt/root.pem cat /opt/root.pem >> /etc/letsencrypt/live/dominio.cu/chain.pem #Comprobamos el Certificado su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/dominio.cu/privkey.pem /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem" #Copiamos el Certificado Privado de Let's Encrypt para Zimbra cp /etc/letsencrypt/live/dominio.cu/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key #Ejecutamos la actualización del Certificado de Zimbra su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem" #Reiniciamos Zimbra service zimbra restart exit 0 |
Al correr el script debemos tener mas menos esta salida
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | root@correo:/opt# sh sslzimbra.sh ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/privkey.pem' Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/etc/letsencrypt/live/dominio.cu/privkey.pem' match. ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem' Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key' Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match. ** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem' Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK ** Copying '/etc/letsencrypt/live/dominio.cu/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Copying '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' ** Appending ca chain '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts' ** NOTE: restart mailboxd to use the imported certificate. ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.dominio.cu...ok ** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.dominio.cu...ok ** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/conf/imapd.keystore' ** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore' ** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key' ** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key' ** NOTE: restart services to use the new certificates. ** Cleaning up 9 files from '/opt/zimbra/conf/ca' ** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt ** Removing /opt/zimbra/conf/ca/ca.key ** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt ** Removing /opt/zimbra/conf/ca/2e5ac55d.0 ** Removing /opt/zimbra/conf/ca/8d33f237.0 ** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt ** Removing /opt/zimbra/conf/ca/07e4fe56.0 ** Removing /opt/zimbra/conf/ca/4042bcee.0 ** Removing /opt/zimbra/conf/ca/ca.pem ** Copying CA to /opt/zimbra/conf/ca ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key' ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem' ** Creating CA hash symlink '07e4fe56.0' -> 'ca.pem' ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt ** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt' ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt ** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt' |
Espero que les sirva
Dejar una contestacion