Wildcard SSL de Let’s Encrypt con ISRG Root X1 Integrado a Zimbra

Como muchos saben el pasado 30 de septiembre del 2021 se vencio el certificado raíz DST Root CA X3 que muchos de nosotros usabamos con Let’s Encrypt y a raiz de eso muchos servicios empezaron a dar problemas ya que los sistemas no reconocian dicho certificado, Buenos hoy les muestro como solicitar el certificado con el nuevo ISRG Root X1 y su integracion a zimbra.

Lo primero que haremos sera desintalara certbot e instalarlo via snap para tener la ultima version

Desintalar certbot

apt-get remove certbot

Instalando snap

sudo apt-get install snap

sudo snap install core; sudo snap refresh core

Instalando Certbot via snap

sudo snap install --classic certbot

Prepare the Certbot command

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Una vez ya instalado el certbot Pasamos a crear el certificado

certbot certonly --preferred-chain="ISRG Root X1" --manual -d *.dominio.cu -d dominio.cu --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Ya una vez que obtengamos el certificado y es enviado a nuestro servidor zimbra mediante rsync
viene la segunda parte que es hacer que zimbra valide dicho certificado

Le comparto un script que pueden tener para pasar el certificado de donde lo obtengan digase su proxy inverso a su servidor zimbra

#Borrar si existe un certificado anterior
ssh root@correo.dominio.cu rm /etc/letsencrypt/ -R

#copiar certificado
rsync -avi --delete /etc/letsencrypt root@correo.dominio.cu:/etc/

#dar persmisos
ssh root@correo.dominio.cu chmod 7777 /etc/letsencrypt/ -R

#ejecutar script de validacion del certificado
ssh root@correo.dominio.cu /opt/sslzimbra.sh

Como notaron en el script anterior hago referencia al script /opt/sslzimbra.sh, bueno dicho script se lo comparto

#Impresion del ISRG Root X1 al chain.pem de nuestros certificado
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt -O /opt/root.pem
cat /opt/root.pem >> /etc/letsencrypt/live/dominio.cu/chain.pem

#Comprobamos el Certificado
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/dominio.cu/privkey.pem /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem"

#Copiamos el Certificado Privado de Let's Encrypt para Zimbra
cp /etc/letsencrypt/live/dominio.cu/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

#Ejecutamos la actualización del Certificado de Zimbra
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/dominio.cu/cert.pem /etc/letsencrypt/live/dominio.cu/chain.pem"

#Reiniciamos Zimbra
service zimbra restart
exit 0

Al correr el script debemos tener mas menos esta salida

root@correo:/opt# sh sslzimbra.sh 
** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/privkey.pem'
Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/etc/letsencrypt/live/dominio.cu/privkey.pem' match.
** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK
** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/dominio.cu/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/dominio.cu/cert.pem' against '/etc/letsencrypt/live/dominio.cu/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/dominio.cu/cert.pem: OK
** Copying '/etc/letsencrypt/live/dominio.cu/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/etc/letsencrypt/live/dominio.cu/chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer correo.dominio.cu...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer correo.dominio.cu...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/07e4fe56.0
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '07e4fe56.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'

Espero que les sirva