How to Install Zimbra Free SSL Certificate with Let’s Encrypt?

Why is it important to install a Zimbra Free SSL certificate?

Zimbra is a collaborative groupware or software suite that functions as an e-mail server as well as a web client. Zimbra is one of the most popular collaboration software solutions, with more than 500 million users. There is no doubt that SSL encryption has become an essential component of server security. SSL is required for all servers, whether these are email servers or web servers.

In this article,we will show you steps to SSL Certificate installation and renew on a Zimbra Mail server with both Let’s Encrypt and regular SSL.

Free SSL Certificate and its benefits

Since there is no cost associated with a free SSL certificate, website owners can use as many as they need. This is quick and easy, and website owners find them appealing because they enable them to increase the revenue from their website Multiple SSL Certificates A user can transfer for his website without rigorous testing procedures. A free SSL certificate will only secure one domain.

It comes in two types: SSL Certificates signed by a Certificate Authority and Self-Signed Certificates. Its encryption level is on par with that of premium SSLs. 2048-bit key encryption and 256-bit certificate encryption are features of both free and premium SSL certificates.  When you decide to add a free SSL certificate to your website, you will receive the following benefits:

• Domain Verification SSL — As per our concept of Free SSL, it is only available for Domain Verification (DV). It is perfect for small websites and blogs that don’t need to gather information from visitors to their websites. There is only a minimal level of authentication required for these websites.

• Limited Use – Free SSL certificates are not recommended for use by businesses and only work well for basic blogging platforms that do not collect financial information. Dedicated business owners and website owners must go for Organization Validated or Extended Validation certificates instead, to prove their legitimacy.

• Short Validity Period –  The lifecycle of a free basic SSL certificate issued by a CA is between 30 and 90 days, and website owners frequently need to renew certificates.

• Technical Support – Users cannot expect technical support when problems arise because it is free. They must rely on  forums where other people who use free SSL gather to share advice and solutions for SSL-related problems.

How to install free ssl certificate in zimbra mail server

Verify the zimbra version and OS

The below command will tell you what version of zimbra you have.

[zimbra@zm ~]$ zmcontrol -v    
Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 FOSS edition, Patch 8.8.15_P33.
[zimbra@zm ~]$ cat /etc/os-release

Setting the LDAP variables

The variables used by LDAP can be set by running. This will set the values for variables like ‘$ldap_master_url’, ‘$zimbra_ldap_password’, etc.

[root@zm ~]# su - zimbra
[zimbra@zm ~]$ source ~/bin/zmshutil ; zmsetvars

Verify Hostname and zmhostname.

Verify “zmhostname” is the same as hostname –fqdn also check the version

[zimbra@zm ~]$ zmhostname
zm.yourdomain.com
[zimbra@zm ~]$ hostname --fqdn
zm.yourdomain.com

Installing Certbot

You can install Cerbot and obtain a certificate by running the below commands.

[root@zm ~]# yum install -y bind-utils net-tools
[root@zm ~]# yum install -y python3 python3-venv libaugeas0
[root@zm ~]# python3 -m venv /opt/certbot/
[root@zm ~]# yum install --upgrade pip
[root@zm ~]# /opt/certbot/bin/pip install certbot
[root@zm ~]# ln -s /opt/certbot/bin/certbot /usr/local/sbin/certbot
[root@zm ~]# /usr/local/sbin/certbot certonly -d $(hostname --fqdn) 
--standalone --preferred-chain  "ISRG Root X1" --agree-tos 
--register-unsafely-without-email

Deploy the certificate

Create the following script that deploys the Let’s Encrypt certificate.

[root@zm ~]# cat >> /usr/local/sbin/letsencrypt-zimbra << EOF
> #!/bin/bash
> /usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --manual-public-ip-logging-ok -n --preferred-chain  "ISRG Root X1" --agree-tos --register-unsafely-without-email
> cp "/etc/letsencrypt/live/$(hostname --fqdn)/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
> chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
> wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
> rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
> cp "/etc/letsencrypt/live/$(hostname --fqdn)/chain.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
> cat /tmp/ISRG-X1.pem >> "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
> chown zimbra:zimbra /etc/letsencrypt -R
> cd /tmp
> su zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/$(hostname --fqdn)/cert.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"'
> rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
> EOF

Permission and cron Setup

Set the correct permission, set up a cron job and run the deployment.

[root@zm ~]# chmod +rx /usr/local/sbin/letsencrypt-zimbra
[root@zm ~]# ln -s /usr/local/sbin/letsencrypt-zimbra /etc/cron.daily/letsencrypt-zimbra
[root@zm ~]# /etc/cron.daily/letsencrypt-zimbra

Restart zimbra services 

Restart the zimbra services using the below command.

[zimbra@zm ~]$ su - zimbra
[zimbra@zm ~]$ zmcontrol status

Note: The cron job will renew your certificate about 1 month prior to the zimbra SSL certificate expiration date. You need to manually restart Zimbra before the renewal date to load the new certificate.

Verify SSL certificate validity and issuer details from browser

You should try opening the site using HTTPS instead of HTTP, and then the site should open with a locked sign. Now check whether the site has become secure or not.

Commercial or Paid SSL certificate and its benefits

SSL certificates can be purchased from Certificate Authorities (CAs) or authorised third-party resellers. There are several types of SSL certificates, but the most common are Domain Validated (DV) SSL, Organization Validated (OV) SSL, and Extended Validation (EV) SSL.

• Domain Validated (DV) SSL: It has the lowest level of validation of the three SSL certificates because it is only checked against the domain registry. It is in charge of the “S” in the HTTPS connection, and the CA does not require a strict verification process in order to obtain this certificate. This method is also compatible with 99.99% of web and mobile browsers.

• Organization Validated (OV) SSL: OV certificates follow the X.509 RFC standards, which display all of the information required to validate an organization. The CA verifies the organization’s identity before issuing certificates, which can take several days.

• Extended Validation (EV) SSL: This type of SSL certificate is subject to strict validation by the CA. Trained professional agents authenticate the business identity using the government-hosted business registry databases.

Different SSL certificates provide different types of trust to website users. Apart from these features, you get the following benefits from the provided SSL certificates:

• Variety of Choices – commercial SSL certificates are widely used on e-commerce websites, social media websites, and lead generation websites as these websites collect sensitive information from their customers, therefore no compromise in security is expected for such cases. commercial SSLs provide three options: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV). Each of these levels has authentication of their own and Extended Validation SSL is considered the most secure. Apart from the three popular types of SSL certificates, users can also opt to purchase single-domain, wildcard, and multi-domain certificates that provide website security. Depending on the level, these certificates shows the organization’s name, country, city, and state. Also, the website visitors can see which CA has issued the certificate.
• Level of Validation – CAs (certificate authority) conducts a thorough validation process to make sure the commercial SSL certificates (OV and EV) go to a legitimate, trustworthy owner.
• Extended Validity Period – Commercial SSL certificates are valid up to 27 months only. Once the validation period expires, the certificate must be renewed so that the certificate file components are up-to-date and compliant to industry standards.

How to Install Commercial SSL Certificate on Zimbra Mail Server

Generate CSR 

The following instructions will guide you through the CSR generation process on Zimbra Mail Server through Command Line Interface.

[root@zm ~]$ /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=IN/ST=Delhi/L=New Delhi/O=YOUR DAMAIN/OU=IT/CN=zimbra.yourdomain.com"


** Generating a server csr for download comm -new -keysize 2048 -subject /C=IN/ST=Delhi/L=NewDelhi/O=YOURDOMAIN/OU=IT/CN=zimbra.yourdomain.com

** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20150913150455

** Retrieving Commercial CA cert from ldap...done.

** Creating /opt/zimbra/conf/zmssl.cnf...done

** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.

** Saving server config key zimbraSSLPrivateKey...done.

You can check if your CSR is valid and correct using the link

The private key must exist as commercial.key and CSR as a name “commercial.csr” in the “/opt/zimbra/ssl/zimbra/commercial” directory

Download certificate 

Need to download the certificate and bundle from any SSL service provider. There should be two files, one is “your.domain.com.crt” and another is “your.domain.com.ca-bundle”. 

Place “your.domain.com.crt” in “/opt/zimbra/ssl/zimbra/commercial/commercial.crt” and your.”domain.com.ca-bundle” in”/opt/zimbra/ssl/zimbra/commercial/commercial.ca.crt”

Verify the certificate

Login as zimbra and go to /opt/zimbra/ssl/zimbra/commercial/ folder and run the below command to verify the certificate.

[root@zm ~]# su - zimbra
[zimbra@zm commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt ./commercial_ca.crt    
           
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK

Deploy the certificate 

Then, run the following command to apply the certificate:

[zimbra@zm commercial]$ /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt 
         
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Restart zimbra services 

Restart the zimbra services using the below command and Verify SSL security from browser as mentioned in the previous step.

[zimbra@zm ~]$ zmcontrol restart

Conclusion:

In this blog we have explained how to install ssl certificate in zimbra mail server with both Letsencypt and paid SSL options. 
You can check out our other helpful Zimbra admin articles for more information on the following topics: 

Install Zimbra Mail Server in CentOS7

Zimbra Admin Console – Beginners Guide for Mail Server Admins