Installing a trusted SSL certificate on Zimbra-8.8.15 with Let's Encrypt

程序员文章站 2022-07-15 15:46:55

In the previous post we installed Zimbra-8.8.15. Logging in to the web client still raised a certificate error; once that error is clicked through (and with port 25 unblocked) mail can already be sent and received, but a permanent certificate warning is unfriendly and makes the system feel untrustworthy. A valid certificate from a trusted CA also protects the connection with proper encryption, so the data on it cannot be picked up easily. This post therefore shows how to install a trusted SSL certificate from Let's Encrypt on Zimbra-8.8.15.

Let's Encrypt certificates are completely free and trusted by browsers, but they are valid for only 3 months, so they must be renewed every 3 months. Later we can automate renewal with a script and avoid the hassle of doing it by hand each time.

This post is adapted from the Zimbra wiki; readers who need the original can find it here: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Note: this post applies to Zimbra 8.7 and later. For Zimbra 8.6 and earlier, follow the original wiki article.

Environment:

Operating system: CentOS 7.7, 64-bit

Zimbra version: Zimbra-8.8.15

I. Install Let's Encrypt

1. Stop the services

[aaa@qq.com ~]$ zmproxyctl stop
[aaa@qq.com ~]$ zmmailboxdctl stop

2. Clone the letsencrypt repository from GitHub

Cloning needs git; if it is not installed, install it with:

[aaa@qq.com ~]# yum -y install git

Clone the repository:

[aaa@qq.com ~]# mkdir -p /opt/software
[aaa@qq.com ~]# cd /opt/software/
[aaa@qq.com software]# git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Enumerating objects: 83, done.
remote: Counting objects: 100% (83/83), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 71624 (delta 42), reused 60 (delta 29), pack-reused 71541
Receiving objects: 100% (71624/71624), 23.59 MiB | 5.57 MiB/s, done.
Resolving deltas: 100% (52610/52610), done.

3. Generate the certificate

[aaa@qq.com software]# cd letsencrypt/
[aaa@qq.com letsencrypt]# ./letsencrypt-auto certonly --standalone
......
(a series of dependency packages is installed automatically)
......
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): aaa@qq.com         <-- enter an email address where you can be reached

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a         <-- type a to accept the terms

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n         <-- asks whether to share your email address with the EFF; I type n to decline
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mail.chenxie.net         <-- enter your domain name, e.g. mail.chenxie.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.chenxie.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.chenxie.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.chenxie.net/privkey.pem
   Your cert will expire on 2020-02-27. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate has been issued.

The certificate files are in the /etc/letsencrypt/live/mail.chenxie.net/ directory:

[aaa@qq.com ~]# ll /etc/letsencrypt/live/mail.chenxie.net/
total 4
lrwxrwxrwx 1 root root  40 Nov 29 11:54 cert.pem -> ../../archive/mail.chenxie.net/cert1.pem
lrwxrwxrwx 1 root root  41 Nov 29 11:54 chain.pem -> ../../archive/mail.chenxie.net/chain1.pem
lrwxrwxrwx 1 root root  45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.chenxie.net/fullchain1.pem
lrwxrwxrwx 1 root root  43 Nov 29 11:54 privkey.pem -> ../../archive/mail.chenxie.net/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README

cert.pem is your certificate

chain.pem is the intermediate chain

fullchain.pem is cert.pem and chain.pem concatenated

privkey.pem is your private key

II. Build the intermediate chain and CA root certificate

The certificate issued by Let's Encrypt does not include the CA root certificate, so you need to fetch the IdenTrust root certificate and append it to the end of chain.pem.

IdenTrust root certificate: https://www.identrust.com/dst-root-ca-x3

After appending the root certificate, your chain.pem should look like this:

-----BEGIN CERTIFICATE-----
(your chain contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(IdenTrust root certificate contents)
-----END CERTIFICATE-----

 

III. Verify your commercial certificate

Copy all the generated certificate files from /etc/letsencrypt/live/mail.chenxie.net/ to /opt/zimbra/ssl/letsencrypt/:

[aaa@qq.com ~]# mkdir /opt/zimbra/ssl/letsencrypt
[aaa@qq.com ~]# cp /etc/letsencrypt/live/mail.chenxie.net/* /opt/zimbra/ssl/letsencrypt/
[aaa@qq.com ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[aaa@qq.com ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra  692 Nov 29 12:20 README

Switch to the zimbra user and verify:

[aaa@qq.com ~]$ cd /opt/zimbra/ssl/letsencrypt/
[aaa@qq.com letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
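The two steps above (appending the root to chain.pem in section II, then checking key, certificate and chain in section III) can also be done and double-checked with plain openssl before anything is handed to zmcertmgr. The script below is an added example, not code from the post or from the Zimbra wiki; it assumes openssl is on the PATH and builds its own constructed test CA (root, intermediate, leaf for the made-up name mail.example.test, each valid 30 days) so it runs offline. Beyond what the post shows, it adds an expiry-horizon check: the DST Root CA X3 certificate the post links to expired on 2021-09-30 (current Let's Encrypt chains end at ISRG Root X1), so a chain that "verifies" today should also be checked for certificates that are about to run out. The last function checks a live endpoint after deployment and is not exercised by the fixtures.

```shell
#!/bin/sh
# Added example: openssl checks for a Let's Encrypt chain before it is given to zmcertmgr.
# Assumed, not from the post: mail.example.test and the constructed test CA below.
set -eu

# Append trust-chain parts (intermediate chain first, then root) into one bundle,
# refusing any input that is not a PEM certificate (e.g. an HTML error page saved by mistake).
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    # only the first certificate of each file is parsed; enough to reject non-PEM input
    openssl x509 -noout -in "$f" 2>/dev/null || { echo "not a PEM certificate: $f" >&2; return 1; }
    cat "$f" >> "$out"
  done
}

# Number of certificates in a PEM bundle (grep -c exits 1 on zero matches, hence "|| true").
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# True when the private key belongs to the certificate: compares the SHA-256 of the DER-encoded
# public key from both sides, which works for RSA and EC keys alike.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the leaf ($1) chains up to a self-signed root contained in the bundle ($2).
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# True when every certificate in the bundle ($2) is still valid $1 seconds from now.
# 2592000 (30 days) is the usual Let's Encrypt renewal horizon; an expired root fails here too.
certs_valid_for() {
  horizon=$1; bundle=$2; dir=$(mktemp -d); rc=0
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/part_" n ".pem")}' "$bundle"
  for p in "$dir"/part_*.pem; do
    openssl x509 -noout -checkend "$horizon" -in "$p" >/dev/null || rc=1
  done
  rm -rf "$dir"; return $rc
}

# After deployment: does the service on host:port present a certificate that validates against the
# system trust store? Pass "smtp" or "imap" as $3 for STARTTLS ports (25/587, 143); leave it empty
# for 443/993/465. Not run by the fixtures below because it needs a live server.
check_live_endpoint() {
  host=$1; port=$2; starttls=${3:-}
  set -- -connect "$host:$port" -servername "$host" -verify_return_error
  [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
  openssl s_client "$@" </dev/null >/dev/null 2>&1
}

# Constructed fixtures: root -> intermediate -> leaf for mail.example.test, 30 days each.
make_fixtures() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  for n in root int leaf; do openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key"; done
  openssl req -new -key "$d/root.key" -subj "/CN=Constructed Root" -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.pem"
  openssl req -new -key "$d/int.key" -subj "/CN=Constructed Intermediate" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/int.pem"
  openssl req -new -key "$d/leaf.key" -subj "/CN=mail.example.test" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem"
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_fixtures "$WORK" >/dev/null 2>&1
# the post's "chain.pem + root" step, then the three checks a deploy should not skip
build_chain "$WORK/chain.pem" "$WORK/int.pem" "$WORK/root.pem"
echo "certificates in chain.pem: $(cert_count "$WORK/chain.pem")"
key_matches_cert "$WORK/leaf.pem" "$WORK/leaf.key" && echo "key matches cert" || echo "KEY MISMATCH"
verify_chain "$WORK/leaf.pem" "$WORK/chain.pem" && echo "chain verifies" || echo "CHAIN BROKEN"
certs_valid_for 2592000 "$WORK/chain.pem" && echo "chain valid beyond 30 days" || echo "RENEW NOW"
```

On a real host, point the functions at the files the post uses (cert.pem, privkey.pem and the chain.pem with the root appended under /opt/zimbra/ssl/letsencrypt/), and run check_live_endpoint against 443, 993 and 25 with "smtp" after the restart in section IV to confirm the proxy, IMAP and MTA all serve the new certificate, not just the web client the browser test covers.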

 

IV. Deploy the certificate

1. Back up the existing certificates

[aaa@qq.com ~]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

 

2. Copy the private key into the commercial certificate directory that Zimbra expects

[aaa@qq.com ~]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
[aaa@qq.com ~]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

 

3. Deploy

Switch to the zimbra user and deploy:

[aaa@qq.com ~]# su - zimbra
Last login: Fri Nov 29 12:29:32 CST 2019 on pts/0
[aaa@qq.com ~]$ cd /opt/zimbra/ssl/letsencrypt/
[aaa@qq.com letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.chenxie.net...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.chenxie.net...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/a36b8486.0
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'a36b8486.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'

 

4. Restart the Zimbra services

[aaa@qq.com ~]$ zmcontrol restart

 

V. Test that the certificate is in effect

Open your server's address in a browser: if no certificate error appears and the certificate indicator in the address bar is green, the deployment succeeded.


The next post will show how to install and renew the Zimbra SSL certificate quickly with a script.