This post covers issuing a trusted certificate from Let's Encrypt for Zimbra. The certificate is valid for 90 days. Because it is free there is nobody to call if something goes wrong, so a company that wants vendor support behind its certificate may prefer to buy one; the TLS protection itself is the same either way, what a paid certificate adds is support and, for OV/EV types, identity vetting.

Environment: CentOS 7, Zimbra 8.8.15
Install acme.sh:

curl https://get.acme.sh | sh

or:

wget -O - https://get.acme.sh | sh

Both forms execute whatever the download returns without giving you a look at it first; if that matters in your environment, save the script, read it, then run it. After installation acme.sh lives in the .acme.sh folder in root's home directory, and the installer adds a daily cron entry that renews certificates on its own.
Create the folder that will hold the issued certificate files, /opt/ssl. Zimbra can serve several domains from one host, so all of them can go on a single certificate; with only one domain, one set of -d names is enough.

export CF_Key="Your_CloudFlare_API_Key"
export CF_Email="Your_CloudFlare_Account@example.com"
DOMAIN1=domain1
/root/.acme.sh/acme.sh --issue --dns dns_cf --dnssleep 90 -d "mail.${DOMAIN1}" -d "imap.${DOMAIN1}" -d "smtp.${DOMAIN1}" -d "pop.${DOMAIN1}" --log \
--cert-file /opt/ssl/cert.pem \
--key-file /opt/ssl/privkey.pem \
--fullchain-file /opt/ssl/fullchain.pem \
--ca-file /opt/ssl/chain.pem

The -d list covers the host names mail clients connect to (mail, imap, smtp, pop); validation is done by creating TXT records in Cloudflare DNS, so every name must be in a zone on that account. --dnssleep 90 waits 90 seconds for the TXT records to propagate instead of polling for them. CF_Key is the account's Global API Key, which grants full access to every zone on the account; acme.sh also accepts a scoped API token (CF_Token together with CF_Account_ID, optionally CF_Zone_ID) that is limited to DNS edits on the zone in question, which is the safer choice. acme.sh saves whichever credentials you use in ~/.acme.sh/account.conf for later renewals, so keep that file readable by root only.
The chain.pem that acme.sh writes contains only the Let's Encrypt intermediate, not the root that signed it, and zmcertmgr expects the CA file to reach all the way up to a root, so the root certificate has to be appended to the end of chain.pem. When this post was written (late 2019) the Let's Encrypt intermediate chained to IdenTrust's DST Root CA X3; download that root certificate from IdenTrust and append the copied content to chain.pem, so that the file looks like this:

-----BEGIN CERTIFICATE-----
your chain contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
IdenTrust root certificate contents
-----END CERTIFICATE-----

The root to append is whichever one signed the last certificate currently in chain.pem, and that has changed since this was written: DST Root CA X3 expired on 2021-09-30 and the default Let's Encrypt chain now ends at ISRG Root X1. Check the issuer of the last certificate in chain.pem rather than pasting a root from memory; if the wrong root is appended, zmcertmgr verifycrt below reports the chain as invalid.
Create a letsencrypt folder under Zimbra's ssl directory and copy the certificate files into it:

mkdir /opt/zimbra/ssl/letsencrypt
cp /opt/ssl/* /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
ls -l /opt/zimbra/ssl/letsencrypt/
-rw-r--r-- 1 zimbra zimbra 2106 Dec 31 14:23 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Dec 31 14:23 chain.pem
-rw-r--r-- 1 zimbra zimbra 3754 Dec 31 14:23 fullchain.pem
-rw------- 1 zimbra zimbra 1679 Dec 31 14:23 privkey.pem

Only privkey.pem needs to be private; keep it at mode 0600 as shown.
Switch to the zimbra user and check that the key, certificate and chain fit together, then back up the current certificate directory before anything is replaced:

cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

A listing of /opt/zimbra/ssl/ then shows the dated backup next to the live zimbra directory (cp -a preserves the original timestamps, which is why the backup does not carry today's time):

drwxr-xr-x 2 zimbra zimbra 4096 Dec 31 14:23 letsencrypt
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153933
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153936
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153939
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153941
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191231 << the directory just created
Copy the private key into the directory Zimbra reads commercial certificates from; zmcertmgr deploycrt takes the key from there, as its output below shows:

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

Then deploy as the zimbra user:

su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Fixing newlines in 'chain.pem'
Can't rename chain.pem to chain.pem.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.freedomstu.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.freedomstu.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2eecd714.0
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '2eecd714.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Restart the Zimbra services, then open the web client and check the certificate the browser shows:

zmcontrol restart
The script below is offered for reference; run it from a scheduled job every two months. It does not contact Let's Encrypt itself: it relies on the cron job acme.sh installed, which renews the certificate at day 60 and rewrites the files in /opt/ssl, and only appends the root, verifies, backs up and deploys. It appends the root only when chain.pem still holds a single certificate, so running it twice between renewals does not stack duplicate roots, and it stops before deploying if verifycrt fails; read the log it writes to /opt/ssl after each run.

#!/bin/bash
#source /etc/profile
# Variables
BACK_DIR="/opt/ssl" # directory acme.sh installs the certificate files into
DATE_TITLE=$(date +%F) # date used as the log title
DATE_TODAY=$(date +%F-%H%M%S) # timestamp used in the log file name
LOG=$BACK_DIR/ssl_LOG${DATE_TODAY}.txt
# create the directory if it does not exist
if [ ! -d $BACK_DIR ]; then
mkdir -p $BACK_DIR
fi
# go to the directory
cd $BACK_DIR
echo "-----$DATE_TITLE-----" >>$LOG
echo "Appending the root certificate to chain.pem" >>$LOG
# acme.sh writes a single intermediate into chain.pem at each renewal; append the root only if it is not there yet
if [ "$(grep -c 'BEGIN CERTIFICATE' $BACK_DIR/chain.pem)" -lt 2 ]; then
cat >> $BACK_DIR/chain.pem <<'EOF'
-----BEGIN CERTIFICATE-----
IdenTrust root certificate contents
-----END CERTIFICATE-----
EOF
fi
echo "Creating the directory under zimbra and copying the files" >>$LOG
if [ ! -d /opt/zimbra/ssl/letsencrypt ]; then
mkdir /opt/zimbra/ssl/letsencrypt
fi
cp /opt/ssl/* /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
echo "Entering the directory just created" >>$LOG
cd /opt/zimbra/ssl/letsencrypt/
echo "Switching to zimbra to verify the certificate" >>$LOG
su zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem' >>$LOG || { echo "verifycrt failed, not deploying" >>$LOG; exit 1; }
echo "Backing up the current certificates" >>$LOG
su zimbra -c 'cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")'
echo "Copying the key into Zimbra's commercial certificate directory" >>$LOG
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
echo "Deploying the certificate" >>$LOG
su zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem' >>$LOG
echo "Restarting zimbra services" >>$LOG
su - zimbra -c 'zmcontrol restart' >>$LOG
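Two steps above deserve a more careful implementation than a copy loop on a two-month timer: appending the root to chain.pem, which acme.sh rewrites at every renewal and so must be done after each renewal but only once, and the deploy sequence, which should stop the moment a check fails. The script below is an added example, not code from the original post, from acme.sh or from Zimbra; it is written as a hook that acme.sh itself runs after every renewal. The paths SSL_DIR, ROOT_PEM and ZIMBRA_HOME, the file name root.pem for the saved root certificate and the script name zimbra-le-deploy.sh are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not code from the original post: an acme.sh --reloadcmd hook
# that appends the root CA to chain.pem idempotently, checks the chain, and
# only then hands the files to zmcertmgr. Hypothetical assumptions, adjust to
# your host: acme.sh installs into SSL_DIR (as in the post), the root CA that
# signed the last certificate in chain.pem is saved once as ROOT_PEM, and
# Zimbra lives under ZIMBRA_HOME with zmcertmgr run as user zimbra.
set -eu

SSL_DIR="${SSL_DIR:-/opt/ssl}"
ROOT_PEM="${ROOT_PEM:-$SSL_DIR/root.pem}"
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
LE_DIR="$ZIMBRA_HOME/ssl/letsencrypt"
COMM_DIR="$ZIMBRA_HOME/ssl/zimbra/commercial"

log() { printf '%s %s\n' "$(date +%F-%T)" "$*"; }

# Number of PEM certificate blocks in a file (pure text, no openssl needed).
pem_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append the root CA to the chain only if it is not already there. acme.sh
# rewrites chain.pem without the root at every renewal, so the first run after
# a renewal appends it and later runs are no-ops instead of stacking copies.
# Returns 0 when appended, 1 when already present, 2 when the chain is empty.
ensure_root_in_chain() {
    local chain="$1" root="$2" root_body chain_body
    [ "$(pem_count "$chain")" -ge 1 ] || { log "no certificate in $chain"; return 2; }
    root_body=$(cat "$root")
    chain_body=$(cat "$chain")
    case "$chain_body" in
        *"$root_body"*) return 1 ;;
    esac
    # $(...) strips trailing newlines, so write both parts back with explicit ones.
    printf '%s\n%s\n' "$chain_body" "$root_body" > "$chain"
    return 0
}

# Cross-check the leaf against the root-terminated chain before touching
# Zimbra; this fails unless chain.pem reaches a self-signed root that really
# issued the intermediate, which is exactly the mistake a wrong root causes.
verify_chain() {
    openssl verify -CAfile "$SSL_DIR/chain.pem" "$SSL_DIR/cert.pem"
}

# Same steps as the post, with every command aborting the run on error.
deploy_to_zimbra() {
    local stamp
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$LE_DIR"
    cp "$SSL_DIR/cert.pem" "$SSL_DIR/chain.pem" "$SSL_DIR/privkey.pem" "$LE_DIR/"
    chown -R zimbra:zimbra "$LE_DIR"
    chmod 600 "$LE_DIR/privkey.pem"
    su zimbra -c "cd '$LE_DIR' && '$ZIMBRA_HOME/bin/zmcertmgr' verifycrt comm privkey.pem cert.pem chain.pem"
    # Dated copy of the live directory so a rollback is a single cp -a.
    cp -a "$ZIMBRA_HOME/ssl/zimbra" "$ZIMBRA_HOME/ssl/zimbra.$stamp"
    cp "$LE_DIR/privkey.pem" "$COMM_DIR/commercial.key"
    chown zimbra:zimbra "$COMM_DIR/commercial.key"
    chmod 600 "$COMM_DIR/commercial.key"
    su zimbra -c "cd '$LE_DIR' && '$ZIMBRA_HOME/bin/zmcertmgr' deploycrt comm cert.pem chain.pem"
    su - zimbra -c 'zmcontrol restart'
}

main() {
    local rc=0
    ensure_root_in_chain "$SSL_DIR/chain.pem" "$ROOT_PEM" || rc=$?
    case $rc in
        0) log "root CA appended to chain.pem" ;;
        1) log "root CA already present in chain.pem" ;;
        *) exit "$rc" ;;
    esac
    verify_chain
    deploy_to_zimbra
    log "deployed a $(pem_count "$SSL_DIR/chain.pem")-certificate chain"
}

# Only act when called with "deploy" (the form used in --reloadcmd), so the
# functions above can be sourced and exercised without a Zimbra install.
if [ "${1:-}" = "deploy" ]; then
    main
fi
```

Wire it in by adding --reloadcmd "/usr/local/sbin/zimbra-le-deploy.sh deploy" to the acme.sh --issue command shown earlier; acme.sh stores the command with the certificate and runs it again after every automatic renewal, so the separate two-month schedule becomes unnecessary. To decide which root to save as root.pem, print the subject and issuer of everything in the freshly issued chain.pem with openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout and take the root whose subject matches the last issuer listed. After the restart, openssl s_client -connect mail.${DOMAIN1}:443 -servername mail.${DOMAIN1} </dev/null | openssl x509 -noout -issuer -dates shows the certificate actually being served.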