iT邦幫忙

12th iThome Ironman Contest

DAY 27
Self-challenge group

Open Source Software Introduction and Setup series, part 27

[Open Source] Zimbra acme.sh SSL certificate


This post shows how to get a trusted certificate from Let's Encrypt for Zimbra. The certificate is valid for 90 days, so renewal has to be automated (acme.sh does this through its own cron job). The certificate is free and comes with no support, so whatever goes wrong is yours to handle; for a company mail server you may prefer to buy a commercial certificate so that there is someone to lean on.

Environment


CentOS 7, Zimbra 8.8.15

First, install acme.sh:


curl https://get.acme.sh | sh
Or:

wget -O -  https://get.acme.sh | sh

Piping a remote script straight into sh runs whatever the server, or anything on the path to it, returns. On a mail server it is worth downloading the installer first, reading it, and only then running it, or cloning a tagged release from the acme.sh GitHub repository instead.

After installation there is a .acme.sh directory in root's home (/root/.acme.sh), and acme.sh has registered a daily cron job that renews certificates once they are 60 days old.

  • Write the issuing script for the mail host names. Create /opt/ssl first; the issued files are written there and acme.sh does not create the directory. Zimbra can serve several domains from one host, and one certificate can carry the names of all of them (repeat the -d list for each domain); with a single domain one set of names is enough.
export CF_Key="Your_CloudFlare_API_Key"      # Global API Key: full access to the whole account. Prefer a scoped API token (CF_Token plus CF_Account_ID) that can only edit DNS on the mail zone.
export CF_Email="Your_CloudFlare_Account@example.com"

DOMAIN1=example.com    # your first domain

/root/.acme.sh/acme.sh --issue --dns dns_cf --dnssleep 90 -d "mail.${DOMAIN1}" -d "imap.${DOMAIN1}" -d "smtp.${DOMAIN1}" -d "pop.${DOMAIN1}" --log \
--cert-file /opt/ssl/cert.pem \
--key-file /opt/ssl/privkey.pem \
--fullchain-file /opt/ssl/fullchain.pem \
--ca-file /opt/ssl/chain.pem

The first -d name becomes the certificate's subject; the others go into the Subject Alternative Name list. acme.sh 3.0 and later default to ZeroSSL rather than Let's Encrypt, so on a current install add --server letsencrypt to the command.
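As an added example (not code from the post), here is how I would wrap the issuance step so that the Cloudflare credential is a scoped token read from a root-only file rather than a Global API Key exported in the shell, every host name is validated before it reaches acme.sh, and acme.sh calls a deploy hook whenever it renews. The paths /root/.cf-creds and /root/zimbra-deploy.sh, the credential file format, and the hook itself are assumptions made for this example; the acme.sh flags (--server letsencrypt, --dns dns_cf, --reloadcmd) and the CF_Token / CF_Account_ID variables are the real ones the dns_cf plugin reads.

```shell
#!/bin/bash
# zimbra-issue.sh: hypothetical wrapper around acme.sh for the issuance step
# (added example, not the post's own code). Assumptions: acme.sh lives in
# /root/.acme.sh, the Cloudflare credentials are in /root/.cf-creds (mode 600,
# two lines: CF_Token=... and CF_Account_ID=...), and the issued files go to /opt/ssl.
set -eu

ACME="${ACME:-/root/.acme.sh/acme.sh}"
CREDS_FILE="${CREDS_FILE:-/root/.cf-creds}"
OUT_DIR="${OUT_DIR:-/opt/ssl}"

# Print the host names to put in the certificate, one per line, for a domain
# and a list of prefixes (mail imap smtp pop). Each name is validated, so a
# stray option such as "--log" can never reach acme.sh disguised as a host name.
san_list() {
  domain="$1"; shift
  for prefix in "$@"; do
    name="$prefix.$domain"
    case "$name" in
      -*|*[!A-Za-z0-9.-]*) echo "invalid host name: $name" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
  done
}

# Load a scoped Cloudflare API token (Zone:DNS:Edit on the mail zone only) from a
# root-only file. A token limits the blast radius if the mail server is
# compromised, whereas the Global API Key used in the post grants every
# permission on the account. Files readable by group or others are refused.
load_cf_creds() {
  f="$1"
  mode="$(stat -c '%a' "$f" 2>/dev/null || echo none)"
  case "$mode" in
    600|400) ;;
    *) echo "$f is mode $mode, expected 600" >&2; return 1 ;;
  esac
  CF_Token="$(sed -n 's/^CF_Token=//p' "$f")"
  CF_Account_ID="$(sed -n 's/^CF_Account_ID=//p' "$f")"
  if [ -z "$CF_Token" ] || [ -z "$CF_Account_ID" ]; then
    echo "missing CF_Token or CF_Account_ID in $f" >&2; return 1
  fi
  export CF_Token CF_Account_ID
}

# Issue one certificate covering mail/imap/smtp/pop for the domain, pinned to
# Let's Encrypt (acme.sh >= 3.0 defaults to ZeroSSL), and hand the result to a
# deploy hook after every renewal via --reloadcmd.
issue() {
  domain="$1"
  names="$(san_list "$domain" mail imap smtp pop)"   # aborts here if a name is bad
  load_cf_creds "$CREDS_FILE"
  set --
  for name in $names; do set -- "$@" -d "$name"; done
  mkdir -p "$OUT_DIR"
  "$ACME" --issue --server letsencrypt --dns dns_cf --dnssleep 90 "$@" --log \
    --cert-file "$OUT_DIR/cert.pem" \
    --key-file "$OUT_DIR/privkey.pem" \
    --fullchain-file "$OUT_DIR/fullchain.pem" \
    --ca-file "$OUT_DIR/chain.pem" \
    --reloadcmd "/root/zimbra-deploy.sh deploy"
}

case "${1:-}" in
  issue) issue "${2:?usage: $0 issue example.com}" ;;
  *) : ;;   # without an argument only the functions are defined (sourcing/testing)
esac
```

Run it as root with ./zimbra-issue.sh issue example.com. Because load_cf_creds refuses a credentials file that is readable by group or others, a mistakenly created 644 file fails before any API call is made, and the token never appears in shell history or a profile file.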

Building the intermediate and root CA chain


The chain.pem that acme.sh writes contains the Let's Encrypt intermediate but not the root, and zmcertmgr needs a chain that ends in a root certificate. Fetch the IdenTrust root (DST Root CA X3) from the IdenTrust certificate URL and append it to the end of chain.pem, so the file ends up like this:

Note that DST Root CA X3 expired on 30 September 2021. Certificates issued today chain to ISRG Root X1, which Let's Encrypt publishes on its certificates page; append that root instead, using exactly the same procedure.

-----BEGIN CERTIFICATE-----
(the intermediate certificate acme.sh wrote to chain.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Verify the certificate


  • Copy the files just produced into the zimbra directory
mkdir /opt/zimbra/ssl/letsencrypt
cp /opt/ssl/* /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
ls -l /opt/zimbra/ssl/letsencrypt/

-rw-r--r-- 1 zimbra zimbra 2106 Dec 31 14:23 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Dec 31 14:23 chain.pem
-rw-r--r-- 1 zimbra zimbra 3754 Dec 31 14:23 fullchain.pem
-rw------- 1 zimbra zimbra 1679 Dec 31 14:23 privkey.pem
  • Switch to the zimbra user account and run the check
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
  • The output looks like the screenshot below; "ok" at the end means the key, certificate and chain fit together and Zimbra will accept them. Keep privkey.pem readable by its owner only, as in the listing above: it is the server's private key.

zimbra-ssl-01.png

Deploy the certificate


  1. Back up the current certificate directory
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
  • Result
drwxr-xr-x 2 zimbra zimbra 4096 Dec 31 14:23 letsencrypt
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153933
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153936
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153939
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191230153941
drwxr-x--- 5 zimbra zimbra 4096 Dec 30 15:39 zimbra.20191231  << the backup just created
  2. Copy the private key into the directory where Zimbra keeps the commercial certificate
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
  3. Switch to the zimbra user and deploy
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
  • Output
** Fixing newlines in 'chain.pem'
Can't rename chain.pem to chain.pem.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.freedomstu.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.freedomstu.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2eecd714.0
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '2eecd714.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
  4. Restart the Zimbra services and open the web client to check that the new certificate is the one being served. The rename warning at the top of the output only concerns the .bak copy made by the newline-fixing step; the "match" and "Valid certificate chain" lines after it show the files were accepted. As the output shows, the same certificate and key are installed for the proxy, IMAP, LDAP and MTA services, so the IMAPS, POP3S and SMTP listeners present it as well once they are restarted.
zmcontrol restart

Automatic renewal and service restart


Here is the script for reference; it is run from cron every two months. Note that the renewal itself is done by acme.sh's own daily cron job, which re-issues the certificate at 60 days and rewrites the files in /opt/ssl; this script only redeploys whatever is in /opt/ssl at the time, so schedule it to run after that window, or have acme.sh call it directly through --reloadcmd so that deployment happens exactly when a renewal does.

#!/bin/bash
#source /etc/profile

# Variables
BACK_DIR="/opt/ssl"            # directory acme.sh installs the certificate files into
DATE_TITLE=$(date +%F)         # date for the log heading
DATE_TODAY=$(date +%F-%H%M%S)  # timestamp for this run's log file
LOG="$BACK_DIR/ssl_LOG${DATE_TODAY}.txt"
ROOT_CA="/opt/ssl/root-ca.pem" # the root certificate from the section above, saved once to this file (assumed path)

# Create the directory if it does not exist
if [ ! -d "$BACK_DIR" ]; then
    mkdir -p "$BACK_DIR"
fi

# Enter the directory
cd "$BACK_DIR"

echo "-----$DATE_TITLE-----" >>"$LOG"

echo "Appending the root CA to chain.pem" >>"$LOG"
# acme.sh rewrites chain.pem at every renewal, so append the root only when it is
# not already there; appending unconditionally on every run would stack copies of it.
if ! grep -q -F -- "$(sed -n '2p' "$ROOT_CA")" "$BACK_DIR/chain.pem"; then
    cat "$ROOT_CA" >>"$BACK_DIR/chain.pem"
fi

echo "Creating the Zimbra directory and copying the files" >>"$LOG"
if [ ! -d /opt/zimbra/ssl/letsencrypt ]; then
    mkdir /opt/zimbra/ssl/letsencrypt
fi
cp /opt/ssl/*.pem /opt/zimbra/ssl/letsencrypt/
chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt

echo "Entering the new directory" >>"$LOG"
cd /opt/zimbra/ssl/letsencrypt/

echo "Verifying as zimbra" >>"$LOG"
# Stop here if zmcertmgr rejects the files rather than deploying a broken certificate
su zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem' >>"$LOG" 2>&1 || exit 1

echo "Backing up the current certificate" >>"$LOG"
su zimbra -c 'cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")'

echo "Copying the private key into Zimbra's commercial directory" >>"$LOG"
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

echo "Deploying the certificate" >>"$LOG"
su zimbra -c 'cd /opt/zimbra/ssl/letsencrypt/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem' >>"$LOG" 2>&1

echo "Restarting Zimbra services" >>"$LOG"
su - zimbra -c 'zmcontrol restart' >>"$LOG" 2>&1
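As an added example (not the post's script), here is the deploy side written as the hook acme.sh can call through --reloadcmd, covering the manual steps in the "Deploy the certificate" section and the cron script above. Two things differ from the script: the root certificate is appended to chain.pem only if an identical block is not already present, so repeated runs between renewals cannot stack copies of it, and nothing under /opt/zimbra/ssl/zimbra is touched unless zmcertmgr verifycrt accepts the new files. Assumed paths: /opt/ssl for the acme.sh output, /opt/ssl/root-ca.pem holding the root certificate from the chain section, and /var/log/zimbra-cert-deploy.log for the log.

```shell
#!/bin/bash
# zimbra-deploy.sh: hypothetical deploy hook for acme.sh --reloadcmd (added example,
# not the post's own code). Assumptions: acme.sh installs cert.pem, privkey.pem and
# chain.pem into /opt/ssl, and the root certificate from the section above has been
# saved once to /opt/ssl/root-ca.pem. Run as root: ./zimbra-deploy.sh deploy
set -eu

SSL_DIR="${SSL_DIR:-/opt/ssl}"
ZIMBRA_SSL="${ZIMBRA_SSL:-/opt/zimbra/ssl}"
LOG="${LOG:-/var/log/zimbra-cert-deploy.log}"

log() { printf '%s %s\n' "$(date +%F-%T)" "$*" >>"$LOG"; }

# Number of certificate blocks in a PEM file.
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# SHA-256 of each certificate block in a PEM file, one hash per line.
pem_block_hashes() {
  awk '/-----BEGIN CERTIFICATE-----/ { blk = "" }
       { blk = blk $0 "\n" }
       /-----END CERTIFICATE-----/ { printf "%s", blk | "sha256sum"; close("sha256sum") }' "$1" |
    awk '{ print $1 }'
}

# Append the root certificate to chain.pem unless an identical block is already
# there. acme.sh rewrites chain.pem at every renewal, so a cron job that appends
# unconditionally stacks a copy of the root on every run between renewals, and
# zmcertmgr then imports the same CA into its keystore again and again.
append_root_once() {
  chain="$1"; root="$2"
  root_hash="$(pem_block_hashes "$root" | awk 'NR == 1')"
  [ -n "$root_hash" ] || { echo "no certificate block in $root" >&2; return 1; }
  case "$(pem_block_hashes "$chain")" in
    *"$root_hash"*) return 0 ;;   # already present, nothing to do
  esac
  # make sure the new block starts on its own line
  [ -z "$(tail -c 1 "$chain")" ] || echo >>"$chain"
  cat "$root" >>"$chain"
}

# Stage the files with tight permissions, verify with zmcertmgr, back up, deploy,
# restart. Nothing in /opt/zimbra/ssl/zimbra is touched unless verifycrt passes.
deploy() {
  stage="$ZIMBRA_SSL/letsencrypt"
  stamp="$(date +%Y%m%d-%H%M%S)"
  append_root_once "$SSL_DIR/chain.pem" "$SSL_DIR/root-ca.pem"
  install -d -o zimbra -g zimbra -m 750 "$stage"
  install -o zimbra -g zimbra -m 644 "$SSL_DIR/cert.pem" "$SSL_DIR/chain.pem" "$stage/"
  install -o zimbra -g zimbra -m 600 "$SSL_DIR/privkey.pem" "$stage/privkey.pem"
  if ! su zimbra -c "cd '$stage' && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem" >>"$LOG" 2>&1; then
    log "verifycrt failed; current certificate left in place"
    return 1
  fi
  cp -a "$ZIMBRA_SSL/zimbra" "$ZIMBRA_SSL/zimbra.$stamp"
  install -o zimbra -g zimbra -m 600 "$stage/privkey.pem" "$ZIMBRA_SSL/zimbra/commercial/commercial.key"
  su zimbra -c "cd '$stage' && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem" >>"$LOG" 2>&1
  su - zimbra -c 'zmcontrol restart' >>"$LOG" 2>&1
  log "deployed new certificate; previous files kept in $ZIMBRA_SSL/zimbra.$stamp"
}

case "${1:-}" in
  deploy) deploy ;;
  *) : ;;   # without 'deploy' only the functions are defined (sourcing/testing)
esac
```

Pass it to acme.sh as --reloadcmd "/root/zimbra-deploy.sh deploy" and the two-month cron entry becomes unnecessary: acme.sh runs the hook, as root, right after it has written the renewed files, and a renewal that zmcertmgr rejects leaves the previously deployed certificate untouched with the reason in the log.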

Previous: [Open Source] Zimbra open source enterprise mail server
Next: [Open Source] Zimbra DKIM setup