Installing a trusted SSL certificate for Zimbra 8.8.15 with Let's Encrypt
Preface
On CentOS 7 the Let's Encrypt certbot-auto installer can no longer be used directly; it fails with the following error:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
1. Install snapd
Install the EPEL repository first:
[root@mail ~]# yum install epel-release
Install snapd:
[root@mail ~]# yum install snapd
Enable and start snapd.socket:
[root@mail ~]# systemctl enable --now snapd.socket
Create a symlink from /snap to /var/lib/snapd/snap (required for snaps that use classic confinement, such as certbot):
[root@mail ~]# ln -s /var/lib/snapd/snap /snap
Reboot the system to make sure snap is fully enabled.
Install the core snap and update it to the latest version:
[root@mail ~]# snap install core
[root@mail ~]# snap refresh core
2. Install certbot
Remove any previously installed certbot and its leftover files (only needed if they are present):
[root@mail ~]# yum remove certbot
[root@mail ~]# rm /usr/local/bin/certbot-auto
[root@mail ~]# rm -rf /opt/eff.org/certbot
Install certbot:
[root@mail ~]# snap install --classic certbot
Create a symlink to /snap/bin/certbot so that the certbot command is on the PATH:
[root@mail ~]# ln -s /snap/bin/certbot /usr/bin/certbot
Issue the SSL certificate:
[root@mail ~]# certbot certonly --standalone -d mail.zimbra.com -m 123@qq.com --agree-tos
Note: mail.zimbra.com is the Zimbra server's domain name and 123@qq.com is your e-mail address.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for mail.zimbra.com
Performing the following challenges:
http-01 challenge for mail.staginfo.com
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123@qq.com).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.zimbra.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.zimbra.com/privkey.pem
Your certificate will expire on 2021-08-19. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate files are in the /etc/letsencrypt/live/mail.zimbra.com/ directory:
[root@mail ~]# ll /etc/letsencrypt/live/mail.zimbra.com/
total 4
lrwxrwxrwx 1 root root 40 Nov 29 11:54 cert.pem -> ../../archive/mail.zimbra.com/cert1.pem
lrwxrwxrwx 1 root root 41 Nov 29 11:54 chain.pem -> ../../archive/mail.zimbra.com/chain1.pem
lrwxrwxrwx 1 root root 45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.zimbra.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 Nov 29 11:54 privkey.pem -> ../../archive/mail.zimbra.com/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 29 11:54 README
Append the root certificate to the end of chain.pem (Zimbra verifies the chain up to a root, so the intermediate chain alone is not enough). When done, your chain.pem should look like this:
-----BEGIN CERTIFICATE-----
your chain contents
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root certificate contents
-----END CERTIFICATE-----
Copy all the generated certificate files from /etc/letsencrypt/live/mail.zimbra.com/ to /opt/zimbra/ssl/letsencrypt/ and make the zimbra user their owner:
[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt
[root@mail ~]# cp /etc/letsencrypt/live/mail.zimbra.com/* /opt/zimbra/ssl/letsencrypt/
[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*
[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/
total 20
-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem
-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem
-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem
-rw-r--r-- 1 zimbra zimbra 692 Nov 29 12:20 README
Switch to the zimbra user and verify that the key, certificate and chain belong together:
[root@mail ~]# su - zimbra
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
3. Deploy the certificate
As the zimbra user, verify the files again before deploying:
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
Back up the existing Zimbra SSL directory (as root):
[zimbra@mail letsencrypt]$ exit
[root@mail ssl]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
Copy the private key into the commercial-certificate directory that Zimbra expects:
[root@mail ssl]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’? y
[root@mail ssl]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
Deploy the certificate (note that zmcertmgr resolves cert.pem and chain.pem relative to the current directory, so it must be run from /opt/zimbra/ssl/letsencrypt/):
[root@mail ssl]# su - zimbra
Last login: Fri May 21 09:38:24 CST 2021 on pts/0
[zimbra@mail ~]$ chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
ERROR: open input 'cert.pem' failed: No such file or directory
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.zimbra.com...failed (rc=1)
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/c97c4c49.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c97c4c49.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'
Restart the Zimbra services:
[zimbra@mail ~]$ zmcontrol restart
4. Automatic renewal
A Let's Encrypt certificate is valid for 3 months by default, so it has to be renewed.
Create a cron job:
[root@mail ssl]# sudo crontab -e
Add the line 30 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log at the end; the crontab then looks like this:
0 0 * * * /opt/search/es-index-clear.sh > /dev/null 2>&1
0 1 * * 6 /usr/sbin/ntpdate ntp.aliyun.com ;/sbin/hwclock -w > /dev/null 2>&1
#* * * * * /opt/search/reboot-kibana.sh >> /opt/search/reboot-kibana.log 2>&1
30 3 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Check the result with: sudo crontab -l
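The cron entry above only runs certbot renew, which refreshes /etc/letsencrypt but never repeats the chain-append, copy and zmcertmgr deploycrt steps, so Zimbra would keep serving the old certificate until it expires. The following certbot deploy hook is an added example, not part of the original post; it automates the post's manual steps on every renewal and assumes the post's paths, that the Let's Encrypt root certificate has been saved in PEM form at the assumed path ROOT_CA_PEM, and that it is run as root (as certbot runs its hooks).

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that carries a
# renewed Let's Encrypt certificate into Zimbra. "certbot renew" alone only refreshes
# /etc/letsencrypt; Zimbra keeps serving its old copy until zmcertmgr deploycrt runs.
# Paths follow the post; ROOT_CA_PEM is an assumed location for the root certificate.
set -eu

ZIMBRA_DIR=${ZIMBRA_DIR:-/opt/zimbra}
STAGE=${STAGE:-$ZIMBRA_DIR/ssl/letsencrypt}
ROOT_CA_PEM=${ROOT_CA_PEM:-/etc/letsencrypt/le-root.pem}   # assumed path, PEM of the root
# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to its deploy hooks.
LINEAGE=${RENEWED_LINEAGE:-/etc/letsencrypt/live/mail.zimbra.com}

# Number of PEM certificate blocks in a file; used to sanity-check the chain.
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain.pem for Zimbra = certbot's chain.pem + the root, as done by hand in the post.
# Arguments: certbot chain.pem, root PEM, output path. Refuses a root file that does
# not hold exactly one certificate, and checks the output really grew by one block.
build_chain() {
  [ "$(pem_count "$2")" -eq 1 ] || { echo "$2 must hold exactly one certificate" >&2; return 1; }
  cat "$1" "$2" > "$3"
  [ "$(pem_count "$3")" -eq $(( $(pem_count "$1") + 1 )) ]
}

deploy() {
  mkdir -p "$STAGE"
  cp -L "$LINEAGE/cert.pem" "$LINEAGE/privkey.pem" "$STAGE/"
  build_chain "$LINEAGE/chain.pem" "$ROOT_CA_PEM" "$STAGE/chain.pem"
  chown zimbra:zimbra "$STAGE"/*
  # Dated backup of the current Zimbra SSL tree, as in the post, before overwriting.
  cp -a "$ZIMBRA_DIR/ssl/zimbra" "$ZIMBRA_DIR/ssl/zimbra.$(date +%Y%m%d%H%M)"
  cp "$STAGE/privkey.pem" "$ZIMBRA_DIR/ssl/zimbra/commercial/commercial.key"
  chown zimbra:zimbra "$ZIMBRA_DIR/ssl/zimbra/commercial/commercial.key"
  # zmcertmgr runs as the zimbra user and resolves cert.pem/chain.pem relative to cwd
  # (the post hit "No such file or directory" when run from the wrong directory).
  su - zimbra -c "cd '$STAGE' && $ZIMBRA_DIR/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem"
  su - zimbra -c "cd '$STAGE' && $ZIMBRA_DIR/bin/zmcertmgr deploycrt comm cert.pem chain.pem"
  su - zimbra -c "zmcontrol restart"
}

# Act only when certbot invokes this as a hook (RENEWED_LINEAGE set) or when run by hand
# with the argument "deploy", so sourcing or testing the file does not touch Zimbra.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = deploy ]; then
  deploy
fi
```

Running certbot renew --deploy-hook /usr/local/sbin/zimbra-le-deploy.sh once records the hook in the lineage's renewal configuration, so the cron entry in the post needs no change. The standalone authenticator must bind port 80 during the http-01 challenge; if Zimbra's proxy already listens there, certbot's --pre-hook and --post-hook can stop and start it around the challenge.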
Summary
This is a write-up of what worked for me after reading several other people's articles and adapting them to my own setup.