Preface

CentOS 7 does not support installing Let's Encrypt directly; the error is as follows:

Skipping bootstrap because certbot-auto is deprecated on this system.

Your system is not supported by certbot-auto anymore.

Certbot cannot be installed.

Please visit https://certbot.eff.org/ to check for other alternatives.


1. Install snapd

First install EPEL:

[root@mail ~]# yum install epel-release

Install snapd:

[root@mail ~]# yum install snapd

Enable and start snapd.socket:

[root@mail ~]# systemctl enable --now snapd.socket

Create a link between /var/lib/snapd/snap and /snap:

[root@mail ~]# ln -s /var/lib/snapd/snap /snap

Reboot the system to make sure snap is enabled.

Update snap to the latest version:

[root@mail ~]# snap install core

[root@mail ~]# snap refresh core

2. Install certbot

Remove any previously installed certbot and its related files (run these only if certbot was installed before):

[root@mail ~]# yum remove certbot

[root@mail ~]# rm /usr/local/bin/certbot-auto

[root@mail ~]# rm -rf /opt/eff.org/certbot

Install certbot:

[root@mail ~]# snap install --classic certbot

Create a symlink to /snap/bin/certbot so that the certbot command is easy to run:

[root@mail ~]# ln -s /snap/bin/certbot /usr/bin/certbot

Generate the SSL certificate:

[root@mail ~]# certbot certonly --standalone -d mail.zimbra.com -m 123@qq.com --agree-tos

Note: mail.zimbra.com is the Zimbra domain name and 123@qq.com is your e-mail address.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for mail.zimbra.com
Performing the following challenges:
http-01 challenge for mail.staginfo.com
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: 123@qq.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.zimbra.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.zimbra.com/privkey.pem
   Your certificate will expire on 2021-08-19. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificates are in the /etc/letsencrypt/live/mail.chenxie.net/ directory:

[root@mail ~]# ll /etc/letsencrypt/live/mail.zimbra.com/

total 4

lrwxrwxrwx 1 root root  40 Nov 29 11:54 cert.pem -> ../../archive/mail.zimbra.com/cert1.pem

lrwxrwxrwx 1 root root  41 Nov 29 11:54 chain.pem -> ../../archive/mail.zimbra.com/chain1.pem

lrwxrwxrwx 1 root root  45 Nov 29 11:54 fullchain.pem -> ../../archive/mail.zimbra.com/fullchain1.pem

lrwxrwxrwx 1 root root  43 Nov 29 11:54 privkey.pem -> ../../archive/mail.zimbra.com/privkey1.pem

-rw-r--r-- 1 root root 692 Nov 29 11:54 README

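Append the root certificate to the end of chain.pem. When you are done, chain.pem should look like this (your chain first, then the root certificate):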

-----BEGIN CERTIFICATE-----

Your chain contents

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Copy all of the generated certificates from /etc/letsencrypt/live/mail.chenxie.net/ to the /opt/zimbra/ssl/letsencrypt/ directory:

[root@mail ~]# mkdir /opt/zimbra/ssl/letsencrypt

[root@mail ~]# cp /etc/letsencrypt/live/mail.zimbra.com/* /opt/zimbra/ssl/letsencrypt/

[root@mail ~]# chown zimbra.zimbra /opt/zimbra/ssl/letsencrypt/*

[root@mail ~]# ls -l /opt/zimbra/ssl/letsencrypt/

total 20

-rw-r--r-- 1 zimbra zimbra 1915 Nov 29 12:20 cert.pem

-rw-r--r-- 1 zimbra zimbra 2847 Nov 29 12:20 chain.pem

-rw-r--r-- 1 zimbra zimbra 3562 Nov 29 12:20 fullchain.pem

-rw------- 1 zimbra zimbra 1704 Nov 29 12:20 privkey.pem

-rw-r--r-- 1 zimbra zimbra  692 Nov 29 12:20 README

Switch to the zimbra user and verify the certificate:

[root@mail ~]# su - zimbra

[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/

[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

** Verifying 'cert.pem' against 'privkey.pem'

Certificate 'cert.pem' and private key 'privkey.pem' match.

** Verifying 'cert.pem' against 'chain.pem'

Valid certificate chain: cert.pem: OK

3. Deploy

Switch to the zimbra user to deploy:

[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK

Back up:

[zimbra@mail letsencrypt]$ exit

[root@mail ssl]# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Copy the private key into the commercial certificate directory that Zimbra recognizes:

[root@mail ssl]# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’? y
[root@mail ssl]# chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

Apply the configuration:

[root@mail ssl]# su - zimbra
Last login: Fri May 21 09:38:24 CST 2021 on pts/0
[zimbra@mail ~]$ chown zimbra.zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
[zimbra@mail ~]$  /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
ERROR: open input 'cert.pem' failed: No such file or directory
[zimbra@mail ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@mail letsencrypt]$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem 
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'

** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.zimbra.com...failed (rc=1)
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/c97c4c49.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c97c4c49.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_3.crt'

Restart the Zimbra services:

[zimbra@mail ~]$ zmcontrol restart

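4. Automatic renewal

Certificates are valid for 3 months by default, so they have to be renewed.

Create a scheduled task:

[root@mail ssl]# sudo crontab -e

Append this line at the end: 30 3 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log, as shown below: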

0 0 * * * /opt/search/es-index-clear.sh > /dev/null 2>&1
0 1 * * 6 /usr/sbin/ntpdate ntp.aliyun.com ;/sbin/hwclock -w > /dev/null 2>&1
#* * * * * /opt/search/reboot-kibana.sh >> /opt/search/reboot-kibana.log 2>&1
30 3 * * * /usr/bin/certbot renew  >> /var/log/le-renew.log

Check that it is in effect: sudo crontab -l
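
The cron entry above renews only the files under /etc/letsencrypt; the copies Zimbra uses under /opt/zimbra/ssl/zimbra/commercial stay unchanged until the copy, verifycrt and deploycrt steps are repeated. The following certbot deploy hook is an added example, not from the original article, that repeats those steps after each renewal. The function names and the ROOT_PEM path (a local file holding the root certificate the article appends to chain.pem) are assumptions.

```bash
#!/bin/bash
# Added example: certbot deploy hook that redeploys a renewed certificate to Zimbra.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.zimbra.com) to the hook.
set -u
STAGE="${STAGE:-/opt/zimbra/ssl/letsencrypt}"                  # staging dir from the article
COMMERCIAL="${COMMERCIAL:-/opt/zimbra/ssl/zimbra/commercial}"  # Zimbra commercial cert dir
ROOT_PEM="${ROOT_PEM:-/opt/zimbra/ssl/le-root.pem}"            # assumption: root CA saved here

# The article runs zmcertmgr and zmcontrol as the zimbra user.
run_as_zimbra() { su - zimbra -c "$1"; }

# Copy the renewed files into the staging directory.
stage_certs() {
    local live="$1"
    [ -r "$live/privkey.pem" ] && [ -r "$live/cert.pem" ] && [ -r "$live/chain.pem" ] || {
        echo "missing PEM files in $live" >&2; return 1; }
    [ -r "$ROOT_PEM" ] || { echo "root certificate $ROOT_PEM not found" >&2; return 1; }
    mkdir -p "$STAGE" || return 1
    # Recreate the key under umask 077 so it is mode 600 from the first byte.
    ( umask 077; rm -f "$STAGE/privkey.pem"; cat "$live/privkey.pem" > "$STAGE/privkey.pem" ) || return 1
    cp "$live/cert.pem" "$STAGE/cert.pem" || return 1
    # chain.pem = Let's Encrypt chain followed by the root, as the article describes.
    cat "$live/chain.pem" "$ROOT_PEM" > "$STAGE/chain.pem" || return 1
    chown zimbra:zimbra "$STAGE"/*.pem
}

# Verify, then install the key and deploy; a failed check leaves the old key in place.
deploy_certs() {
    run_as_zimbra "cd '$STAGE' && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem" || {
        echo "verifycrt failed, keeping the current certificate" >&2; return 1; }
    ( umask 077; rm -f "$COMMERCIAL/commercial.key"
      cat "$STAGE/privkey.pem" > "$COMMERCIAL/commercial.key" ) || return 1
    chown zimbra:zimbra "$COMMERCIAL/commercial.key"
    run_as_zimbra "cd '$STAGE' && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem" || return 1
    run_as_zimbra "zmcontrol restart"
}

# Run only when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_certs "$RENEWED_LINEAGE" && deploy_certs
fi
```

To use it, save the script as an executable file and append `--deploy-hook <path-to-script>` to the `certbot renew` command in the cron entry; certbot runs the hook only after a certificate has actually been renewed.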


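Summary

This is a summary of a deployment that succeeded in my own environment, written after consulting articles by several experts.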
