zimbra: multiple letsencrypt certificates and Unable to start TLS error

The following guide is tested against zimbra 8.8: Installing a Let’s Encrypt SSL Certificate

If this error occurs: ‘Unable to start TLS: hostname verification failed when connecting to ldap master.
make sure you have included your hostname in your letsencrypt signing domains and follow the guide once again.
For instance, if your hostname is mail5.example.com, use letsencrypt to sign mail5.example.com along with all other domains.

Example:

[email protected]:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone -d mail5.example.com -d mail.example.com -d webmail.example.com -d mail.test.com -d webmail.test.com

Make also sure you append https://www.identrust.com/certificates/trustid/root-download-x3.html to chain.pem

The whole procedure seems a bit tricky but actually it’s easy and it works.

Hopefully, some clever people have developed a bunch of scripts to automate the whole procedure, not all of them work in all cases. We have successfully tested the first automated method (https://github.com/VojtechMyslivec/letsencrypt-zimbra/) and it works great, as long as you keep incuding hostname in your config to avoid the “Unable to start TLS” error.

So open up your config at:

/opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg

And edit the line with common names:


common_names=( "mail5.example.com" "mail.example.com" "webmail.example.com" "mail.test.com" "webmail.test.com" )

 

Automated method installation instructions are very simple – just follow them here: https://github.com/VojtechMyslivec/letsencrypt-zimbra/

The manual method, although hasn’t any real difficulties, has some steps though that might prove a nightmare when it comes to renew certs every 3 months for letsencrypt certs. Anyhow, for all of you manual people, steps are the following:

  • Stop zimbra services: zmcontrol stop
  • Use letsencrypt to fetch the certificates: ./letsencrypt-auto certonly --standalone -d mail5.example.com -d mail.example.com -d webmail.example.com -d mail.test.com -d webmail.test.com. If asked, select expand (E).
  • Append missing certificate to chain.pem
  • Copy created certificates to zimbra location: cp /etc/letsencrypt/live/mail5.example.com/* /opt/zimbra/ssl/letsencrypt/
  • Set rights: chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
  • Login as zimbra: su - zimbra
  • Goto certificates path: cd /opt/zimbra/ssl/letsencrypt
  • Check certificate validity: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
  • Take a backup: cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
  • Deploy certificates to zimbra installation: /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
  • Restart zimbra: zmcontrol restart

migrate from zimbra to zimbra

Guide below is tested against zimbra 8.6, 8.7, 8.8. It’s not a full zimbra to zimbra migration, missed some things, but it works to migrating most important stuff. There might also exist some minor bugs, but if you have a basic experience in linux shell you won’t have a problem tweaking commands.

install certbot on ubuntu 16.04

On Ubuntu systems, the Certbot team maintains a PPA. Once you add it to your list of repositories all you’ll need to do is apt-get the following packages. $ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install python-certbot-apache Reference: https://help.ubuntu.com/community/Repositories/Ubuntu#Adding_PPAs

protect zimbra from memcached attack

Zimbra uses memcached and if not properly configured could lead to a vulnerable system. If you want to read more on memcached attack read this: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ How to resolve this vulnerability in 3 steps: Enable firewall on your server Setup zimbra specific rules Bind memcached to localhost Deny memcached port from localhost Let’s start.

remove banned ip from microsoft ban lists

This works for hotmail.com, live.com, outlook.com and possibly other microsoft related email addresses. Use this form to request removal: http://go.microsoft.com/fwlink/?linkid=614866 Make sure you ‘re registered: https://postmaster.live.com/snds/data.aspx This was an old one and does not seem to work anymore: https://support.live.com/eform.aspx?productKey=edfsmsbl3&ct=eformts&scrx=1 Source: https://answers.microsoft.com/en-us/outlook_com/forum/oemail-osend/hotmailoutlook-blacklist-removal-form/86c71c17-80c9-48e9-b822-1d3678f19673

osticket and self-signed-certificates on email server

This has to do with PHP >= 5.6, where php changed its behavior with self signed certificates.  This has caused osticket users to keep old PHP versions in order to operate with self signed mail servers. But actually the fix is relatively simple: Go to {osTicket directory}/include/pear/Net/SMTP.php line 173 and change this line: ‘ssl’ => array(‘verify_peer_name’ => false)… Continue reading osticket and self-signed-certificates on email server