Zimbra adalah salah satu Open Source Exchange Mail Server yang powerfull. Kebanyakan orang setelah menginstall Zimbra OSE, bingung untuk mengaktifkan SSL, dikarenakan certificate yang tertanam di Zimbra adalah Self Sign yang tidak diterima oleh Web Browser yang ber-edar saat ini.
Untuk itu kali ini saya akan mencoba untuk melakukan Instalasi Lets Encrypt (Sebagai salah satu penyedia layanan SSL Gratis) di Zimbra OSE.
Tahap pertama adalah dengan mematikan beberapa service yang dilakukan di “zimbra privilages”
zmproxyctl stop
zmmailboxdctl stop
Langkah selanjutnya adalah “Mendownload Git Source Lets Encrypt” di dalam server Zimbra
Notes : Untuk Redhat / CentOS 6 agar menggunakan Repo EPEL sebelum melakukan instalasi
cd /usr/local/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Sekarang kita bisa melakukan proses pembuatan Sertifikat SSL menggunakan Lets Encrypt
[root@srv letsencrypt]
# /letsencrypt-auto certonly –standalone -d example.com
Kemudian akan muncul beberapa proses notifikasi. Proses pembuatan Sertifikasi SSL ini memerlukan waktu beberapa menit hingga muncul
IMPORTANT NOTES: - Congratulations! Yourcertificate
and chain have been saved at /etc/letsencrypt/live/zimbra86.zimbra.io/fullchain.pem. Your cert will expire on 2016-03-04. To obtain a new version of thecertificate
in the future, simply run Let's Encrypt again. - If like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Dimana letak SSL Sertifikat nya ??
Sertifikat SSL yang sudah dibuat akan diletakkan di /etc/letsencrypt/live/$domain
[root@srv mail.example.com][root@srv mail.example.com]# ls -al total 12 drwxr-xr-x 2 root root 4096 Feb 3 11:40 . drwx------ 3 root root 4096 Feb 2 19:42 .. lrwxrwxrwx 1 root root 48 Feb 3 11:40 cert.pem -> ../../archive/mail.example.com/cert2.pem lrwxrwxrwx 1 root root 49 Feb 3 11:40 chain.pem -> ../../archive/mail.example.com/chain2.pem lrwxrwxrwx 1 root root 53 Feb 3 11:40 fullchain.pem -> ../../archive/mail.example.com/fullchain2.pem lrwxrwxrwx 1 root root 51 Feb 3 11:40 privkey.pem -> ../../archive/mail.example.com/privkey2.pem -rw-r--r-- 1 root root 543 Feb 2 19:42 README
#
cert.pem adalah certificate
chain.pem adalah chain
fullchain.pem adalah gabungan certificate dan chain
privkey.pem adalah private key
Membuat CA yang ada di tambah dari ROOT CA
LetsEncrypt sebenarnya hampir sempurna, namun selama proses pembuatan sertifikasi system hanya menambahkan file chain.pem tanpa ada ROOT CA. Kita harus menggunakan Fasilitas IdenTrust ROOT CERTIFICATE kemudian menggabungkannya.
Buka File chain.pem dan tambahkan ROOT CA diatas isi dari chain.pem
-----BEGIN CERTIFICATE----- IdenTrust ROOT CERTIFICATE -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE-----
Memeriksa Sertifikat SSL
Copy semua file yang ada di /etc/letsencrypt/live/$domain ke /opt/zimbra/ssl/letsencrypt
[root@srv mail.example.com][root@srv mail.example.com]# mkdir -p /opt/zimbra/ssl/letsencrypt
# cp /etc/letsencrypt/live/mail.example.com/* /opt/zimbra/ssl/letsencrypt/
[root@srv mail.example.com]# chown zimbra. zimbra
/opt/zimbra/ssl/letsencrypt/*
Langkah untuk Zimbra 8.7 keatas
Masuk sebagai zimbra user (privilages)
[root@srv mail.example.com]# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem ** Verifying cert.pem against privkey.pem Certificate (cert.pem) and private key (privkey.pem) match. Valid Certificate: cert.pem: OK
Mengaktifkan SSL Certificate LetsEncrypt
Sebelum melakukan aktifasi SSL Certificate, ada baiknya kita melakukan backup terlebih dahulu
cp -a /opt/zimbra/ssl/zimbra
/opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
Copy file private key ke Zimbra Direktory
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
Aktifasi SSL Certificate
[root@srv mail.example.com]# /opt/zimbra/ssl/letsencrypt/$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem ** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key' Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match. ** Verifying 'cert.pem' against 'chain.pem' Validcertificate
chain: cert.pem: OK ** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' ** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' ** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts' ** NOTE: restart mailboxd to use the importedcertificate
. ** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail2.next.zimbra.io...failed (rc=1) ** Installing ldapcertificate
'/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key' ** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12' ** Creating keystore '/opt/zimbra/mailboxd/etc/keystore' ** Installing mtacertificate
'/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key' ** Installing proxycertificate
'/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt' ** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key' ** NOTE: restart services to use the new certificates. ** Cleaning up 3 files from '/opt/zimbra/conf/ca' ** Removing /opt/zimbra/conf/ca/41b01cbb.0 ** Removing /opt/zimbra/conf/ca/ca.key ** Removing /opt/zimbra/conf/ca/ca.pem ** Copying CA to /opt/zimbra/conf/ca ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key' ** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem' ** Creating CA hash symlink '41b01cbb.0' -> 'ca.pem' ** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt ** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt' ** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt ** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Restart Zimbra Service
zmcontrol restart
Lakukan testing pada domain yang telah di lakukan instalasi
Leave a Reply