Zimbra Certificate Replace

From Bitbull Wiki

1 Zimbra SSL Cert Replace

1.1 Links

1.2 Download Certificate (only valid for acme)

  • https://www.thesslstore.com/
  • My Orders > Total Orders > "latest order with active status" > Download Certificate
  • Server Platform: nginx / File Type: Individual .crts (zipped) -> star_acme.com.pem file

1.3 Backup current certificates

root@srv-pmail-01:~# backup /opt/zimbra/ssl/zimbra/commercial
'/opt/zimbra/ssl/zimbra/commercial' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657'
'/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial_ca.crt'
'/opt/zimbra/ssl/zimbra/commercial/commercial.crt' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.crt'
'/opt/zimbra/ssl/zimbra/commercial/commercial.key' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.key'
'/opt/zimbra/ssl/zimbra/commercial/commercial.csr' -> '/opt/zimbra/ssl/zimbra/commercial.202306110657/commercial.csr'

1.4 Verify current Certificate

zimbra@srv-pmail-01:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

zimbra@srv-pmail-01:/tmp$ openssl verify -CAfile /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt /opt/zimbra/ssl/zimbra/commercial/commercial.crt
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

zimbra@srv-pmail-01:/tmp$ cd /tmp
zimbra@srv-pmail-01:/tmp$ wget https://raw.githubusercontent.com/joe-speedboat/linux.scripts/master/shell/openssl_check_cert_chain.sh
# read the script before running it: it is fetched unauthenticated from a third-party repository and runs as the zimbra user

zimbra@srv-pmail-01:/tmp$ bash openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial.crt 
 0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
 2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

zimbra@srv-pmail-01:/tmp$  openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            77:66:55:44:33:22:11:77:66:55:44:33:22:11:11:11
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
        Validity
            Not Before: YYY
            Not After: ZZZ

1.5 Prepare new Certificate

Create or edit these three files:

/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
# ca chain without server certificate

/opt/zimbra/ssl/zimbra/commercial/commercial.crt
# server certificate only (note that the old commercial.crt shown above had the CA chain appended, which is wrong but not a show stopper)

/opt/zimbra/ssl/zimbra/commercial/commercial.key
# private key
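The three files above and the checks in the next section, as one added shell example (not part of the original wiki page or of Zimbra's own tooling): it splits the vendor's PEM bundle (e.g. star_acme.com.pem) into the leaf certificate and the CA chain with awk, then uses openssl to run the key/certificate match and chain check that zmcertmgr verifycrt performs, plus a SAN coverage check for the host name and an expiry check. The /tmp/certsplit staging directory, the script name, and the bundle/key/host-name arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original wiki page or of Zimbra's tooling:
# split the vendor's PEM bundle (e.g. star_acme.com.pem) into the leaf cert
# and the CA chain that go into commercial.crt and commercial_ca.crt, then run
# the checks zmcertmgr verifycrt performs (key/cert match, chain) plus two it
# does not (SAN coverage of the host name, expiry). Paths are assumptions.

# split_bundle BUNDLE LEAF CHAIN: first CERTIFICATE block of BUNDLE -> LEAF,
# all following blocks (intermediates, root) -> CHAIN; text outside the
# blocks such as "Bag Attributes" or "subject=" lines is dropped.
split_bundle() {
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
        inblk && n == 1 { print > leaf }
        inblk && n >= 2 { print > chain }
        /-----END CERTIFICATE-----/ { inblk = 0 }
    ' "$1"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# key_matches KEY CERT -> 0 when the public half of KEY equals the public key
# in CERT (both rendered as SubjectPublicKeyInfo PEM and compared as text)
key_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# chain_ok CHAIN LEAF -> 0 when LEAF verifies against CHAIN. As with the
# page's "openssl verify -CAfile", every cert in CHAIN counts as trusted, so
# this shows the files fit together, not that a public root is present.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_of CERT -> subjectAltName entries as "DNS:a,DNS:b" (empty if none)
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' '
}

# covers CERT NAME -> 0 when a SAN entry matches NAME exactly or via a
# single-label wildcard (*.acme.com matches mail01.acme.com, not a.b.acme.com)
covers() {
    san=$(san_of "$1" | tr ',' ' '); name=$2; rc=1
    set -f                                   # no pathname expansion of "*.acme.com"
    for entry in $san; do
        pat=${entry#DNS:}
        [ "$pat" = "$entry" ] && continue    # not a DNS: entry
        case "$pat" in
            "$name") rc=0; break ;;
            \*.*) if [ "${name#*.}" = "${pat#\*.}" ] && [ "${name%%.*}" != "$name" ]; then
                      rc=0; break
                  fi ;;
        esac
    done
    set +f
    return $rc
}

# expires_within CERT SECONDS -> 0 when CERT's notAfter is within SECONDS
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage (all arguments are examples): sh split_and_check.sh star_acme.com.pem star_acme.com.key mail01.acme.com
if [ $# -eq 3 ]; then
    dir=$(mktemp -d /tmp/certsplit.XXXXXX)
    split_bundle "$1" "$dir/commercial.crt" "$dir/commercial_ca.crt"
    echo "leaf certs: $(count_certs "$dir/commercial.crt"), chain certs: $(count_certs "$dir/commercial_ca.crt")"
    key_matches "$2" "$dir/commercial.crt" && echo "key matches certificate" || echo "FAIL: key does not match certificate"
    chain_ok "$dir/commercial_ca.crt" "$dir/commercial.crt" && echo "chain verifies" || echo "FAIL: chain does not verify"
    covers "$dir/commercial.crt" "$3" && echo "SAN covers $3" || echo "FAIL: SAN does not cover $3"
    expires_within "$dir/commercial.crt" $((30 * 86400)) && echo "WARNING: certificate expires within 30 days"
    echo "files staged in $dir; copy them to /opt/zimbra/ssl/zimbra/commercial/ owned by zimbra, key not world-readable"
fi
```

The chain check deliberately mirrors the page's `-CAfile` usage: it proves commercial.crt, commercial_ca.crt and the key belong together, which is what zmcertmgr cares about, but because every certificate in the file is treated as a trust anchor it would also pass with an incomplete chain. Clients will only be satisfied if the chain reaches a root they already trust, which the openssl_check_cert_chain.sh output above (ending at DigiCert Global Root G2) lets you eyeball.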

1.6 Verify new Certificate

root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt 
 0: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
 1: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt: OK

root@srv-pmail-01:~#  cat /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt > /tmp/tmp.crt
root@srv-pmail-01:~# bash /tmp/openssl_check_cert_chain.sh /tmp/tmp.crt 
 0: subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1: subject=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
 2: subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
/tmp/tmp.crt: OK

root@srv-pmail-01:~# openssl x509 -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -text -noout | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
        Validity
            Not Before: YYY
            Not After: ZZZ

root@srv-pmail-01:~# su - zimbra
zimbra@srv-pmail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@srv-pmail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK

1.7 Deploy new Certificates

root@acme-mail-01:~# su - zimbra
zimbra@acme-mail-01:~$ cd /opt/zimbra/ssl/zimbra/commercial/
zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK

zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
[...]
# watch out for any errors

zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=xxx
notAfter=xxx
subject=C = US, ST = Nevada, L = StoneBridge, O = Coyote Enterprises, CN = *.acme.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
SubjectAltName=*.acme.com

zimbra@acme-mail-01:~/ssl/zimbra/commercial$ zmcontrol restart
Host mail01.acme.com
        Stopping vmware-ha...Done.
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.           
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping convertd...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host mail01.acme.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting logger...Done.
        Starting convertd...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.
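After the restart, as an added example that is not part of the original page: zmcertmgr viewdeployedcrt only reads the files on disk, so this confirms that each TLS-facing Zimbra service really presents the deployed certificate by comparing the SHA-256 fingerprint of what the live service sends with that of /opt/zimbra/conf/nginx.crt. The host name, the port list and the use of STARTTLS on 25, 587 and 389 are assumptions for the example; trim the list to the services actually enabled on the host.

```shell
#!/bin/sh
# Added example, not part of the original page: after "zmcontrol restart",
# compare the certificate each live Zimbra service presents with the one
# deployed on disk. Host name, ports and STARTTLS choices are assumptions.

# fingerprint_of CERT -> bare lower-case hex SHA-256 fingerprint (no label,
# no colons), so output from different OpenSSL versions compares equal
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# live_fingerprint HOST PORT [STARTTLS_PROTO] -> fingerprint of the leaf cert
# the service on HOST:PORT presents; STARTTLS_PROTO (smtp, imap, ldap, ...)
# is given for ports that negotiate TLS after a plaintext greeting
live_fingerprint() {
    host=$1; port=$2; proto=${3:-}
    starttls=""
    [ -n "$proto" ] && starttls="-starttls $proto"
    # $starttls is intentionally unquoted so it expands to two words
    openssl s_client -connect "$host:$port" -servername "$host" $starttls \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# check_services HOST DEPLOYED_CERT -> 0 when every service presents
# DEPLOYED_CERT, 1 when at least one does not (or is unreachable)
check_services() {
    host=$1; want=$(fingerprint_of "$2"); rc=0
    # entries are name:port:starttls-protocol (empty protocol = implicit TLS)
    for svc in proxy-https:443: imaps:993: pop3s:995: \
               smtp-starttls:25:smtp submission:587:smtp ldap-starttls:389:ldap; do
        name=${svc%%:*}; rest=${svc#*:}; port=${rest%%:*}; proto=${rest#*:}
        got=$(live_fingerprint "$host" "$port" "$proto")
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK   $name ($port)"
        else
            echo "FAIL $name ($port): got '${got:-no certificate}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Usage (host name is an example): sh check_deployed.sh mail01.acme.com
if [ -n "${1:-}" ]; then
    check_services "$1" /opt/zimbra/conf/nginx.crt
fi
```

A FAIL on one service after the others pass usually means that service was not restarted or reads its certificate from a different file; the per-service paths are the ones zmcertmgr viewdeployedcrt prints above.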