Let’s Encrypt SSL certificate installation on the Zimbra domain

Zimbra mail server is a type of dedicated server that manages contacts, mailbox contents, attachments, calendars, etc.

Here we are going to install Let’s Encrypt free SSL on a Zimbra mail domain.

How to install Let’s Encrypt SSL on a Zimbra domain?

You can install Let’s Encrypt SSL on the Zimbra domain using the certbot utility.

First, you have to stop the jetty or nginx utility.

su zimbra
zmproxyctl stop
zmmailboxdctl stop
# return to the root shell; installing packages requires root
exit
yum install certbot
certbot certonly

If the certbot command is not supported on your system, you can use the snapd package to install certbot.

  • Install the EPEL repository on the server.
yum install epel-release
  • Install the snapd package using the command below.
sudo yum install snapd
  • Enable snapd on the server.
sudo systemctl enable --now snapd.socket
  • Sometimes the above command does not work completely; in that case, run the given command to create a symbolic link between /var/lib/snapd/snap and /snap.
sudo ln -s /var/lib/snapd/snap /snap
  • Install snap core.
sudo snap install core
sudo snap refresh core
  • Install certbot on the server.
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • Now you can run the given command to generate the Let’s Encrypt certificates for the domain.
sudo certbot certonly

Choose option 1: Spin up a temporary webserver (standalone).

Then enter the domain name of your Zimbra installation.

For example,

Then the Let’s Encrypt SSL certificates can be found inside your system’s /etc/letsencrypt/live/ folder.

There you can see the cert.pem, chain.pem, fullchain.pem and privkey.pem files.

  • Next you have to add the given text at the end of your chain.pem file.
Your chain

  • Create a folder named /opt/zimbra/ssl/letsencrypt and copy these certificate files there. (Copy each file manually by pasting the content of the certificate file, because the symlinks can cause conflicts.)
mkdir -p /opt/zimbra/ssl/letsencrypt/

Copy the content of /etc/letsencrypt/live/, chain.pem, fullchain.pem, privkey.pem and paste it into /opt/zimbra/ssl/letsencrypt/cert.pem, chain.pem, fullchain.pem, privkey.pem respectively.

Next you have to change the ownership of the /opt/zimbra/ssl/letsencrypt folder to the zimbra user.

chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt
  • Then you have to verify the certificates.
su zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
  • Deploy the certificates.
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Restart the Zimbra services as the zimbra user using the commands below.

su zimbra
zmproxyctl start
zmmailboxdctl start
zmcontrol restart

You can now access the Zimbra domain with SSL (https).
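
The manual copy into /opt/zimbra/ssl/letsencrypt described above can be scripted. The following is an added example, not part of the original article; the function name stage_le_certs and its two directory arguments are assumptions. It copies the file content behind certbot's symlinks and keeps privkey.pem owner-only; run it as root before the chown step.

```shell
#!/bin/sh
# Added example (not from the original article).
# stage_le_certs is a hypothetical helper; both directories are arguments.
# Usage: stage_le_certs <certbot-live-dir> <dest-dir>
stage_le_certs() {
    live_dir=$1
    dest_dir=$2
    [ -d "$live_dir" ] || { echo "missing live dir: $live_dir" >&2; return 1; }

    # Create everything owner-only so privkey.pem is never world-readable,
    # not even between the copy and the later chmod.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest_dir" || { umask "$old_umask"; return 1; }

    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        # Remove a stale file or leftover symlink so cp cannot write through it.
        rm -f "$dest_dir/$f"
        # certbot's live/ entries are symlinks into ../../archive/;
        # cp -L copies the file content instead of the link itself.
        if ! cp -L "$live_dir/$f" "$dest_dir/$f"; then
            rc=1; break
        fi
        # Refuse anything that is not PEM (for example an empty file).
        if ! grep -q '^-----BEGIN ' "$dest_dir/$f"; then
            echo "$f is not PEM" >&2; rc=1; break
        fi
    done
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1

    # Certificates may be readable; the private key stays 0600.
    chmod 644 "$dest_dir/cert.pem" "$dest_dir/chain.pem" "$dest_dir/fullchain.pem"
    chmod 600 "$dest_dir/privkey.pem"
}
```

After it returns successfully, continue with the chown and the zmcertmgr verifycrt step shown above.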

It is easy to set up SSL for the Zimbra domain, but most users get errors when installing Let’s Encrypt without following the proper procedure.

