
    Zimbra Certbot Scripts

      dbeato

      I found the following scripts useful when using Zimbra and Let's Encrypt
      https://github.com/VojtechMyslivec/letsencrypt-zimbra
      https://github.com/yetopen/certbot-zimbra

      Just thought some might appreciate it, although a reverse proxy is much better.

        travisdh1 @dbeato

        @dbeato said in Zimbra Certbot Scripts:

        I found the following scripts useful when using Zimbra and Let's Encrypt
        https://github.com/VojtechMyslivec/letsencrypt-zimbra
        https://github.com/yetopen/certbot-zimbra

        Just thought some might appreciate it, although a reverse proxy is much better.

        I thought they had it built-in now? Need to upgrade my home lab, but don't know when I'll get around to it.

          dbeato @travisdh1

          @travisdh1 said in Zimbra Certbot Scripts:

          I thought they had it built-in now? Need to upgrade my home lab, but don't know when I'll get around to it.

          It has not been, it has been always manual...
          https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

            scottalanmiller @dbeato

            @dbeato said in Zimbra Certbot Scripts:

            It has not been, it has been always manual...
            https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

            Yup, pretty big pain. We have it nearly automated here at this point. It's a little more work as we have a reverse proxy in front of it.

              dbeato @scottalanmiller

              @scottalanmiller said in Zimbra Certbot Scripts:

              We have it nearly automated here at this point. It's a little more work as we have a reverse proxy in front of it.

              I set up a reverse proxy in front and no issue so far. Version 8.8.11 on Zimbra.

                scottalanmiller @dbeato

                @dbeato said in Zimbra Certbot Scripts:

                I set up a reverse proxy in front and no issue so far. Version 8.8.11 on Zimbra.

                On the same box, or on a different box?

                  dbeato @scottalanmiller

                  @scottalanmiller said in Zimbra Certbot Scripts:

                  On the same box, or on a different box?

                  Different Box.

                    scottalanmiller

                    Because the issue is, the cert gets issued to the reverse proxy server. So you need a process to grab it from there.

                      dbeato @scottalanmiller

                      @scottalanmiller said in Zimbra Certbot Scripts:

                      Because the issue is, the cert gets issued to the reverse proxy server. So you need a process to grab it from there.

                      For me, the Reverse proxy handles everything, that is the Zimbra server never sees that Certificate ever.

                        scottalanmiller @dbeato

                        @dbeato said in Zimbra Certbot Scripts:

                        For me, the Reverse proxy handles everything, that is the Zimbra server never sees that Certificate ever.

                        Ah ha. That's VERY different than our process.

                          EddieJennings @dbeato

                          @dbeato said in Zimbra Certbot Scripts:

                          For me, the Reverse proxy handles everything, that is the Zimbra server never sees that Certificate ever.

                          Including IMAP and SMTP traffic?

                            dbeato @EddieJennings

                            @EddieJennings said in Zimbra Certbot Scripts:

                            Including IMAP and SMTP traffic?

                            As we talked on the private chat, not IMAP and certainly not SMTP as SMTP is not over TLS.

                              EddieJennings

                              Since acquiring and renewing a certificate can be automated with Certbot, would it make sense to have the cert in two places? HTTP/HTTPS traffic passes through your Nginx VM, which receives its certificate through its own instance of Certbot. And you have a second instance of certbot that functions on the Zimbra server itself, so you have a cert for IMAP and SMTP connections.

                              Or, for you, does it not matter that IMAP and SMTP connections are unencrypted? Since beyond your own mail server, there's no guarantee that encrypted connections will exist.

                                scottalanmiller @dbeato

                                @dbeato said in Zimbra Certbot Scripts:

                                As we talked on the private chat, not IMAP and certainly not SMTP as SMTP is not over TLS.

                                We do both over TLS.

                                  scottalanmiller @EddieJennings

                                  @EddieJennings said in Zimbra Certbot Scripts:

                                  Since acquiring and renewing a certificate can be automated with Certbot, would it make sense to have the cert in two places? HTTP/HTTPS traffic passes through your Nginx VM, which receives its certificate through its own instance of Certbot. And you have a second instance of certbot that functions on the Zimbra server itself, so you have a cert for IMAP and SMTP connections.

                                  Or, for you, does it not matter that IMAP and SMTP connections are unencrypted? Since beyond your own mail server, there's no guarantee that encrypted connections will exist.

                                  You could, but it would still be such a pain to automate as certbot can't renew the certs alone for Zimbra, that you might as well just use one.
