Installing a Let’s Encrypt SSL Certificate on Zimbra – Assalamualaikum. An SSL certificate on Zimbra is needed to secure the communication path between the end user and the server. SSL certificates are generally commercial (paid). But can we use a free one? Certainly.
The following is a guide to installing a Let’s Encrypt SSL certificate on Zimbra:
- Stop the Zimbra proxy and mailbox services as the zimbra user
# su - zimbra
$ zmproxyctl stop
$ zmmailboxdctl stop
- The second step is to install git on the server (apt-get install git / yum install git), then clone the project's git repository into the folder of your choice. Note: on RedHat / CentOS 6 you must enable the EPEL repository before installing.
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
- Enter the letsencrypt folder and run the Let’s Encrypt command. For a single domain, use the following command:
# ./letsencrypt-auto certonly --standalone
- For multiple domains, use the following command:
# ./letsencrypt-auto certonly --standalone -d mail.rizkiana.my.id -d mail.yogi.id
- Wait a moment while the process runs as shown below, then enter your email address:
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies...../root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
./root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
[email protected]
- Choose A (Agree) to continue the process
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- Enter the hostname of the Zimbra server. In this case, mail.rizkiana.my.id is used
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):
mail.rizkiana.my.id
- Wait a moment until the validation process completes.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mail.rizkiana.my.id/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mail.provident-agro.com/privkey.pem
Your cert will expire on 2020-06-25. To obtain a new or tweaked
version of this certificate in the future, simply run
letsencrypt-auto again. To non-interactively renew *all* of your
certificates, run "letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Note: The certificates are located in the folder /etc/letsencrypt/live/$domain. The directory used here is /etc/letsencrypt/live/mail.rizkiana.my.id
- Edit the chain.pem file in the directory /etc/letsencrypt/live/mail.rizkiana.my.id and append the Root CA at the very bottom. The Root CA can be obtained from the following link: https://www.identrust.com/certificates/trustid/root-download-x3.html
# vim /etc/letsencrypt/live/mail.rizkiana.my.id/chain.pem
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOURROOTCA
-----END CERTIFICATE-----
- Copy all files in /etc/letsencrypt/live/mail.rizkiana.my.id into /opt/zimbra/ssl/letsencrypt and change the ownership of those files
# mkdir /opt/zimbra/ssl/letsencrypt
# cp /etc/letsencrypt/live/mail.rizkiana.my.id/* /opt/zimbra/ssl/letsencrypt/
# chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
- Go to the newly created /opt/zimbra/ssl/letsencrypt folder and verify the SSL certificate as the zimbra user
# su - zimbra
$ cd /opt/zimbra/ssl/letsencrypt
$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
- If verification succeeds, output like the following appears. Make sure the three files are given in the correct order
$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
- First back up the default Zimbra ssl folder with the following command:
# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
- Copy privkey.pem to commercial.key with the following command:
# cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
- Change the ownership of that file to zimbra.
# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*
- Deploy the Let’s Encrypt SSL certificate with the following command:
# su - zimbra
$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem
- Restart the Zimbra services to see the result.
$ zmcontrol restart
- The following is the result of the Let’s Encrypt SSL installation
That concludes how to install a Let’s Encrypt SSL certificate on Zimbra.
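The steps above hand-edit chain.pem and then pass three files to zmcertmgr, where a swapped file or a root CA pasted without a newline makes verification fail. The following is an added example, not part of the original post: a structural preflight to run on /opt/zimbra/ssl/letsencrypt before zmcertmgr verifycrt. The function names (pem_labels, pem_well_formed, check_bundle) are hypothetical, and the key permission check is an extra assumption not taken from the page; it inspects PEM structure only and does not replace zmcertmgr's cryptographic verification.

```shell
#!/bin/sh
# Added example: structural preflight for privkey.pem, cert.pem and chain.pem.
# Usage: check_bundle /opt/zimbra/ssl/letsencrypt

# Print the PEM block labels in a file, one per line (e.g. "CERTIFICATE").
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if every BEGIN/END marker is alone on its line and they pair up.
pem_well_formed() {
    # A marker glued to other text (no newline before the appended root CA)
    # mentions BEGIN/END but is not exactly a marker line.
    if grep -e '-----BEGIN ' -e '-----END ' "$1" |
        grep -qv -e '^-----BEGIN [A-Z0-9 ]*-----$' -e '^-----END [A-Z0-9 ]*-----$'
    then return 1; fi
    b=$(grep -c '^-----BEGIN ' "$1" || true)
    e=$(grep -c '^-----END ' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Print one FAIL line per problem; the return status is the number of problems.
check_bundle() {
    dir=$1; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -f "$dir/$f" ]; then fail "$f is missing"
        elif ! pem_well_formed "$dir/$f"; then fail "$f has glued or unbalanced PEM markers"
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # Catch swapped files: one private key in privkey.pem, one certificate in cert.pem.
    case $(pem_labels "$dir/privkey.pem") in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) fail "privkey.pem is not a single private key" ;;
    esac
    [ "$(pem_labels "$dir/cert.pem")" = "CERTIFICATE" ] ||
        fail "cert.pem is not a single certificate"

    # chain.pem: intermediate plus the appended root CA, and nothing but certificates.
    n=$(pem_labels "$dir/chain.pem" | grep -c '^CERTIFICATE$' || true)
    other=$(pem_labels "$dir/chain.pem" | grep -vc '^CERTIFICATE$' || true)
    { [ "$n" -ge 2 ] && [ "$other" -eq 0 ]; } ||
        fail "chain.pem holds $n certificate(s), $other other block(s)"

    # Added check (assumption, not from the page): key unreadable by group and others.
    [ "$(ls -ldL "$dir/privkey.pem" | cut -c5-10)" = "------" ] ||
        fail "privkey.pem is readable by group or others"
    return "$problems"
}
```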
Hope this is useful & enjoy. Wassalamualaikum