Guide to Configuring and Renewing a Free Let's Encrypt SSL Certificate for Zimbra Email Server

 

1./ Stop the email server

su - zimbra

zmproxyctl stop

zmmailboxdctl stop

 

2./ Git clone letsencrypt to the local server

Here I download it to /opt/letsencrypt

cd /opt/

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

3./ Create the certs

For a single domain, run this command:

./letsencrypt-auto certonly --standalone

For multiple domains, run this command:

./letsencrypt-auto certonly --standalone -d xmpp.example.com -d conference.example.com

Enter your email

Agree

Enter the domain, in the case where you register only one domain

Result

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.fixloinhanh.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.fixloinhanh.com/privkey.pem
   Your cert will expire on 2020-08-23. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After the certs have been created, the directory /etc/letsencrypt/live/mail.fixloinhanh.com/

will contain the following files:

 

cert.pem is the certificate

chain.pem is the chain

fullchain.pem is the concatenation of cert.pem + chain.pem

privkey.pem is the private key

Please keep in mind that the private key is only for you.

4./ Edit the chain.pem file

Edit chain.pem as follows:

Open chain.pem and append the second certificate block shown below (highlighted in the original post):

Your chain.pem should look like:

-----BEGIN CERTIFICATE-----

YOURCHAIN

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(root CA certificate body, from the file linked below)

-----END CERTIFICATE-----

This step is very important: the root CA must be copied to the end of the chain.pem file.

The content to append is available at the link below:

https://letsencrypt.org/certs/trustid-x3-root.pem.txt
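One way to do the append from step 4 safely, as an added example that is not part of the original post: it appends the root only if it is not already in chain.pem (renewals repeat this step) and adds a newline first when chain.pem lacks a final one, since a plain concatenation would otherwise fuse the END and BEGIN markers into one unparsable line. The function names are hypothetical and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# pem_count FILE -> number of certificate blocks in FILE
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_bodies FILE -> base64 body of each certificate, one certificate per line,
# so files compare equal regardless of line wrapping or CRLF line endings.
pem_bodies() {
    tr -d '\r' < "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t]/, ""); body = body $0 }'
}

# append_root CHAIN ROOT
# Appends the single certificate in ROOT to CHAIN unless it is already there.
# Returns 0 if appended, 1 if already present, 2 on malformed input.
append_root() {
    chain=$1 root=$2
    [ "$(pem_count "$root")" -eq 1 ] || return 2
    [ "$(pem_count "$chain")" -ge 1 ] || return 2
    root_body=$(pem_bodies "$root")
    [ -n "$root_body" ] || return 2
    if pem_bodies "$chain" | grep -qxF -- "$root_body"; then
        return 1
    fi
    # Without a final newline in CHAIN, a plain cat would produce
    # "-----END CERTIFICATE----------BEGIN CERTIFICATE-----".
    if [ -n "$(tail -c 1 "$chain")" ]; then
        printf '\n' >> "$chain"
    fi
    tr -d '\r' < "$root" >> "$chain"
    return 0
}

# Usage (root.pem is the downloaded root file; the name is an assumption):
# append_root /etc/letsencrypt/live/mail.fixloinhanh.com/chain.pem root.pem
```

DST Root CA X3, the root this page appends, expired on 30 September 2021, so on a current system pass whichever root your issued chain actually leads to; the function works the same for any single-certificate root file.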

5./ Build the certs

mkdir /opt/zimbra/ssl/letsencrypt

cp /etc/letsencrypt/live/mail.fixloinhanh.com/* /opt/zimbra/ssl/letsencrypt/

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

ls -la /opt/zimbra/ssl/letsencrypt/

 

total 24
drwxr-xr-x 2 root   root   4096 Jul 15 22:59 .
drwxr-xr-x 8 zimbra zimbra 4096 Jul 15 22:59 ..
-rw-r--r-- 1 zimbra zimbra 1809 Jul 15 22:59 cert.pem
-rw-r--r-- 1 zimbra zimbra 2847 Jul 15 22:59 chain.pem
-rw-r--r-- 1 zimbra zimbra 3456 Jul 15 22:59 fullchain.pem
-rw-r--r-- 1 zimbra zimbra 1704 Jul 15 22:59 privkey.pem

Log in as the zimbra user

su - zimbra

cd /opt/zimbra/ssl/letsencrypt

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

 

** Verifying 'cert.pem' against 'privkey.pem'

Certificate 'cert.pem' and private key 'privkey.pem' match.

** Verifying 'cert.pem' against 'chain.pem'

Valid certificate chain: cert.pem: OK

Back up the zimbra directory

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/*

chmod 755 /opt/zimbra/ssl/zimbra/commercial/*

 

 

 

zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK

 

zimbra@mail:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.fixloinhanh.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.fixloinhanh.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/9deea024.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '9deea024.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'

 

zmcontrol restart

Wait about 2 minutes for all services to come back up
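The listing in step 5 shows privkey.pem copied as -rw-r--r--, and chmod 755 on commercial/* leaves commercial.key readable by every local account. The following added example (not part of the original post; function names are hypothetical) finds private keys with such modes and tightens them to 0640, on the assumption that Zimbra services read the key as the zimbra owner or group.

```shell
#!/bin/sh
# Added example, not from the original post: find private keys that are
# accessible beyond owner/group or carry write/execute bits they do not
# need, then tighten them.

# loose_keys DIR -> prints matching key files, one per line.
# Key naming (*.key, privkey*.pem) follows the files shown on this page.
loose_keys() {
    find "$1" -type f \( -name '*.key' -o -name 'privkey*.pem' \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \
           -o -perm -020 -o -perm -010 -o -perm -100 \) -print
}

# tighten_keys DIR -> sets every loose key to 0640 (assumption: Zimbra
# services read the key as the zimbra owner or group). Prints what changed.
tighten_keys() {
    loose_keys "$1" | while IFS= read -r key; do
        chmod u=rw,g=r,o= "$key" && printf 'tightened %s\n' "$key"
    done
}

# Example run against the directories used in step 5 (uncomment to use):
# tighten_keys /opt/zimbra/ssl/letsencrypt
# tighten_keys /opt/zimbra/ssl/zimbra/commercial
```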

6./ Open a browser and check the certificate

https://mail.yourdomain.com

Test the new SSL Certificate with OpenSSL

You can use openssl cli tools to check and test the new SSL certificate:

echo QUIT | openssl s_client -connect $domain:443 | openssl x509 -noout -text | less

 

echo QUIT | openssl s_client -connect mail.fixloinhanh.com:443 | openssl x509 -noout -text | less

Result

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3

verify return:1

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

verify return:1

depth=0 CN = mail.fixloinhanh.com

verify return:1

DONE

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:10:50:68:52:61:5f:36:3c:82:ee:26:e2:de:71:60:cb:bc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: May 26 02:04:02 2020 GMT
            Not After : Aug 24 02:04:02 2020 GMT
        Subject: CN = mail.fixloinhanh.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                EB:AC:6B:3B:4F:44:2A:87:72:5A:80:14:2D:37:4A:6D:B1:11:B0:13
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:mail.fixloinhanh.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

Reference:

https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

7./ To renew the SSL certificate, perform the following steps:

Back up and delete all files in the directory

/opt/zimbra/ssl/zimbra/commercial

cp -R /opt/zimbra/ssl/zimbra/commercial /opt/backup/comercial_$(date "+%Y%m%d")

\rm -rf /opt/zimbra/ssl/zimbra/commercial/*

Back up and delete all files in the directory

/opt/zimbra/ssl/letsencrypt

cp -R /opt/zimbra/ssl/letsencrypt /opt/backup_$(date "+%Y%m%d")

\rm -rf /opt/zimbra/ssl/letsencrypt

# delete and re-create the SSL cert

cp -R /etc/letsencrypt /opt/backup/letsencrypt_$(date "+%Y%m%d")

\rm -rf /etc/letsencrypt

cd /opt/letsencrypt

./letsencrypt-auto certonly --standalone

Then continue with steps 3 through 6

Good luck!

SaKuRai

Hello, I'm Sakurai. This blog is a place to note down and share the knowledge and experience that I and my teammates have gathered. Thank you for following!
