Cron script to deploy new Let's Encrypt Cert to Zimbra
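#!/bin/bash
#
# /usr/local/scripts/zimbra_lets_encrypt_deploy.bash
#
# Installs a renewed Let's Encrypt certificate into Zimbra.
# ACME clients handle renewal well but do not know how to install the result
# into Zimbra; this script does only the installation. Run it from cron as
# root after the renewal job.
#
# Steve Simpson
# 8/1/2021
#
# For this to work you need:
#   1.) the root certificate that anchors the Let's Encrypt chain, stored at
#       ${ROOT_CERT} (default /etc/letsencrypt/x3_root.pem). It must be the
#       root that actually signs the chain in chain.pem, otherwise
#       zmcertmgr verifycrt rejects the bundle and nothing is deployed.
#   2.) ln -s /opt/zimbra/ssl/letsencrypt/privkey.pem \
#             /opt/zimbra/ssl/zimbra/commercial/commercial.key
#
# Exit status: 0 when nothing changed or the deploy succeeded; 1 when the
# configuration is missing, the new certificate fails verification, or
# deploycrt fails (the previous cert tree is kept as a timestamped backup).

# No 'set -e': every step whose failure matters is checked explicitly so the
# services are never left stopped on an unexpected error path.
set -u -o pipefail

# Set your domain for let's encrypt
MYDOMAIN='mail.example.com'
# Root certificate appended to chain.pem so Zimbra can verify up to a trust anchor.
ROOT_CERT='/etc/letsencrypt/x3_root.pem'

### DO NOT CHANGE BELOW
LE_LIVE="/etc/letsencrypt/live/${MYDOMAIN}"
ZIMBRA_SSL='/opt/zimbra/ssl/zimbra'
STAGE_DIR='/opt/zimbra/ssl/letsencrypt'
ZIMBRA_BIN='/opt/zimbra/bin'

log() { printf '%s: %s\n' "${0##*/}" "$*" >&2; }
die() { log "ERROR: $*"; exit 1; }

#######################################
# Run a Zimbra CLI tool as the zimbra user.
# Arguments: $1 - tool name under /opt/zimbra/bin, rest - its arguments
# Returns:   the tool's exit status
#######################################
zm() {
  local tool=$1
  shift
  sudo -u zimbra "${ZIMBRA_BIN}/${tool}" "$@"
}

#######################################
# Print the SHA-256 fingerprint of a certificate file, or nothing if the
# file is missing/unreadable. Compared instead of the RSA modulus so that
# (a) ECDSA certificates work and (b) a renewal that reuses the existing key
# pair is still detected as a change.
# Arguments: $1 - path to a PEM certificate
#######################################
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null || true
}

[[ -d "$LE_LIVE" ]] || die "directory does not exist: ${LE_LIVE} -- you need to configure MYDOMAIN"
[[ -r "$ROOT_CERT" ]] || die "root certificate not found: ${ROOT_CERT}"

new_fp=$(cert_fingerprint "${LE_LIVE}/cert.pem")
[[ -n "$new_fp" ]] || die "cannot read ${LE_LIVE}/cert.pem"
# Empty on a fresh install with no commercial cert yet, which forces a deploy.
old_fp=$(cert_fingerprint "${ZIMBRA_SSL}/commercial/commercial.crt")

# Don't do anything unless the certificate changed
if [[ "$new_fp" == "$old_fp" ]]; then
  exit 0
fi

# Stage the new files where the zimbra user can read them. A plain cp follows
# the symlinks in live/, so the staged copies are real files, not links into
# archive/. The private key is readable by zimbra only.
mkdir -p "$STAGE_DIR" || die "cannot create ${STAGE_DIR}"
cp -f "${LE_LIVE}"/* "${STAGE_DIR}"/ || die "cannot copy ${LE_LIVE}/* to ${STAGE_DIR}"
chown -R zimbra:zimbra "$STAGE_DIR"
chmod 400 "${STAGE_DIR}/privkey.pem"
chmod 644 "${STAGE_DIR}/cert.pem" "${STAGE_DIR}/chain.pem" "${STAGE_DIR}/fullchain.pem"

# Full chain including the root certificate, used for both verify and deploy.
{
  cat "${STAGE_DIR}/chain.pem"
  echo
  cat "$ROOT_CERT"
} > "${STAGE_DIR}/root_chain.pem" || die "cannot write ${STAGE_DIR}/root_chain.pem"
chown zimbra:zimbra "${STAGE_DIR}/root_chain.pem"
chmod 644 "${STAGE_DIR}/root_chain.pem"

# Verify BEFORE stopping anything so a bad renewal costs no downtime. The
# status is taken directly from verifycrt; the earlier version read $? after
# an intervening echo, so a failed verification was still deployed.
if ! ( cd "$STAGE_DIR" && zm zmcertmgr verifycrt comm privkey.pem cert.pem root_chain.pem ); then
  die "new certificate failed verification; Zimbra left untouched"
fi

zm zmproxyctl stop
zm zmmailboxdctl stop

# Timestamped copy of the current cert tree for manual rollback.
backup="${ZIMBRA_SSL}.$(date '+%Y%m%d_%H%M%S')"
cp -a "$ZIMBRA_SSL" "$backup" || log "WARNING: backup to ${backup} failed"

# Deploy with the same chain file that just passed verification.
rc=0
if ( cd "$STAGE_DIR" && zm zmcertmgr deploycrt comm cert.pem root_chain.pem ); then
  log "deployed certificate ${new_fp}"
else
  log "deploycrt failed; previous cert tree saved as ${backup}"
  rc=1
fi

# Restart regardless: the services were stopped above and must come back
# with whichever certificate is now in place.
zm zmcontrol restart
exit "$rc"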
Thank you — I was able to use this format with just some modifications based on our requirements. Now our Zimbra certificate renewal is automated.