Let’s Encrypt on Carbonio – Easier than ever before

The more I see, the more I like it!

Yes, the whole project still has a lot of room for improvement, but there are many good new tools available. Built-in Let’s Encrypt support is one of them. So let me tell you how to take advantage of its full potential.

Carbonio ships its own up-to-date certbot, so you don’t have to install it manually, and it runs straight from the Admin UI, so… bye bye manual scripts =)

Keep in mind these are proxy certificates: services that are not served through the proxy, like SMTP, POP and IMAP, will keep presenting the default Carbonio certificate, and mail clients connecting to them will still see the usual warnings. So the Let’s Encrypt certificate covers only HTTPS access to the Carbonio webmail.

Prerequisite

This requires Carbonio version 23.9.0; earlier releases do not have the built-in Let’s Encrypt support.

Reverse Proxy

In order to have Let’s Encrypt certificates issued, you must allow connections to both port 80 and port 443: the HTTP-01 validation request from Let’s Encrypt arrives on port 80, while the webmail itself is served on 443. Carbonio comes out of the box with only 443 open (the proxy runs in https-only mode), so we need to switch its reverse proxy to “redirect” mode, which also listens on port 80 and redirects plain HTTP to HTTPS. To do so, run the commands below as the “zextras” user (the backticks around zmhostname are intentional: the shell substitutes the server’s own hostname):

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmproxyctl restart

Domain Setup

  • Public Service Host Name

This is the most important setting of the whole thing. It is used together with the virtual hosts to issue the certificate. By default, every new domain comes with the server hostname set as its “Public Service Host Name”, and that is a problem if that hostname is not a valid, publicly resolvable DNS name: Let’s Encrypt’s validators must be able to reach it from the Internet.

Go into your domain’s General Settings and change its “Public Service Host Name” to something you will also use as a virtual host later. Let’s say:

mail.yourawesomedomain.com

  • Virtual Host & Certificates

On this screen we add the virtual hosts for our domain. Every name you list here must also resolve publicly to this server, because Let’s Encrypt validates each name it is asked to cover. For example:

mail.yourawesomedomain.com
webmail.yourawesomedomain.com
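Before clicking through the issuing screen it pays to confirm that every name is actually validatable. The script below is an added example, not part of Carbonio or of the original steps: for each name (the Public Service Host Name and the virtual hosts) it checks that the name is a public FQDN, that it resolves in DNS (optionally to the public IP you expect), and that port 80 answers on the ACME challenge path, which with the proxy in “redirect” mode means a 3xx to https that Let’s Encrypt follows. The host names and the expected IP are assumptions; only the DNS and HTTP probes need a live host, the validation and classification helpers are pure.

```python
#!/usr/bin/env python3
"""Pre-flight for Carbonio's built-in Let's Encrypt: check every name first.

Added example, not Carbonio code. For every name it checks that
  1. the name is a public FQDN (the default bare server hostname or a .local
     name can never be validated by Let's Encrypt);
  2. it resolves in DNS, optionally to the public IP you expect;
  3. port 80 answers on the ACME challenge path. "connection refused" means the
     proxy is still https-only or a firewall blocks port 80.
Host names and expected IP are assumptions for this example.
"""
import re
import socket
import sys
import urllib.error
import urllib.request

# RFC 1123 labels: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_NON_PUBLIC_TLDS = {"local", "localhost", "lan", "internal", "home", "corp"}

ACCEPTABLE = {"redirect-to-https", "served-directly"}


def is_public_fqdn(name):
    """Dotted RFC 1123 name whose last label is neither numeric nor a private suffix."""
    if len(name) > 253 or not _FQDN_RE.match(name):
        return False
    last = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return not last.isdigit() and last not in _NON_PUBLIC_TLDS


def classify_port80(status, location, error):
    """Interpret the answer to GET http://host/.well-known/acme-challenge/<probe>."""
    if error is not None:
        return "unreachable"             # refused / timed out: nothing answers on :80 for this name
    if status in (301, 302, 307, 308):
        if location and location.lower().startswith("https://"):
            return "redirect-to-https"   # the proxy in redirect mode; the ACME client follows it
        return "redirect-elsewhere"      # some other web server or captive portal owns :80
    return "served-directly"             # 200/404/...: :80 serves the path itself, also fine


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: we want to see the 3xx and its Location ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_port80(host, timeout=5.0):
    """Return (status, location, error); HTTP error codes still count as answers."""
    url = f"http://{host}/.well-known/acme-challenge/carbonio-preflight-probe"
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), None
    except urllib.error.HTTPError as e:          # 3xx (not followed), 404, 5xx: port 80 answered
        return e.code, e.headers.get("Location"), None
    except (urllib.error.URLError, OSError) as e:
        return None, None, str(e)


def resolve(name):
    """Sorted set of A/AAAA answers, empty if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def preflight(names, expected_ip=None):
    """Print one verdict per name; return True only if every name passed all three checks."""
    all_ok = True
    for name in names:
        if not is_public_fqdn(name):
            print(f"FAIL {name}: not a public FQDN, fix the Public Service Host Name / virtual host")
            all_ok = False
            continue
        addrs = resolve(name)
        if not addrs or (expected_ip and expected_ip not in addrs):
            print(f"FAIL {name}: DNS gives {addrs or 'nothing'}, expected {expected_ip or 'a public address'}")
            all_ok = False
            continue
        verdict = classify_port80(*probe_port80(name))
        ok = verdict in ACCEPTABLE
        print(f"{'OK  ' if ok else 'FAIL'} {name}: DNS {addrs}, port 80 {verdict}")
        all_ok = all_ok and ok
    return all_ok


if __name__ == "__main__":
    # usage: acme_preflight.py [expected_public_ipv4] name [name ...]
    args = sys.argv[1:] or ["mail.yourawesomedomain.com", "webmail.yourawesomedomain.com"]
    expected = args.pop(0) if args and args[0].replace(".", "").isdigit() else None
    sys.exit(0 if preflight(args, expected) else 1)
```

Run it from outside your network if you can (a laptop on mobile data is enough), since what matters is what Let’s Encrypt’s validators see, not what your LAN resolver returns. A FAIL on the FQDN check is almost always the default Public Service Host Name that was never changed.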

Issuing the Certificate

1 – Go into your domain setup, on “Virtual Host & Certificates”, and click “UPLOAD AND VERIFY CERTIFICATE”.

2 – On the new screen, use the “Certificate Type” select box and choose “I want to use a Let’s Encrypt (longChain) certificate”.

3 – Click “GENERATE CERTIFICATE”.

4 – Wait about 30 seconds for the certificate to be issued and installed.

Restarting the Proxy

To get it all working, the last step is restarting the Carbonio proxy by running the command below as the “zextras” user:

zmproxyctl restart

Renewing certificates

Renewal must be done “by hand”, meaning Carbonio will not renew the certificate for you automatically. The easiest way is adding a cron task to do it for you. Running it once a week is more than enough for all the domains you may have: Let’s Encrypt certificates are valid for 90 days and certbot renew only replaces those within 30 days of expiry, so a weekly run leaves several attempts before anything lapses.

Add this line to your /etc/crontab (the sixth field is the user, so it runs as zextras every Sunday at midnight; the commands are chained with && so the proxy configuration is only regenerated and reloaded after certbot finishes successfully):

0 0 * * 0 zextras certbot renew && /opt/zextras/libexec/zmproxyconfgen && /opt/zextras/bin/zmproxyctl reload
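Neither the issuing steps nor the cron job tell you whether the proxy is really presenting the new certificate, and the caveat above (SMTP, POP and IMAP keep the default certificate) is worth seeing with your own eyes. The script below is an added example, not Carbonio code and not part of the original article: it opens a verifying TLS connection (system trust store, hostname check on) to the proxy on 443 and to the implicit-TLS mail ports 993 and 995, and reports what each presents. The Let’s Encrypt certificate handshakes cleanly; a port still serving the self-signed Carbonio certificate fails verification and is reported as such. It exits non-zero when the proxy certificate is untrusted, does not cover the host name, or has fewer than WARN_DAYS left, so it can also run from cron after the renewal job and mail you when a renewal silently failed. The host name, the port list, WARN_DAYS and the sample certificate dictionary are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Check which certificate each Carbonio port really presents.

Added example, not Carbonio code. A *verifying* TLS handshake (system trust
store, hostname check on) is attempted against the webmail proxy (443) and the
implicit-TLS mail ports 993 (IMAPS) and 995 (POP3S). Ports still presenting the
default self-signed Carbonio certificate fail verification. Exit status is
non-zero if the proxy certificate is untrusted, does not cover the host, or
expires within WARN_DAYS. Host name, ports and WARN_DAYS are assumptions.
"""
import socket
import ssl
import sys
import time

WARN_DAYS = 21  # certbot renews below 30 days; below 21 the weekly renew cron has not worked


def fetch_cert(host, port, timeout=5.0):
    """Return (cert_dict, None) after a verified handshake, or (None, reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as e:   # self-signed or wrong name: the mail-port case
        return None, "not trusted: " + e.verify_message
    except (ssl.SSLError, OSError) as e:
        return None, str(e)


def issuer_org(cert):
    """organizationName from the issuer DN, in getpeercert()'s nested-tuple layout."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def is_lets_encrypt(cert):
    return issuer_org(cert) == "Let's Encrypt"


def san_names(cert):
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_host(cert, host):
    """Match host against DNS SANs (exact or one-label wildcard); the CN alone does not count."""
    host = host.lower().rstrip(".")
    for san in san_names(cert):
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def days_left(cert, now=None):
    """Days until notAfter; 'now' is injectable so the arithmetic is testable offline."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_host(host, ports=(443, 993, 995)):
    """Probe each port; return the list of problems found on the proxy (443) certificate."""
    problems = []
    for port in ports:
        cert, reason = fetch_cert(host, port)
        if cert is None:
            print(f"{host}:{port} -> {reason}")
            if port == 443:
                problems.append(f"port 443: {reason}")
            continue
        left = days_left(cert)
        print(f"{host}:{port} -> issuer={issuer_org(cert)!r} letsencrypt={is_lets_encrypt(cert)} "
              f"sans={san_names(cert)} expires_in={left:.1f} days")
        if port == 443:
            if not covers_host(cert, host):
                problems.append(f"port 443: certificate does not cover {host}")
            if left < WARN_DAYS:
                problems.append(f"port 443: only {left:.1f} days left, renewal is overdue")
    return problems


# Constructed sample in getpeercert() layout, used only to exercise the helpers offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.yourawesomedomain.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "mail.yourawesomedomain.com"), ("DNS", "webmail.yourawesomedomain.com")),
}

if __name__ == "__main__":
    if len(sys.argv) < 2:   # offline demo on the constructed sample
        print("sample: letsencrypt =", is_lets_encrypt(SAMPLE_CERT),
              "covers webmail =", covers_host(SAMPLE_CERT, "webmail.yourawesomedomain.com"))
        sys.exit(0)
    found = check_host(sys.argv[1])
    for problem in found:
        print("PROBLEM:", problem, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Point it at the Public Service Host Name, not the server hostname: the hostname check is deliberately on, so a proxy certificate issued for the wrong name shows up as “not trusted” just like the self-signed one does.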

Stranger Things

There are some things I haven’t figured out yet and I’d like to share them with you.

1 – I didn’t see any difference between “longChain” and “shortChain” under the “Certificate Type” options. Both work fine;

2 – I didn’t like having to restart the whole proxy to activate it.
