The more I see, the more I like it!
Yes, the whole project has a lot of room for improvement, but there are many good new tools available. Built-in Let’s Encrypt support is one of them. So let me tell you how to take full advantage of it.
Carbonio brings in its own updated certbot, so you don’t have to install it manually, and it runs straight from the Admin UI, so… bye bye manual scripts =)
Keep in mind these are proxy certificates: services that don’t go through the proxy’s HTTPS virtual hosts, like SMTP, POP and IMAP, keep using your Carbonio server certificate. So this only covers HTTPS access to the Carbonio webmail.
Prerequisite
It only works on version 23.9.0 or later.
Reverse Proxy
For Let’s Encrypt to issue certificates, you must allow inbound connections on ports 80 and 443: the HTTP-01 challenge is answered over plain HTTP on port 80. Carbonio comes out of the box with only 443 open, so we need to switch its reverse proxy to “redirect” mode, which makes the proxy listen on port 80 as well (and redirect normal requests to HTTPS). To do so, run the commands below as the “zextras” user:
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmproxyctl restart
Domain Setup
- Public Service Host Name
This is the most important setting of the whole thing. It is used together with the virtual hosts to issue the certificate. By default, every new domain comes with the server hostname set as its “Public Service Host Name”, and that is a problem if that hostname is not valid and publicly resolvable in DNS, because Let’s Encrypt has to reach it to validate the challenge.
Go into your domain’s General Settings and set its “Public Service Host Name” to a name you’ll also use as a virtual host later. Let’s say:
mail.yourawesomedomain.com
- Virtual Host & Certificates
On this screen we’ll add virtual hosts to our domain, like:
mail.yourawesomedomain.com
webmail.yourawesomedomain.com
Issuing the Certificate
1 – Go into your domain setup, on “Virtual Host & Certificates”, and click “UPLOAD AND VERIFY CERTIFICATE”.
2 – In the new screen, use the “Certificate Type” select box and choose “I want to use a Let’s Encrypt (longChain) certificate”.
3 – Click “GENERATE CERTIFICATE”.
4 – Wait about 30 seconds for the certificate to be issued and installed.
Restarting the Proxy
To have it all working, the last step is restarting the Carbonio proxy by running the command below as the “zextras” user:
zmproxyctl restart
Renewing certificates
Renewal must be done “by hand”, meaning Carbonio will not renew the certificate for you automatically. The easiest way is to add a cron task that does it. Let’s Encrypt certificates are valid for 90 days and “certbot renew” only replaces those with less than 30 days left, so running it once a week is more than enough to cover all the domains you may have.
Add this to your /etc/crontab (the sixth field is the user the job runs as; cron’s PATH is minimal, so use the full path to Carbonio’s bundled certbot if a plain “certbot” is not found):
0 0 * * 0 zextras certbot renew ; /opt/zextras/libexec/zmproxyconfgen ; /opt/zextras/bin/zmproxyctl reload
Stranger Things
There are some things I haven’t figured out yet that I’d like to share with you.
1 – I didn’t see any difference between “longChain” and “shortChain” under “Certificate Type”; both work fine. (The two differ only in the chain sent to clients: the long chain ends in ISRG Root X1 cross-signed by the old DST Root CA X3, for compatibility with old Android devices, while the short chain stops at ISRG Root X1, which current browsers trust directly, so both validate.)
2 – I didn’t like having to restart the whole proxy to activate it.
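Tying the renewal cron line and the reload point above together, here is an added wrapper script (example code, not part of Carbonio or of this post) that the cron job can call instead of the bare command chain. It runs “certbot renew”, but regenerates the proxy configuration and reloads the proxy only if the live certificate file actually changed, leaves the proxy untouched when certbot fails, and afterwards checks with openssl s_client, using SNI, that the proxy really serves the renewed certificate for the virtual host. The certificate path, the host name and the tool paths at the top are assumptions; in particular, where the live fullchain.pem ends up depends on how Carbonio’s bundled certbot is configured (“certbot certificates” shows it).

```shell
#!/bin/sh
# renew-le.sh: hardened weekly renewal of the Let's Encrypt proxy certificate.
# Added example, not part of Carbonio or of the original post.
# Assumptions (override via the environment):
#   LIVE_CERT    - fullchain.pem written by Carbonio's bundled certbot; the real
#                  path depends on its config dir ("certbot certificates" shows it)
#   PUBLIC_HOST  - the domain's Public Service Host Name / virtual host
#   CERTBOT, PROXYCONFGEN, PROXYCTL - the tools chained in the cron line
: "${LIVE_CERT:=/etc/letsencrypt/live/mail.yourawesomedomain.com/fullchain.pem}"
: "${PUBLIC_HOST:=mail.yourawesomedomain.com}"
: "${CERTBOT:=certbot}"
: "${PROXYCONFGEN:=/opt/zextras/libexec/zmproxyconfgen}"
: "${PROXYCTL:=/opt/zextras/bin/zmproxyctl}"

# SHA-256 of a file; empty string if the file does not exist yet.
file_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        printf ''
    fi
}

# Run certbot renew and only regenerate/reload the proxy when the live
# certificate actually changed. Exit status:
#   0 - nothing to do, or proxy reloaded with the new certificate
#   1 - certbot failed; proxy configuration left untouched
#   2 - certificate changed but zmproxyconfgen/zmproxyctl failed
renew_and_reload() {
    before=$(file_digest "$LIVE_CERT")
    if ! "$CERTBOT" renew --quiet; then
        echo "certbot renew failed; proxy left untouched" >&2
        return 1
    fi
    after=$(file_digest "$LIVE_CERT")
    if [ "$before" = "$after" ]; then
        echo "certificate unchanged; no proxy reload needed"
        return 0
    fi
    echo "certificate changed; regenerating proxy config and reloading"
    "$PROXYCONFGEN" && "$PROXYCTL" reload || return 2
}

# After a reload, confirm the proxy really serves the renewed certificate for
# the virtual host. -servername matters: the proxy picks the certificate by
# SNI, so a probe without it may show the server certificate instead.
served_matches_file() {
    host=$1 file=$2
    served=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    file_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$file")
    [ -n "$served" ] && [ "$served" = "$file_fp" ]
}

# Entry point for cron: sh renew-le.sh run
if [ "${1:-}" = "run" ]; then
    renew_and_reload || exit $?
    if served_matches_file "$PUBLIC_HOST" "$LIVE_CERT"; then
        echo "proxy serves the current certificate for $PUBLIC_HOST"
    else
        echo "WARNING: certificate served for $PUBLIC_HOST differs from $LIVE_CERT" >&2
        exit 3
    fi
fi
```

Save it somewhere the zextras user can read, for instance /opt/zextras/renew-le.sh (an assumed location), and point the crontab entry at it in place of the command chain: 0 0 * * 0 zextras /bin/sh /opt/zextras/renew-le.sh run. Because the script only reloads when the certificate changed, the weekly run is a no-op for most of the 90-day lifetime, and a failed renewal never leaves the proxy running a half-regenerated configuration.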
Published: 08/10/2023 | Updated: 22/10/2023

Setting up Carbonio CE for the 1st time, v26.3.0. I am migrating a Zimbra FOSS 8.8.15 server to it.
I have only the one domain on the host (client.com), and will likely only ever have one. The server’s public DNS name is mail.client.com, and has been for many years. The email addresses are [email protected], and the clients in use are Betterbird/Thunderbird, plus Mac Mail and iOS Mail. The server knows itself as mail.client.com (hostname --fqdn ==> mail.client.com).
I have become confused by the numerous descriptions involving Let’s Encrypt needing a virtual domain with the same name as the host’s FQDN and public DNS name.
I have, until now, been using Sectigo DV certs, which allow me to have mail.client.com as the “Subject common name”. Sectigo also tacks on the completely worthless “Subject alt name” of www.mail.client.com to the mail.client.com.
Of course, with Zimbra FOSS this involved a relatively arcane recipe of shell commands and zmcertmgr to make the CSR, build the verification chain and install the new SSL cert.
So, how do I get a DV certificate for the mail server with the Carbonio CE server and NO virtual domains (or does the FQDN of the host count as a virtual domain within client.com)?
I really appreciate your work.
Thanks in advance!
As an aside (’cause of time pressure): if I understand correctly, using acme.sh relieves me of the need to repeat the process of renewing the certificate every 90 days. Is this correct?
Get into our group on Telegram @CarbonioMail and ask your questions there.