Let’s Encrypt on Carbonio – System Root with ACME.sh

Carbonio deals with certificates in layers. First there is the root certificate: the main certificate used by all services, including those that cannot get their certificate through the proxy, like SMTP, IMAP and POP.

The root certificate will be used for ALL services on the main domain.

In a second layer there are services that use the proxy to deploy a certificate specific to them, like HTTPS connections. Those are usually the virtual domains you add to the server; Carbonio also uses this layer for its admin panel on port 6071. This layer consists of setting up a VirtualHost for a domain and then generating and deploying the proper certificate to it.

So, if you host many domains on Carbonio and want a specific certificate for each of them, so that webmail is reached with the right one, refer to the other article, Let’s Encrypt on Carbonio – Easy as never before. Carbonio makes that very easy, but keep in mind that e-mail clients like Outlook and Thunderbird need a valid, non self-signed certificate to work properly with the SMTP and IMAP/POP services, so for those you’ll need to use the main domain.

So, let’s say your main domain is example.com and your server hostname is mail.example.com. That’s what we’ll call the root domain. On the same server you have more domains like consul.com, brastemp.com and eletrolux.com. To add a valid certificate to each of those extra domains you must follow one of two paths:

1 – You may issue virtualhost certificates for them. They will then be able to access webmail with a valid certificate, but e-mail clients must be set up to use the root hostname “mail.example.com”, because SMTP and IMAP/POP don’t go through the proxy.

This is the best approach when you have a server that gets new domains frequently, like a public e-mail provider. It’s easy to deploy a new domain and its certificate for webmail, and its e-mail clients simply use the root hostname.

2 – A single certificate containing all domains on the server. In that case there is no need to set up virtualhosts for each domain; all services will use the very same certificate. This approach is mostly indicated when you don’t have domains being added and removed frequently.

This tutorial is about setting up the root certificate using acme.sh on Ubuntu 20.04. Replace example.com with your domain.

ACME instead of certbot

I like acme.sh better because there is no need to install snapd.

A bit about Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

There are many ways to issue a certificate: DNS challenge, webroot or local http(s) methods. In this tutorial we’ll use the most common one, where acme.sh opens a temporary web server on ports 80 and 443 and asks Let’s Encrypt to connect to it.

Once Let’s Encrypt connects and does its checks, it will issue the certificate for that domain. So keep in mind that your Carbonio must be reachable from the Internet on both ports 80 and 443 using the names you are requesting certificates for. Adjust your network and firewall settings to allow it.

Generate Let’s Encrypt certificate

  • Stop Carbonio
su - zextras -c "zmcontrol stop"

  • Install socat
apt -y install socat
  • Get acme.sh
cd /root
wget -O - https://get.acme.sh | sh
cd /root/.acme.sh
  • Point acme.sh at the Let’s Encrypt staging CA and do a dry run to test the setup
./acme.sh --set-default-ca --server letsencrypt_test
./acme.sh --issue --standalone --preferred-chain "ISRG Root X1" --keylength 2048 -d mail.example.com -d webmail.example.com -d othersub.example.com
  • All good? Switch to the production CA and let’s rock!
./acme.sh --set-default-ca --server letsencrypt
./acme.sh --issue --standalone --preferred-chain "ISRG Root X1" --keylength 2048 -d mail.example.com -d webmail.example.com -d othersub.example.com

Fixing certificate chains to deploy

When a certificate is successfully generated, acme.sh creates a folder named after the first hostname given with the “-d” option in the command above. In this tutorial it’s mail.example.com. So…

  • Moving into certificate folder
cd mail.example.com
  • Creating a temp folder in /tmp

The zextras user doesn’t have permission to read a folder under root’s home directory, so we need to prepare a temporary folder that Carbonio can read:

mkdir /tmp/lets.example.com
  • Copying the Let’s Encrypt certificate to temporary folder
cp * /tmp/lets.example.com
  • Moving into temporary folder
cd /tmp/lets.example.com
  • Downloading Let’s Encrypt root CA
wget --no-check-certificate -O ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
  • Concatenating CA chain in the proper way
cat fullchain.cer ISRG-X1.pem > zextras_ca.pem
  • Fixing permissions
chown zextras: /tmp/lets.example.com -R

Deploying it

  • Verifying new certificate

If there is one thing we DON’T want to do, it is to deploy an invalid certificate. That would lead to a whole new set of issues, so let’s test it before deploying it:

su - zextras -c"cd /tmp/lets.example.com ; /opt/zextras/bin/zmcertmgr verifycrt comm example.com.key example.com.cer zextras_ca.pem"
  • Copying the key to commercial.key and fixing permissions
cp example.com.key /opt/zextras/ssl/carbonio/commercial/commercial.key -rf
chown zextras: /opt/zextras/ssl/carbonio/commercial/commercial.key
  • Deploying new certificate to Carbonio
su - zextras -c"cd /tmp/lets.example.com ; /opt/zextras/bin/zmcertmgr deploycrt comm example.com.cer zextras_ca.pem"
  • Start Carbonio
su - zextras -c "zmcontrol start"

Access ports and enjoy your new valid certificate!

Script to make it easy to do every 90 days

On the link below I’m sharing my script to automate this procedure.

But you MUST adjust these variables at the beginning of it:

domain="example.com"
certs_dom="mail.example.com"
dom_list="-d mail.example.com -d webmail.example.com -d othersub.example.com"
cert_path="/root/.acme.sh/mail.example.com"
  • Replace example.com with your domain
  • Set certs_dom to the main hostname to be used by the certificate. Usually it’s the server hostname, but it doesn’t have to be.
  • Add as many valid domains as you like to the dom_list variable
  • cert_path MUST be set to the name of the first domain listed in the dom_list variable

Download cb_ssl_acme.sh from here

wget https://www.anahuac.eu/cb_ssl_acme.sh.gz

And yes… that script can also generate and deploy certificates from ZeroSSL, but that’s a subject for another article =)
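As an added example (my own script, not the author’s cb_ssl_acme.sh and not Carbonio code), here is a renewal script that follows the same steps of this tutorial with the variables described above, deriving cert_path from the first “-d” hostname, since acme.sh names its certificate folder and .key/.cer files after it. It assumes acme.sh lives in /root/.acme.sh, Carbonio in /opt/zextras, and that it runs as root; it verifies the chain before deploying and restarts Carbonio even when issuance fails.

```shell
#!/usr/bin/env bash
# Added example (not the author's cb_ssl_acme.sh): renew the Carbonio root
# certificate with acme.sh following the tutorial's steps. Assumed: run as
# root, acme.sh in /root/.acme.sh, Carbonio in /opt/zextras, zextras user.
set -eu
domain="example.com"
dom_list="-d mail.example.com -d webmail.example.com -d othersub.example.com"
acme_home="/root/.acme.sh"
zbin="/opt/zextras/bin"
commercial_key="/opt/zextras/ssl/carbonio/commercial/commercial.key"
# Hostname after the first "-d": acme.sh names its certificate folder and the
# .key/.cer files after it, so derive it instead of hand-maintaining cert_path.
first_domain() {
    set -- $1
    while [ $# -ge 2 ]; do
        [ "$1" = "-d" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}
# Copy acme.sh output to a folder the zextras user may read and build the chain
# the tutorial uses: fullchain.cer (leaf + intermediate) followed by ISRG Root X1.
# Fails if the root file is not a PEM certificate (e.g. an HTML error page).
stage_chain() {   # $1 = acme.sh cert folder, $2 = staging folder, $3 = root CA PEM
    mkdir -p "$2" && cp "$1"/* "$2"/
    grep -q -- '-----BEGIN CERTIFICATE-----' "$3" || return 1
    cat "$2/fullchain.cer" "$3" > "$2/zextras_ca.pem"
}
main() {
    local certs_dom stage
    certs_dom="$(first_domain "$dom_list")"
    stage="/tmp/lets.$domain"
    # Carbonio is stopped so acme.sh's standalone listener can bind the port; the
    # trap brings it back even if issuing fails, so a bad renewal never leaves mail down.
    trap 'su - zextras -c "zmcontrol start"' EXIT
    su - zextras -c "zmcontrol stop"
    "$acme_home/acme.sh" --issue --standalone --preferred-chain "ISRG Root X1" \
        --keylength 2048 --force $dom_list   # --force: re-issue even if not yet due
    # TLS verification is kept on: this file becomes part of the deployed chain.
    wget -q -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
    stage_chain "$acme_home/$certs_dom" "$stage" /tmp/ISRG-X1.pem
    chown -R zextras: "$stage"
    # Verify first: a chain rejected here costs nothing, a deployed bad one does.
    su - zextras -c "cd $stage && $zbin/zmcertmgr verifycrt comm $certs_dom.key $certs_dom.cer zextras_ca.pem"
    install -o zextras -g zextras -m 600 "$stage/$certs_dom.key" "$commercial_key"
    su - zextras -c "cd $stage && $zbin/zmcertmgr deploycrt comm $certs_dom.cer zextras_ca.pem"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `./cb_renew.sh --run` from a root cron job every 90 days; without `--run` the script only defines its functions.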

2 comments on “Let’s Encrypt on Carbonio – System Root with ACME.sh”

  1. Permissions ok, but I can’t get past “Verifying new certificate”: ERROR: Can’t read file ‘zextras_ca.pem’. Permissions are good, directory is owned by zextras.
