Zimbra – Updating SSL certificates after the expiration of Let's Encrypt's DST Root CA X3


On 30 September 2021 the DST Root CA X3 certificate expired. That root cross-signed the intermediate that issues Let's Encrypt certificates, so the chains Let's Encrypt served by default were anchored at it.

To avoid widespread breakage, Let's Encrypt moved its chains onto its own root, ISRG Root X1. The root itself is not new (it has been in trust stores since 2015); what changed is that it became the anchor of the chains Let's Encrypt hands out. One caveat matters for what follows: the default chain certbot obtains after the switch still carries a cross-sign of ISRG Root X1 by the expired DST Root CA X3, kept on purpose for old Android devices. Clients built on OpenSSL 1.0.2 (the version on Ubuntu 16.04) reject that chain because they try to validate the expired cross-sign instead of stopping at the trusted ISRG Root X1, and tooling that looks up the chain's root in the trust store will not find DST Root CA X3 any more. That is why the renewal below asks certbot for the shorter chain with --preferred-chain "ISRG Root X1".

Renewing SSL certificates forcing ISRG Root X1

Trying to renew the certificates while forcing Let's Encrypt's new ISRG Root X1 chain didn't seem to work:

certbot --force-renewal --preferred-chain "ISRG Root X1" renew
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --preferred-chain ISRG Root X1

Installing the right version of Certbot

The certbot version I was using was already fairly old and didn't support the --preferred-chain argument, so it had to be replaced with a newer one. The EFF (Electronic Frontier Foundation), which maintains certbot, recommends the Snap version. The distro binary is moved aside so that the symlink to the Snap build is what ends up on PATH (and what any existing cron job or timer calls); certbot --version should report the Snap build before you retry:

sudo snap install --classic certbot
sudo mv /usr/bin/certbot /usr/bin/certbot-old
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Then I tried to renew the certificate again:

certbot --force-renewal --preferred-chain "ISRG Root X1" renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.DOMINIO.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mail.DOMINIO.com and 4 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/mail.DOMINIO.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

No problems this time!

Deploying the new certificates in Zimbra

In my case I use a script called certbot-zimbra that automates deploying the certificates into Zimbra, since doing it by hand is a tedious process where it is very easy to make mistakes that later turn into headaches. In the call below, -d tells the script to deploy only (it requests nothing from Let's Encrypt; certbot already renewed the certificate) and -H names the Zimbra host the certificate is for:

root@mail:/home/mqc/certbot-zimbra# ./certbot_zimbra.sh -d -H mail.DOMINIO.com
certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU16_64
Using domain mail.DOMINIO.com (as certificate DN)
Preparing certificates for deployment.
Testing with zmcertmgr.
** Verifying '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' against '/run/certbot-zimbra/certs-MXMcy89c/privkey.pem'
Certificate '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' and private key '/run/certbot-zimbra/certs-MXMcy89c/privkey.pem' match.
** Verifying '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' against '/run/certbot-zimbra/certs-MXMcy89c/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-MXMcy89c/cert.pem: OK
Deploying certificates.
** Verifying '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' against '/run/certbot-zimbra/certs-MXMcy89c/zimbra_chain.pem'
Valid certificate chain: /run/certbot-zimbra/certs-MXMcy89c/cert.pem: OK
** Copying '/run/certbot-zimbra/certs-MXMcy89c/cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/run/certbot-zimbra/certs-MXMcy89c/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/run/certbot-zimbra/certs-MXMcy89c/zimbra_chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.DOMINIO.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.DOMINIO.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/4042bcee.0
** Removing /opt/zimbra/conf/ca/8d33f237.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/a6222139.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'a6222139.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '8d33f237.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '4042bcee.0' -> 'commercial_ca_2.crt'
Removing temporary files in /run/certbot-zimbra/certs-MXMcy89c
Restarting Zimbra.
Host mail.DOMINIO.com
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host mail.DOMINIO.com
        Starting ldap...Done.
        Starting zmconfigd...Done.
        Starting logger...Done.
        Starting mailbox...Done.
        Starting memcached...Done.
        Starting proxy...Done.
        Starting amavis...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting opendkim...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.
        Starting service webapp...Done.
        Starting zimbra webapp...Done.
        Starting zimbraAdmin webapp...Done.
        Starting zimlet webapp...Done.

As you can see, it takes care of deploying the certificates and restarting Zimbra. Note that the restart is a full stop and start of every service (ldap, mailbox, proxy, mta and the rest), so plan on a short outage for users while it runs. The two chain files it installs, commercial_ca_1.crt and commercial_ca_2.crt, are the intermediate and the root of the new chain, which is what lets zmcertmgr validate the certificate all the way up.

Possible problems

At first, when I launched the process, I got this output:

certbot-zimbra v0.7.12 - https://github.com/YetOpen/certbot-zimbra
Checking for dependencies...
Detected Zimbra 8.8.15 on UBUNTU16_64
Using domain mail.DOMINIO.com (as certificate DN)
Preparing certificates for deployment.
cat: /etc/ssl/certs/2e5ac55d.0: No such file or directory

The script builds the chain Zimbra needs by looking up the root certificate of the chain in /etc/ssl/certs by its OpenSSL subject hash (the <hash>.0 files that the ca-certificates package installs). That file is missing either because ca-certificates is not installed, or because the chain certbot wrote still ends at DST Root CA X3, which current ca-certificates builds have removed now that it has expired. To fix this, first check that ca-certificates is installed and current:

root@mail:/# apt-cache policy ca-certificates
ca-certificates:
  Installed: 20210119~16.04.1ubuntu0.1~esm1
  Candidate: 20210119~16.04.1ubuntu0.1~esm1

If it isn't installed, install it with the following command (refresh the package lists first so you get a build that already reflects the expired root):

apt-get update && apt-get install ca-certificates

Then follow the steps above to install the Snap version of certbot and force a renewal using ISRG Root X1, so that the chain certbot writes ends at a root that is actually present in the trust store.
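The check after the renewal ("does the bundle now chain to ISRG Root X1?") and the missing <hash>.0 file from the troubleshooting above come down to the same question: which root does the bundle chain to, and is that root in the trust store? The shell functions below are an added example, not code from the original post nor from certbot-zimbra. They assume openssl and awk are on PATH and that the trust store is /etc/ssl/certs; CERT_STORE, ZMCERTMGR and ZIMBRA_SSL_DIR are override variables invented for this example, and the zmcertmgr subcommands used are the Zimbra 8.7+ ones (verifycrt comm, deploycrt comm), which must be run as the zimbra user.

```shell
#!/bin/sh
# Added example (not from the original post, not certbot-zimbra's code).
# Finds which root a Let's Encrypt bundle chains to, looks that root up in the
# system trust store the way certbot-zimbra does (OpenSSL subject hash,
# /etc/ssl/certs/<hash>.0), builds the root-inclusive chain Zimbra expects and
# hands it to zmcertmgr. Assumes openssl and awk on PATH. CERT_STORE, ZMCERTMGR
# and ZIMBRA_SSL_DIR are this example's own override variables.

# Print subject and issuer of every certificate in a PEM bundle, in file order.
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Print only the last certificate in a PEM bundle (the one nearest the root).
last_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
         { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf }
         END { printf "%s", last }' "$1"
}

# Hash of the issuer of the last certificate. This is the <hash>.0 file name
# that certbot-zimbra 0.7.x reads from /etc/ssl/certs to obtain the root.
root_hash() {
    last_cert "$1" | openssl x509 -noout -issuer_hash
}

# Resolve the chain's root in the trust store. Fails with the symptom shown in
# the post ("No such file") when the chain still ends at a root the store has
# dropped, as happened with DST Root CA X3.
root_in_store() {
    store="${2:-${CERT_STORE:-/etc/ssl/certs}}"
    rhash=$(root_hash "$1") || return 1
    if [ -f "$store/$rhash.0" ]; then
        printf '%s\n' "$store/$rhash.0"
    else
        echo "root $rhash.0 not in $store: renew with --preferred-chain \"ISRG Root X1\"" >&2
        return 1
    fi
}

# zmcertmgr wants the intermediates *and* the root in the chain file; certbot's
# chain.pem carries only the intermediates, so append the root found above.
build_zimbra_chain() {
    root=$(root_in_store "$1" "${3:-}") || return 1
    cat "$1" "$root" > "$2"
}

# Number of certificates in a PEM file, as a sanity check on the result.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The manual deployment that certbot-zimbra automates (Zimbra 8.7+ syntax, run
# as the zimbra user). Arguments: cert.pem privkey.pem zimbra_chain.pem.
# A `zmcontrol restart` is still needed afterwards.
deploy_to_zimbra() {
    zmcertmgr="${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}"
    ssldir="${ZIMBRA_SSL_DIR:-/opt/zimbra/ssl/zimbra/commercial}"
    cp "$2" "$ssldir/commercial.key" && chmod 640 "$ssldir/commercial.key" || return 1
    "$zmcertmgr" verifycrt comm "$ssldir/commercial.key" "$1" "$3" || return 1
    "$zmcertmgr" deploycrt comm "$1" "$3"
}

# Typical use on a Zimbra host (paths are certbot's defaults for one host):
# live=/etc/letsencrypt/live/mail.DOMINIO.com
# chain_summary "$live/fullchain.pem"        # last issuer should be ISRG Root X1
# build_zimbra_chain "$live/chain.pem" /tmp/zimbra_chain.pem
# deploy_to_zimbra "$live/cert.pem" "$live/privkey.pem" /tmp/zimbra_chain.pem
```

After the restart, openssl s_client -connect mail.DOMINIO.com:443 -servername mail.DOMINIO.com -showcerts </dev/null shows the chain the server actually sends; the issuer of its last certificate should read ISRG Root X1, not DST Root CA X3. If root_in_store fails, fix the chain (renew with --preferred-chain) rather than copying an expired root into /etc/ssl/certs by hand.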

Useful links