Zimbra SSL behind ACME and HAProxy



  • Hi Guys,

    I've been recently installing the ACME Let's Encrypt module to easily manage SSL certificates in HAProxy.
    This works like a charm and releases me from a lot of SSL headache.

    The HAProxy service is configured to catch and handle all */.well-known/acme-challenge so PFSense fully handles the ACME challenges and Key refresh.

    Now I'm running a Zimbra Mailserver in the backend that also uses SSL for IMAPS on port 993 and see two ways of "consuming" the ACME generated certificates.

    • Let HAProxy handle all SSL (To me this is the tidiest)

    • Copy the ACME generated certificates to Zimbra and script zimbra to import them

    I've been trying to find a method to WRAP HAProxy TCP requests to IMAPS and offload the SSL bit to HAProxy but haven't succeeded at it so far.
    I seem to be the only one trying this since I haven't found any documentation on it.

    I have now (temporarily) adopted option 2 but hope that you guys can guide me on how I either:

    • Get the TCP SSL going (Maybe there is some hidden document on how to approach this with Zimbra)

    • In the ACME refresh process SCP the key and crt files to my Zimbra backend

    For the second option I would like to build a cron script on my PFSense (yes; I'm sorry, I don't like it either) that extracts the needed .key and .crt files and puts them into a file which I would then SCP, followed by a call of the Zimbra renew certificate script.

    Would really appreciate your help in this.



  • Is there a way to extract the SSL certificates from the config?



  • Hi,
    I'm very interested in your configuration, since this is exactly what I want to perform.
    Is it possible to post your config (GUI) or a link to a tutorial about it?
    I expect that you put a DNS record to point to HAProxy for internal requests?
    Are you caching all Zimbra services behind HaProxy?
    Best.

    Hope this post will be read since it is a little outdated. ;)

