Zimbra SSL behind ACME and HAProxy
I've recently been installing the ACME Let's Encrypt module to easily manage SSL certificates in HAProxy.
This works like a charm and releases me from a lot of SSL headache.
The HAProxy service is configured to catch and handle all */.well-known/acme-challenge requests, so pfSense fully handles the ACME challenges and key refresh.
Now I'm running a Zimbra mail server in the backend that also uses SSL for IMAPS on port 993, and I see two ways of "consuming" the ACME-generated certificates:
1. Let HAProxy handle all SSL (to me this is the tidiest)
2. Copy the ACME-generated certificates to Zimbra and script Zimbra to import them
I've been trying to find a method to wrap HAProxy TCP requests to IMAPS and offload the SSL bit to HAProxy, but haven't succeeded at it so far.
I seem to be the only one trying this, since I haven't found any documentation on it.
I have now (temporarily) adopted option 2, but hope that you guys can guide me on how I either:
Get the TCP SSL going (maybe there is some hidden document on how to approach this with Zimbra), or
In the ACME refresh process, SCP the key and crt files to my Zimbra backend.
For the second option I would like to build a cron script on my pfSense (yes; I'm sorry, I don't like it either) that extracts the needed .key and .crt files and puts them into a file which I would then SCP, followed by a call of the Zimbra renew certificate script.
Would really appreciate your help in this.
Is there a way to extract the SSL certificates from the config?
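An added example (not from this thread or from the pfSense/Zimbra projects) of the cron-side script for option 2: it pulls a cert/key pair out of pfSense's config.xml into PEM files and then pushes them to Zimbra. The config.xml layout (<cert><descr/><crt/><prv/> with base64 PEM), the /cf/conf/config.xml path, the host name mail.example.net and the zmcertmgr deploycrt invocation are assumptions; the sample config.xml is constructed so the extraction can be run offline.

```shell
# Added example, not from the thread. Assumptions: pfSense keeps certs in
# /cf/conf/config.xml as <cert><descr/><crt/><prv/> with base64-encoded PEM;
# Zimbra uses the standard /opt/zimbra layout. Verify both before using in cron.
set -eu

# Extract the <cert> block whose <descr> contains $2 from config.xml $1 and write
# $3/mail.crt and $3/mail.key (both fields are base64 of the PEM text).
extract_cert() {
  ec_blk=$(awk -v want="$2" '
    /<cert>/   { blk = ""; inblk = 1 }
    inblk      { blk = blk $0 "\n" }
    /<\/cert>/ { if (inblk && index(blk, want)) { printf "%s", blk; exit }; inblk = 0 }
  ' "$1")
  [ -n "$ec_blk" ] || { echo "no <cert> with descr matching '$2' in $1" >&2; return 1; }
  printf '%s\n' "$ec_blk" | sed -n 's:.*<crt>\(.*\)</crt>.*:\1:p' | base64 -d > "$3/mail.crt"
  printf '%s\n' "$ec_blk" | sed -n 's:.*<prv>\(.*\)</prv>.*:\1:p' | base64 -d > "$3/mail.key"
  chmod 600 "$3/mail.key"   # the key is the sensitive half; keep it owner-only
}

# Copy the pair to the Zimbra host $1 and deploy it as the "commercial" cert.
# Assumes key-based root ssh and that the Let's Encrypt chain is already staged
# as commercial_ca.crt on the Zimbra side (zmcertmgr deploycrt comm needs it).
deploy_to_zimbra() {
  scp "$2/mail.crt" "$2/mail.key" "root@$1:/opt/zimbra/ssl/zimbra/commercial/"
  ssh "root@$1" 'cd /opt/zimbra/ssl/zimbra/commercial && mv -f mail.key commercial.key &&
    chown zimbra:zimbra commercial.key mail.crt &&
    su - zimbra -c "zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/mail.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"'
}

# Constructed two-cert config.xml (not a real pfSense config) for an offline run.
make_sample_config() {
  b64() { printf '%s\n' "$@" | base64 | tr -d '\n'; }
  cat > "$1/config.xml" <<EOF
<pfsense>
  <cert><refid>a1</refid><descr><![CDATA[webConfigurator default]]></descr>
    <crt>$(b64 '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-OTHER' '-----END CERTIFICATE-----')</crt>
    <prv>$(b64 '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-OTHER-KEY' '-----END PRIVATE KEY-----')</prv></cert>
  <cert><refid>b2</refid><descr><![CDATA[mail.example.net (ACME)]]></descr>
    <crt>$(b64 '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-MAIL' '-----END CERTIFICATE-----')</crt>
    <prv>$(b64 '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-MAIL-KEY' '-----END PRIVATE KEY-----')</prv></cert>
</pfsense>
EOF
}

# Stand-alone demo against the constructed config. On pfSense the cron job would be:
#   extract_cert /cf/conf/config.xml mail.example.net /root/zcert && deploy_to_zimbra mail.example.net /root/zcert
demo=$(mktemp -d)
make_sample_config "$demo"
extract_cert "$demo/config.xml" "mail.example.net" "$demo"
echo "extracted $(wc -l < "$demo/mail.crt") PEM lines to $demo/mail.crt (key in $demo/mail.key)"
```

The pfSense ACME package can run a command after each renewal, which is where the extract-and-deploy call belongs instead of a blind nightly cron.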
I'm very interested in your configuration, since this is exactly what I want to perform.
Is it possible to post your config (GUI) or a link to a tutorial about it?
I expect that you put a DNS record pointing to HAProxy for internal requests?
Are you caching all Zimbra services behind HAProxy?
Hope this post will be read since it is a little outdated. ;)