Zimbra SSL behind ACME and HAProxy
-
Hi Guys,
I've been recently installing the ACME Let's Encrypt module to easily manage SSL certificates in HAProxy.
This works like a charm and releases me from a lot of SSL headache. The HAProxy service is configured to catch and handle all */.well-known/acme-challenge so pfSense fully handles the ACME challenges and key refresh.
Now I'm running a Zimbra Mailserver in the backend that also uses SSL for IMAPS on port 993 and see two ways of "consuming" the ACME generated certificates.
- Let HAProxy handle all SSL (to me this is the tidiest)
- Copy the ACME generated certificates to Zimbra and script Zimbra to import them
I've been trying to find a method to WRAP HAProxy TCP requests to IMAPS and offload the SSL bit to HAProxy but haven't succeeded at it so far.
I seem to be the only one trying this since I haven't found any documentation on it. I have now (temporarily) adopted option 2 but hope that you guys can guide me on how I either:
- Get the TCP SSL going (maybe there is some hidden document on how to approach this with Zimbra)
- In the ACME refresh process SCP the key and crt files to my Zimbra backend
For the second option I would like to build a cron script on my pfSense (yes; I'm sorry, I don't like it either) that extracts the needed .key and .crt files and puts them into a file which I would then SCP, followed by a call of the Zimbra renew certificate script.
Would really appreciate your help in this.
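A worked version of that second option, added here and not part of the original post: a cron script on pfSense that checks the ACME files, copies them to the Zimbra backend and runs the standard zmcertmgr steps there. The /conf/acme file names, the certdeploy account and its sudo rights, the SSH key path and the staging directory are assumptions to adjust for your own setup.

```sh
#!/bin/sh
# Added example, not from the thread: a cron job on pfSense that pushes an
# ACME-issued certificate to a Zimbra backend and deploys it there.
# Assumed (check on your box): the pfSense ACME package leaves the files as
# /conf/acme/<name>.crt, .key and .ca; a dedicated SSH key reaches an
# unprivileged account (certdeploy) on Zimbra that may sudo the steps below.
CERT_NAME="${CERT_NAME:-mail.example.com}"
ACME_DIR="${ACME_DIR:-/conf/acme}"
ZIMBRA_HOST="${ZIMBRA_HOST:-mail.example.com}"
DEPLOY_USER="${DEPLOY_USER:-certdeploy}"
DEPLOY_KEY="${DEPLOY_KEY:-/root/.ssh/zimbra_deploy}"
STAGE="/opt/zimbra/ssl/acme-staging"   # assumed zimbra-owned staging dir on the backend
SSH_OPTS="-i $DEPLOY_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"

# Refuse to proceed when any required file is missing or empty.
need_files() {
  for f in "$@"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done
}

# The public key inside the certificate must equal the one derived from the
# private key; pushing a mismatched pair takes IMAPS on 993 down.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

deploy() {
  crt="$ACME_DIR/$CERT_NAME.crt"; key="$ACME_DIR/$CERT_NAME.key"; ca="$ACME_DIR/$CERT_NAME.ca"
  need_files "$crt" "$key" "$ca" || return 1
  key_matches_cert "$crt" "$key" || { echo "key/cert mismatch, not deploying" >&2; return 1; }
  # Copy to the deploy account's home, then let root move the files into a
  # zimbra-owned directory with tight modes before zmcertmgr touches them.
  scp $SSH_OPTS "$crt" "$key" "$ca" "$DEPLOY_USER@$ZIMBRA_HOST:" || return 1
  ssh $SSH_OPTS "$DEPLOY_USER@$ZIMBRA_HOST" "set -e
    sudo install -d -o zimbra -g zimbra -m 700 $STAGE
    sudo install -o zimbra -g zimbra -m 600 $CERT_NAME.crt $CERT_NAME.key $CERT_NAME.ca $STAGE/
    rm -f $CERT_NAME.crt $CERT_NAME.key $CERT_NAME.ca
    # Standard Zimbra commercial-certificate procedure (zmcertmgr runs as zimbra on 8.7+).
    sudo -u zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm $STAGE/$CERT_NAME.key $STAGE/$CERT_NAME.crt $STAGE/$CERT_NAME.ca
    sudo -u zimbra cp $STAGE/$CERT_NAME.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
    sudo -u zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm $STAGE/$CERT_NAME.crt $STAGE/$CERT_NAME.ca
    sudo -u zimbra /opt/zimbra/bin/zmcontrol restart"
}
# The cron entry calls this script with the argument 'run'; sourcing it does nothing.
[ "${1:-}" = "run" ] && deploy
```

zmcontrol restart briefly interrupts mail services, so schedule the cron entry outside busy hours and only after the ACME renewal has finished.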
-
Is there a way to extract the SSL certificates from the config?
-
Hi,
I'm very interested in your configuration, since this is exactly what I want to perform.
Is it possible to post your config (GUI) or a link to a tutorial about it?
I expect that you put a DNS record to point to HaProxy for internals requests?
Are you caching all Zimbra services behind HaProxy?
Best. Hope this post will be read since it is a little outdated. ;)