Deploy Docker-based Nimbra Edge on an internal network

Deploying Docker-based Nimbra Edge on an internal network

By default, the system requires port 80 (HTTP) to be reachable from the internet so that the automated TLS certificate process can work (ACME HTTP-01 challenges are used). If this is not possible or not desired, the alternative approaches are explained here.

Installing a custom certificate

Installing a custom certificate into Nimbra Edge is done using the connectit CLI tool.

Run the following command with a valid certificate and private key (PEM format). It can be run multiple times to replace the previously installed certificate.

./connectit certificate install <path_to_certificate> <path_to_private_key>

Automatically managed certificate using the ACME DNS-01 challenge

The ACME protocol defines multiple challenge types. One that does not require any ports to be open from the internet is the DNS-01 challenge. As the name suggests, it uses DNS to verify ownership of the domain, which requires API access to your DNS provider in order to manage DNS TXT records.

Because there are so many different DNS providers, this feature is not currently integrated into Nimbra Edge. It can still be automated externally, and the new certificate can be installed into the system upon each renewal.

Example script using lego with Cloudflare DNS

A project supporting many different DNS providers is lego.

This script acquires (or renews) a certificate and installs it into Nimbra Edge when necessary.

renew-cert-using-dns.sh

#!/bin/bash

set -euo pipefail

email=${EMAIL:?EMAIL environment variable is required}
domain=${DOMAIN:?DOMAIN environment variable is required}
cloudflare_dns_api_token=${CLOUDFLARE_DNS_API_TOKEN:?CLOUDFLARE_DNS_API_TOKEN environment variable is required}

lego_image=goacme/lego:latest
cli_path="$(pwd)/connectit"
lego_path="$(pwd)/lego"

# lego's state directory (ACME account and certificates) is bind-mounted into the container.
lego_container_path="/etc/lego"
certs_dir="$lego_path/certificates"
cert_path="$certs_dir/$domain.crt"
key_path="$certs_dir/$domain.key"
# The run/renew hook creates this flag file; its presence means lego issued a new certificate.
deploy_flag=deploy.flag
deploy_flag_path="$lego_path/$deploy_flag"

function verify_exists() {
    if [[ ! -f "$1" ]]; then
        echo "File '$1' does not exist" >&2
        exit 1
    fi
}

# Run lego in a throw-away container; the DNS API token is only passed as an environment variable.
function lego() {
    docker run --rm \
        -e CLOUDFLARE_DNS_API_TOKEN="$cloudflare_dns_api_token" \
        -v "$lego_path:$lego_container_path" \
        --user "$(id -u):$(id -g)" \
        "$lego_image" \
        --path "$lego_container_path" \
        --accept-tos \
        --dns cloudflare \
        --email "$email" \
        --domains "$domain" \
        "$@"
}

# Install the certificate into Nimbra Edge only when lego actually issued a new one.
function install_cert() {
    if [[ -f "$deploy_flag_path" ]]; then
        echo "Certificates acquired. Installing into Nimbra Edge..." >&2
        "$cli_path" certificate install "$cert_path" "$key_path"
        rm -f "$deploy_flag_path"
    fi
}

verify_exists "$cli_path"

mkdir -p "$lego_path"
# The first run obtains a certificate; later runs renew it when lego decides renewal is due.
if [[ -f "$cert_path" ]]; then
    lego renew --renew-hook "touch $lego_container_path/$deploy_flag"
else
    lego run --run-hook "touch $lego_container_path/$deploy_flag"
fi

install_cert
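A pre-installation sanity check, added here as an example and not part of the Nimbra Edge documentation or the connectit tool: before the script above hands a freshly written PEM pair to `connectit certificate install`, confirm that the private key matches the certificate, that the certificate covers the domain, and that it is not about to expire. It assumes the `openssl` CLI is available; the function names are the example's own.

```shell
#!/bin/bash
# Added example: checks to run on a PEM certificate/key pair before installing it.
# Assumes the `openssl` CLI is installed. Function names are this example's own.
set -euo pipefail

# Return 0 if the public key inside the certificate equals the public key derived
# from the private key (compared via SHA-256 of the PEM-encoded public keys).
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [[ -n "$cert_pub" && "$cert_pub" == "$key_pub" ]]
}

# Return 0 if the certificate stays valid for at least $2 more seconds
# (default 7 days: enough headroom to notice and repair a broken renewal job).
cert_not_expiring() {
    local cert="$1" seconds="${2:-604800}"
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1
}

# Return 0 if $2 is listed as a DNS name in the certificate's subjectAltName.
# The SAN list is captured first so `grep -q` cannot SIGPIPE the pipeline under pipefail.
cert_covers_domain() {
    local cert="$1" domain="$2" names
    names=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^,[:space:]]*' || true)
    grep -qixF "DNS:$domain" <<<"$names"
}

# Run all checks; report the first failure on stderr and return 1 so a wrapper
# can refuse to install a bad pair instead of breaking the running service.
precheck_cert() {
    local cert="$1" key="$2" domain="$3"
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    cert_covers_domain "$cert" "$domain" || { echo "certificate does not cover $domain" >&2; return 1; }
    cert_not_expiring "$cert" || { echo "certificate expires within 7 days" >&2; return 1; }
}
```

In the script above it would be called as `precheck_cert "$cert_path" "$key_path" "$domain"` at the top of `install_cert`, before `connectit certificate install`.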

Usage

sudo \
DOMAIN=<domain> \
EMAIL=<your-email> \
CLOUDFLARE_DNS_API_TOKEN=<api-token> \
./renew-cert-using-dns.sh

Run this periodically to make sure you always have a valid certificate for your installation, for example with a cron job as described in the lego documentation: https://go-acme.github.io/lego/usage/cli/renew-a-certificate/index.html#automatic-renewal