SSL Certificates on multidomain server

Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

SSL Certificates on multidomain server

Postby Vortok » Mon Jun 08, 2015 2:37 pm

Hi all :)


Here's the problem.


I run 8.6.0_GA_1153.FOSS in a single-server environment. Until last week I had a single domain (let's call it domain1.com) installed on it, and a commercial certificate installed and working fine according to this wiki page:
http://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#ZCS_Certificate_CLI


Unfortunately things got complicated and I had to add a 2nd domain (domain2.com) to the server. Adding the domain went just fine; I got e-mail accounts working in it already.


The problem started when I tried to add 2nd certificate for 2nd domain.
I followed instructions from here:
https://wiki.zimbra.com/wiki/SSL_certificates_per_domain


but without many successes...


I got my cert prepared and it verified OK, I also have both
zmprov gs SERVERNAME zimbraReverseProxyGenConfigPerVirtualHostname
zmprov gacf zimbraReverseProxyGenConfigPerVirtualHostname


set to TRUE


I got the :


/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key


and


/opt/zimbra/libexec/zmdomaincertmgr deploycrts

without errors for the new domain2.com but it produced a "failed" result for the old domain1.com entries...
then I restarted the whole thing (zmcontrol restart)

unfortunately after checking with /opt/zimbra/bin/zmcertmgr viewdeployedcrt I still only see the old certificate deployed by the first method for the domain1.com

My guess is that I'd have to uninstall the first certificate for the whole server and then implement a domain base solution but I haven't got a clue how to do it and uncle google is of not much help ...

I'd really appreciate some help :)


 





phoenix
Ambassador
Posts: 26417
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

SSL Certificates on multidomain server

Postby phoenix » Mon Jun 08, 2015 2:44 pm

How about some of these answers?

Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

SSL Certificates on multidomain server

Postby Vortok » Mon Jun 08, 2015 3:01 pm

they point only to the same wiki page that I originally used without success...
DanielP211
Posts: 2
Joined: Wed Aug 12, 2015 10:36 am

SSL Certificates on multidomain server

Postby DanielP211 » Wed Aug 12, 2015 10:37 am

Did you by any chance figure this out? I am having the exact same problem... Thank you.
chauvetp
Outstanding Member
Posts: 350
Joined: Fri Sep 12, 2014 11:28 pm

SSL Certificates on multidomain server

Postby chauvetp » Wed Aug 12, 2015 10:43 am

Would using certificates with SANs (Subject Alternative Names) work? It's not exactly the same but we have the same domain with multiple names because people use it as different names (i.e. some use zmail.newpaltz.edu and some use zimbra.newpaltz.edu).
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

SSL Certificates on multidomain server

Postby Vortok » Wed Aug 12, 2015 10:58 am

Nope... I gave up some time ago, but if you succeed I'd be more than happy to use your solution ;)



As for SANs they work fine, I have *.domain.com certificate installed and it's working fine for mail.domain.com, pop3.domain.com and smtp.domain.com etc...

DanielP211
Posts: 2
Joined: Wed Aug 12, 2015 10:36 am

SSL Certificates on multidomain server

Postby DanielP211 » Fri Aug 14, 2015 1:24 am

Hello.



I solved my problem. I figured out there was no way to do it successfully following these instructions:

https://wiki.zimbra.com/wiki/SSL_certificates_per_domain



So I did it with apache and reverse proxy.



I installed apache2 on my Zimbra server. Enabled mod proxy and rewrite. Made apache listen on 80 and 443. Changed the default port on zimbra from 80 to 81:



Command:

zmprov ms server.com zimbraMailPort 81



Tell Zimbra to use the http authentication method.



Command:

zmtlsctl http

zmcontrol stop;zmcontrol start



Then I added two vhosts to apache, here are my files (different domain being domain1.com and domain2.com). The certificate location depends on where you have your certificate. I used the default locations in zimbra.



Vhost for new domain:



<VirtualHost *:80>
    ServerName zimbra.domain1.com
    Redirect / https://zimbra.domain1.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName zimbra.domain1.com

    # Reverse proxy only: forward proxying stays off so Apache is not an open proxy
    ProxyRequests Off
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /opt/zimbra/conf/domaincerts/domain1.com.crt
    SSLCertificateKeyFile /opt/zimbra/conf/domaincerts/domain1.com.key

    # Pass requests for this host to Zimbra's HTTP listener on port 81
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^zimbra\.domain1\.com$
    RewriteRule (.*)$ http://zimbra.domain1.com:81$1 [P,L]
</VirtualHost>



Vhost for original domain:



<VirtualHost *:80>
    ServerName zimbra.domain2.com
    Redirect / https://zimbra.domain2.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName zimbra.domain2.com

    # Reverse proxy only: forward proxying stays off so Apache is not an open proxy
    ProxyRequests Off
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    SSLCertificateKeyFile /opt/zimbra/ssl/zimbra/commercial/backup/commercial.key

    # Pass requests for this host to Zimbra's HTTP listener on port 81
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^zimbra\.domain2\.com$
    RewriteRule (.*)$ http://zimbra.domain2.com:81$1 [P,L]
</VirtualHost>



Added the host to apache.



Command:

a2ensite domain1.com

a2ensite domain2.com



service apache2 restart



Now it works for both domains.



Best Regards,

Daniel
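
An audit check for reverse-proxy vhosts of the kind posted above, as an added example (not DanielP211's or Zimbra's code): it flags ProxyRequests On, 443 vhosts without a certificate or key file, and [P] rewrite targets that carry traffic over plain HTTP to a non-loopback host. The sample config is constructed, and the names audit, directives, VHOST and LOOPBACK are chosen for this example.

```python
import re
# Constructed sample (not the poster's files); hostnames and paths are placeholders.
SAMPLE = """\
<VirtualHost *:443>
ServerName zimbra.domain1.com
ProxyRequests On
SSLCertificateFile /opt/zimbra/conf/domaincerts/domain1.com.crt
SSLCertificateKeyFile /opt/zimbra/conf/domaincerts/domain1.com.key
RewriteRule (.*)$ http://zimbra.domain1.com:81$1 [P,L]
</VirtualHost>
<VirtualHost *:443>
ServerName zimbra.domain2.com
SSLCertificateFile /opt/zimbra/ssl/zimbra/commercial/commercial.crt
RewriteRule (.*)$ http://127.0.0.1:81$1 [P,L]
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>", re.S | re.I)
LOOPBACK = {"localhost", "127.0.0.1"}

def directives(body):
    """Map each directive name (lower-cased) to the list of its argument strings."""
    out = {}
    for line in map(str.strip, body.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            out.setdefault(name.lower(), []).append(args.strip())
    return out

def audit(conf):
    """Return (ServerName, finding) tuples for every <VirtualHost> block in conf."""
    findings = []
    for port, body in VHOST.findall(conf):
        d = directives(body)
        name = d.get("servername", ["<no ServerName>"])[0]
        if any(v.lower() == "on" for v in d.get("proxyrequests", [])):
            findings.append((name, "ProxyRequests On (forward proxy enabled)"))
        if port == "443":  # a TLS vhost needs both the certificate and its key
            findings += [(name, "missing " + k) for k in
                         ("sslcertificatefile", "sslcertificatekeyfile") if k not in d]
        for rule in d.get("rewriterule", []):
            flags = rule.rsplit("[", 1)[-1].rstrip("]").split(",")
            m = re.search(r"\bhttp://([^:/\s]+)", rule)
            if "P" in flags and m and m.group(1) not in LOOPBACK:
                findings.append((name, "plaintext proxy to " + m.group(1)))
    return findings

if __name__ == "__main__":
    print("\n".join(n + ": " + f for n, f in audit(SAMPLE)))
```

A plaintext-proxy finding is a prompt to confirm that the backend port (81 in this thread) is not reachable from outside the host.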
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

SSL Certificates on multidomain server

Postby Vortok » Fri Aug 14, 2015 2:07 am

I'll try that next week :) thanks for sharing !
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm

SSL Certificates on multidomain server

Postby jorgedlcruz » Fri Aug 14, 2015 7:03 am

Hi, installing Apache on the same machine as Zimbra to have multiple SSL is not supported, and these are the wrong steps.


The Wiki is telling you that you need different public IPs for each domain, as Zimbra doesn't support SNI yet. So, please, follow the Wiki article:


We also wrote something in Spanish some time ago; maybe it can help as well:


Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
L. Mark Stone
Elite member
Posts: 2083
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

SSL Certificates on multidomain server

Postby L. Mark Stone » Mon Aug 17, 2015 3:43 pm

Jorge,


You say you need to configure Public IPs for each domain, but all of our Zimbra servers are NAT'd to RFC1918 addresses; wouldn't this work OK with Private IPs, so long as they resolved in the DNS (Split DNS) used by Zimbra for resolution?


Thanks,


Mark

___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
