Commercial SSL Cert Problem

stormlcc
Posts: 6
Joined: Mon Jun 25, 2018 2:01 am

Commercial SSL Cert Problem

Post by stormlcc »

Good day to all,

I know that there is a lot of discussion related to this, but I have yet to find a solution after almost a week of searching, or maybe I just missed it because I'm a newcomer to Linux, Zimbra and also certificate stuff. I would appreciate your kind help to point me in the right direction, or please give me some hints about solving this.

I have purchased and installed the commercial cert (from SSLcertificate.com) in my single server Zimbra FOSS (v8.8.7_GA_1964.RHEL7_64).
Everything is standard in the server settings, the server is a VM in VMware ESXi, and both incoming and outgoing email are working fine. When I go to the admin web UI (with standard Zimbra port 7071) the browser (using Chrome and Firefox) certificate section shows "secured" and it is working, but when I open the webmail (using standard HTTPS port 443) the browser shows the "not secure" or "connection is not private" page and the error message is "NET::ERR_CERT_AUTHORITY_INVALID". I went into the security overview to see what the issue is; the certificate path status says: This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

I asked the SSL provider (SSLcertificate.com) and their support says this:

The thing is that when you try to reach https://yourdomain/ in a browser, it automatically uses 443 port. According to our check, there is Nginx server running on that port. It means that the certificate should be installed on that server to make it work.

You can refer to this article on the matter: https://www.sslcertificate.com/knowledg ... ry_id=2230


I didn't find anything related to installing cert into Zimbra Nginx server in this forum or other help / support sites for Zimbra at all, please help! Thank you very much!
Last edited by stormlcc on Tue Jun 26, 2018 6:52 am, edited 1 time in total.
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: Commercial SSL Cert Problem

Post by axslingr »

Sounds like the hostname on the cert doesn't match the name you're using to access the web client.

Lance
stormlcc
Posts: 6
Joined: Mon Jun 25, 2018 2:01 am

Re: Commercial SSL Cert Problem

Post by stormlcc »

axslingr wrote: Sounds like the hostname on the cert doesn't match the name you're using to access the web client.

Lance

Hi axslingr, thank you for replying. The web client address is using the same domain name as the admin web login. I am just confused why admin doesn't have this issue but the web client does. Is it because admin is using port 7071 and the web client is using 443?
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: Commercial SSL Cert Problem

Post by axslingr »

stormlcc
Posts: 6
Joined: Mon Jun 25, 2018 2:01 am

Re: Commercial SSL Cert Problem

Post by stormlcc »

axslingr wrote:Have you seen this?

https://wiki.zimbra.com/wiki/Installing ... laboration

Lance

Yes I followed this exactly to install the cert.
axslingr
Outstanding Member
Posts: 256
Joined: Sat Sep 13, 2014 2:20 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18

Re: Commercial SSL Cert Problem

Post by axslingr »

What do your web proxy settings look like in admin console > configure > server > right-click your server > edit > proxy?

Also, do you get an error when you try to connect to IMAPS or POP3S?

Lance
stormlcc
Posts: 6
Joined: Mon Jun 25, 2018 2:01 am

Re: Commercial SSL Cert Problem

Post by stormlcc »

axslingr wrote: What do your web proxy settings look like in admin console > configure > server > right-click your server > edit > proxy?

Also, do you get an error when you try to connect to IMAPS or POP3S?

Lance

Please see here for proxy settings.

https://www.dropbox.com/s/s6amq9cpf0kh1 ... y.PNG?dl=0

For IMAP, yes, the same cert warning comes up: "certificate not valid". I did not use POP3 so I'm not sure.

Thanks.
tonster
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: Commercial SSL Cert Problem

Post by tonster »

It looks to me like you didn't properly include the intermediate certificates when you installed it. What commands did you run to install your certificate? Which intermediate/root certs did you include?
stormlcc
Posts: 6
Joined: Mon Jun 25, 2018 2:01 am

Re: Commercial SSL Cert Problem

Post by stormlcc »

tonster wrote:It looks to me like you didn't properly include the intermediate certificates when you installed it. What commands did you run to install your certificate? Which intermediate/root certs did you include?

Hi tonster, sorry for the late reply. The intermediate certs that have been installed are these:

ComodoSSL
[ inc. ComodoSSL Wildcard & ComodoSSL UCC ]
UserTrust / AddTrust External Root
COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA
End-Entity/Domain Certificate

If the certs are wrong or have issues then why can the admin site use it and not show any problems? Thanks.
tonster
Zimbra Employee
Posts: 313
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: Commercial SSL Cert Problem

Post by tonster »

stormlcc wrote:
tonster wrote: It looks to me like you didn't properly include the intermediate certificates when you installed it. What commands did you run to install your certificate? Which intermediate/root certs did you include?

Hi tonster, sorry for the late reply. The intermediate certs that have been installed are these:

ComodoSSL
[ inc. ComodoSSL Wildcard & ComodoSSL UCC ]
UserTrust / AddTrust External Root
COMODO RSA Certification Authority
COMODO RSA Domain Validation Secure Server CA
End-Entity/Domain Certificate

If the certs are wrong or have issues then why can the admin site use it and not show any problems? Thanks.

The only thing I can think of is that you have certs installed as both global and domain certs, and the admin console would use the global cert (installed using zmcertmgr) while the domain could be using the domain cert (installed using zmdomaincertmgr).
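
Added example (not part of the original thread and not Zimbra's own tooling): one way to test both suggestions above is to compare the certificate chain the server actually sends on port 443 and on port 7071. The function below parses `openssl s_client -showcerts` output; the host name `mail.example.test` and both sample outputs are constructed placeholders, with CA names taken from the list in the thread.

```shell
#!/bin/sh
# chain_report: read `openssl s_client -showcerts` output on stdin, print one
# line per certificate the server sent, the verify status, then a RESULT line.
chain_report() {
  awk '
    /^Certificate chain/  { sec = 1; next }
    /^---$/               { sec = 0 }
    sec && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    sec && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    /Verify return code:/ { sub(/^ */, ""); verify = $0 }
    END {
      for (k = 1; k <= n; k++)
        printf "%d subject=[%s] issuer=[%s]\n", k - 1, subj[k], iss[k]
      if (verify != "") print verify
      # Each certificate must be issued by the next one in the list.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "RESULT out-of-order"; exit }
      if (n == 0)                           print "RESULT no-certificates"
      else if (n == 1 && subj[1] != iss[1]) print "RESULT leaf-only"
      else                                  print "RESULT chain-sent"
    }'
}
probe() {  # probe HOST PORT: fetch the chain served on one port
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | chain_report
}
# Constructed sample: server sends only the end-entity certificate.
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.example.test
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
# Constructed sample: server sends the leaf plus its intermediate.
sample_with_intermediate() { cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.example.test
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
    Verify return code: 0 (ok)
EOF
}
# Usage: sh chaincheck.sh mail.example.test  (compares the two ports)
if [ "$#" -ge 1 ]; then
  for port in 443 7071; do echo "== $1:$port"; probe "$1" "$port"; done
fi
```

A `leaf-only` result on one port points to missing intermediates in what that service is serving, and different subjects or issuers between the two ports mean the two services are not using the same certificate.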