HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1771
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 4 Network Edition
Contact:

HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Postby L. Mark Stone » Sat Jul 07, 2018 2:38 am

I've been using LetsEncrypt successfully but as the number of my Zimbra (and other) servers have been multiplying, it was time for a commercial SSL certificate. I bought a wildcard SSL certificate for the missioncriticalemail.com domain from Gandi.net.

All I could find about Gandi SSL certificates and Zimbra was an archived wiki article from Zimbra 5/6, so I thought I'd post the process here for others who want to use Gandi.net.

Gandi uses Comodo upstream, so you need to go through the process of building your own certificate chain. I also wanted to be able to rollback in case it didn't work, so that impacted how I generated the CSR. At the end of the day, it all worked, so I thought I'd document the abbreviated process here.

Two common "gotchas" in my experience are first that many system admins don't realize that creating a CSR alters the private key file, and second, that the order in which all the other root and intermediate certs are bundled is very important, and perhaps not so intuitive. So I tried to highlight these in the steps below.

Hope that helps,
Mark

Gandi.net Zimbra SSL Certificate Installation Notes

CREATE THE CSR:
1. As the Zimbra user:

Code: Select all

cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp
cd /tmp
openssl req -new -newkey rsa:2048 -nodes -keyout commercial.key -out yourserver.csr
    (Follow the prompts; hit "Enter" when asked for a password)

2. Paste the CSR in the Gandi SSL Certificate Wizard
3. Copy the /tmp/commercial.key file someplace safe (it's different now than the original!)

GET READY FOR THE INSTALLATION:
1. Download the issued SSL certificate and Gandi's intermediate bundle from Gandi
2. Download the Comodo Root and Intermediary bundle from:
https://support.comodo.com/index.php?/c ... tion-sha-2

FILES INVENTORY:
commercial.key - Private key file from /tmp/commercial.key - after the CSR creation -
>>>> must be copied to /opt/zimbra/ssl/zimbra/commercial/commercial.key after moving aside the existing commercial.key file.
_.missioncriticalemail.com.crt - The SSL Wildcard certificate
GandiStandardSSLCA2.pem - Gandi's Intermediate CA
comodo-rsa-domain-validation-sha-2-w-root.ca-bundle - Comodo's Root and Intermediates

INSTALLATION:
1. Copy commercial.key as above, ensuring ownership and permissions match the old commercial.key file you set aside to make room for this one.
2. As the Zimbra user, create the files:

Code: Select all

touch /tmp/commercial.crt
touch /tmp/commercial_ca.crt


3. As the Zimbra user, copy the contents of _.missioncriticalemail.com.crt to the /tmp/commercial.crt file on each Zimbra server.

4. As the Zimbra user, populate the /tmp/commercial_ca.crt file:

Code: Select all

-----BEGIN CERTIFICATE-----
Insert Contents of GandiStandardSLLCA2.pem (contains two certificates)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Insert Contents of comodo-rsa-domain-validation-sha-2-w-root.ca-bundle (contains three certificates)
-----END CERTIFICATE-----


5. As the Zimbra user, verify:

Code: Select all

~/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt


6. If all is good, As the Zimbra user, install:

Code: Select all

~/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt

7. And then restart:

Code: Select all

zmcontrol restart


_____________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP and Consulting https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 228
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL6_64_201
Contact:

Re: HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Postby JDunphy » Sat Jul 07, 2018 1:51 pm

letsencrypt now supports wildcard with acme v2 clients.

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

Code: Select all

acme.sh  --issue -d example.com  -d '*.example.com'  --dns dns_cf

The above example uses the automatic DNS method from cloudflare as a DNS provider.

As an aside: I am especially liking the automatic DNS alias mode these days which further mitigates access to only the _acme-challenge.example.com RR. This allows for a centralized opportunity to renew certs and push to the appropriate hosts after verification/validation. That is progress ... Now if we could get reloads vs restarts for certs, I would be much happier with Zimbra. :-)
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 1771
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 4 Network Edition
Contact:

Re: HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Postby L. Mark Stone » Sat Jul 07, 2018 2:25 pm

That's great news about the LetsEncrypt wildcard certificates, but the need to restart Zimbra every <90 days also factored into my decision to go with a 2-year commercial SSL certificate.

I'm also spoiled by how easy LetsEncrypt can be when the application stack supports it; my website is on a Bitnami Wordpress instance at Amazon Lightsail. It's a simple cron job to renew and deploy the SSL certificates and reload Apache without any intervention from me. Hopefully Zimbra can get there as well -- they've got two years before I have to renew my cert! :-)

All the best,
Mark
_____________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP and Consulting https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 17 guests