SSL Certificates on multidomain server

Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

Post by Vortok »

Hi all :)
Here's the problem.
I run 8.6.0_GA_1153.FOSS in a single-server environment. Till last week I had a single domain (let's call it domain1.com) installed on it and a commercial certificate installed and working fine according to this wiki page:
http://wiki.zimbra.com/wiki/Administrat ... ficate_CLI
Unfortunately things got complicated and I had to add a 2nd domain (domain2.com) to the server. Adding the domain went just fine, I got e-mail accounts working in it already.
The problem started when I tried to add a 2nd certificate for the 2nd domain.
I followed the instructions from here:
https://wiki.zimbra.com/wiki/SSL_certif ... per_domain
but without much success...
I got my cert prepared and it verified OK, I also have both
zmprov gs SERVERNAME zimbraReverseProxyGenConfigPerVirtualHostname
zmprov gacf zimbraReverseProxyGenConfigPerVirtualHostname
set to TRUE
I ran:
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
and
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

without errors for the new domain2.com, but it produced a "failed" result for the old domain1.com entries...
Then I restarted the whole thing (zmcontrol restart).

Unfortunately, after checking with /opt/zimbra/bin/zmcertmgr viewdeployedcrt, I still only see the old certificate deployed by the first method for domain1.com.

My guess is that I'd have to uninstall the first certificate for the whole server and then implement a domain-based solution, but I haven't got a clue how to do it and uncle Google is not of much help...

I'd really appreciate some help :)
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

How about some of these answers?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

Post by Vortok »

They point only to the same wiki page that I originally used without success...
DanielP211
Posts: 2
Joined: Wed Aug 12, 2015 10:36 am

Post by DanielP211 »

Did you by any chance figure this out? I am having the exact same problem... Thank you.
chauvetp
Outstanding Member
Posts: 350
Joined: Fri Sep 12, 2014 11:28 pm

Post by chauvetp »

Would using certificates with SANs (Subject Alternative Names) work? It's not exactly the same but we have the same domain with multiple names because people use it as different names (i.e. some use zmail.newpaltz.edu and some use zimbra.newpaltz.edu).
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

Post by Vortok »

Nope... I gave up some time ago, but if you succeed I'd be more than happy to use your solution ;)

As for SANs, they work fine. I have a *.domain.com certificate installed and it's working fine for mail.domain.com, pop3.domain.com, smtp.domain.com, etc...
DanielP211
Posts: 2
Joined: Wed Aug 12, 2015 10:36 am

Post by DanielP211 »

Hello.

I solved my problem. I figured out there was no way to do it successfully following these instructions:

https://wiki.zimbra.com/wiki/SSL_certif ... per_domain

So I did it with apache and reverse proxy.

I installed apache2 on my Zimbra server. Enabled mod proxy and rewrite. Made apache listen on 80 and 443. Changed the default port on zimbra from 80 to 81:

Command:
zmprov ms server.com zimbraMailPort 81

Tell Zimbra to use the http authentication method.

Command:
zmtlsctl http
zmcontrol stop;zmcontrol start

Then I added two vhosts to apache, here are my files (different domain being domain1.com and domain2.com). The certificate location depends on where you have your certificate. I used the default locations in zimbra.

Vhost for new domain:



<VirtualHost *:80>
    ServerName zimbra.domain1.com
    # Send plain-HTTP requests to the HTTPS vhost
    Redirect / https://zimbra.domain1.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName zimbra.domain1.com

    # Reverse proxy only: ProxyRequests On would also enable forward proxying
    ProxyRequests Off
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /opt/zimbra/conf/domaincerts/domain1.com.crt
    SSLCertificateKeyFile /opt/zimbra/conf/domaincerts/domain1.com.key

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^zimbra\.domain1\.com$
    # [P] proxies the request to Zimbra's HTTP listener on port 81
    RewriteRule (.*)$ http://zimbra.domain1.com:81$1 [P,L]
</VirtualHost>

Vhost for original domain:

<VirtualHost *:80>
    ServerName zimbra.domain2.com
    # Send plain-HTTP requests to the HTTPS vhost
    Redirect / https://zimbra.domain2.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName zimbra.domain2.com

    # Reverse proxy only: ProxyRequests On would also enable forward proxying
    ProxyRequests Off
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    SSLCertificateKeyFile /opt/zimbra/ssl/zimbra/commercial/backup/commercial.key

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^zimbra\.domain2\.com$
    # [P] proxies the request to Zimbra's HTTP listener on port 81
    RewriteRule (.*)$ http://zimbra.domain2.com:81$1 [P,L]
</VirtualHost>



Added the host to apache.

Command:
a2ensite domain1.com
a2ensite domain2.com

service apache2 restart

Now it works for both domains.



Best Regards,

Daniel
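
A small lint for the reverse-proxy layout in the post above, as an added example that is not part of the original post or of any Zimbra or Apache tooling: it reads Apache vhost text and reports, for each *:443 vhost, a forward proxy left enabled (`ProxyRequests On`, which a reverse proxy does not need) and missing TLS directives. The sample config, its paths and the helper names `directive` and `audit` are constructed for illustration.

```python
import re

# Constructed sample modelled on the vhost layout in the post above;
# hostnames and certificate paths are placeholders.
SAMPLE = """
<VirtualHost *:443>
    ServerName zimbra.domain1.com
    ProxyRequests On
    SSLEngine On
    SSLCertificateFile /etc/ssl/example/domain1.com.crt
    SSLCertificateKeyFile /etc/ssl/example/domain1.com.key
    RewriteRule (.*)$ http://zimbra.domain1.com:81$1 [P,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName zimbra.domain2.com
    SSLEngine On
    SSLCertificateFile /etc/ssl/example/domain2.com.crt
    ProxyPass / http://127.0.0.1:81/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the last value of a directive inside one vhost body, or None."""
    hits = re.findall(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
    return hits[-1] if hits else None

def audit(conf):
    """Return sorted (ServerName, finding) pairs for every *:443 vhost."""
    findings = []
    for addr, body in VHOST.findall(conf):
        if not addr.strip().endswith(":443"):
            continue
        name = directive(body, "ServerName") or "<no ServerName>"
        if (directive(body, "ProxyRequests") or "off").lower() == "on":
            findings.append((name, "ProxyRequests On: forward proxy enabled"))
        if (directive(body, "SSLEngine") or "off").lower() != "on":
            findings.append((name, "SSLEngine is not On"))
        for d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if directive(body, d) is None:
                findings.append((name, f"no {d} set"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A vhost with no `SSLCertificateKeyFile` is only valid when the private key is stored inside the certificate file, so that finding is a prompt to check, not necessarily an error.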
Vortok
Posts: 4
Joined: Mon Jun 08, 2015 2:19 pm

Post by Vortok »

I'll try that next week :) thanks for sharing !
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Post by jorgedlcruz »

Hi, installing Apache on the same machine as Zimbra to have multiple SSL certificates is not supported, and these are the wrong steps.
The wiki is telling you that you need a different public IP for each domain, as Zimbra doesn't support SNI yet. So, please, follow the wiki article:
We also wrote something in Spanish some time ago; maybe it can help as well:

https://www.jorgedelacruz.es/2013/11/21 ... -servidor/
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Post by L. Mark Stone »

Jorge,
You say you need to configure Public IPs for each domain, but all of our Zimbra servers are NAT'd to RFC1918 addresses; wouldn't this work OK with Private IPs, so long as they resolved in the DNS (Split DNS) used by Zimbra for resolution?
Thanks,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate