HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Post by L. Mark Stone »

I've been using LetsEncrypt successfully, but as the number of my Zimbra (and other) servers has been multiplying, it was time for a commercial SSL certificate. I bought a wildcard SSL certificate for the missioncriticalemail.com domain from Gandi.net.

All I could find about Gandi SSL certificates and Zimbra was an archived wiki article from Zimbra 5/6, so I thought I'd post the process here for others who want to use Gandi.net.

Gandi uses Comodo upstream, so you need to go through the process of building your own certificate chain. I also wanted to be able to rollback in case it didn't work, so that impacted how I generated the CSR. At the end of the day, it all worked, so I thought I'd document the abbreviated process here.

Two common "gotchas" in my experience are first that many system admins don't realize that creating a CSR alters the private key file, and second, that the order in which all the other root and intermediate certs are bundled is very important, and perhaps not so intuitive. So I tried to highlight these in the steps below.

Hope that helps,
Mark

Gandi.net Zimbra SSL Certificate Installation Notes

CREATE THE CSR:
1. As the Zimbra user:

Code: Select all

# Work on a copy so the live key in /opt/zimbra/ssl is untouched until you are ready
cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp
cd /tmp
# -newkey writes a brand-new 2048-bit RSA key to /tmp/commercial.key (overwriting the copy);
# -nodes leaves that key unencrypted (no passphrase)
openssl req -new -newkey rsa:2048 -nodes -keyout commercial.key -out yourserver.csr
# Follow the prompts; hit "Enter" when asked for a challenge password
2. Paste the CSR in the Gandi SSL Certificate Wizard
3. Copy the /tmp/commercial.key file someplace safe (it's different now than the original!)

GET READY FOR THE INSTALLATION:
1. Download the issued SSL certificate and Gandi's intermediate bundle from Gandi
2. Download the Comodo Root and Intermediary bundle from:
https://support.comodo.com/index.php?/c ... tion-sha-2

FILES INVENTORY:
commercial.key - Private key file from /tmp/commercial.key - after the CSR creation -
>>>> must be copied to /opt/zimbra/ssl/zimbra/commercial/commercial.key after moving aside the existing commercial.key file.
_.missioncriticalemail.com.crt - The SSL Wildcard certificate
GandiStandardSSLCA2.pem - Gandi's Intermediate CA
comodo-rsa-domain-validation-sha-2-w-root.ca-bundle - Comodo's Root and Intermediates

INSTALLATION:
1. Copy commercial.key as above, ensuring ownership and permissions match the old commercial.key file you set aside to make room for this one.
2. As the Zimbra user, create the files:

Code: Select all

touch /tmp/commercial.crt
touch /tmp/commercial_ca.crt
3. As the Zimbra user, copy the contents of _.missioncriticalemail.com.crt to the /tmp/commercial.crt file on each Zimbra server.

4. As the Zimbra user, populate the /tmp/commercial_ca.crt file:

Code: Select all

# Contents of GandiStandardSSLCA2.pem (two certificates, each already wrapped
# in its own BEGIN/END CERTIFICATE lines) go first:
-----BEGIN CERTIFICATE-----
...first Gandi intermediate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...second Gandi intermediate...
-----END CERTIFICATE-----
# Contents of comodo-rsa-domain-validation-sha-2-w-root.ca-bundle (three
# certificates, again each in its own BEGIN/END block) go after them:
-----BEGIN CERTIFICATE-----
...first Comodo certificate...
-----END CERTIFICATE-----
...and so on for the remaining two, root last
5. As the Zimbra user, verify:

Code: Select all

~/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt 

6. If all is good, As the Zimbra user, install:

Code: Select all

~/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
7. And then restart:

Code: Select all

zmcontrol restart
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
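The key, certificate and chain checks behind Mark's steps, as an added example that is not part of the post and not Zimbra's or Gandi's own tooling. It builds a throwaway two-level PKI (root, intermediate, wildcard leaf, all constructed test data standing in for the Comodo and Gandi certificates), then confirms that the private key belongs to the leaf, reorders a vendor bundle that arrived root-first into the leaf-issuer-first order zmcertmgr expects, and verifies the chain with only the root trusted. The $WORK paths are assumptions of the example; the zmcertmgr commands at the end are printed, not run.

```shell
#!/usr/bin/env bash
# Added example (not from the post): assemble commercial_ca.crt in the order
# zmcertmgr expects and sanity-check key, leaf and chain before deploying.
# The PKI built here is constructed test data, not real vendor certificates.
set -euo pipefail
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# The first certificate in the bundle must be the leaf's issuer (zmcertmgr's order).
# "openssl x509" only reads the first PEM block of a file, which is what we want here.
bundle_order_ok() { [ "$(subject_of "$2")" = "$(issuer_of "$1")" ]; }

# Verify leaf -> intermediates -> root with only $3 trusted; $2 may include the root.
chain_verifies() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# Split a multi-certificate PEM file into $2/cert1.pem, $2/cert2.pem, ...
split_pem() {
    awk -v dir="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/cert" n ".pem") }' "$1"
}

# order_chain <leaf.crt> <vendor bundle files...>  -> ordered chain on stdout.
# Walks issuer links starting from the leaf, so the output is leaf-issuer first
# and root last regardless of how the vendor bundles were ordered.
order_chain() {
    local leaf="$1"; shift
    local pool="$WORK/pool"; rm -rf "$pool"; mkdir -p "$pool"
    cat "$@" > "$pool/all.pem"
    split_pem "$pool/all.pem" "$pool"
    local want found c hops=0
    want="$(issuer_of "$leaf")"
    while [ "$hops" -lt 10 ]; do
        found=""
        for c in "$pool"/cert*.pem; do
            if [ "$(subject_of "$c")" = "$want" ]; then found="$c"; break; fi
        done
        if [ -z "$found" ]; then echo "no certificate with subject: $want" >&2; return 1; fi
        cat "$found"
        if [ "$(issuer_of "$found")" = "$want" ]; then return 0; fi   # self-signed root: done
        want="$(issuer_of "$found")"
        hops=$((hops + 1))
    done
    return 1
}

# Constructed root -> intermediate -> wildcard leaf, mirroring the Comodo root
# plus Gandi intermediate layout in the post. Hypothetical names throughout.
build_demo_pki() {
    local d="$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -subj '/CN=Demo Root CA' -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -subj '/CN=Demo Intermediate CA' -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    # Same command shape as the post's CSR step: -newkey writes a fresh private key.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/commercial.key" -subj '/CN=*.example.com' -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/commercial.crt" 2>/dev/null
    # A vendor-style bundle delivered root-first, i.e. the wrong way round for zmcertmgr.
    cat "$d/root.crt" "$d/inter.crt" > "$d/vendor-bundle.pem"
}

demo() {
    build_demo_pki
    local leaf="$WORK/commercial.crt" key="$WORK/commercial.key" root="$WORK/root.crt"
    key_matches_cert "$key" "$leaf"
    order_chain "$leaf" "$WORK/vendor-bundle.pem" > "$WORK/commercial_ca.crt"
    bundle_order_ok "$leaf" "$WORK/commercial_ca.crt"
    chain_verifies "$leaf" "$WORK/commercial_ca.crt" "$root"
    echo "key, certificate and chain are consistent; on the Zimbra server the next steps would be:"
    echo "  ~/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key $leaf $WORK/commercial_ca.crt"
    echo "  ~/bin/zmcertmgr deploycrt comm $leaf $WORK/commercial_ca.crt"
}
demo
```

Because the script runs under set -e, any failed check (key does not match, bundle out of order, chain does not verify back to the root) aborts before the zmcertmgr lines are printed, which is the behaviour you want from a pre-deploy gate. To use it on real material, replace build_demo_pki with the files from the post's inventory and pass both vendor bundles to order_chain.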
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Post by JDunphy »

Let's Encrypt now supports wildcard certificates with ACME v2 clients.

https://community.letsencrypt.org/t/acm ... live/55579

Code: Select all

# Issue one certificate covering the apex and the wildcard, validating via Cloudflare's DNS API
acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
The above example uses the automatic DNS method from cloudflare as a DNS provider.

As an aside: I am especially liking the automatic DNS alias mode these days which further mitigates access to only the _acme-challenge.example.com RR. This allows for a centralized opportunity to renew certs and push to the appropriate hosts after verification/validation. That is progress ... Now if we could get reloads vs restarts for certs, I would be much happier with Zimbra. :-)
L. Mark Stone
Ambassador

Re: HOWTO: Install a Gandi Wildcard SSL Certificate on Zimbra 8.8.8

Post by L. Mark Stone »

That's great news about the LetsEncrypt wildcard certificates, but the need to restart Zimbra every <90 days also factored into my decision to go with a 2-year commercial SSL certificate.

I'm also spoiled by how easy LetsEncrypt can be when the application stack supports it; my website is on a Bitnami Wordpress instance at Amazon Lightsail. It's a simple cron job to renew and deploy the SSL certificates and reload Apache without any intervention from me. Hopefully Zimbra can get there as well -- they've got two years before I have to renew my cert! :-)

All the best,
Mark