SSL Certificate Differs When Accessed Externally and Internally.

RafaelLSilva
Posts: 4
Joined: Wed Oct 05, 2022 1:08 am

SSL Certificate Differs When Accessed Externally and Internally.

Post by RafaelLSilva »

We had SSL certificates working properly until they expired. After that I installed the new Wildcard certificate, tested it and it seemed to be working fine.

To my surprise today when checking from outside the Network, I realized Zimbra is still using the old certificate.

I'm using Zimbra 8.8.15 and have already successfully upgraded to the latest patch P33, but the problem still persists even after redeploying the new certificates on the newly updated Zimbra.

I looked somewhat extensively for anybody else with these problems, I found 2 other threads but they were from 2010 and 2017 and OPs pretty much just upgraded their Zimbras to fix it.

Is there anything I can try? Thanks in advance!
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by Klug »

How did you install the new certificate?
RafaelLSilva
Posts: 4
Joined: Wed Oct 05, 2022 1:08 am

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by RafaelLSilva »

Klug wrote: How did you install the new certificate?
Hi Klug, thank you for your response.

I installed it via command line, I copied the CSR (private key) to /opt/zimbra/ssl/zimbra/commercial/commercial.key and the new Wildcard certificate in /tmp/commercial.crt together with the certificate chain authority in /tmp/commercial_ca.crt.

After that I checked the certificates with:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
And then deployed them with:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Everything went fine as expected, no problems or errors of any kind. But the problem persists, the new certs work fine in the internal network but when accessing from the internet, the old certificate still shows.

Here is the output of viewdeployedcrt.

zmcertmgr viewdeployedcrt all
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
milauria
Advanced member
Posts: 96
Joined: Mon Aug 15, 2016 12:32 pm

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by milauria »

It might be that you need to reload the nginx proxy that runs in front of zimbra so that the new certificates get “published”…
RafaelLSilva
Posts: 4
Joined: Wed Oct 05, 2022 1:08 am

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by RafaelLSilva »

milauria wrote: It might be that you need to reload the nginx proxy that runs in front of zimbra so that the new certificates get “published”…
Hey milauria, thanks for your response.

This is a single node server. I have already restarted the server itself and also zimbra services with zmcontrol restart.

Is there any specific command I should use to purge and restart Zimbra Nginx besides the one above?

Sorry I've been away from Zimbra for a very long time so I'm not very savvy at it. Thanks again for the help.
Klug
Ambassador
Posts: 2747
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by Klug »

So you replaced what I call the "internal" Zimbra certificate, used by all modules.
It's also the default one for accessing the web interface.

However, one can add additional certs for the web interface: domain related certs.
They depend on the domain and the FQDN used to access the web interface (zimbraVirtualHostName and zimbraVirtualIPAddress).
If the FQDN used to access the server is different inside and outside, it might be this.

If there's a certificate defined for a domain, you can see it in the webadmin UI.
The CLI commands are explained here: https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS
RafaelLSilva
Posts: 4
Joined: Wed Oct 05, 2022 1:08 am

Re: SSL Certificate Differs When Accessed Externally and Internally.

Post by RafaelLSilva »

Hey guys, I managed to fix the issue and it was not Zimbra related.

It turns out there was an IPS rule in our Fortigate Firewall with the old wildcard certificate still configured, once we updated it everything worked fine.

Really sorry to waste your time, and thank you very much for the answers!
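
Added example, not part of the thread and not Zimbra or Fortinet code: a check that would have localized this fault, comparing the SHA-256 fingerprint of the deployed proxy certificate with the certificate actually presented on the wire from each vantage point (inside and outside the network). A mismatch from one side only means something on that path (a firewall or IPS doing TLS inspection, a reverse proxy, or a per-domain certificate selected by SNI) is answering instead of the deployed default. Assumptions: the function names, the host name `mail.example.invalid` and the sample bytes are constructed for illustration, and the deployed file is assumed to hold the leaf certificate first, followed by its chain.

```python
import base64, hashlib, re, socket, ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def sha256_hex(der):
    return hashlib.sha256(der).hexdigest()

def leaf_der(pem_text):
    """DER bytes of the first certificate in a PEM file (the leaf; chain
    certificates appended after it are ignored)."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def served_der(host, port=443, timeout=5.0):
    """DER bytes of the certificate presented for `host` (sent as SNI).
    Validation is off so an expired certificate can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(deployed_pem, served):
    """Map each vantage point to 'match' or 'MISMATCH' against the deployed leaf."""
    want = sha256_hex(leaf_der(deployed_pem))
    return {where: "match" if sha256_hex(der) == want else "MISMATCH"
            for where, der in served.items()}

def _pem(der):  # helper for the constructed sample below
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed sample: placeholder bytes stand in for real DER certificates.
NEW_CERT, OLD_CERT, CHAIN_CA = b"new-wildcard", b"old-wildcard", b"intermediate"
DEPLOYED = _pem(NEW_CERT) + _pem(CHAIN_CA)  # leaf + chain, as assumed above
SAMPLE = {"internal": NEW_CERT, "external": OLD_CERT}

if __name__ == "__main__":
    print(compare(DEPLOYED, SAMPLE))
    # Live use, once from inside the network and once from outside:
    # compare(open("/opt/zimbra/conf/nginx.crt").read(),
    #         {"here": served_der("mail.example.invalid")})
```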