We had SSL certificates working properly until they expired. After that I installed the new Wildcard certificate, tested it and it seemed to be working fine.
To my surprise today when checking from outside the Network, I realized Zimbra is still using the old certificate.
I'm using Zimbra 8.8.15 and have already successfully upgraded to the latest patch P33, but the problem still persists even after redeploying the new certificates on the newly updated Zimbra.
I looked somewhat extensively for anybody else with these problems, I found 2 other threads but they were from 2010 and 2017 and OPs pretty much just upgraded their Zimbras to fix it.
Is there anything I can try? Thanks in advance!
SSL Certificate Differs When Accessed Externally and Internally.
Re: SSL Certificate Differs When Accessed Externally and Internally.
How did you install the new certificate?
Re: SSL Certificate Differs When Accessed Externally and Internally.
Klug wrote: How did you install the new certificate?
Hi Klug, thank you for your response.
I installed it via command line, I copied the CSR (private key) to /opt/zimbra/ssl/zimbra/commercial/commercial.key and the new Wildcard certificate in /tmp/commercial.crt together with the certificate chain authority in /tmp/commercial_ca.crt.
After that I checked the certificates with:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Here is the output of viewdeployedcrt.
zmcertmgr viewdeployedcrt all
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Sep 27 16:53:13 2022 GMT
notAfter=Oct 29 16:53:12 2023 GMT
subject=CN = *.domain.com.br
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
SubjectAltName=*.domain.com.br, domain.com.br
Re: SSL Certificate Differs When Accessed Externally and Internally.
It might be that you need to reload the nginx proxy that runs in front of zimbra so that the new certificates get “published”…
Re: SSL Certificate Differs When Accessed Externally and Internally.
milauria wrote: It might be that you need to reload the nginx proxy that runs in front of zimbra so that the new certificates get “published”…
Hey milauria, thanks for your response.
This is a single node server. I have already restarted the server itself and also zimbra services with zmcontrol restart.
Is there any specific command I should use to purge and restart Zimbra Nginx besides the one above?
Sorry, I've been away from Zimbra for a very long time so I'm not very savvy at it. Thanks again for the help.
Re: SSL Certificate Differs When Accessed Externally and Internally.
So you replaced what I call the "internal" Zimbra certificate, used by all modules.
It's also the default one for accessing the web interface.
However, one can add additional certs for the web interface: domain related certs.
They depend on the domain and the FQDN used to access the web interface (zimbraVirtualHostName and zimbraVirtualIPAddress).
If the FQDN used to access the server is different inside and outside, it might be this.
If there's a certificate defined for a domain, you can see it in the webadmin UI.
The CLI commands are explained here: https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS
Re: SSL Certificate Differs When Accessed Externally and Internally.
Hey guys, I managed to fix the issue and it was not Zimbra related.
It turns out there was an IPS rule in our Fortigate Firewall with the old wildcard certificate still configured; once we updated it, everything worked fine.
Really sorry to waste your time, and thank you very much for the answers!
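The cause in this thread was a device in the network path presenting its own copy of the certificate. As an added example (not posted by anyone in the thread), this Python script compares the SHA-256 fingerprint of the deployed file, such as /opt/zimbra/conf/nginx.crt, with the certificate a client is actually served; run it once from inside and once from outside the network. The function names are hypothetical, and the offline demo uses constructed bytes rather than real certificates.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a PEM file.
    Deployed files often append the CA chain; those blocks are ignored."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no certificate found in PEM text")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(blocks[0])).hexdigest()


def served_leaf_der(host, port=443, timeout=5.0):
    """Return the leaf certificate presented on the wire as DER bytes.
    Validation is off so an expired certificate can still be read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(deployed_pem, observed):
    """observed maps a vantage-point label to the DER bytes seen from there.
    False for a label means something on that path serves a different cert."""
    expected = leaf_fingerprint(deployed_pem)
    return {label: hashlib.sha256(der).hexdigest() == expected
            for label, der in observed.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <fqdn> <deployed PEM path>
        host, pem_path = sys.argv[1], sys.argv[2]
        with open(pem_path) as fh:
            print(compare(fh.read(), {host: served_leaf_der(host)}))
    else:  # offline demo on constructed bytes, not real certificates
        new, old = b"constructed-new-cert", b"constructed-old-cert"
        pem = ssl.DER_cert_to_PEM_cert(new)
        print(compare(pem, {"internal": new, "external": old}))
```

A match from inside and a mismatch from outside means the server's deployed certificate is correct and the difference is introduced somewhere between the external client and the server.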