I have been working with Comodo (the commercial supplier of my SSL cert) to resolve this and I have gotten to the point where the cert installs. Now that the cert is installed, it "does not work" and thus I am here asking for help, if possible. I am running:
[zimbra@zim commercial]$ zmcontrol version
Release 8.0.6_GA_5922.RHEL6_64_20131203103705 RHEL6_64 FOSS edition.
First, I verify my commercial cert:
[root@zim commercial]# /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt
commercial.crt: OK
OpenSSL is happy, now how about Zimbra:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK
Great! Now that I know that both my cert and my CA bundle work and mesh with .key, I go on to deploy:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
So I know the cert installs correctly... and now I must restart Mailbox to apply the cert...
[root@zim commercial]# su zimbra
[zimbra@zim commercial]$ zmcontrol stop
Host zim.REDACTED.com
Stopping vmware-ha...Done.
Stopping zmconfigd...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
[zimbra@zim commercial]$ zmcontrol start
Host zim.REDACTED.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Now to make sure the certs are in place:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
notBefore=Feb 26 00:00:00 2014 GMT
notAfter=Feb 26 23:59:59 2015 GMT
subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
SubjectAltName= *.REDACTED.com, REDACTED.com
::service proxy::
notBefore=Feb 26 00:00:00 2014 GMT
notAfter=Feb 26 23:59:59 2015 GMT
subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
SubjectAltName= *.REDACTED.com, REDACTED.com
::service mailboxd::
notBefore=Feb 26 00:00:00 2014 GMT
notAfter=Feb 26 23:59:59 2015 GMT
subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
SubjectAltName= *.REDACTED.com, REDACTED.com
::service ldap::
notBefore=Feb 26 00:00:00 2014 GMT
notAfter=Feb 26 23:59:59 2015 GMT
subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA
SubjectAltName= *.REDACTED.com, REDACTED.com
Now to double-check my firewall rules:
[root@zim commercial]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- REDACTEDDNS anywhere
DROP tcp -- REDACTEDIP/24 anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- REDACTEDIP/24 anywhere tcp dpt:smtp state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:7071 state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- REDACTED/24 anywhere tcp dpt:ndmp state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ldaps state NEW,RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So, I am certain the SSL (443) is open and accepting connections--yet, when I try to use https://zim.REDACTED.com to connect, I get the typical web browser rejection: "Unable to connect. Firefox can't establish a connection to the server at zim.REDACTED.com."
Perhaps I am missing something basic? Any help will be greatly appreciated! Thank you!
SSL Cert Installs--but does not work. :-(
Ok, so it WAS something simple... like needing to turn on SSL...
[zimbra@zim log]$ zmtlsctl redirect
Setting ldap config zimbraMailMode redirect for zim.REDACTED.com...done.
Rewriting config files for cyrus-sasl, webxml and mailboxd...done.
After that, simply "zmcontrol stop" and "zmcontrol start" to activate the settings and you're all good. If you prefer "http:// OR https://" as a user choice, use "zmtlsctl both" instead of "redirect".
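The thread above checked the certificate (openssl verify, zmcertmgr verifycrt), the deployment (viewdeployedcrt) and the firewall (iptables), but never asked whether anything was actually speaking TLS on 443; "Unable to connect" from Firefox is a transport-level failure, not a certificate one, and the fix turned out to be zimbraMailMode via zmtlsctl. The script below is an added diagnostic example, not code from the thread or from Zimbra. It separates the cases a browser lumps together: connection refused (no listener, e.g. mail mode still http-only on that port), timeout (packets dropped, e.g. iptables), a listener that answers in plaintext rather than TLS, and a TLS handshake that completes or fails certificate verification. It uses only the Python standard library; the local listener it starts is a constructed test fixture standing in for a mailboxd that serves plain HTTP, and host, port and cafile are whatever you pass in.

```python
"""Triage an HTTPS endpoint that a browser reports as "Unable to connect".

Added example (not from the forum thread or Zimbra). It distinguishes the
failure modes that verifying the cert, deploying it and listing iptables
rules cannot tell apart.
"""
import socket
import ssl
import sys
import threading


def classify_https_endpoint(host, port, timeout=3.0, cafile=None):
    """Return one of: 'refused', 'timeout', 'unreachable', 'no-tls',
    'tls-error', 'tls-ok'.

    Step 1 is a plain TCP connect, so listener/firewall problems are
    reported before TLS is attempted. Step 2 runs a TLS handshake; with a
    cafile the chain and hostname are verified, without one the handshake
    alone is tested (enough to tell TLS from plaintext).
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"          # nothing listening on that port
    except (socket.timeout, TimeoutError):
        return "timeout"          # SYN dropped: firewall or routing
    except OSError:
        return "unreachable"      # DNS failure, no route, etc.

    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Handshake-only probe: do not verify the chain or the hostname.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.do_handshake()
            return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "tls-error"        # TLS works, but chain/hostname do not verify
    except (ssl.SSLError, OSError):
        # Wrong version number / EOF: the listener is not speaking TLS at all.
        return "no-tls"


def next_step(verdict):
    """Map a verdict to the thing worth checking next (as in the thread)."""
    return {
        "refused": "nothing listening: check zmtlsctl / zimbraMailMode and that "
                   "mailboxd and proxy started",
        "timeout": "packets dropped: check iptables / upstream firewall",
        "unreachable": "name resolution or routing problem",
        "no-tls": "listener answers in plaintext: service is in http mode",
        "tls-error": "TLS is up but the deployed chain or hostname is wrong",
        "tls-ok": "TLS endpoint works; look at the application layer",
    }[verdict]


def start_plain_listener():
    """Constructed fixture: a loopback TCP listener that answers a TLS
    ClientHello with plain HTTP, like a mailboxd still in 'http' mode.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(1024)   # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Constructed fixture: a loopback port with no listener on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python triage.py zim.REDACTED.com 443 [ca-bundle.crt]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    verdict = classify_https_endpoint(host, port, cafile=cafile)
    print(f"{host}:{port} -> {verdict}: {next_step(verdict)}")
```

Run it against the mail host with the CA bundle as the third argument to also confirm that the served chain verifies; without the bundle it only tells TLS from plaintext, which is the distinction the thread needed.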