SSL certificate for a specific (virtual) domain?

ypong
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:03 am

SSL certificate for a specific (virtual) domain?

Post by ypong »

I am testing ZCS 7.2.1 (64bit on ubuntu 10.04) with multiple virtual domain support, let's say domainA.com and domainB.com. I've been able to install certs for the default domain (domainA.com) via the WebGUI / certificates tab.
However, when I try to do the same for the second domain, (domainB.com; these are with commercial certificates, BTW), I always get an error about CA/Private key not being correct in the webgui.
Through the CLI, I can verify and indeed overwrite my default domain's certs with the 2nd set of CA/Key/Cert files, so I know these files are correct.
1) concatenate the CAs into /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
2) temporarily copy the key file into /opt/zimbra/ssl/zimbra/commercial/commercial.key
3) as root, /opt/zimbra/bin/zmcertmgr deploycrt comm ServerCertificate.cer /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

** Verifying ServerCertificate.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (ServerCertificate.cer) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ServerCertificate.cer: OK

** Copying ServerCertificate.cer to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Appending ca chain /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

cp: `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file

** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.

** NOTE: mailboxd must be restarted in order to use the imported certificate.

** Saving server config key zimbraSSLCertificate...done.

** Saving server config key zimbraSSLPrivateKey...done.

** Installing mta certificate and key...done.

** Installing slapd certificate and key...done.

** Installing proxy certificate and key...done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.

** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.

** Installing CA to /opt/zimbra/conf/ca...done.
4) as zimbra, zmcontrol restart
so after restart, when I go to the webmin or to any of the mailstores, I now get the certificate for domainB.com.
However, this just overwrites the default domain certs. I obviously want to get domainA.com certs when I go to e.g. mail.domainA.com or smtp.domainB.com, and domainB.com's certs, when I go to e.g. mail.domainB.com or smtp.domainB.com.
Anybody got any ideas, either why:
1) the WebGUI rejects certs when at CLI they are accepted? I did the same with the second domain as I did with the first, i.e. added the server cert, appended the CA cert to the server cert entry (making sure the ===end=== and ===begin=== were on separate lines) and added the private key to the key entry.
2) how to install via CLI to a second virtual domain, rather than the default?
Thanks in advance!
1542brian
Zimbra Alumni
Posts: 619
Joined: Fri Sep 12, 2014 10:13 pm

SSL certificate for a specific (virtual) domain?

Post by 1542brian »

zmcertmgr is only used to install the server specific certificates. These are used for SSL communication between ZCS processes as well as public services if other certs are not supplied. Only one set of certificates are allowed per server/global.
Domain based certificates are deployed with /opt/zimbra/libexec/zmdomaincertmgr or via the Admin Console Domain->certificate tab. You must have a zimbra reverse proxy deployed and zimbraVirtualHostname defined on each domain you want to use specific certificates for.
See Bug 8128 for more details.
ypong
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:03 am

SSL certificate for a specific (virtual) domain?

Post by ypong »

Thanks Brian.

Yes, I do have proxy installed (my architecture is currently two proxy+ldap+mta, and two mailstores)

Apart from the default domain, I've created two other virtual domains, tied to two different LDAP backends, for testing the virtual domain logins.

I've also configured some virtual hosts for each domain, e.g. domainA.com has virtual hosts smtp.domainA.com and mail.domainA.com, so that if a user logs in to webmail at mail.domainA.com, that user doesn't need to add user@domainA.com in their login name.
I was reading up on Multiple SSL Virtual Hosts 6.0 - Zimbra :: Wiki before you replied, and noted that it seems I will need to run the proxies on different IP addresses in order to cater for different SSL certs for the different domains. And reading bug 8128, that seems to confirm this too?
I don't have an issue in having to hack the nginx files, but I just want to confirm that this is the case before I proceed; I know that in virtual webhosting, SSL connections can be tricky, but my web team tells me that Apache's modssl now can handle multiple SSL enabled virtual hosts on the same IP, and one of the guys seems to think that nginx should also be able to do this.
ypong
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:03 am

SSL certificate for a specific (virtual) domain?

Post by ypong »

Wait one... I have actually tried using the Admin Console Domain->certificate tab;

i) in Domain Certificate field: cut-n-paste server cert, append domain cert

ii) in Domain Private key field: cut-n-paste server key

iii) Save

But I have always got the error: Verify Domain Certificate and Private key error

(1) make sure CA certificate is appended to the bottom of certificates

(2) make sure private key is password-less
So, since I had successfully used the commercial_ca.crt file in my first post, I decided to try:

i) in Domain Certificate field: cut-n-paste server cert, append the entire commercial_ca.crt file that I had used successfully before (includes all the CAs for all virtual domains, not just the one for this domain)

ii) in Domain Private key field: cut-n-paste server key

iii) Save

And this actually didn't give me an error message.
Not sure what will happen, let me restart all the servers to find out...
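A small linter for the two conditions the Admin Console error above lists (CA chain appended after the server certificate, password-less private key) plus the glued BEGIN/END markers mentioned in the first post. This is an added example, not Zimbra's own code; the PEM bodies in it are constructed placeholders, and it does not check that the key actually matches the certificate.

```python
import re

# One well-formed PEM block: header, body, matching footer on its own line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def lint_domain_cert_bundle(cert_text, key_text):
    """Check what would be pasted into the Domain Certificate and Domain
    Private Key fields. Returns a list of problems; empty means it looks OK."""
    problems = []
    # Cut-and-paste defect: footer of one cert glued to the header of the next.
    for line in cert_text.splitlines():
        if line.count("-----BEGIN") + line.count("-----END") > 1:
            problems.append("BEGIN/END markers must be on separate lines: " + line[:60])
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    headers = cert_text.count("-----BEGIN CERTIFICATE-----")
    if headers != len(certs):
        problems.append(f"{headers} CERTIFICATE headers but {len(certs)} well-formed blocks")
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif len(certs) < 2:
        problems.append("CA chain not appended after the server certificate")
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no PRIVATE KEY block found")
    else:
        label, body = keys[0]
        # PKCS#8 encrypted keys change the label; legacy PEM adds a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-protected; decrypt it first")
    return problems

# Constructed placeholder PEM material for demonstration (not real keys or certs).
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nMIIBserver\n-----END CERTIFICATE-----\n"
CA_CERT = "-----BEGIN CERTIFICATE-----\nMIIBca\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkey\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-128-CBC,00\n\nMIIEkey\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for cert, key in [(SERVER_CERT + CA_CERT, PLAIN_KEY), (SERVER_CERT, PLAIN_KEY),
                      (SERVER_CERT.rstrip("\n") + CA_CERT, ENC_KEY)]:
        print(lint_domain_cert_bundle(cert, key) or "OK")
```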
ypong
Advanced member
Posts: 66
Joined: Sat Sep 13, 2014 12:03 am

SSL certificate for a specific (virtual) domain?

Post by ypong »

oops, now I get the error:

...

Starting imapproxy...Failed.

Starting nginx...nginx: [emerg] SSL_CTX_use_certificate_chain_file("/opt/zimbra/conf/domaincerts/sca-design.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib)

failed.

...

And I found the following hits when googling on "/opt/zimbra/conf/domaincerts":

1) SSL certificates per domain - Zimbra :: Wiki

2) How to apply SSL certificate to Zimbra-nginx multi-server v.7.1.1 - Powered by Kayako Fusion Help Desk Software

3) OSHIM's Blog: How to apply SSL certificate to Zimbra-nginx multi-server v.7.1.1

4) http://www.zimbra.com/docs/os/latest/ad ... ingle=true

Which all seem to basically say the same thing, multiple IPs required. So I guess I will need to use multiple IPs.