Difference between revisions of "Multi Domain SSL Certs - HOWTO"

(HOWTO - Multi domain SSL in split-DNS)
(Redirected page to SSL certificates per domain)
{{Article Infobox|{{admin}}||{{ZCS 7.0}}|}}
#REDIRECT [[SSL_certificates_per_domain]]
== Introduction ==
Starting with ZCS 7.0 you can secure more than one domain, each with its own SSL certificate.
This document explains how to set up that feature in a split-DNS architecture.
As always, be careful and test the configuration before putting it into production.
== Overview ==
To implement this feature correctly it is important to understand how the new mechanism works:
[[File:multidomainSSLfeature-splitDNS.jpg|700px|thumb|left|alt text]]
== Prerequisites ==
* Each addon domain needs its own separate public IP address.
* Each addon domain needs a valid SSL certificate.
== (A): Preparing Proxy ==
* When running the ZCS installation script, select the proxy service for installation.
* Then log in as ''zimbra'' and enable the proxy:
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
$ zmproxyctl restart
* Set the proxy mode for the base domain on the '''proxy server''':
$ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect
* On the '''mailbox server''', set the mode used for internal communication with the proxy server (must be http!):
$ zmtlsctl http
* Verify the setting:
$ zmprov gs `zmhostname` | grep -i mode
* Restart the proxy:
$ zmproxyctl restart
== (B): Certinstallation ==
* Certificates must be installed from the ''root'' console.
First check for, or create, the following directory:
# mkdir /opt/zimbra/conf/domaincerts
# cd /opt/zimbra/conf/domaincerts
For ''each domain'' put the key and certificate files into this directory ...
# basedomain.com.key    (your private key)
# basedomain.com.crt    (commercial certificate + intermediates + root CA)  [the order of the certificates inside this file matters: a wrong order can keep the proxy from starting, so be careful; see also bug 57271 http://bugzilla.zimbra.com/show_bug.cgi?id=57271 ]
# addondomain1.com.key
# addondomain2.com.key
# ..
... and then run the following commands:
* Verify the key and certificate:
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt
* Deploy the certificates:
# /opt/zimbra/libexec/zmdomaincertmgr deploycrts
* Save the certificates:
# /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key
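Two things in this section are easy to get wrong and only show up when the proxy refuses to start: the order of the certificates inside the .crt bundle (bug 57271 above) and a server certificate that does not actually cover the virtual hostname configured for the domain in section (C). The script below is an added example, not part of this wiki page or of ZCS, and assumes only the openssl command-line tool. The function name check_chain_order, the demo CA names and the file names written by make_demo_chain are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of ZCS: sanity-check a
# concatenated certificate file (server cert + intermediates + root CA, as the
# HOWTO requires) before handing it to zmdomaincertmgr. Needs only the openssl CLI.

# check_chain_order CHAIN KEY [HOSTNAME]
#   - every certificate in CHAIN must be issued by the one that follows it
#   - KEY must be the private key of the first (server) certificate
#   - if HOSTNAME is given, the server certificate must cover that name
# Returns 0 when all checks pass, 1 otherwise (the reason is printed).
check_chain_order() {
    chain="$1"; key="$2"; host="$3"
    tmp=$(mktemp -d) || return 1
    # split the bundle into one file per certificate: cert01.pem, cert02.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n { print > f }' "$chain"
    count=$(ls "$tmp"/cert*.pem 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $chain"; rm -rf "$tmp"; return 1
    fi
    rc=0
    # 1. the private key must belong to the first certificate in the file
    cert_pub=$(openssl x509 -in "$tmp/cert01.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key $key does not match the first certificate in $chain"
        rc=1
    fi
    # 2. each certificate's issuer must be the subject of the next one
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        cur=$(printf '%s/cert%02d.pem' "$tmp" "$i")
        nxt=$(printf '%s/cert%02d.pem' "$tmp" $((i + 1)))
        iss=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^subject= *//')
        if [ "$iss" != "$sub" ]; then
            echo "certificate $i is issued by '$iss' but certificate $((i + 1)) is '$sub': wrong order"
            rc=1
        fi
        i=$((i + 1))
    done
    # 3. optionally, the server certificate must cover the virtual hostname
    if [ "$rc" -eq 0 ] && [ -n "$host" ]; then
        if ! openssl x509 -in "$tmp/cert01.pem" -noout -checkhost "$host" | grep -q "does match"; then
            echo "first certificate in $chain does not cover hostname $host"
            rc=1
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Build a constructed, throwaway chain (root CA -> intermediate -> server cert)
# in DIR so the check can be tried without real certificates. Writes good.crt
# in the order the HOWTO requires and bad.crt in the reverse (broken) order.
make_demo_chain() {
    dir="$1"
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
          -keyout root.key -out root.crt 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
          -keyout inter.key -out inter.csr 2>/dev/null &&
      openssl x509 -req -days 1 -in inter.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -out inter.crt 2>/dev/null &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=server.basedomain.com" \
          -keyout leaf.key -out leaf.csr 2>/dev/null &&
      openssl x509 -req -days 1 -in leaf.csr -CA inter.crt -CAkey inter.key \
          -CAcreateserial -out leaf.crt 2>/dev/null &&
      cat leaf.crt inter.crt root.crt > good.crt &&
      cat root.crt inter.crt leaf.crt > bad.crt )
}

# Stand-alone use from /opt/zimbra/conf/domaincerts, for example:
#   sh check_chain.sh basedomain.com.crt basedomain.com.key server.basedomain.com
if [ $# -ge 2 ]; then
    check_chain_order "$1" "$2" "$3" && echo "$1 looks usable"
fi
```

The issuer/subject comparison catches exactly the mistake bug 57271 is about (root or intermediate placed before the server certificate), the key comparison catches a .key/.crt pair copied from the wrong domain, and the hostname check confirms that the certificate will match the zimbraVirtualHostName the proxy selects it by.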
== (C): Virtual IP on proxy ==
* Configure a virtual hostname and a virtual IP address for every addon domain.
''Please note: the virtual IPs of the addon domains must be real IP addresses in your internal network, so that DNS can resolve them!''
$ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress
$ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress
$ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress
== (D): DNS-Records - Internal Net ==
* Configure A records in your ''local'' DNS server:
server.basedomain.com.    IN  A  (-> the IP of your local ZCS; this record should already exist)
server.addondomain1.com.  IN  A
server.addondomain2.com.  IN  A
== (E): Alias IPs on mailboxserver ==
* On Ubuntu systems, edit the network interfaces file:
# vi /etc/network/interfaces
* Append the following configuration, for example:
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card
auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
* Restart networking:
# /etc/init.d/networking restart
== (F): DNS-Records - External Internet ==
* Configure A records in your ''public'' DNS server at your provider:
server.basedomain.com.    IN  A  x.x.x.x  (-> public IP of your ZCS)
server.addondomain1.com.  IN  A  y.y.y.y  (a separate public IP!)
server.addondomain2.com.  IN  A  z.z.z.z
== (G): Firewalling ==
At this point you need separate NAT/forwarding rules, one per public IP:
* server.basedomain.com   (x.x.x.x)  to
* server.addondomain1.com (y.y.y.y)  to
* server.addondomain2.com (z.z.z.z)  to
== To Think About... ==
Implementing this multi-SSL feature is not a trivial exercise.
As you can see, every additional addon domain makes the system more complex to administer.
As an alternative to this HOWTO you might consider a single "multi-domain" certificate, as offered for example by GoDaddy ...

Latest revision as of 16:26, 1 April 2015
