{{Article Infobox|{{admin}}||{{ZCS 7.0}}|}}
== Introduction ==

Starting with ZCS 7.0 it is possible to secure more than one domain on a single ZCS installation, each domain with its own SSL certificate.

This document describes how to set up this feature in a split-DNS architecture, i.e. where the internal and the public DNS resolve the same hostnames to different addresses.

Nevertheless, be careful and test every configuration change before going into production.

== Overview ==

To implement this feature correctly, it is very important to understand the logic behind this new technique:

[[File:multidomainSSLfeature-splitDNS.jpg|700px|thumb|left|alt text]]

== Prerequisites ==

* For each addon domain you will need a separate public IP address, because every domain is served on its own IP (see steps C to G below).
* For each addon domain you must have a valid SSL certificate, its intermediate/root CA chain and the matching private key.

== (A): Preparing the Proxy ==

* In the base installation script of ZCS, select the proxy services for installation.

* Then log in as ''zimbra'' and enable the proxy (mail and web proxy, web mode redirect, i.e. plain HTTP is redirected to HTTPS):

 $ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
 $ zmproxyctl restart

* Set the proxy mode for the base domain on the '''proxy server''':

 $ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect

* Set the mode on the '''mailbox server''' for the internal communication with the proxy server (this must be http):

 $ zmtlsctl http

With this setting the proxy terminates SSL and talks plain HTTP to the mailbox server. Make sure that clients can only reach the mailbox server through the proxy and that the mailbox server's HTTP port is never exposed to the Internet (see step G).

* Check the result:

 $ zmprov gs `zmhostname` | grep -i mode

* Restart the proxy:

 $ zmproxyctl restart

== (B): Certificate installation ==

* The certificates have to be installed from the ''root'' console.

First check for, or create, the following folder:

 # mkdir /opt/zimbra/conf/domaincerts
 # cd /opt/zimbra/conf/domaincerts

For ''each domain'' put the private key and the certificate bundle into this folder:

 basedomain.com.key    (your private key)
 basedomain.com.crt    (commercial certificate + intermediates + root CA, in that order)
 addondomain1.com.key
 addondomain1.com.crt
 addondomain2.com.key
 addondomain2.com.crt
 ..

The order of the certificates inside the .crt file matters: the server certificate must come first, followed by the intermediate certificates and finally the root CA. A wrong order can prevent the proxy from starting up; see bug 57271 (http://bugzilla.zimbra.com/show_bug.cgi?id=57271). The .key files are the domains' private keys, so keep their permissions restrictive (readable by root and zimbra only).

Then run the following commands:

* Check that the key matches the certificate and that the chain is valid (for each domain):

 # /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt

* Deploy the certificates:

 # /opt/zimbra/libexec/zmdomaincertmgr deploycrts

* Save the certificates (repeat for every domain):

 # /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key

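Before a bundle is copied into the domaincerts folder, it is worth checking the two things that most often stop the proxy from starting: the certificate order inside the .crt file and a key that does not belong to the certificate. The following POSIX shell script is an added example written for this page; it is not part of the HOWTO and not a Zimbra tool, it only needs awk and the openssl command line tool, and the file names in its usage line are assumptions.

```shell
#!/bin/sh
# Added example for this page; not part of the HOWTO and not a Zimbra tool.
# Checks a per-domain certificate bundle before it is copied to
# /opt/zimbra/conf/domaincerts:
#   check_chain_order BUNDLE.crt          certificate i must be issued by certificate i+1
#   check_key_matches KEY.key BUNDLE.crt  the private key must belong to the first certificate
# Needs only a POSIX shell, awk and the openssl command line tool.

# Print the issuer or subject DN of one PEM certificate in RFC 2253 form,
# without the "issuer="/"subject=" prefix, so the two can be compared as strings.
_dn() {                          # _dn issuer|subject FILE
    openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Split a PEM bundle into DIR/cert1.pem, DIR/cert2.pem, ... and print the count.
_split_bundle() {                # _split_bundle BUNDLE DIR
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0                         { print > (dir "/cert" n ".pem") }
        END                           { print n + 0 }' "$1"
}

# Return 0 if the bundle is ordered server cert -> intermediate(s) -> root, i.e.
# the issuer of certificate i is the subject of certificate i+1 for every pair.
# The last certificate (the root) is self-issued and is not compared to anything.
check_chain_order() {            # check_chain_order BUNDLE
    dir=$(mktemp -d) || return 2
    count=$(_split_bundle "$1" "$dir")
    if [ "$count" -lt 1 ]; then
        echo "$1: no certificate found" >&2
        rm -rf "$dir"
        return 2
    fi
    rc=0
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(_dn issuer "$dir/cert$i.pem")
        subject=$(_dn subject "$dir/cert$next.pem")
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is issued by '$issuer' but certificate $next is '$subject'" >&2
            rc=1
        fi
        i=$next
    done
    rm -rf "$dir"
    return $rc
}

# Return 0 if the RSA private key belongs to the first certificate in the
# bundle (openssl x509 reads only the first one).  Compares the public moduli,
# the key/certificate check that zmcertmgr verifycrt is there for.
check_key_matches() {            # check_key_matches KEY BUNDLE
    keymod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    certmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ "$keymod" = "$certmod" ]
}

# Stand-alone usage (file names are assumptions): sh checkbundle.sh basedomain.com.key basedomain.com.crt
if [ "$#" -eq 2 ]; then
    check_key_matches "$1" "$2" && check_chain_order "$2" \
        && echo "$2: key matches and chain order is correct"
fi
```

Run it as root in the domaincerts folder for every domain before zmcertmgr verifycrt; a non-zero exit status names the certificate pair that is out of order, which is exactly the situation bug 57271 describes.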
== (C): Virtual IP on proxy ==

* Configure a virtual hostname and a virtual IP address for every domain, including the base domain.

''Please note: the virtual IPs of the addon domains have to be real IPs in your internal network, so that your internal DNS can resolve the virtual hostnames to them and the proxy can listen on them.''

 $ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress 192.168.100.201
 $ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress 192.168.100.211
 $ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress 192.168.100.212

== (D): DNS-Records - Internal Net ==

* Configure A records in your ''local'' DNS server (the record for the base domain, pointing at the IP of your local ZCS, should already exist):

 server.basedomain.com.    IN A 192.168.100.201
 server.addondomain1.com.  IN A 192.168.100.211
 server.addondomain2.com.  IN A 192.168.100.212

== (E): Alias IPs on mailboxserver ==

* On Ubuntu systems edit the interface configuration:

 # vi /etc/network/interfaces

* Append one alias interface per addon domain, for example:

 auto eth0:1
 iface eth0:1 inet static
     name Ethernet alias1 LAN card
     address 192.168.100.211
     netmask 255.255.255.0
     broadcast 192.168.100.255
     network 192.168.100.0
 
 auto eth0:2
 iface eth0:2 inet static
     name Ethernet alias2 LAN card
     address 192.168.100.212
     netmask 255.255.255.0
     broadcast 192.168.100.255
     network 192.168.100.0

* Restart networking (this briefly interrupts all connections to the server, so do it in a maintenance window):

 # /etc/init.d/networking restart

== (F): DNS-Records - External Internet ==

* Configure A records in your ''public'' DNS (at your provider):

 server.basedomain.com.    IN A x.x.x.x
 server.addondomain1.com.  IN A y.y.y.y
 server.addondomain2.com.  IN A z.z.z.z

x.x.x.x is the existing public IP of your ZCS; y.y.y.y and z.z.z.z are the separate public IPs required for each addon domain.

== (G): Firewalling ==

At this point you need a separate NAT/port-forwarding rule for each public IP, mapping it to the matching internal virtual IP:

* server.basedomain.com (x.x.x.x) to 192.168.100.201
* server.addondomain1.com (y.y.y.y) to 192.168.100.211
* server.addondomain2.com (z.z.z.z) to 192.168.100.212

Forward only the ports the proxy serves (typically 443, 993 and 995 for HTTPS, IMAPS and POP3S, plus 80 so that the redirect mode configured in step A can send plain HTTP clients to HTTPS). The mailbox server's internal ports, in particular the plain HTTP port the proxy uses, must not be reachable from the Internet.

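Steps (C), (D) and (E) have to agree with one another: every zimbraVirtualIPAddress must be an address the server actually has, and every zimbraVirtualHostName must resolve to exactly that address in the internal DNS. The following POSIX shell script is an added example written for this page, not part of the HOWTO and not a Zimbra tool. It takes the output of `zmprov gd <domain> zimbraVirtualHostName zimbraVirtualIPAddress` for all domains, a BIND-style zone file and /etc/network/interfaces, and reports every mismatch. The file names and the zmprov output format it assumes (a `# name <domain>` header followed by `attribute: value` lines) are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this page; not part of the HOWTO and not a Zimbra tool.
# Cross-checks the three places where a virtual host is configured:
#   (C) zimbraVirtualHostName / zimbraVirtualIPAddress on the domain
#   (D) the A record in the internal DNS zone
#   (E) the alias address on the server's network interface
# Usage: check_vhosts ZMPROV_DUMP ZONEFILE INTERFACES
#   ZMPROV_DUMP: concatenated output of
#                zmprov gd <domain> zimbraVirtualHostName zimbraVirtualIPAddress
#                for every domain (assumed format: a "# name <domain>" header
#                followed by "attribute: value" lines)
#   ZONEFILE:    BIND-style zone file with "host. IN A ip" records
#   INTERFACES:  /etc/network/interfaces in Debian/Ubuntu syntax

# Print "hostname ip" pairs: within one domain block the n-th
# zimbraVirtualHostName is paired with the n-th zimbraVirtualIPAddress.
vhost_pairs() {                  # vhost_pairs ZMPROV_DUMP
    awk '
        function flush(   k) {
            for (k = 1; k <= h; k++) print host[k], ip[k]
            h = 0; i = 0
            split("", host); split("", ip)
        }
        /^# name /                 { flush() }
        /^zimbraVirtualHostName:/  { host[++h] = $2 }
        /^zimbraVirtualIPAddress:/ { ip[++i] = $2 }
        END                        { flush() }' "$1"
}

# Escape the dots of a hostname or IP so it can be used literally in grep -E.
_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Return 0 if every pair has a matching A record and a configured alias
# address; report each inconsistency on stderr and return 1 otherwise.
check_vhosts() {                 # check_vhosts ZMPROV_DUMP ZONEFILE INTERFACES
    rc=0
    pairs=$(vhost_pairs "$1")
    while read -r host ip; do
        [ -n "$host" ] || continue
        hre=$(_re "$host"); ire=$(_re "$ip")
        # (D) the virtual hostname must resolve to the virtual IP internally
        if ! grep -Eq "^$hre\.?[[:space:]]+(IN[[:space:]]+)?A[[:space:]]+$ire([[:space:]]|$)" "$2"; then
            echo "DNS: no 'A $ip' record for $host in $2" >&2
            rc=1
        fi
        # (E) the virtual IP must be configured as an address on an interface
        if ! grep -Eq "^[[:space:]]*address[[:space:]]+$ire([[:space:]]|$)" "$3"; then
            echo "interfaces: $ip for $host is not configured in $3" >&2
            rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

# Stand-alone usage (file names are assumptions):
#   sh checkvhosts.sh zmprov.txt db.internal /etc/network/interfaces
if [ "$#" -eq 3 ]; then
    check_vhosts "$1" "$2" "$3" && echo "all virtual hosts are consistent"
fi
```

The script only compares configuration files, so it can be run before the network restart in step (E) and before any NAT rule of step (G) is touched; every line it prints on stderr is one of the three places that has to be corrected.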
== To Think About... ==

Implementing this new multi-SSL feature is not a trivial walk.

As you can see, every additional addon domain adds another public IP, virtual IP, interface alias, pair of DNS records, NAT rule and certificate, so the system gets more and more complex to administer.

As an alternative to this HOWTO you might use a single multi-domain certificate (a SAN/UCC certificate that lists all hostnames), as offered by GoDaddy for example, which avoids the separate IP per domain entirely.

{{Article Footer|ZCS 7.1.0|11/18/2011}}

[[Category:Configuration]]