Multi Domain SSL Certs - HOWTO

(Redirected page to SSL certificates per domain)

{{Article Infobox|{{admin}}||{{ZCS 7.0}}|}}
== Introduction ==
 
ZCS 7.0 adds the ability to secure more than one domain, each with its own SSL certificate.
This document explains how to set up this feature in a split-DNS architecture.
Be careful all the same, and test the configuration before going into production.
 
== Overview ==
 
To implement this feature correctly, it is important to understand the logic of this new technique:
 
[[File:multidomainSSLfeature-splitDNS.jpg|700px|thumb|left|alt text]]
 
== Prerequisites ==
 
* For each add-on domain you will need a separate public IP!
* For each add-on domain you must have valid SSL certificates.
 
 
== (A): Preparing Proxy ==
 
* In the ZCS base installation script, select the proxy services for installation.
 
* Then log in as ''zimbra'' and activate the proxy:
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
$ zmproxyctl restart
* Set the proxy mode for the base domain on the '''proxyserver''':
$ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect
* Set the proxy mode on the '''mailboxserver''' for internal communication with the proxy server (must be http!):
$ zmtlsctl http
* Test this:
$ zmprov gs `zmhostname` | grep -i mode
* Restart the proxy:
$ zmproxyctl restart
 
 
== (B): Certinstallation ==
 
* Certs have to be installed from the ''root'' console.
First check for, or create, the following folder:
# mkdir /opt/zimbra/conf/domaincerts
# cd /opt/zimbra/conf/domaincerts
 
For ''each domain'' put your keys into this folder ...
# basedomain.com.key    (your private-key)
# basedomain.com.crt    (commercial .crt + intermediates + root CA)  [the order of the certificates in this file matters: a wrong order can prevent your proxy from starting up. Be careful; see also bug 57271 http://bugzilla.zimbra.com/show_bug.cgi?id=57271 ]
# addondomain1.com.key
# addondomain2.com.key
# ..
 
... and do the following commands:
* Check the keys:
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt
* Deploy the certs:
#  /opt/zimbra/libexec/zmdomaincertmgr deploycrts
* Save the certs:
# /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key
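The chain-order warning above is the one thing in this section that is easy to get wrong and hard to see from a directory listing. The following script is an added example, not part of the original HOWTO or of Zimbra's own tooling: it reads a PEM bundle such as basedomain.com.crt, pulls the issuer and subject out of each certificate with a minimal DER walker (standard library only, no signature checking), and reports when the server certificate is not first or a following certificate is not the issuer of the one before it. The make_unsigned_cert_pem helper only fabricates structurally valid, unsigned certificates so the check can be exercised offline; the names used are constructed.

```python
import base64
import re

# Matches each PEM CERTIFICATE block in a bundle such as basedomain.com.crt
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos].
    Returns (tag, value_start, value_end); value_end is also where the next element starts."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER Name bytes of a DER-encoded X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, ... }"""
    _, pos, _ = _tlv(der, 0)                # enter Certificate
    _, pos, _ = _tlv(der, pos)              # enter TBSCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    _, _, pos = _tlv(der, pos)              # serialNumber
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    _, s, pos = _tlv(der, pos)              # issuer Name
    issuer = der[s:pos]
    _, _, pos = _tlv(der, pos)              # validity
    _, s, pos = _tlv(der, pos)              # subject Name
    subject = der[s:pos]
    return issuer, subject


def check_chain_order(bundle_text):
    """Return a list of problems with the certificate order in a PEM bundle.
    [] means: server cert first, and each following cert is the issuer of the one before it."""
    ders = [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(bundle_text)]
    if not ders:
        return ["no CERTIFICATE blocks found"]
    names = [issuer_and_subject(d) for d in ders]
    problems = []
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("certificate 0 is self-signed; the server certificate must come first")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not the issuer of certificate {i}; chain order is wrong")
    return problems


# --- CONSTRUCTED test data: unsigned X.509 shells, only good for exercising the parser ---

def _der(tag, payload):
    """Encode one DER element with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name with a single commonName (OID 2.5.4.3) RDN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_unsigned_cert_pem(subject_cn, issuer_cn):
    """Structurally valid certificate with a dummy key and signature (trusted by nothing)."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSAEncryption
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                            # version v3
               + _der(0x02, b"\x01")                                                       # serialNumber
               + alg + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))  # validity
               + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))                                    # placeholder SubjectPublicKeyInfo
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))                                     # dummy signatureValue
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    leaf = make_unsigned_cert_pem("server.basedomain.com", "Example Intermediate CA")
    inter = make_unsigned_cert_pem("Example Intermediate CA", "Example Root CA")
    root = make_unsigned_cert_pem("Example Root CA", "Example Root CA")
    print("correct order:", check_chain_order(leaf + inter + root))
    print("reversed order:", check_chain_order(root + inter + leaf))
```

On a real system run check_chain_order(open("/opt/zimbra/conf/domaincerts/basedomain.com.crt").read()) before deploycrts. The check compares issuer and subject Names byte for byte, which is how CA-issued chains are normally encoded; it complements, and does not replace, the zmcertmgr verifycrt step above, which also verifies the signatures and the key match.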
 
== (C): Virtual IP on proxy ==
 
* Configure a virtual hostname and a virtual IP for every add-on domain.
''Please note: the virtual IPs of add-on domains have to be real IPs in your internal network, so that DNS is able to resolve them!''
$ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress 192.168.100.201
$ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress 192.168.100.211
$ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress 192.168.100.212
 
 
== (D): DNS-Records - Internal Net ==
 
* Configure A records in your ''local'' DNS server:
server.basedomain.com.    IN  A  192.168.100.201  (-> the IP of your local ZCS should already be there)
server.addondomain1.com.  IN  A  192.168.100.211
server.addondomain2.com.  IN  A  192.168.100.212
 
== (E): Alias IPs on mailboxserver ==
 
* On Ubuntu systems you have to edit:
# vi /etc/network/interfaces
* Append the following configuration, for example:
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card
address 192.168.100.211
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0
auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
address 192.168.100.212
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0
 
* Restart the network:
# /etc/init.d/networking restart

== (F): DNS-Records - External Internet ==
 
* Configure A records in your ''public'' provider DNS server:
server.basedomain.com.    IN  A  x.x.x.x  (-> IP of your ZCS)
server.addondomain1.com.  IN  A  y.y.y.y  (separate public IP!)
server.addondomain2.com.  IN  A  z.z.z.z
 
== (G): Firewalling ==
 
At this point you will need separate NAT/forwarding rules:
* server.basedomain.com   (x.x.x.x)  to  192.168.100.201
* server.addondomain1.com (y.y.y.y)  to  192.168.100.211
* server.addondomain2.com (z.z.z.z)  to  192.168.100.212
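Sections (C) to (G) each copy the same three values (virtual hostname, internal virtual IP, public IP) into a different system, and a copy-paste slip in any one of them leaves a domain silently served with the wrong certificate. The following script is an added example, not part of the original HOWTO: it takes the planned zmprov settings, both DNS zones, the NAT table and the file names in the domaincerts folder, and reports every place where they disagree. The sample plan reuses the HOWTO's example names; the public addresses are constructed from the documentation range 203.0.113.0/24 and the addondomain1/addondomain2 values are the ones shown above.

```python
# Split-DNS / NAT consistency check for the multi-domain SSL setup (added example).


def check_plan(domains, internal_dns, external_dns, nat, cert_files):
    """Return a list of problems; [] means sections (B) to (G) agree with each other.

    domains:      domain -> {"vhost": zimbraVirtualHostName, "vip": zimbraVirtualIPAddress}
    internal_dns: hostname -> A record in the local DNS
    external_dns: hostname -> A record in the public DNS
    nat:          public IP -> internal IP the firewall forwards to
    cert_files:   set of file names present in /opt/zimbra/conf/domaincerts
    """
    problems = []
    vips_seen = {}
    public_seen = {}
    for domain, cfg in domains.items():
        vhost, vip = cfg["vhost"], cfg["vip"]

        # (B): key and certificate must exist for this domain
        for suffix in (".key", ".crt"):
            if domain + suffix not in cert_files:
                problems.append(f"{domain}: {domain}{suffix} missing in domaincerts folder")

        # (C)/(D): the virtual hostname must resolve internally to the virtual IP, and VIPs are unique
        if internal_dns.get(vhost) != vip:
            problems.append(f"{domain}: internal DNS for {vhost} is {internal_dns.get(vhost)}, expected {vip}")
        if vip in vips_seen:
            problems.append(f"{domain}: virtual IP {vip} already used by {vips_seen[vip]}")
        vips_seen.setdefault(vip, domain)

        # (F): a public A record must exist, and each domain needs its own public IP
        public_ip = external_dns.get(vhost)
        if public_ip is None:
            problems.append(f"{domain}: no public A record for {vhost}")
            continue
        if public_ip in public_seen:
            problems.append(f"{domain}: public IP {public_ip} already used by {public_seen[public_ip]}")
        public_seen.setdefault(public_ip, domain)

        # (G): the firewall must forward that public IP to this domain's virtual IP
        if nat.get(public_ip) != vip:
            problems.append(f"{domain}: NAT for {public_ip} goes to {nat.get(public_ip)}, expected {vip}")
    return problems


# CONSTRUCTED sample plan with the HOWTO's example names; public IPs are RFC 5737 documentation addresses
DOMAINS = {
    "basedomain.com":   {"vhost": "server.basedomain.com",   "vip": "192.168.100.201"},
    "addondomain1.com": {"vhost": "server.addondomain1.com", "vip": "192.168.100.211"},
    "addondomain2.com": {"vhost": "server.addondomain2.com", "vip": "192.168.100.212"},
}
INTERNAL_DNS = {"server.basedomain.com": "192.168.100.201",
                "server.addondomain1.com": "192.168.100.211",
                "server.addondomain2.com": "192.168.100.212"}
EXTERNAL_DNS = {"server.basedomain.com": "203.0.113.1",
                "server.addondomain1.com": "203.0.113.2",
                "server.addondomain2.com": "203.0.113.3"}
NAT = {"203.0.113.1": "192.168.100.201",
       "203.0.113.2": "192.168.100.211",
       "203.0.113.3": "192.168.100.212"}
CERT_FILES = {"basedomain.com.key", "basedomain.com.crt",
              "addondomain1.com.key", "addondomain1.com.crt",
              "addondomain2.com.key", "addondomain2.com.crt"}


def broken_nat():
    """Same plan, but the third NAT rule was copied from addondomain1 and never edited."""
    nat = dict(NAT)
    nat["203.0.113.3"] = "192.168.100.211"
    return nat


if __name__ == "__main__":
    print("good plan:", check_plan(DOMAINS, INTERNAL_DNS, EXTERNAL_DNS, NAT, CERT_FILES))
    print("copy-paste slip:", check_plan(DOMAINS, INTERNAL_DNS, EXTERNAL_DNS, broken_nat(), CERT_FILES))
```

Fill the dictionaries from the real zmprov gd output, the two zone files and the firewall's NAT rules; a non-empty result names the section of this HOWTO that needs fixing. The uniqueness checks encode the prerequisite at the top of the page that every add-on domain gets its own public IP.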
 
== To Think About... ==
 
Implementing this new multi-SSL feature is a non-trivial task.
As you can see, with every additional add-on domain the system becomes more complex to administer.
As an alternative to this HOWTO you might switch to a single multi-domain certificate (one certificate covering several domain names), as provided by GoDaddy for example ...
 
{{Article Footer|ZCS 7.1.0|11/18/2011}}
[[Category:Configuration]]

Latest revision as of 16:26, 1 April 2015
