Difference between revisions of "Multi Domain SSL Certs - HOWTO"

(Replaced content with "For configuring SSL certificates per domain with Zimbra, please follow this [http://wiki.zimbra.com/wiki/SSL_certificates_per_domain guide].")
{{Article Infobox|{{admin}}||{{ZCS 7.0}}|}}
For configuring SSL certificates per domain with Zimbra, please follow this [http://wiki.zimbra.com/wiki/SSL_certificates_per_domain guide].
== Introduction ==

Starting with ZCS 7.0 you can secure more than one domain, each with its own SSL certificate.

This document explains how to set up this feature in a split-DNS architecture.

Test the configuration carefully before going into production.

== Overview ==
 
 
 
To implement this feature correctly, it is important to understand the logic behind it:
 
 
 
[[File:multidomainSSLfeature-splitDNS.jpg|700px|thumb|left|alt text]]
 
 
 
== Prerequisites ==
 
 
 
* Each add-on domain needs its own separate public IP.

* Each add-on domain needs a valid SSL certificate.
 
 
 
 
 
== (A): Preparing Proxy ==
 
 
 
* In the ZCS installation script, select the proxy services for installation.
 
 
 
* Then log in as ''zimbra'' and activate the proxy:
 
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
 
$ zmproxyctl restart
 
* Set the proxy mode for the base domain on the '''proxy server''':
 
$ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect
 
* On the '''mailbox server''', set the mail mode for internal communication with the proxy server (it must be http):

$ zmtlsctl http
 
* Check the result:
 
$ zmprov gs `zmhostname` | grep -i mode
 
* Restart proxy:
 
$ zmproxyctl restart
 
 
 
 
 
== (B): Certificate installation ==
 
 
 
* Certificates have to be installed from the ''root'' console.

First create the following folder if it does not exist yet:
 
# mkdir /opt/zimbra/conf/domaincerts
 
# cd /opt/zimbra/conf/domaincerts
 
 
 
For ''each domain'' put the private key and the certificate bundle into this folder ...

# basedomain.com.key    (your private key)

# basedomain.com.crt    (commercial.crt + intermediates + root_CA; the order of the certificates inside this file is critical, a wrong order can prevent the proxy from starting up, see also bug 57271 http://bugzilla.zimbra.com/show_bug.cgi?id=57271)

# addondomain1.com.key

# addondomain2.com.key

# ..

... and run the following commands:
 
* Check the keys:
 
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt
 
* Deploy the certs:
 
#  /opt/zimbra/libexec/zmdomaincertmgr deploycrts
 
* Save the certs:
 
# /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key
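Because the order inside the .crt bundle is the part that breaks most often, it helps to have a repeatable check before deploying a per-domain bundle. The script below is an added example, not code from the wiki page or from Zimbra: it uses only openssl, builds a throwaway root CA, intermediate and leaf certificate (all names constructed, so it runs offline), and applies the same check to a correctly ordered bundle, a reversed one and one with the intermediate missing. The hostnames and paths are those of the HOWTO's examples.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): sanity-check a per-domain bundle
# the way the HOWTO wants it assembled. /opt/zimbra/conf/domaincerts/<domain>.crt
# must START with the domain's own certificate, followed by the intermediates
# and the root. Everything generated here is a constructed throwaway PKI.

# check_domain_cert KEY CRT
# Returns 0 when the first certificate in CRT belongs to KEY and the rest of
# the file forms a chain through which that certificate verifies; 1 otherwise.
check_domain_cert() {
    key="$1"
    crt="$2"
    # 1. openssl x509 reads only the FIRST PEM block, i.e. exactly the one the
    #    proxy will present as server certificate. Its public key must match the
    #    private key; a CA certificate placed first fails this comparison.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 1
    # 2. Use the bundle itself as trust store: the leaf must chain through the
    #    intermediates to the self-signed root in the same file, otherwise an
    #    intermediate is missing.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

# make_fixture DIR: constructed root CA -> intermediate -> leaf plus three
# bundles: good.crt (HOWTO order), bad.crt (root first), missing.crt (no intermediate).
make_fixture() {
    d="$1"
    mkdir -p "$d" || return 1
    cat > "$d/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:server.addondomain1.com
EOF
    # self-signed root (constructed)
    openssl req -x509 -config "$d/x509.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -days 2 \
        -subj "/CN=Constructed Root CA" 2>/dev/null || return 1
    # intermediate signed by the root
    openssl req -new -config "$d/x509.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Intermediate CA" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/x509.cnf" -extensions v3_ca -days 2 -out "$d/int.crt" 2>/dev/null || return 1
    # leaf for the add-on domain, signed by the intermediate
    openssl req -new -config "$d/x509.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=server.addondomain1.com" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/x509.cnf" -extensions v3_leaf -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
    cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/good.crt"     # commercial + intermediates + root
    cat "$d/root.crt" "$d/int.crt" "$d/leaf.crt" > "$d/bad.crt"      # reversed: root first
    cat "$d/leaf.crt" "$d/root.crt" > "$d/missing.crt"               # intermediate left out
}

# Stand-alone demo: build the fixture in a temp dir and report each bundle.
demo_dir=$(mktemp -d)
if make_fixture "$demo_dir"; then
    for b in good bad missing; do
        if check_domain_cert "$demo_dir/leaf.key" "$demo_dir/$b.crt"; then
            echo "$b.crt: OK"
        else
            echo "$b.crt: REJECTED (wrong order or missing intermediate)"
        fi
    done
fi
rm -rf "$demo_dir"
```

Run the two openssl checks in check_domain_cert against the real basedomain.com.key and basedomain.com.crt in /opt/zimbra/conf/domaincerts before calling zmdomaincertmgr; the first check catches a swapped order, the second a forgotten intermediate. It does not replace zmcertmgr verifycrt, which additionally checks what Zimbra itself expects.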
 
 
 
 
 
== (C): Virtual IP on proxy ==
 
 
 
* Configure a virtual hostname and a virtual IP for every add-on domain.

''Please note: the virtual IPs of the add-on domains have to be real IPs in your internal network, so that DNS is able to resolve them.''
 
$ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress 192.168.100.201
 
$ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress 192.168.100.211
 
$ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress 192.168.100.212
 
 
 
 
 
== (D): DNS-Records - Internal Net ==
 
 
 
* Configure A records in your ''local'' DNS server:

server.basedomain.com.    IN  A  192.168.100.201  (-> the IP of your local ZCS should already be there)
 
server.addondomain1.com.  IN  A  192.168.100.211
 
server.addondomain2.com.  IN  A  192.168.100.212
 
 
 
 
 
== (E): Alias IPs on mailboxserver ==
 
 
 
* On Ubuntu systems edit the interfaces file:

# vi /etc/network/interfaces

* Append the following configuration, for example:
 
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card
address 192.168.100.211
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0

auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
address 192.168.100.212
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0
 
 
 
* Restart network:
 
# /etc/init.d/networking restart
 
 
 
 
== (F): DNS-Records - External Internet ==
 
 
 
* Configure A records in your ''public'' DNS server (at your provider):

server.basedomain.com.    IN  A  x.x.x.x  (-> the public IP of your ZCS)

server.addondomain1.com.  IN  A  y.y.y.y  (a separate public IP!)

server.addondomain2.com.  IN  A  z.z.z.z
 
 
 
 
 
== (G): Firewalling ==
 
 
 
At this point you need separate NAT/forwarding rules, one per public IP:

* server.basedomain.com  (x.x.x.x)  to  192.168.100.201

* server.addondomain1.com  (y.y.y.y)  to  192.168.100.211

* server.addondomain2.com  (z.z.z.z)  to  192.168.100.212
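Steps (C) to (G) all repeat the same mapping of domain, virtual hostname, internal virtual IP and public IP, so a mistake in one place (a reused IP, a NAT rule pointing at the wrong alias) leaves the proxy presenting one domain's certificate for another domain's hostname. The script below is an added example and not part of the wiki page: it keeps the mapping in one table (constructed from the page's sample names; x.x.x.x etc. are the page's placeholders), checks that no internal or public IP is shared, generates the step (C) zmprov commands from that table, and offers a post-deployment check that connects with SNI and verifies the served certificate for the expected hostname. The network check needs a CA bundle path, which is a parameter you supply.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: one source of truth for the
# per-domain mapping used in steps (C) to (G), plus checks before and after
# going live. Table columns: domain, virtual hostname, internal VIP, public IP.
# The rows are constructed from the HOWTO's sample values.
DOMAIN_MAP='
basedomain.com    server.basedomain.com    192.168.100.201  x.x.x.x
addondomain1.com  server.addondomain1.com  192.168.100.211  y.y.y.y
addondomain2.com  server.addondomain2.com  192.168.100.212  z.z.z.z
'

# Print column N of the map (1=domain, 2=virtual hostname, 3=internal VIP, 4=public IP).
map_column() {
    printf '%s\n' "$DOMAIN_MAP" | awk -v c="$1" 'NF == 4 { print $c }'
}

# Returns 0 when no internal VIP and no public IP is used by more than one
# domain, which is what "a separate public IP per add-on domain" requires.
check_unique_ips() {
    dup_vip=$(map_column 3 | sort | uniq -d)
    dup_pub=$(map_column 4 | sort | uniq -d)
    [ -z "$dup_vip" ] && [ -z "$dup_pub" ]
}

# Internal VIP configured for DOMAIN (empty when the domain is not in the map).
# Use it to cross-check the NAT rule of step (G) and the alias of step (E).
expected_vip() {
    printf '%s\n' "$DOMAIN_MAP" | awk -v d="$1" 'NF == 4 && $1 == d { print $3 }'
}

# The step (C) zmprov command for every row, generated from the map so that
# the hostname/VIP pair on the proxy can never drift from the DNS records.
emit_zmprov() {
    printf '%s\n' "$DOMAIN_MAP" | awk 'NF == 4 {
        printf "zmprov md %s +zimbraVirtualHostName %s +zimbraVirtualIPAddress %s\n", $1, $2, $3 }'
}

# Post-deployment check: connect to IP:443 with SNI HOST and require that the
# served chain validates for HOST against the CA bundle CAFILE (a path you
# supply, e.g. your distribution's ca-certificates file). Needs the network,
# so it is deliberately not called at the top level of this script.
check_served_cert() {
    host="$1"; ip="$2"; cafile="$3"
    openssl s_client -connect "$ip:443" -servername "$host" -verify_hostname "$host" \
        -CAfile "$cafile" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone demo: validate the table and print the generated zmprov lines.
if check_unique_ips; then
    echo "IP map: every domain has its own internal and public IP"
else
    echo "IP map: an IP is reused, fix this before continuing with (C) to (G)"
fi
emit_zmprov
```

After the firewall rules of step (G) are in place, run check_served_cert once per row from outside the network, e.g. check_served_cert server.addondomain1.com y.y.y.y /etc/ssl/certs/ca-certificates.crt; a failure there means the NAT rule, the proxy virtual IP or the deployed bundle for that domain do not line up.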
 
 
 
 
 
== To Think About... ==
 
 
 
Implementing this multi-SSL feature is not trivial.

As you can see, every additional add-on domain makes the system more complex to administer.

As an alternative to this HOWTO you might switch to a single "multi-domain" certificate covering all your domains, as offered by GoDaddy for example ...
 
 
 
 
 
{{Article Footer|ZCS 7.1.0|11/18/2011}}
 
[[Category:Configuration]]
 

Revision as of 11:38, 17 October 2014
