Multi Domain SSL Certs - HOWTO

Admin Article

This article applies to ZCS 7.0.


Introduction

ZCS 7.0 adds the possibility to secure more than one domain, each with its own SSL certificate. This document explains how to set this feature up in a split-DNS architecture. Nevertheless, be careful and test the configuration before going into production.

Overview

To implement this feature correctly, it is very important to understand the logic of this new technique:

[Overview diagram not available in this text version]

Prerequisites

  • For each addon domain you will need a separate public IP!
  • For each addon domain you must have valid SSL certs.


(A): Preparing Proxy

  • In the ZCS base installation script, mark the proxy service for installation.
  • Then log in as zimbra and activate the proxy:
$ zmproxyconfig -m -w -e -x redirect -H `zmhostname`
$ zmproxyctl restart
  • Set the proxy mode for the base domain on the proxy server:
$ zmprov ms server.basedomain.com zimbraReverseProxyMailMode redirect
  • Set the proxy mode on the mailbox server for internal communication with the proxy server (must be http!):
$ zmtlsctl http
  • Test this:
$ zmprov gs `zmhostname` | grep -i mode
  • Restart proxy:
$ zmproxyctl restart


(B): Certificate installation

  • Certs have to be installed from the root console.

First check for (or create) the following folder:

# mkdir /opt/zimbra/conf/domaincerts
# cd /opt/zimbra/conf/domaincerts

For each domain put your keys and certs into this folder ...

  1. basedomain.com.key (your private key)
  2. basedomain.com.crt (commercial .crt + intermediates + root CA) [the order of these parts is very sensitive, and a wrong order might prevent your proxy from starting up; be careful; see also bug 57271 http://bugzilla.zimbra.com/show_bug.cgi?id=57271]
  3. addondomain1.com.key
  4. addondomain2.com.key
  5. ..

... and do the following commands:

  • Check that the key and the cert match:
# /opt/zimbra/bin/zmcertmgr verifycrt comm ./basedomain.com.key ./basedomain.com.crt
  • Deploy the certs:
# /opt/zimbra/libexec/zmdomaincertmgr deploycrts
  • Save the certs:
# /opt/zimbra/libexec/zmdomaincertmgr savecrt basedomain.com basedomain.com.crt basedomain.com.key
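Before running zmcertmgr and zmdomaincertmgr, it is worth checking the bundle order mechanically, because a wrongly ordered basedomain.com.crt is exactly the failure that bug 57271 describes. The following POSIX shell script is an added example, not part of this article or of Zimbra's tooling; it assumes the openssl command-line tool is installed and takes the key file and the bundle file named above as its two arguments.

```shell
#!/bin/sh
# Pre-flight check for a domain cert bundle before zmdomaincertmgr deploys it.
# Added example, not part of Zimbra's tooling. Assumes the openssl CLI is installed.
# Usage: check_bundle basedomain.com.key basedomain.com.crt
# Returns 0 only if the first cert in the bundle belongs to the key and every
# cert is followed by its issuer (leaf -> intermediates -> root CA).

split_bundle() {
  # Split a PEM bundle ($1) into $2/cert-0.pem, $2/cert-1.pem, ... in file order.
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" (n - 1) ".pem" }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
}

check_bundle() {
  key="$1"; crt="$2"
  tmp=$(mktemp -d) || return 2
  split_bundle "$crt" "$tmp"
  count=$(ls "$tmp"/cert-*.pem 2>/dev/null | wc -l | tr -d ' ')
  if [ "$count" -lt 1 ]; then
    echo "$crt: no certificate found"; rm -rf "$tmp"; return 1
  fi

  # 1. The first certificate must be the one issued for this private key:
  #    compare the public key derived from the key with the one in the cert.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$tmp/cert-0.pem" -noout -pubkey 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
    echo "$crt: first certificate does not match $key (wrong order or wrong key)"
    rm -rf "$tmp"; return 1
  fi

  # 2. Each certificate's issuer must be the subject of the next one in the file.
  i=0
  while [ $((i + 1)) -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$crt: certificate $((i + 1)) is not the issuer of certificate $i (chain out of order)"
      rm -rf "$tmp"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$crt: $count certificate(s), order and key match OK"
  return 0
}

# Invocation for the files from section (B); does nothing when run without arguments.
if [ "$#" -eq 2 ]; then
  check_bundle "$1" "$2"
fi
```

Run it as `sh check_bundle.sh basedomain.com.key basedomain.com.crt` from /opt/zimbra/conf/domaincerts; a non-zero exit tells you which cert is out of place before the proxy refuses to start. The check compares issuer and subject names only, so it catches ordering mistakes, not an expired or untrusted chain; zmcertmgr verifycrt still does the cryptographic verification.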

(C): Virtual IP on proxy

  • Configure a virtual hostname and a virtual IP for every addon domain.

Please consider: the virtual IPs of the addon domains have to be real IPs in your internal net, so that DNS is able to resolve them!

$ zmprov md basedomain.com +zimbraVirtualHostName server.basedomain.com +zimbraVirtualIPAddress 192.168.100.201
$ zmprov md addondomain1.com +zimbraVirtualHostName server.addondomain1.com +zimbraVirtualIPAddress 192.168.100.211
$ zmprov md addondomain2.com +zimbraVirtualHostName server.addondomain2.com +zimbraVirtualIPAddress 192.168.100.212


(D): DNS-Records - Internal Net

  • Configure A records in your local DNS server:
server.basedomain.com.    IN  A  192.168.100.201   ; IP of your local ZCS, should already be there
server.addondomain1.com.  IN  A  192.168.100.211
server.addondomain2.com.  IN  A  192.168.100.212

(E): Alias IPs on mailboxserver

  • On Ubuntu systems you have to edit:
# vi /etc/network/interfaces
  • Append the following configuration, for example:
auto eth0:1
iface eth0:1 inet static
name Ethernet alias1 LAN card
address 192.168.100.211
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0

auto eth0:2
iface eth0:2 inet static
name Ethernet alias2 LAN card
address 192.168.100.212
netmask 255.255.255.0
broadcast 192.168.100.255
network 192.168.100.0
  • Restart networking:
# /etc/init.d/networking restart

(F): DNS-Records - External Internet

  • Configure A records in your public provider DNS server:
server.basedomain.com.    IN  A  x.x.x.x   ; public IP of your ZCS
server.addondomain1.com.  IN  A  y.y.y.y   ; separate public IP!
server.addondomain2.com.  IN  A  z.z.z.z

(G): Firewalling

At this point you will need separate NAT/forwarding rules:

  • server.basedomain.com (x.x.x.x) to 192.168.100.201
  • server.addondomain1.com (y.y.y.y) to 192.168.100.211
  • server.addondomain2.com (z.z.z.z) to 192.168.100.212
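Once DNS, virtual IPs, interface aliases and NAT are in place, the thing to verify is that each virtual hostname, on its own IP, is answered with a certificate issued for that name; a mix-up between alias IPs or NAT rules shows up as a certificate-name mismatch in every client. The following POSIX shell script is an added example, not part of this article or of Zimbra's tooling. It assumes the openssl command-line tool and that the proxy listens on port 443, and uses the hostnames and addresses from sections (C), (D) and (F) only as sample arguments. The name check also accepts a single-label wildcard certificate, which goes beyond what the article discusses.

```shell
#!/bin/sh
# Post-deployment check for sections (C) to (G): does each virtual host present a
# certificate issued for its own name on its own IP? Added example, not Zimbra's
# own tooling. Assumes the openssl CLI and a proxy listening on port 443.

cert_matches_host() {
  # $1 = PEM certificate file, $2 = hostname the proxy should serve it for.
  # Accepts an exact match on any SAN DNS entry or on the CN, and a single-label
  # wildcard such as *.basedomain.com for server.basedomain.com.
  cert="$1"; host="$2"
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -o 'DNS:[^,]*' | sed 's/^DNS://; s/ //g')
  cn=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  for name in $sans $cn; do
    case "$name" in
      \*.*)
        # A wildcard covers exactly one label: the host minus its first label must equal the suffix.
        [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
      *)
        [ "$name" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

probe_vhost() {
  # $1 = virtual hostname, $2 = IP that should answer for it
  # (the zimbraVirtualIPAddress from inside the net, the public IP from outside).
  host="$1"; ip="$2"
  tmp=$(mktemp) || return 2
  # Fetch the leaf certificate the proxy presents on that IP; -servername sends SNI
  # the way current clients do, so the probe mirrors what a browser sees.
  if ! printf '' | openssl s_client -connect "$ip:443" -servername "$host" 2>/dev/null \
       | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
    echo "$host ($ip): no certificate returned"; rm -f "$tmp"; return 1
  fi
  if cert_matches_host "$tmp" "$host"; then
    echo "$host ($ip): OK"; rm -f "$tmp"; return 0
  fi
  echo "$host ($ip): MISMATCH, got $(openssl x509 -in "$tmp" -noout -subject)"
  rm -f "$tmp"; return 1
}

probe_all() {
  # Arguments: host:ip pairs. Returns non-zero if any probe fails.
  rc=0
  for pair in "$@"; do
    probe_vhost "${pair%%:*}" "${pair#*:}" || rc=1
  done
  return $rc
}

# Sample run with the internal addresses used in this HOWTO (not executed automatically):
# probe_all server.basedomain.com:192.168.100.201 \
#           server.addondomain1.com:192.168.100.211 \
#           server.addondomain2.com:192.168.100.212
```

Run probe_all once from a host inside the internal net with the virtual IPs from (C) and once from outside with the public IPs from (F); if the internal run passes and the external one reports a mismatch, the NAT mapping in (G) is the place to look, and if both fail for one domain only, the interface alias in (E) or the deployed cert for that domain is.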

To Think About...

Implementing this new multi-SSL feature is a non-trivial walk. As you can see, with every new addon domain the system gets more and more complex to administer. So, as an alternative to this HOWTO, you might switch to a single "Multi-Domain-Cert" (one certificate covering several domains), as provided by GoDaddy for example ...
