Multiple SSL Certificates, Server Name Indication (SNI) for HTTPS
- 1 Multiple SSL Certificates, Server Name Indication (SNI) for HTTPS
- 2 Testing
- 3 Troubleshooting
- 4 Known Issues
Multiple SSL Certificates, Server Name Indication (SNI) for HTTPS
Note: This feature will not enable SSL Certificate for IMAP/POP or smtps connections. RFE #103362
Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.
To make SNI useful, as with any protocol, the vast majority of visitors must use web browsers that implement it. Users whose browsers do not implement SNI are presented with a default certificate and hence are likely to receive certificate warnings. Source:Wikipedia
- Zimbra proxy service must be installed and enabled on the server. In a multi server environment, these steps should be performed on the proxy node
- You should have a signed certificate + matching key pair and the trusted chain certs from your CA (Certificate Authority) (This is a common issue, so please, make sure you check your files before deploying them)
- You will need to add ipv4 addresses per domain which will pair to the respective domain name. For example:
184.108.40.206 => example.com 220.127.116.11 => otherdomain.com 18.104.22.168 => yetanotherdomain.com
and you could even have another IPv4 address, for Customer reasons with other group of SSL Certificates, even different type of SSL Certificates:
22.214.171.124 => yetanotherdomain.com (A Comodo Wildcard SSL Certificate) 126.96.36.199 => thisisanotherdomain.com (A free Let's Encrypt SSL Certificate) 188.8.131.52 => customer001.net (A RapidSSL Certificate) etc.
Browser support for SNI
The following browsers do offer support for SNI, however Zimbra hasn't tested all of them, it is the responsibility of the web-browser, to support the application part of SNI :
|Internet Explorer||Web browser||Since version 7 on Vista (not supported on XP)||2006|
|Mozilla Firefox||Web browser||Since version 2.0 Reference 116169||2006|
|curl||Command-line tool and library||Since version 7.18.1||2008|
|Safari||Web browser||Not supported on XP|
|Google Chrome||Web browser||Since 6.0||2010|
|BlackBerry OS||Web browser||7.2 or later|
|Windows Mobile||Web browser||Some time after 6.5<ref>Template:Cite web</ref>|
|Android default browser||Web browser||Honeycomb (3.x) for tablets and Ice Cream Sandwich (4.x) for phones<ref>Template:Cite web</ref>||2011|
|wget||Command-line tool||Since version 1.14||2012|
|Nokia Browser for Symbian||Web browser|
|Opera Mobile||Web browser||Not supported on Series60|
Configuring the IP address per domain
1. Add a new ipv4 address to the server which will pair to name example.com (via the example virtual hostname mail.example.com). You can do it using IP address aliasing. For example, the new address can be assigned to eth0:1 device. Lets consider the new ipv4 address is 184.108.40.206 which should be an A record for mail.example.com. The IP address could be public (if server is on Internet) or internal (if the server is behind firewall/NAT'ed).
2. Add the new domain example.com. Set zimbraVirtualHostName to mail.example.com and zimbraVirtualIPAddress to 220.127.116.11. Make sure the zimbraVirtualHostName is set to the name which will be used to access the domain (URL) and the SSL certificate is signed for same name.
zmprov cd example.com zimbraVirtualHostName "mail.example.com" zimbraVirtualIPAddress "18.104.22.168"
NOTE: If the server is behind a firewall and NAT'ed with an external address, make sure external requests for "mail.example.com" hit the aliased IP address and not the actual local IP address of server.
Verifying and Preparing the Certificates
We should have three files received from the CA (might vary depending on the Certificate Authority). The server (domain) certificate, and two chain certs. Also, you should have an existing key file (which was used to generate the csr)
- 1. Save the example.com certificate, key and chain files to a directory /tmp/example.com. You can receive single or multiple chain certs from your CA. Here we have two chain certs from the CA. i.e. example.com.root.crt and example.com.intermediate.crt.
ls /tmp/example.com example.com.key example.com.crt example.com.root.crt example.com.intermediate.crt
- 2. Add the chain certs to a single file called example.com_ca.crt
cat example.com.root.crt example.com.intermediate.crt >> example.com_ca.crt
- 3. Confirm if the key and certificate matches and chain certs completes the trust. As zimbra user:
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt
- Check the output, it should say something like this. If not, make sure you have the correct key and chain cert files.
** Verifying '/tmp/example.com.crt' against '/tmp/example.com.key' Certificate '/tmp/example.com.crt' and private key '/tmp/example.com.key' match. ** Verifying '/tmp/example.com.crt' against '/tmp/example.com_ca.crt' Valid certificate chain: /tmp/example.com.crt: OK
Deploying the Certificate or Certificates on the domain
- 1. Add the domain certificate and chain files to a single file called example.com.bundle
cat example.com.crt example.com_ca.crt >> example.com.bundle
- 2. Run the following command as the zimbra user to save the certificates and key in LDAP:
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key ** Saving domain config key zimbraSSLCertificate...done. ** Saving domain config key zimbraSSLPrivateKey...done.
- The syntax is:
/opt/zimbra/libexec/zmdomaincertmgr savecrt <domainname> <certificate with chain certs> <keyfile>
- 3. Run the following command as the zimbra user to deploy the domain certificate. This will save the certificate and key as /opt/zimbra/conf/domaincerts/example.com:
/opt/zimbra/libexec/zmdomaincertmgr deploycrts ** Deploying cert for example.com...done.
- 4. Make sure the example.com is resolving to its local IP address from Zimbra host. Or make an similar entry in /etc/hosts file.
Run these commands on proxy hosts, or on the server if it's Single Server:
- zimbraReverseProxySNIEnabled should be set to TRUE in server and global config.
zmprov mcf zimbraReverseProxySNIEnabled TRUE
Re-write and restart Proxy
- Restart the proxy to re-write the changes to proxy config
- Once the restart is successfull, try to access the domain using the URL which is set in "zimbraVirtualHostName" over https. And check the certificate loaded in the browser. In this case the URL will be https://example.com
Run this command locally on zimbra server to check if the correct domain cert is offered while accessing the domain with "zimbraVirtualHostName" or "zimbraVirtualIPAddress"
openssl s_client -connect example.com:443
openssl s_client -connect 22.214.171.124:443
You can go now to a Web browser and check that for each different zimbraVirtualHostName, you see a different SSL certificate and that its details are correct for that virtualhostname.
- If you do not see the correct domain cert by accessing the domain with its zimbraVirtualHostName (example.com). Make sure that the https connection from the Internet/intranet is going to the server's local IP address which is defined in zimbraVirtualIPAddress, and make sure you have activated zimbraReverseProxySNIEnabled to TRUE
- If you are using multiple proxy servers or adding new proxy servers, make sure you copy all the contents of /opt/zimbra/conf/domaincerts/ to all the proxy servers. Otherwise the proxy service will fail to start.
- Bug 102913 - Multiple SSL domains on single server (SNI) for HTTPS connections
- Bug 103362 - Multiple SSL domains on single server (SNI) for IMAPS/POP3S connections