Difference between revisions of "SSL certificates per domain"

(Created page with "__TOC__ '''This document explains how to add per domain cert on a ZCS running 7.x version.''' Until ZCS 6.x, per domain ssl certificate or multiple ssl certificates on a single...")
 
Line 90: Line 90:
 
=Troubleshooting=
 
=Troubleshooting=
  
* If the proxy startup gives following error, try to change the order of certificates in /opt/zimbra/conf/domaincerts/example.com/example.com.bundle file and restart proxy.
+
* If the proxy startup gives following error, try to change the order of certificates in /opt/zimbra/conf/domaincerts/example.com.crt file and restart proxy.
  
 
   Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/example.com.key") failed (SSL: error:0B080074:x509 certificate  
 
   Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/example.com.key") failed (SSL: error:0B080074:x509 certificate  
 
   routines:X509_check_private_key:key values mismatch)
 
   routines:X509_check_private_key:key values mismatch)

Revision as of 16:09, 22 June 2011

This document explains how to add per domain cert on a ZCS running 7.x version.

Until ZCS 6.x, per domain ssl certificate or multiple ssl certificates on a single ZCS was not supported. RFE #8128. From ZCS 7.x, the feature is been added.

In this example, I am adding a new domain called example.com and deploying a new certificate for example.com.

Prerequisites

  • Zimbra proxy service must be installed and enabled on the server. In multi server environment, do these steps on the proxy node.
  • You should have a signed certificate + matching key pair and the trusted chain certs from your CA (Certificate Authority) .
  • You will need to add ipv4 addresses per domain which will pair to the respective domain name. For example:
 1.1.1.1 => example.com
 2.2.2.2 => otherdomain.com
 3.3.3.3 => yetanotherdomain.com

Configure Zimbra Proxy Server

1. Make sure Zimbra proxy service is configured correctly and serving https. If not, configure proxy now, run following as zimbra. It will set "zimbraReverseProxyMailMode" to both.

 su - zimbra
 /opt/zimbra/libexec/zmproxyconfig -m -w -e -x both -H `zmhostname`

2. Restart proxy service

 zmproxyctl stop;zmproxyctrl start
  • If its already configured - skip to next section.

Configuring IP address and domain

1. Add a new ipv4 address to the server which will pair to name example.com. You can do it using IP address aliasing. For example, the new address can be assigned to eth0:1 device. Lets consider the new ipv4 address is 10.1.1.1.

2. Add the new domain example.com. Set zimbraVirtualHostName to example.com and zimbraVirtualIPAddress to 10.1.1.1. Make sure the zimbraVirtualHostName is set to the name which will be used by users to access the domain URL and the SSL certificate is signed for same name.

 zmprov cd exmaple.com +zimbraVirtualHostName example.com +zimbraVirtualIPAddress 10.1.1.1

Verifying and Preparing the Certificates

We have three files received from the CA. The server (domain) certificate, two chain certs. And we have existing key file (which was used to generate the csr)

1. Save the example.com certificate, key and chain files to a directory /tmp/example.com. You can receive single or multiple chain certs from your CA. Here we have two chain certs from the CA. i.e. example.com.root.crt and example.com.intermediate.crt.

 ls /tmp/example.com
 example.com.key
 example.com.crt
 example.com.root.crt
 example.com.intermediate.crt

2. Add the chain certs to a single file called example.com_ca.crt

 cat example.com.root.crt example.com.intermediate.crt >> example.com_ca.crt

3. Confirm if the key and certificate matches and chain certs completes the trust.

 /opt/zimbra/bin/zmcertmgr /tmp/exmaple.com/example.com.key /tmp/exmaple.com/example.com.crt /tmp/exmaple.com/example.com_ca.crt
  • Check the output, it should say something like this. If not, make sure you have correct key and chain cert files.
 ** Verifying example.com.crt against example.com.key
 Certificate (example.com.crt) and private key (example.com.key) match.
 Valid Certificate: example.com.crt: OK

Deploying the Certificate on domain

1. Now add the domain certificate and chain files to a single file called example.com.bundle

 cat example.com.crt example.com_ca.crt >> example.com.bundle

2. Run following to save the certificates and key in ldap database.

 /opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
  • The syntax is:
 /opt/zimbra/libexec/zmdomaincertmgr savecrt <domainname> <certificate with chain certs> <keyfile>

3. Run following to deploy the domain certificate. This will save the certificate and key at /opt/zimbra/conf/domaincerts/example.com/ directory.

 /opt/zimbra/libexec/zmdomaincertmgr deploycrts

4. Restart proxy service to take the changes in effect.

 zmproxyctl stop;zmproxyctrl start

5. Once the restart is successfull, try to access the domain using the URL which is set in "zimbraVirtualHostName" over https. And check the certificate loaded in the browser.

Troubleshooting

  • If the proxy startup gives following error, try to change the order of certificates in /opt/zimbra/conf/domaincerts/example.com.crt file and restart proxy.
 Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/example.com.key") failed (SSL: error:0B080074:x509 certificate 
 routines:X509_check_private_key:key values mismatch)
Jump to: navigation, search