Revision as of 01:59, 11 July 2015

SSL Certificates per domain

   KB 15103        Last updated on 2015-07-11  



This document explains how to add a per-domain SSL certificate on a ZCS server.

Note: This feature does not enable the domain certificate for SMTPS connections (RFE #50127).

Until ZCS 6.x, per-domain SSL certificates, i.e. multiple SSL certificates on a single ZCS server, were not supported (RFE #8128). The feature was introduced in ZCS 7.x.

In this example, I am adding a new domain called example.com and deploying a new certificate for it.

Note: When ZCS 9.x is released, it will no longer be necessary to configure zimbraVirtualIPAddress per domain (RFE #56178). In ZCS 7.x and 8.x the proxy selects the certificate by the IP address the connection arrives on, which is why each domain needs its own address.

Prerequisites

  • Zimbra proxy service must be installed and enabled on the server. In a multi-server environment, perform these steps on the proxy node.
  • You should have a signed certificate, its matching private key, and the trusted chain certs from your CA (Certificate Authority).
  • You will need one IPv4 address per domain, paired with the respective domain name. For example:
 1.1.1.1 => example.com
 2.2.2.2 => otherdomain.com
 3.3.3.3 => yetanotherdomain.com

Configuring IP address and domain

1. Add a new IPv4 address to the server which will pair with the domain example.com (via the virtual hostname mail.example.com). You can do this with IP address aliasing, for example by assigning the new address to the eth0:1 device. Let's assume the new IPv4 address is 1.2.3.4; it should be the A record for mail.example.com. The IP address can be public (if the server is on the Internet) or internal (if the server is behind a firewall/NAT).

2. Add the new domain example.com. Set zimbraVirtualHostName to mail.example.com and zimbraVirtualIPAddress to 1.2.3.4. Make sure zimbraVirtualHostName is set to the name that will be used to access the domain (the URL) and that the SSL certificate is issued for that same name.

 zmprov cd example.com zimbraVirtualHostName "mail.example.com" zimbraVirtualIPAddress "1.2.3.4"

NOTE: If the server is behind a firewall and NAT'ed to an external address, make sure external requests for "mail.example.com" hit the aliased IP address and not the server's primary local IP. The proxy picks the certificate by the destination IP address, so a request that lands on another address is served that address's certificate.

Verifying and Preparing the Certificates

We have three files received from the CA: the server (domain) certificate and two chain certs. We also have the existing key file (the one used to generate the CSR).

1. Save the example.com certificate, key and chain files to the directory /tmp/example.com. You may receive a single chain cert or several from your CA. Here we have two chain certs, example.com.root.crt and example.com.intermediate.crt.

 ls /tmp/example.com
 example.com.key
 example.com.crt
 example.com.root.crt
 example.com.intermediate.crt

2. Concatenate the chain certs into a single file called example.com_ca.crt, intermediate first and root last, so that each certificate is followed by its issuer (the order the proxy expects). Use > rather than >> so that re-running the command does not append duplicate copies:

 cat example.com.intermediate.crt example.com.root.crt > example.com_ca.crt

3. Confirm that the key and certificate match and that the chain certs complete the trust path.

 /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt
  • Check the output; it should look like the following. If not, make sure you have the correct key and chain cert files.
 ** Verifying example.com.crt against example.com.key
 Certificate (example.com.crt) and private key (example.com.key) match.
 Valid Certificate: example.com.crt: OK

Deploying the Certificate on domain

1. Concatenate the domain certificate and the chain file into a single file called example.com.bundle. The server certificate must come first:

 cat example.com.crt example.com_ca.crt > example.com.bundle

2. Run the following to save the certificate and key in the LDAP database.

 /opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
  • The syntax is:
 /opt/zimbra/libexec/zmdomaincertmgr savecrt <domainname> <certificate with chain certs> <keyfile>

3. Run the following to deploy the domain certificate. This writes the certificate and key to /opt/zimbra/conf/domaincerts/ as example.com.crt and example.com.key.

 /opt/zimbra/libexec/zmdomaincertmgr deploycrts

4. Make sure that mail.example.com resolves to its local IP address from the Zimbra host, or add a matching entry to /etc/hosts:

 1.2.3.4      mail.example.com

Proxy Check

Run these commands on proxy hosts.

  • zimbraReverseProxyGenConfigPerVirtualHostname should be set to TRUE in both the server config and the global config.
 zmprov gs `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname
 zmprov gacf zimbraReverseProxyGenConfigPerVirtualHostname

Use these commands to set it to TRUE.

 zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
 zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE

Re-write and restart Proxy

  • Restart the proxy so that the changes are written to the proxy config:
 zmproxyctl restart
  • Once the restart is successful, access the domain over https using the URL set in "zimbraVirtualHostName" and check the certificate loaded in the browser. In this case the URL is https://mail.example.com

Testing

Run these commands locally on the Zimbra server to check that the correct domain cert is offered when the domain is accessed via its "zimbraVirtualHostName" or "zimbraVirtualIPAddress":

 openssl s_client -connect mail.example.com:443
 openssl s_client -connect 1.2.3.4:443

Troubleshooting

  • If you do not see the domain cert when accessing the domain via its zimbraVirtualHostName (mail.example.com), make sure the https connection from the Internet/intranet reaches the server's local IP address defined in zimbraVirtualIPAddress.
  • If the proxy startup gives the following error, it usually means the certificates in /opt/zimbra/conf/domaincerts/example.com.crt are in the wrong order (or the key does not belong to the certificate). The server certificate must come first, followed by the intermediate and root certs. Fix the order and restart the proxy.
 Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/example.com.key") failed (SSL: error:0B080074:x509 certificate 
 routines:X509_check_private_key:key values mismatch)
  • If you are using multiple proxy servers or adding new proxy servers, make sure you copy all the contents of /opt/zimbra/conf/domaincerts/ to every proxy server. Otherwise the proxy service will fail to start. The directory contains private keys, so copy it over an authenticated channel (e.g. scp as the zimbra user) and preserve the file ownership and permissions.
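The following script is an added example for this page, not Zimbra's own code and not part of the original article. It covers the "Verifying and Preparing the Certificates" steps and the key-mismatch error above in one place: it builds a throwaway root -> intermediate -> leaf chain locally with openssl (a constructed test CA, not a real one), assembles example.com_ca.crt and example.com.bundle in the order the proxy expects, and performs the checks behind "zmcertmgr verifycrt" with plain openssl, including a bundle-order check that rejects a root-first bundle. The file names follow the /tmp/example.com listing above and the host name is the page's zimbraVirtualHostName, mail.example.com.

```shell
#!/bin/sh
# Added example (not part of the Zimbra wiki page): constructed test PKI plus
# the checks a per-domain bundle must pass before zmdomaincertmgr savecrt.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI. Every certificate gets explicit extensions so the
# result does not depend on the defaults in the local openssl.cnf.
gen_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.com\n' > leaf.ext

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Root CA" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.crt >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout intermediate.key -out intermediate.csr >/dev/null 2>&1
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out intermediate.crt >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.com" \
        -keyout example.com.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out example.com.crt >/dev/null 2>&1
}

# 0 when the certificate's public key equals the private key's public key.
# nginx reports a failure of this check as "X509_check_private_key:key values
# mismatch" at proxy start (see Troubleshooting).
key_matches_cert() {  # key cert
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Chain file: intermediate(s) first, root last; ">" so a rerun does not
# append duplicates. Arguments are the chain certs in leaf-to-root order.
build_ca_file() {  # out chain...
    out=$1; shift
    cat "$@" > "$out"
}

# 0 when the chain file completes the trust path for the server certificate.
chain_verifies() {  # ca_file cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 when the bundle starts with the certificate for the given host name and
# every following certificate is the issuer of the one before it.
bundle_in_order() {  # bundle hostname
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1; want=""
    while [ "$i" -le "$n" ]; do
        pem=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$1")
        subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^subject= *//')
        issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
        if [ "$i" -eq 1 ]; then
            case "$subject" in *"$2"*) ;; *) return 1 ;; esac
        elif [ "$subject" != "$want" ]; then
            return 1
        fi
        want=$issuer
        i=$((i + 1))
    done
    [ "$n" -gt 0 ]
}

run_checks() {
    gen_test_pki
    build_ca_file example.com_ca.crt intermediate.crt root.crt
    cat example.com.crt example.com_ca.crt > example.com.bundle
    # The layout the proxy must not get: root first. This is what produces
    # the key-mismatch error, and the order check has to reject it.
    cat root.crt intermediate.crt example.com.crt > wrong.bundle

    key_matches_cert example.com.key example.com.crt || { echo "key/cert mismatch"; return 1; }
    chain_verifies example.com_ca.crt example.com.crt || { echo "chain incomplete"; return 1; }
    bundle_in_order example.com.bundle mail.example.com || { echo "bundle out of order"; return 1; }
    if bundle_in_order wrong.bundle mail.example.com; then echo "order check missed root-first bundle"; return 1; fi
    echo "example.com.bundle ready in $WORK"
}

run_checks
```

To use the checks against real CA material, skip gen_test_pki, point the functions at the files in /tmp/example.com, and only then run zmdomaincertmgr savecrt with the resulting bundle; the generated keys and certificates here are throwaway and must never be deployed.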



Verified Against: ZCS 7.0 Date Created: 01/15/2014
Article ID: https://wiki.zimbra.com/index.php?title=SSL_certificates_per_domain Date Modified: 2015-07-11
