SSL certificates per domain
|This article applies to the following ZCS versions.
This document explains how to add per domain cert on a ZCS running 7.x version.
Until ZCS 6.x, per domain ssl certificate or multiple ssl certificates on a single ZCS was not supported. RFE #8128. From ZCS 7.x, the feature is been added.
In this example, I am adding a new domain called example.com and deploying a new certificate for example.com.
220.127.116.11 => example.com 18.104.22.168 => otherdomain.com 22.214.171.124 => yetanotherdomain.com
Configure Zimbra Proxy Server
1. Make sure Zimbra proxy service is configured correctly and serving https. If not, configure proxy now, run following as zimbra. It will set "zimbraReverseProxyMailMode" to both.
su - zimbra /opt/zimbra/libexec/zmproxyconfig -m -w -e -x both -H `zmhostname`
2. Restart proxy service
zmproxyctl stop;zmproxyctrl start
Configuring IP address and domain
1. Add a new ipv4 address to the server which will pair to name example.com (via the example virtual hostname mail.example.com). You can do it using IP address aliasing. For example, the new address can be assigned to eth0:1 device. Lets consider the new ipv4 address is 126.96.36.199 which should be an A record for mail.example.com. The IP address could be public (if server is on Internet) or internal (if the server is behind firewall/NAT'ed).
2. Add the new domain example.com. Set zimbraVirtualHostName to mail.example.com and zimbraVirtualIPAddress to 188.8.131.52. Make sure the zimbraVirtualHostName is set to the name which will be used to access the domain (URL) and the SSL certificate is signed for same name.
zmprov cd example.com zimbraVirtualHostName "mail.example.com" zimbraVirtualIPAddress "184.108.40.206"
NOTE: If the server is behind firewall and NAT'ed with external address, make sure the external requests for "mail.example.com" hits the aliased IP address and not the actual local IP of server.
Verifying and Preparing the Certificates
We have three files received from the CA. The server (domain) certificate, two chain certs. And we have existing key file (which was used to generate the csr)
1. Save the example.com certificate, key and chain files to a directory /tmp/example.com. You can receive single or multiple chain certs from your CA. Here we have two chain certs from the CA. i.e. example.com.root.crt and example.com.intermediate.crt.
ls /tmp/example.com example.com.key example.com.crt example.com.root.crt example.com.intermediate.crt
2. Add the chain certs to a single file called example.com_ca.crt
cat example.com.root.crt example.com.intermediate.crt >> example.com_ca.crt
3. Confirm if the key and certificate matches and chain certs completes the trust.
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt
** Verifying example.com.crt against example.com.key Certificate (example.com.crt) and private key (example.com.key) match. Valid Certificate: example.com.crt: OK
Deploying the Certificate on domain
1. Add the domain certificate and chain files to a single file called example.com.bundle
cat example.com.crt example.com_ca.crt >> example.com.bundle
2. Run following to save the certificates and key in ldap database.
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
/opt/zimbra/libexec/zmdomaincertmgr savecrt <domainname> <certificate with chain certs> <keyfile>
3. Run following to deploy the domain certificate. This will save the certificate and key as /opt/zimbra/conf/domaincerts/example.com
4. Make sure the example.com is resolving to its local IP address from Zimbra host. Or make an similar entry in /etc/hosts file.
5. Restart proxy service to take the changes in effect.
zmproxyctl stop; zmproxyctl start
6. Once the restart is successfull, try to access the domain using the URL which is set in "zimbraVirtualHostName" over https. And check the certificate loaded in the browser. In this case the URL will be https://example.com
Run this command locally on zimbra server to check if the correct domain cert is offered while accessing the domain with "zimbraVirtualHostName" or "zimbraVirtualIPAddress"
openssl s_client -connect example.com:443
openssl s_client -connect 220.127.116.11:443
Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)