  #1 (permalink)  
Old 02-16-2011, 02:40 PM
Starter Member
 
Posts: 2
Default Zimbra 7.0 OS Domain SSL Problem

I have installed Zimbra 7.0 Open Source edition for Ubuntu 10.4 LTS (64bit).

I created a domain private key and certificate for my primary domain using StartSSL. I used this article to install the certificate on my Zimbra server (like mail.myprimarydomain.com).

It worked fine, and my primary domain is successfully using SSL.

Then I created another domain, and tried to install another StartSSL certificate for it using the web GUI, but without success. I have also created a virtual host (like mail.mysecondarydomain.com) for my secondary domain.

I pasted my Domain Certificate + ca_bundle.crt (like commercial.crt in /opt/zimbra/ssl/zimbra/commercial/ , but with mysecondary domain certificate) and Domain Private Key to their textboxes.

No errors, but when I restart my Zimbra using zmcontrol stop; zmcontrol start I get an error from imapproxy:

Starting nginx...nginx: [emerg] SSL_CTX_use_certificate_chain_file("/opt/zimbra/conf/domaincerts/mysecondarydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib)
failed.

I created mysecondarydomain.com.crt using my certificate and ca_bundle.crt.

After that I restarted the server and got another error:

Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/mysecondarydomain.com.key") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
failed.

I created mysecondarydomain.com.key using my secondary domain's private key.

After that the server restarted without errors, but when I go to https://mail.mysecondarydomain.com I get a certificate warning, saying my secondary domain is using my primary domain's certificate. Login works without @mysecondarydomain.com, so the virtual host is working.

If I have understood correctly, I should be able to use another SSL certificate for another domain. But I'm unable to get it working correctly.
  #2 (permalink)  
Old 02-17-2011, 12:19 AM
Active Member
 
Posts: 26
Default

In ZCS_7.0 AdminGuideOS.book (p72,73) you can read about multi SSL cert installation:
Quote:
Installing a SSL Certificate for a Domain

An SSL certificate can be installed for each domain on a ZCS server. Zimbra
Proxy must be installed on ZCS and correctly configured to support multiple
domains. For each domain, a virtual host name and Virtual IP address are
configured with the virtual domain name and IP address.

Each domain must be issued a signed commercial certificate that attests that
the public key contained in the certificate belongs to that domain.
To install the SSL Certificate for a Domain:

1. Configure the Zimbra Proxy Virtual Host Name and IP Address. Type
zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}

Note: The virtual domain name requires a valid DNS configuration with an
A record.

2. Go to the administration console and edit the domain. Copy the domain’s
issued signed commercial certificate’s and private key files to the
Domain>Certificate tab.

Ok -
a) certs are installed correctly into the adminConsole
b) DNS-config done
c) zimbraProxy is installed
d) $ zmprov md my-sec-domain.com +zimbraVirtualHostName zimbra.my-sec-domain.com +zimbraVirtualIPAddress 192.168.101.10

Result:
Same as HoLe above. When I go to https://zimbra.my-sec-domain.com I can log in, but I get a cert warning before.

If someone has got this very useful multi-SSL-tool working, please post here a small howto for us.

Thanks
mike
  #3 (permalink)  
Old 02-20-2011, 12:07 PM
Starter Member
 
Posts: 2
Default

Does anyone know, how to get multi SSL working?
  #4 (permalink)  
Old 04-08-2011, 07:52 AM
New Member
 
Posts: 3
Default Bump for posterity

Quote:
Originally Posted by HoLe
Does anyone know, how to get multi SSL working?

Ditto, and known fixes for this?

Thanks!
  #5 (permalink)  
Old 04-08-2011, 07:53 AM
New Member
 
Posts: 4
Default Can someone post the solution to this problem?

Same problem here: logging in to the secure "domain" (e.g. https://mail.domain.com) uses the "server" certificate (e.g. mail.server.com), though we have configured the system (Zimbra 7.1 OSE) with a valid domain cert (GoDaddy + bundle) and provisioned the system as instructed with

Code:
zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}
Any ideas how to get the server to send the domain's cert when we access the domain?
  #6 (permalink)  
Old 04-10-2011, 10:06 AM
Active Member
 
Posts: 26
Default

Here is a small HOWTO for getting the new multi-SSL feature running on ZCS 7.0.
We figured out these steps for our machine.
So be careful and test on your own machine before going into production.

http://wiki.zimbra.com/wiki/Multi_Do..._Certs_-_HOWTO

Hope that helps
Mike

Last edited by firemike; 11-20-2011 at 10:49 AM.. Reason: HOWTO now in zimbraWiki
  #7 (permalink)  
Old 04-13-2011, 11:19 AM
New Member
 
Posts: 4
Default Thank you!

This works! The browser now shows the correct cert with no warnings when logging in on server.addondomain1.com.

There is one glitch that I haven't been able to resolve yet: I am connecting to the SMTP server at server.addondomain1.com on port 465 SSL using Thunderbird to send email but it is still using the certificate for server.basedomain.com. Receiving mail uses the correct certificate. I can verify this using

Code:
openssl s_client -crlf -connect 1.2.3.4:465
How do I configure Zimbra to use the correct certificate on server.addondomain1.com on port 465 for secure SMTP?

Thanks!
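
The checks this thread turns on, as an added example that is not from any poster or from Zimbra: whether a hand-created .crt/.key pair under /opt/zimbra/conf/domaincerts/ belongs together and covers the virtual host name, and whether the certificate a listener serves is valid for the name clients use. It assumes the openssl command-line tool is installed; the function names are hypothetical and the demo pair is constructed.

```shell
#!/bin/sh
# Added example: checks for the per-domain files the thread places in
# /opt/zimbra/conf/domaincerts/ and for the certificate a listener serves.
# Function names are hypothetical; only standard openssl subcommands are used.

# True when the private key belongs to the first certificate in the file.
# For a "domain cert + ca_bundle" chain file the first certificate is the leaf.
key_matches_cert() {  # usage: key_matches_cert <crt> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for the given virtual host name.
cert_covers_host() {  # usage: cert_covers_host <crt> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Fetch the certificate a listener presents (implicit TLS, e.g. 443 or 465)
# and test it against the name clients will use. Needs network access.
served_cert_covers_host() {  # usage: served_cert_covers_host <ip:port> <hostname>
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$tmp" 2>/dev/null
    cert_covers_host "$tmp" "$2"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: a throwaway self-signed pair for offline testing.
make_demo_pair() {  # usage: make_demo_pair <dir> <hostname>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

On a live server, `served_cert_covers_host 1.2.3.4:465 server.addondomain1.com` applies the same check to the listener queried with `openssl s_client` in post #7.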
  #8 (permalink)  
Old 07-12-2011, 01:53 PM
Starter Member
 
Posts: 2
Default

Excellent work explaining how this works, firemike!

Can anyone do this for SMTP?

Thanks