
Thread: Zimbra 7.0 OS Domain SSL Problem

  1. #1
    HoLe (Starter Member), joined Feb 2011

    Zimbra 7.0 OS Domain SSL Problem

    I have installed Zimbra 7.0 Open Source edition for Ubuntu 10.4 LTS (64-bit).

    I created domain private key and certificate for my primary domain using StartSSL. I used this article to install the certification to my zimbra server (like mail.myprimarydomain.com).

    It worked fine, and my primary domain is successfully using SSL.

    Then I created another domain, and tried to install another StartSSL certificate to it using the web GUI, but without success. I have also created a virtual host (like mail.mysecondarydomain.com) for my secondary domain.

    I pasted my Domain Certificate + ca_bundle.crt (like commercial.crt in /opt/zimbra/ssl/zimbra/commercial/, but with my secondary domain certificate) and Domain Private Key into their text boxes.

    No errors, but when I restart my Zimbra using zmcontrol stop; zmcontrol start I get an error from imapproxy:

    Starting nginx...nginx: [emerg] SSL_CTX_use_certificate_chain_file("/opt/zimbra/conf/domaincerts/mysecondarydomain.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib)
    failed.

    I created mysecondarydomain.com.crt using my certificate and ca_bundle.crt.

    After that I restarted the server and got another error:

    Starting nginx...nginx: [emerg] SSL_CTX_use_PrivateKey_file("/opt/zimbra/conf/domaincerts/mysecondarydomain.com.key") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
    failed.

    I created mysecondarydomain.com.key using my secondary domain's private key.

    After that the server restarted without errors, but when I go to https://mail.mysecondarydomain.com I get a certificate warning, saying my secondary domain is using my primary domain's certificate. Login works without @mysecondarydomain.com, so the virtual host is working.

    If I have understood correctly, I should be able to use another SSL certificate for another domain. But I'm unable to get it working correctly.
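    The two nginx errors in this post come from the proxy opening /opt/zimbra/conf/domaincerts/<domain>.crt and <domain>.key at startup, and the browser warning afterwards means the leaf certificate in that file does not cover the virtual host name. The POSIX shell pre-flight check below is an added example, not part of the thread or of Zimbra's own tooling; the function name, the DOMAINCERTS override and the exit codes are assumptions, and only openssl is required.

```sh
#!/bin/sh
# Example pre-flight check for a Zimbra per-domain certificate pair (added
# here, not Zimbra's own tooling). Assumes the layout the nginx errors show:
# /opt/zimbra/conf/domaincerts/<domain>.crt and <domain>.key.
# DOMAINCERTS is an assumed override so the check can run against a test dir.
DOMAINCERTS="${DOMAINCERTS:-/opt/zimbra/conf/domaincerts}"

# check_domain_cert DOMAIN VIRTUALHOST
# Returns 0 when the .crt/.key pair exists, the key matches the certificate,
# the first (leaf) certificate in the file covers VIRTUALHOST, and the
# certificate is valid for at least another day. Prints the first failure.
check_domain_cert() {
    domain="$1"; vhost="$2"
    crt="$DOMAINCERTS/$domain.crt"
    key="$DOMAINCERTS/$domain.key"

    # 1. Both files nginx opens at startup must exist and be readable.
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: missing or unreadable $f"; return 1; }
    done

    # 2. openssl x509 reads only the first PEM block, which is the one nginx
    #    treats as the leaf; the CA bundle must be appended after it.
    openssl x509 -in "$crt" -noout 2>/dev/null \
        || { echo "FAIL: first PEM block in $crt is not a certificate"; return 2; }

    # 3. The private key must belong to that leaf. Comparing the derived
    #    public keys works for RSA and EC keys alike.
    pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    pub_from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_crt" = "$pub_from_key" ] \
        || { echo "FAIL: $key does not match $crt"; return 3; }

    # 4. The leaf must cover the zimbraVirtualHostName (SAN, or CN if there
    #    is no SAN); otherwise clients still get a certificate warning.
    openssl x509 -in "$crt" -noout -checkhost "$vhost" 2>/dev/null \
        | grep -q 'does match' \
        || { echo "FAIL: $crt does not cover $vhost"; return 4; }

    # 5. Refuse a certificate that expires within the next 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "FAIL: $crt expires within 24 hours"; return 5; }

    echo "OK: $domain -> $vhost"
    return 0
}

# Usage: sh check_domain_cert.sh mysecondarydomain.com mail.mysecondarydomain.com
if [ $# -eq 2 ]; then check_domain_cert "$1" "$2"; fi
```

Run it as the zimbra user before `zmcontrol start`, once per domain that has a zimbraVirtualHostName.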

  2. #2
    firemike (Active Member, Germany), joined Apr 2010


    In ZCS_7.0 AdminGuideOS.book (pp. 72-73) you can read about multi SSL cert installation:
    Installing a SSL Certificate for a Domain

    An SSL certificate can be installed for each domain on a ZCS server. Zimbra
    Proxy must be installed on ZCS and correctly configured to support multiple
    domains. For each domain, a virtual host name and Virtual IP address are
    configured with the virtual domain name and IP address.

    Each domain must be issued a signed commercial certificate that attests that
    the public key contained in the certificate belongs to that domain.
    To install the SSL Certificate for a Domain:

    1. Configure the Zimbra Proxy Virtual Host Name and IP Address. Type
    zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}

    Note: The virtual domain name requires a valid DNS configuration with an
    A record.

    2. Go to the administration console and edit the domain. Copy the domain's
    issued signed commercial certificate's and private key files to the
    Domain>Certificate tab.
    Ok -
    a) certs are installed correctly into the adminConsole
    b) DNS-config done
    c) zimbraProxy is installed
    d) $ zmprov md my-sec-domain.com +zimbraVirtualHostName zimbra.my-sec-domain.com +zimbraVirtualIPAddress 192.168.101.10

    Result:
    Same as HoLe above. When I go to https://zimbra.my-sec-domain.com I can log in, but I get a cert warning before.

    If someone has got this very useful multi-SSL-tool working, please post here a small howto for us.

    Thanks
    mike

  3. #3
    HoLe (Starter Member), joined Feb 2011


    Does anyone know, how to get multi SSL working?

  4. #4
    ZaphodBB (New Member), joined Apr 2011

    Bump for posterity

    Quote (originally posted by HoLe):
        Does anyone know, how to get multi SSL working?

    Ditto, any known fixes for this?

    Thanks!

  5. #5
    cyboreal (New Member), joined Apr 2011

    Can someone post the solution to this problem?

    Same problem here: logging in to the secure "domain" (e.g. https://mail.domain.com) uses the "server" certificate (e.g. mail.server.com), though we have configured the system (Zimbra 7.1 OSE) with a valid domain cert (GoDaddy + bundle) and provisioned the system as instructed with

    Code:
    zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}

    Any ideas how to get the server to send the domain's cert when we access the domain?

  6. #6
    firemike (Active Member, Germany), joined Apr 2010


    Here you get a small HOWTO for getting the new multi-SSL feature running on ZCS 7.0.
    We figured out these steps for our machine,
    so be careful and test on your own machine before going into production.

    http://wiki.zimbra.com/wiki/Multi_Do..._Certs_-_HOWTO

    Hope that helps
    Mike
    Last edited by firemike; 11-20-2011 at 11:49 AM. Reason: HOWTO now in zimbraWiki

  7. #7
    cyboreal (New Member), joined Apr 2011

    Thank you!

    This works! The browser now shows the correct cert with no warnings when logging in on server.addondomain1.com.

    There is one glitch that I haven't been able to resolve yet: I am connecting to the SMTP server at server.addondomain1.com on port 465 SSL using Thunderbird to send email but it is still using the certificate for server.basedomain.com. Receiving mail uses the correct certificate. I can verify this using

    Code:
    openssl s_client -crlf -connect 1.2.3.4:465

    How do I configure Zimbra to use the correct certificate on server.addondomain1.com on port 465 for secure SMTP?

    Thanks!

  8. #8
    xavierc (Starter Member), joined Jul 2011


    Excellent work explaining how it works, firemike!

    Can anyone do this for SMTP?

    Thanks
