I'm trialling 7.1.3 NE to determine if it will meet my needs.
My intention is to implement a server for hosting multiple customer domains. Each customer domain will have its own ssl certificate covering multiple virtual hostnames (public, webmail, mobile etc.). For security reasons, all http must be redirected to https. Similarly imap to imaps, pop3 to pop3s.
Following various forum & wiki posts I've managed to get a commercial domain certificate installed using the cli commands. The certificate is for multiple hostnames on the same domain using subject alt names, with the intention of validating the public service hostname and a few virtual domains. FWIW, the server and the domain of the commercial certificate do not share the same ip address.
As it currently stands, the commercial certificate is correctly presented when connecting on one of the virtual domains and the public service hostname, but when connecting on a second virtual domain, the server's self signed cert is presented.
Zimbra-proxy is installed and both web server mode and proxy server mode were configured to redirect.
Further clarification through the use of named examples:
server hostname: server.domain.com (self signed cert, fine for mta, ldap etc.)
server ip: 1.2.3.4
domain: customerdomain.com
public service hostname: public.customerdomain.com (commercial cert is presented - ok)
virtual host: webmail.customerdomain.com (commercial cert is presented - ok)
virtual host: mobile.customerdomain.com (self signed server.domain.com cert presented - not ok)
public.customerdomain.com ip 1.2.3.5
webmail.customerdomain.com ip 1.2.3.5
mobile.customerdomain.com ip 1.2.3.5
Both virtual domains were configured as per the admin guide instructions:
zmprov md customerdomain.com +zimbraVirtualHostName "webmail.customerdomain.com" +zimbraVirtualIPAddress "1.2.3.5"
zmprov md customerdomain.com +zimbraVirtualHostName "mobile.customerdomain.com" +zimbraVirtualIPAddress "1.2.3.5"
I didn't do this for public.customerdomain.com but that doesn't seem to matter as it works anyway.
The certificate's subject CN is webmail.customerdomain.com
The certificate's subject alt names are: webmail.customerdomain.com, www.webmail.customerdomain.com, mobile.customerdomain.com, public.customerdomain.com, in that order.
Anyone have any ideas what's going on here?
If it only worked for the webmail virtual hostname, I'd suspect that each virtual hostname should be on its own IP, but because it works for both the webmail and public names on the same IP it's confusing.
I'm not sure if it's partly working by pure chance, or if I've configured something incorrectly. Searching the NE admin guide, these forums and the wiki, I'm not finding a solution.
I need to get this ssl configuration aspect clearly understood and working before I can commit to purchasing the product. Which raises another point. Is there more detailed documentation available for this product once you buy into it, or is the NE admin guide the extent of the documentation available?
Thanks for your time.
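A diagnostic for the symptom described in the post above, added here as an example and not taken from the post or from Zimbra: it asks one IP for a certificate once per hostname, sending each name as SNI, and groups the names by the certificate fingerprint they receive. The function names and the SAMPLE data are assumptions made for this example; the hostnames and IP are the placeholders from the post.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

# Placeholder values from the post; SAMPLE bytes are constructed stand-ins
# for DER certificates that reproduce the reported symptom offline.
IP = "1.2.3.5"
REFERENCE = "webmail.customerdomain.com"
SAMPLE = {
    "public.customerdomain.com": b"constructed-commercial-cert",
    "webmail.customerdomain.com": b"constructed-commercial-cert",
    "mobile.customerdomain.com": b"constructed-self-signed-cert",
}

def fetch_der(ip, sni_name, port=443, timeout=5.0):
    """Return the leaf certificate (DER) the listener presents for sni_name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be turned off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # we want to see self-signed certs too
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)

def probe(ip, names, port=443):
    """Live check: same IP and port, one handshake per SNI name."""
    return {name: fetch_der(ip, name, port) for name in names}

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def group_by_cert(der_by_name):
    """Map fingerprint -> sorted names that were served that certificate."""
    groups = defaultdict(list)
    for name, der in der_by_name.items():
        groups[fingerprint(der)].append(name)
    return {fp: sorted(names) for fp, names in groups.items()}

def odd_names_out(der_by_name, reference_name):
    """Names whose certificate differs from the one served for reference_name."""
    ref = fingerprint(der_by_name[reference_name])
    return sorted(n for n, d in der_by_name.items() if fingerprint(d) != ref)

if __name__ == "__main__":
    certs = SAMPLE  # for a live run: probe(IP, list(SAMPLE)), port 993/995 for imaps/pop3s
    for fp, names in group_by_cert(certs).items():
        print(fp[:16], names)
    print("differs from", REFERENCE, "->", odd_names_out(certs, REFERENCE))
```

Running the live probe on both the shared IP and the server's own IP shows whether the listener's choice of certificate follows the requested name or the address connected to.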