SSL Certs per Domain
I have a question about adding a second SSL certificate to our stand-alone ZCS NE 7.1.4.
In the how-to here: SSL certificates per domain - Zimbra :: Wiki, it looks pretty straightforward.
However, it mentions needing the proxy server -- everything I've read in the forums says not to use the proxy server if you have a one-server install. Can anyone with experience with such things comment on this catch-22?
Also wondering if there is a document out there regarding adding the 2nd IP that would be required for the 2nd cert. Is it just as easy as adding it to the underlying OS (CentOS 6.2) and /etc/hosts, or do I need to add it in Zimbra somewhere else too?
Thanks so much!!
From my understanding, serving up different SSLs on the same IP/port number is not supported, but it does work with untrusted warnings.
When Zimbra proxy is enabled, I 'think' Zimbra runs other instances (under different domain-names) of the web serving software on different ports to get around this, then Zimbra Proxy does redirection (I imagine name based or IP based) to that different port to serve up the SSL cert.
I'm still very much a novice at SSL name-based certificates, so PLEASE, don't take this as fact, but it's my understanding of it all...
I plan to enable Proxy and try this in the coming weeks. I have two domain names pointing to the one server. Right now I have Apache running on a separate container for the name-based SSL & redirection (I've been doing it this way since Zimbra 5.x, just lazy and not changed anything since LOL).
But I want to try this new Zimbra 7.x feature for this to try and avoid the 'untrusted' warnings in browsers.
EDIT: Late versions of Apache support SNI; I wonder if this was compiled into Zimbra?
Yes, this is my understanding too - pretty standard rule as far as web serving goes. My concern/question is that everything I've read says not to use the proxy server component if it's a single-server setup. Does this mean we ought to set up a multi-server environment in order to use the proxy server, in order to have multiple SSL certs/IPs?
Originally Posted by jakekatz
I have one Zimbra instance running as a proxy. And it works just fine. I tested, sent/received etc. from that instance, zero issues. I then installed another instance on another box/HW. Then did the required config on the mailbox server, and the proxy to forward email destined for it on the proxy. Again, zero issues.
So, I would think running the proxy option to gain the benefit of name based SSL certificates would work.
I'm hoping to have time this weekend to try this out (SSL Certs per hostname).