
Thread: SSL Certs per Domain

  1. #1
    rbreck

    SSL Certs per Domain

    Hi,

    I have a question about adding a second SSL certificate to our stand-alone ZCS NE 7.1.4.

    In the how-to here: SSL certificates per domain - Zimbra :: Wiki, it looks pretty straightforward.

    However, it mentions needing the proxy server -- everything I've read in the forums says not to use the proxy server if you have a one-server install. Can anyone with experience with such things comment on this catch-22?

    Also wondering if there is a document out there regarding adding the 2nd IP that would be required for the 2nd cert. Is it just as easy as adding it to the underlying OS (CentOS 6.2) and /etc/hosts, or do I need to add it in Zimbra somewhere else too?

    Thanks so much!!

  2. #2
    jakekatz

    From my understanding, serving up different SSLs on the same IP/port number is not supported, but it does work with untrusted warnings.

    When Zimbra proxy is enabled, I 'think' Zimbra runs other instances (under different domain-names) of the web serving software on different ports to get around this, then Zimbra Proxy does redirection (I imagine name based or IP based) to that different port to serve up the SSL cert.

    I'm still very novice at name-based SSL certificates, so PLEASE, don't take this as fact, but it's my understanding of it all...

    I plan to enable Proxy and try this in the coming weeks. I have two domain names pointing to the one server. Right now I have Apache running on a separate container for the name-based SSL & redirection (I've been doing it this way since Zimbra 5.x; just lazy and have not changed anything since, LOL).

    But I want to try this new Zimbra 7.x feature for this to try and avoid the 'untrusted' warnings in browsers.

    EDIT: Late versions of Apache support SNI; I wonder if this was compiled into Zimbra?

  3. #3
    rbreck

    Originally posted by jakekatz:
        From my understanding, serving up different SSLs on the same IP/port number is not supported, but it does work with untrusted warnings.

        When Zimbra proxy is enabled, I 'think' Zimbra runs other instances (under different domain-names) of the web serving software on different ports to get around this, then Zimbra Proxy does redirection (I imagine name based or IP based) to that different port to serve up the SSL cert.

    Yes, this is my understanding too - pretty standard rule as far as web serving goes. My concern/question is that everything I've read says not to use the proxy server component if it's a single-server setup. Does this mean we ought to set up a multi-server environment in order to use the proxy server, in order to have multiple SSL certs/IPs?

    R

  4. #4
    jakekatz

    I have one Zimbra instance running as a proxy. And it works just fine. I tested, sent/received etc. from that instance, zero issues. I then installed another instance on another box/HW. Then did the required config on the mailbox server, and the proxy to forward email destined for it on the proxy. Again, zero issues.

    So, I would think running the proxy option to gain the benefit of name based SSL certificates would work.

    I'm hoping to have time this weekend to try this out (SSL Certs per hostname).

    Originally posted by rbreck:
        Yes, this is my understanding too - pretty standard rule as far as web serving goes. My concern/question is that everything I've read says not to use the proxy server component if it's a single-server setup. Does this mean we ought to set up a multi-server environment in order to use the proxy server, in order to have multiple SSL certs/IPs?

        R
