#1 06-11-2007, 05:09 AM
Active Member
Posts: 38
https ???

Hi,
I have 4.5.5_GA_838.RHEL4_20070518071230 RHEL4 NETWORK edition running and I can access the web admin interface at port 7071 with https and the user web interface with http at port 7070 and at port 80 (using the Zimbra with Apache using mod jk - ZimbraWiki).

I would like to access the user web interface over https.
I did
su - zimbra
zmtlsctl https
tomcat restart

but then if I try to connect to the server (https://mailserver.domain.example) I get an error message, and nothing is loaded.

with
zmprov -l gs mailserver.domain.example
I saw that zimbraMailMode: https -> OK

the one thing that I have found strange is that in /opt/zimbra/tomcat/conf/server.xml
"user services connector, SSL" and "admin services connector; requires SSL"
are both on port 7071, is this normal?

I have tried to edit this file and change the user services connector, SSL to 443 but as soon as I restart tomcat the value is changed back to 7071.

with zmprov -l gs mailserver.domain.example
I see that:
zimbraAdminPort: 7071
zimbraMailPort: 7070
zimbraMailSSLPort: 7071

is this the reason for the "strange" setting in /opt/zimbra/tomcat/conf/server.xml?
should I change zimbraMailSSLPort to 443 to make it work properly over https?
how?

any ideas? please help I am pretty much in a hurry to get this to work.

#2 06-11-2007, 08:55 AM
Moderator
Posts: 6,236

Try this (alternate to zmtlsctl)
Quote:
su zimbra
zmprov ms myserver.domain.com zimbraMailPort (port#) zimbraMailSSLPort (SSL#)
tomcat stop
tomcat start

#3 06-11-2007, 10:48 AM
Senior Member
Posts: 68

If all you want is to redirect http so it uses https my solution is:

HTTP to redirect to HTTPS

I use 'mixed' for zmtlsctl.

#4 06-12-2007, 06:47 AM
Active Member
Posts: 38
https work but how to get it to port 443 (server has Apache too)

Hi,

So I have managed to get Zimbra to work over https. As I had supposed, I had a conflict of ports: both zimbraMailSSLPort and zimbraAdminPort were running on the same port.

%%%%% HTTPS ACCESS OVER PORT 7443 %%%%%%%%%
What I did:

zmprov ms my_server.domane.example zimbraMailSSLPort 7443
zmtlsctl https
tomcat restart

so now I have my zimbra user web under
https://my_server.domane.example:7443

I would like to have it running under the usual 443 https port. The problem is that Apache and Jahia also run on the Zimbra server.

%%%%% HTTP ACCESS OVER PORT 80 %%%%%%%%%

To get the http mode to run on port 80 I have used mod_jk by following Zimbra with Apache using mod jk - ZimbraWiki

the only difference in my setup is that instead of creating an extra /etc/httpd/conf.d/tomcat.conf file

I have added the following settings into the /etc/httpd/conf/httpd.conf file:


# Load mod_jk module
# Update this path to match your modules location
LoadModule jk_module modules/mod_jk.so
# Declare the module for <IfModule directive> (remove this line on Apache 2.x)
# AddModule mod_jk.c

# Where to find workers.properties
# Update this path to match your conf directory location (put workers.properties next to httpd.conf)
JkWorkersFile /etc/httpd/conf/workers.properties

# Where to put jk logs
# Update this path to match your logs directory location (put mod_jk.log next to access_log)
JkLogFile /etc/httpd/logs/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "

# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories

# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"


<VirtualHost *>
ServerAdmin netmaster@domain.example
ServerName server.domain.example
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog logs/server_rewrite.log
RewriteLogLevel 0
RewriteRule ^/$ http://server.domain.example/zimbra
</IfModule>
# JkMount /*.* zimbraworker
JkMount /zimbra zimbraworker
JkMount /zimbra/ zimbraworker
JkMount /zimbra/* zimbraworker
JkMount /service zimbraworker
JkMount /service/ zimbraworker
JkMount /service/* zimbraworker
JkMount /zimbraAdmin zimbraworker
JkMount /zimbraAdmin/ zimbraworker
JkMount /zimbraAdmin/* zimbraworker
# JkMount /*.ico zimbraworker
JkMount //zimbra zimbraworker
ErrorLog logs/server.domain.example-error_log
CustomLog logs/server.domain.example-access_log common
</VirtualHost>


%%%%% HTTPS ACCESS OVER PORT 443 %%%%%%%%%

Now I want to access my mails with ssl on port 443.
And here I have problems.

First of all I switch the zimbraMailMode to https. At this point since zimbraMailSSLPort=7443

I can access zimbra on port 7443.

But how to access it on 443??????

I had thought that the steps done for port 80 would be enough for 443 but it does not work!

What should I do? The problem is that I am not sure whether ssl is enabled on my Apache or not. I see that an httpd is listening on port 443 but I do not know where it comes from.

Could you tell me step by step what I should do, including how to find out who is using port 443 and what I should do to let Apache use ssl to connect to Zimbra?

#5 07-19-2007, 05:05 PM
Senior Member
Posts: 68

You'll want someone from Zimbra to confirm this but it looks like you have set zimbraMailSSLPort 7443. I think this means 443 will still have HTTPS running but it won't have anything to do as you are using 7443 for mail.

To me it seems that you are going to skip over 443 unless you configure the other Zimbra applets to use 443. And I don't think Zimbra will spend the time on this as I'd assume the things you are doing would be classified as an unsupported configuration. They may be able to give you some help but I wouldn't bet on it.

#6 07-20-2007, 08:42 AM
Active Member
Posts: 38
https solved

Hi,

I solved my problem a while ago but I had no time to post the solution.

In summary: I have Zimbra and Apache running on the same server.
Apache "occupies" the ports 80 for http and 443 for https (I have ssl "running")

zimbraMailSSLPort 7443

My notation refers to a RedHat Enterprise OS.

%%%%% HTTPS ACCESS OVER PORT 443 %%%%%%%%%

Introduction
In Apache (RedHat version) the file /etc/httpd/conf/httpd.conf rules the http (no ssl) web access while the file /etc/httpd/conf.d/ssl.conf rules the https (with ssl) web access.

It is very important, if you want to have some Virtual Hosts running under http AND others running under https, that the settings are as follows:
  • In httpd.conf the NameVirtualHost must be set as:

    NameVirtualHost *:80

    and all the Virtual Hosts must be defined as

    <VirtualHost *:80>
    ………..
    ………..
    </VirtualHost>
  • In ssl.conf the NameVirtualHost must be set as:

    NameVirtualHost *:443

    and all the Virtual Hosts must be defined as

    <VirtualHost *:443>
    ………..
    ………..
    </VirtualHost>

Configuration with mod_jk
  • Add into /etc/httpd/conf.d/ssl.conf the following text (if you did not already load mod_jk into httpd uncomment the first line)

    Code:
    # JK_MODULE
    #the module is already loaded in conf/httpd.conf
    #LoadModule jk_module modules/mod_jk.so
    JkWorkersFile conf/workers.properties
    JkLogFile logs/mod_jk.log
    JkLogLevel info
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
    JkRequestLogFormat "%w %V %T"
    
    NameVirtualHost *:443
    
    <VirtualHost *:443>
    
        ServerAdmin netmaster@domain.example
        ServerName server.domain.example
    
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteLog logs/server_rewrite.log
            RewriteLogLevel 0
            RewriteRule ^/$ https://server.domain.example/zimbra
        </IfModule>
    
        JkMount /zimbra         zimbraworker
        JkMount /zimbra/        zimbraworker
        JkMount /zimbra/*       zimbraworker
        JkMount /service        zimbraworker
        JkMount /service/       zimbraworker
        JkMount /service/*      zimbraworker
        JkMount /zimbraAdmin    zimbraworker
        JkMount /zimbraAdmin/   zimbraworker
        JkMount /zimbraAdmin/*  zimbraworker
        JkMount //zimbra        zimbraworker
    
      ErrorLog logs/ssl_error_log
      TransferLog logs/ssl_access_log
      SSLEngine on
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
      SSLCertificateKeyFile /opt/zimbra/ssl/ssl/server/server.key
      SSLCertificateFile /opt/zimbra/ssl/ssl/server/server.crt
    
    </VirtualHost>
    NOTE: This uses the automatically generated ssl certificate from Zimbra. If you want another certificate you can generate a self signed one or buy one.
  • restart httpd
    Code:
    service httpd restart
  • switch zimbra to https
    Code:
    zmtlsctl https
    tomcat restart

IMPORTANT NOTE: If you plan to use ZimbraMobile and you have such a mixed configuration (Zimbra and Apache running on the same server) you cannot use the mod_jk "trick" to let Apache access Zimbra under standard ports. You should use the proxy "trick" instead.
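
As an added example (not part of the original post), here is a small Python audit of the SSLCipherSuite line in the ssl.conf above. It uses a simplified model of the OpenSSL cipher-string operators that tracks only the SSLv2, EXPORT and LOW classes: ALL selects them, !EXPORT56 removes only the 56-bit export ciphers, and a leading + merely reorders ciphers that are already selected. The function names and the second sample directive are assumptions made for illustration.

```python
import re

# OpenSSL cipher-string keywords that name a whole weak class.
WEAK_ALIASES = {"SSLv2": "SSLv2", "EXP": "EXPORT", "EXPORT": "EXPORT", "LOW": "LOW"}


def weak_classes(cipher_string):
    """Return the weak classes a cipher string leaves enabled (simplified model)."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue  # empty item or an @STRENGTH-style sort command
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):]
        if op == "+":
            continue  # '+' only moves already-selected ciphers to the end
        if op in ("!", "-"):
            cls = WEAK_ALIASES.get(name)  # only an exact class keyword removes the class
            if cls:
                enabled.discard(cls)
                if op == "!":
                    killed.add(cls)  # '!' is permanent, '-' can be re-added later
            continue
        if name == "ALL":
            hit = set(WEAK_ALIASES.values())
        else:
            hit = {WEAK_ALIASES[p] for p in name.split("+") if p in WEAK_ALIASES}
        enabled |= hit - killed
    return sorted(enabled)


def audit_conf(text):
    """Return (line number, cipher string, weak classes) per SSLCipherSuite line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*SSLCipherSuite\s+(\S+)", line, re.IGNORECASE)
        if m:
            findings.append((n, m.group(1), weak_classes(m.group(1))))
    return findings


# Constructed sample: the directive from the post, then a stricter alternative.
SAMPLE = """\
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCipherSuite HIGH:!aNULL:!MD5
"""

if __name__ == "__main__":
    for n, s, weak in audit_conf(SAMPLE):
        print(f"line {n}: {s} -> {weak or 'no tracked weak class enabled'}")
```

Whether SSLv2 is actually negotiated also depends on the SSLProtocol directive, which this check does not read.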

#7 07-20-2007, 12:12 PM
Senior Member
Posts: 68

Now that's a good summary. Thanks, I've learned a little bit about Apache configurations thanks to you.

#8 09-16-2009, 07:47 PM
Junior Member
Posts: 5
Maybe this helps

Check out this web:

MailZimbra - Wikiousli

Cheers


macada