This article is a short how-to on making your Zimbra reachable via
multiple HTTPS domains. This allows your users to reach Zimbra using
different URLs, such as https://mail.zimbra.com and https://mail.zimbra.org.
Set-up initial TLS certificate
Set up Zimbra to work with the first HTTPS domain. Install the
certificate obtained from your Certificate Authority by using one of
these guides:
This example sets up the first HTTPS domain barrydegraaff.nl on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:
cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
The result should look like:
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
Deploy the certificate as follows:
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
Set-up additional certificates
This example sets up an additional domain (zimbra.tech) on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:
wget -O /etc/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /etc/letsencrypt/ISRG-X1.pem /etc/letsencrypt/live/zimbra.tech/chain.pem > /etc/letsencrypt/live/zimbra.tech/chain-with.pem
cat /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/chain-with.pem > /etc/letsencrypt/live/zimbra.tech/deployme.bundle
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
source /opt/zimbra/bin/zmshutil
zmsetvars
/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/zimbra.tech/privkey.pem /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/deployme.bundle
The result should look like:
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/privkey.pem'
Certificate '/etc/letsencrypt/live/zimbra.tech/cert.pem' and private key '/etc/letsencrypt/live/zimbra.tech/privkey.pem' match.
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/deployme.bundle'
Valid certificate chain: /etc/letsencrypt/live/zimbra.tech/cert.pem: OK
Deploy the certificate as follows:
zmprov cd zimbra.tech
zmprov md zimbra.tech zimbraVirtualHostName zimbra.tech
/opt/zimbra/libexec/zmdomaincertmgr savecrt zimbra.tech /etc/letsencrypt/live/zimbra.tech/deployme.bundle /etc/letsencrypt/live/zimbra.tech/privkey.pem
/opt/zimbra/libexec/zmdomaincertmgr deploycrts
The result should look like:
** Deploying cert for zimbra.tech...done.
To make the changes effective, enable zimbraReverseProxySNIEnabled and
restart Zimbra via:
zmprov mcf zimbraReverseProxySNIEnabled TRUE
zmcontrol restart
You are now ready to start using Zimbra with multiple domains!
Troubleshooting
In some cases, if there is something wrong with the certificates, Zimbra
LDAP will not be able to restart, which will cause your Zimbra server to
refuse to start. In this case you can temporarily install self-signed
certificates to start Zimbra and then re-install your real certificates.
For more information see:
Renewing certificates
When a certificate is renewed, you have to repeat the steps above for
that certificate. Note that the steps differ for the initial domain and
for the additional domains.
The initial domain certificate is the one whose key is copied to
/opt/zimbra/ssl/zimbra/commercial/commercial.key and that is deployed
(and renewed) via zmcertmgr deploycrt comm.
Additional domains are deployed (and renewed) via zmdomaincertmgr.
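Because the renewal steps differ per domain, it is easy to run the wrong one by hand. The following certbot deploy hook is an added example (not part of the original post, and not a Zimbra tool): it looks at which lineage certbot just renewed, picks zmcertmgr for the initial domain and zmdomaincertmgr for any other domain, verifies key, certificate and chain before deploying anything, and restarts Zimbra. The certbot RENEWED_LINEAGE variable is what certbot exports to deploy hooks; the PRIMARY_DOMAIN setting, the chain-with-root.pem file name, and the chain order (leaf, intermediates, ISRG root, rather than the order used in the post) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: certbot deploy hook that repeats
# the renewal steps for whichever lineage certbot just renewed.
# Hypothetical assumptions: certbot exports RENEWED_LINEAGE (the
# /etc/letsencrypt/live/<name> directory); PRIMARY_DOMAIN is the domain whose
# key lives in commercial.key; every other lineage is an SNI virtual host.
set -eu

ZIMBRA_HOME=/opt/zimbra
PRIMARY_DOMAIN=${PRIMARY_DOMAIN:-barrydegraaff.nl}
ROOT_CA_URL=https://letsencrypt.org/certs/isrgrootx1.pem.txt
ROOT_CA=/etc/letsencrypt/ISRG-X1.pem

# Which Zimbra tool renews the lineage named $1: the initial domain goes
# through zmcertmgr, additional domains through zmdomaincertmgr.
deploy_tool() {
    if [ "$1" = "$PRIMARY_DOMAIN" ]; then
        echo zmcertmgr
    else
        echo zmdomaincertmgr
    fi
}

# Run a command as the zimbra user with the Zimbra environment loaded.
as_zimbra() {
    su - zimbra -c "source $ZIMBRA_HOME/bin/zmshutil; zmsetvars; $*"
}

# Build the chain zmcertmgr expects: certbot's intermediates plus the ISRG
# root, written to a separate file so certbot's own chain.pem stays untouched.
build_chain() {   # $1 lineage dir, $2 output file
    [ -s "$ROOT_CA" ] || wget -q -O "$ROOT_CA" "$ROOT_CA_URL"
    cat "$1/chain.pem" "$ROOT_CA" > "$2"
    chown zimbra:zimbra "$2"
}

# Refuse to deploy anything that does not verify; a broken certificate can
# leave LDAP unable to start (see Troubleshooting).
verify_or_die() {   # $1 key, $2 cert, $3 chain
    as_zimbra "$ZIMBRA_HOME/bin/zmcertmgr verifycrt comm $1 $2 $3" \
        || { echo "verification failed for $2, not deploying" >&2; exit 1; }
}

renew_primary() {   # $1 lineage dir
    key=$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key
    cp "$1/privkey.pem" "$key" && chown zimbra:zimbra "$key"
    build_chain "$1" "$1/chain-with-root.pem"
    verify_or_die "$key" "$1/cert.pem" "$1/chain-with-root.pem"
    as_zimbra "$ZIMBRA_HOME/bin/zmcertmgr deploycrt comm $1/cert.pem $1/chain-with-root.pem"
}

renew_additional() {   # $1 domain, $2 lineage dir
    build_chain "$2" "$2/chain-with-root.pem"
    cat "$2/cert.pem" "$2/chain-with-root.pem" > "$2/deployme.bundle"
    verify_or_die "$2/privkey.pem" "$2/cert.pem" "$2/deployme.bundle"
    as_zimbra "$ZIMBRA_HOME/libexec/zmdomaincertmgr savecrt $1 $2/deployme.bundle $2/privkey.pem"
    as_zimbra "$ZIMBRA_HOME/libexec/zmdomaincertmgr deploycrts"
}

main() {
    lineage=$RENEWED_LINEAGE
    domain=$(basename "$lineage")
    chown -R zimbra:zimbra /etc/letsencrypt
    case $(deploy_tool "$domain") in
        zmcertmgr)       renew_primary "$lineage" ;;
        zmdomaincertmgr) renew_additional "$domain" "$lineage" ;;
    esac
    as_zimbra "zmcontrol restart"
}

# Only act when invoked by certbot; otherwise the file just defines helpers.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it as root-owned and executable, then point certbot at it with `certbot renew --deploy-hook /path/to/this-script.sh`; certbot runs the hook once per renewed lineage, so the initial and additional domains each take their own branch.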
Gotchas
SNI is currently only supported for the Web-UI (https) and not other protocols such as IMAP, SMTP etc.
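A quick way to confirm the result, and to see the limitation just described, is to ask the server which certificate it serves for each name. The script below is an added example, not part of the original post: it sends each domain as the SNI name on port 443 and checks that the returned certificate's subjectAltName covers that domain, then repeats the probe on port 993, where an additional domain is expected to get the primary certificate because SNI is not applied to IMAPS. It assumes openssl is installed on the machine running the check and uses the server name from this post; the SERVER variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: report which certificate the
# Zimbra proxy serves per SNI name. Assumes openssl on the client and the
# server name used in the post (override with SERVER=...).
set -eu

SERVER=${SERVER:-zimbra-sni-blog.barrydegraaff.nl}

# Fetch the subjectAltName line of the certificate host $1 serves on port $3
# when the client sends SNI name $2.
served_san() {
    printf '' | openssl s_client -connect "$1:$3" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n 's/^ *DNS:/DNS:/p'
}

# Return 0 if a SAN list such as "DNS:zimbra.tech, DNS:*.zimbra.tech" covers
# hostname $2. A wildcard matches exactly one label, so *.zimbra.tech covers
# mail.zimbra.tech but neither zimbra.tech nor a.b.zimbra.tech.
san_covers() {
    san=$1; host=$2
    parent=${host#*.}
    for entry in $(printf '%s' "$san" | tr ',' ' '); do
        name=${entry#DNS:}
        case $name in
            "$host") return 0 ;;
            "*.$parent") [ "$parent" != "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# Probe every domain given on the command line. On 443 a mismatch means SNI
# is not selecting the right certificate; on 993 a mismatch for an additional
# domain is the documented behaviour (IMAPS always serves the primary cert).
check_sni() {
    for d in "$@"; do
        san=$(served_san "$SERVER" "$d" 443)
        if san_covers "$san" "$d"; then
            echo "443 $d: OK ($san)"
        else
            echo "443 $d: MISMATCH ($san)"
        fi
        san=$(served_san "$SERVER" "$d" 993)
        if san_covers "$san" "$d"; then
            echo "993 $d: covered ($san)"
        else
            echo "993 $d: primary certificate served, no SNI on IMAPS ($san)"
        fi
    done
}

if [ $# -gt 0 ]; then
    check_sni "$@"
fi
```

Run it as `sh check-sni.sh barrydegraaff.nl zimbra.tech`; every 443 line should read OK after the restart, while the 993 line for zimbra.tech will show the barrydegraaff.nl certificate, which is why IMAP and SMTP clients must be configured with the primary host name.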
Hi Barry,
Thanks for the write up.
I just need a little confirmation here,
I have a new server where the hostname is (example): mail.branch.net
I want my user to access the webmail using : webmail.group.org
So if I understood correctly I need to deploy the initial certificate on “mail.branch.net” and the additional one on “webmail.group.org”, right?
But I read somewhere that Zimbra SNI only covers port 80/443, so what is the configuration I should give to users for IMAP and SMTP, as these use ports 465 and 993?
I want to properly set imaps and smtps.
Regards
Hello, Zimbra currently does not support SNI for IMAP, I have added this to the blog.
Hi,
We are facing an issue on renewal of the SSL certificate on Zimbra FOSS edition servers. We are using a multi-domain SSL certificate which was renewed and deployed on the server before the expiry of the previously deployed SSL certificate. The renewed SSL certificate is working fine on webmail, but Outlook and mobile clients using secure IMAP and POP services are getting the old certificate, which has expired. Due to this, users are unable to receive emails on their clients. We are unable to find any solution for this issue and now customers are getting annoyed.
Please check https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS#Known_Issues