Zimbra SkillZ: How to use Zimbra with multiple HTTPS domains (Server Name Indication)

This article is a short how-to on making your Zimbra reachable via
multiple HTTPS domains. It lets your users reach Zimbra through
different URLs, such as https://mail.zimbra.com and https://mail.zimbra.org.

Set up the initial TLS certificate

Set up Zimbra to work with the first HTTPS domain. Install the
certificate obtained from your Certificate Authority using one of
these guides:

This example sets up the first HTTPS domain barrydegraaff.nl on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:

cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

The result should look like:

** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK

Deploy the certificate as follows:

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

Set up additional certificates

This example sets up an additional domain (zimbra.tech) on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:

wget -O /etc/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /etc/letsencrypt/ISRG-X1.pem /etc/letsencrypt/live/zimbra.tech/chain.pem > /etc/letsencrypt/live/zimbra.tech/chain-with.pem
cat /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/chain-with.pem > /etc/letsencrypt/live/zimbra.tech/deployme.bundle
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
source /opt/zimbra/bin/zmshutil
zmsetvars
/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/zimbra.tech/privkey.pem /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/deployme.bundle

The result should look like:

** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/privkey.pem'
Certificate '/etc/letsencrypt/live/zimbra.tech/cert.pem' and private key '/etc/letsencrypt/live/zimbra.tech/privkey.pem' match.
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/deployme.bundle'
Valid certificate chain: /etc/letsencrypt/live/zimbra.tech/cert.pem: OK

Deploy the certificate as follows:

zmprov cd zimbra.tech
zmprov md zimbra.tech zimbraVirtualHostName zimbra.tech
/opt/zimbra/libexec/zmdomaincertmgr savecrt zimbra.tech /etc/letsencrypt/live/zimbra.tech/deployme.bundle /etc/letsencrypt/live/zimbra.tech/privkey.pem
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

The result should look like:

** Deploying cert for zimbra.tech...done.

To make the changes effective, enable zimbraReverseProxySNIEnabled and
restart Zimbra via:

zmprov mcf zimbraReverseProxySNIEnabled TRUE
zmcontrol restart

You are now ready to start using Zimbra with multiple domains!
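The two checks that zmcertmgr verifycrt reports above (private key matches the certificate, certificate chains to a valid root) can be reproduced with plain openssl, which is useful when verifycrt fails and you want to see which of the two is wrong before deploying. The script below is an added example, not code from the article or from Zimbra: it generates a throwaway CA and leaf certificate (the name zimbra.example and the "Test Root" CA are constructed test data laid out like a Let's Encrypt lineage), runs both checks, and provides sni_cert_subject, which asks a running server which certificate it presents for a given SNI name so you can confirm after the restart that each virtual host serves its own certificate rather than the initial domain's.

```shell
#!/bin/sh
# Added example, not part of the Zimbra article: reproduce the two checks that
# "zmcertmgr verifycrt" performs (key matches certificate, chain validates)
# with plain openssl, and query a running server for the certificate it
# serves per SNI name. The throwaway CA and the zimbra.example name are
# constructed test data, not real certificates.
set -eu

# make_test_pki DIR NAME: a hypothetical root CA plus a leaf certificate for NAME,
# laid out like a Let's Encrypt lineage (privkey.pem, cert.pem, chain.pem).
make_test_pki() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root (constructed)" \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/cert.pem" >/dev/null 2>&1
}

# build_bundle DIR: cert followed by chain in one file, the article's deployme.bundle layout.
build_bundle() {
  cat "$1/cert.pem" "$1/chain.pem" > "$1/deployme.bundle"
  echo "$1/deployme.bundle"
}

# key_matches_cert KEY CERT: succeed only if the private key's public half equals the
# certificate's public key (compared as SHA-256 of the DER-encoded SubjectPublicKeyInfo).
key_matches_cert() {
  openssl pkey -in "$1" -pubout -outform DER >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -pubkey >/dev/null 2>&1 || return 1
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# chain_valid CERT CAFILE: the leaf must chain to a self-signed root contained in CAFILE.
chain_valid() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_lineage DIR: the same two checks zmcertmgr verifycrt reports, in the same order.
verify_lineage() {
  key_matches_cert "$1/privkey.pem" "$1/cert.pem" || { echo "key/cert mismatch in $1"; return 1; }
  chain_valid "$1/cert.pem" "$1/chain.pem" || { echo "chain does not validate in $1"; return 1; }
  echo "$1: key matches, chain OK"
}

# sni_cert_subject HOST PORT SERVERNAME: subject of the certificate HOST serves when the
# client sends SERVERNAME in the TLS ClientHello. Needs network access to HOST; run it once
# per vhost after "zmcontrol restart" and confirm each name gets its own certificate.
sni_cert_subject() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Stand-alone demo against a constructed lineage ("sh script.sh demo"). The SNI check is
# left for a real host, e.g.: sni_cert_subject zimbra-sni-blog.barrydegraaff.nl 443 zimbra.tech
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d" zimbra.example
  build_bundle "$d" >/dev/null
  verify_lineage "$d"
fi
```

Run sni_cert_subject once with each virtual host name and once with the initial domain; if every call returns the initial domain's subject, the proxy is not honouring SNI (zimbraReverseProxySNIEnabled not set or the proxy not restarted), and if a call fails the TLS handshake, the domain's saved certificate is the first thing to re-verify.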

Troubleshooting

If something is wrong with the certificates, Zimbra LDAP may fail to
restart, and the whole Zimbra server will then refuse to start. In that
case you can temporarily install self-signed certificates to get Zimbra
running again, and then re-install your real certificates. For more
information see:

Renewing certificates

When a certificate is renewed, you have to repeat the steps above for
that certificate. Note that the steps differ between the initial domain
and the additional domains.

The initial domain certificate is the one that is copied to
/opt/zimbra/ssl/zimbra/commercial/commercial.key and deployed (and
renewed) via zmcertmgr deploycrt comm.

Additional domains are deployed (and renewed) via zmdomaincertmgr.
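Because the renewal steps differ per domain type, a renewal hook has to pick the right path from the domain being renewed. The script below is an added example, not the article's or Zimbra's own code: it is written as a certbot deploy hook (certbot exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<domain> directory, to deploy hooks), routes the initial domain to zmcertmgr deploycrt comm and every other domain to zmdomaincertmgr savecrt/deploycrts as the article describes, and restarts with zmcontrol restart as above. INITIAL_DOMAIN, LE_ROOT, the RUN variable (set RUN=echo to print the privileged commands instead of running them) and the chain-with-root.pem file name are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not the article's or Zimbra's own code: a certbot deploy hook that
# re-applies the article's two deployment paths after a renewal. certbot exports
# RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> to deploy hooks; INITIAL_DOMAIN,
# LE_ROOT, RUN and the chain-with-root.pem name are assumptions of this script.
set -eu

INITIAL_DOMAIN="${INITIAL_DOMAIN:-barrydegraaff.nl}"   # deployed via "zmcertmgr deploycrt comm"
LE_ROOT="${LE_ROOT:-/etc/letsencrypt/ISRG-X1.pem}"     # ISRG Root X1, appended as in the article
RUN="${RUN:-}"   # RUN=echo prints the privileged Zimbra commands instead of executing them
ZMSSL=/opt/zimbra/ssl/zimbra/commercial

# deploy_path DOMAIN: "initial" for the first HTTPS domain, "additional" for any other vhost.
deploy_path() {
  if [ "$1" = "$INITIAL_DOMAIN" ]; then echo initial; else echo additional; fi
}

# chain_with_root DIR: chain.pem plus the root, written to a new file so the certbot-managed
# chain.pem is left untouched across renewals. Prints the path.
chain_with_root() {
  cat "$1/chain.pem" "$LE_ROOT" > "$1/chain-with-root.pem"
  echo "$1/chain-with-root.pem"
}

# build_bundle DIR: cert + chain + root, the article's deployme.bundle. Prints the path.
build_bundle() {
  cat "$1/cert.pem" "$(chain_with_root "$1")" > "$1/deployme.bundle"
  echo "$1/deployme.bundle"
}

# deploy_initial DIR: the "zmcertmgr" path; verify first, then deploy (restart follows in main).
deploy_initial() {
  chain=$(chain_with_root "$1")
  $RUN cp "$1/privkey.pem" "$ZMSSL/commercial.key"
  $RUN chown zimbra:zimbra "$ZMSSL/commercial.key"
  $RUN su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm $ZMSSL/commercial.key $1/cert.pem $chain"
  $RUN su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm $1/cert.pem $chain"
}

# deploy_additional DOMAIN DIR: the "zmdomaincertmgr" path for a per-domain virtual host.
deploy_additional() {
  bundle=$(build_bundle "$2")
  $RUN su - zimbra -c "/opt/zimbra/libexec/zmdomaincertmgr savecrt $1 $bundle $2/privkey.pem"
  $RUN su - zimbra -c "/opt/zimbra/libexec/zmdomaincertmgr deploycrts"
}

# main: choose the path from the renewed lineage's directory name, then restart as the article does.
main() {
  lineage="${RENEWED_LINEAGE:?set by certbot, e.g. /etc/letsencrypt/live/zimbra.tech}"
  domain=$(basename "$lineage")
  $RUN chown -R zimbra:zimbra "$lineage"
  case "$(deploy_path "$domain")" in
    initial)    deploy_initial "$lineage" ;;
    additional) deploy_additional "$domain" "$lineage" ;;
  esac
  $RUN su - zimbra -c "zmcontrol restart"
}

# Only act when invoked by certbot (or with RENEWED_LINEAGE set by hand); sourcing is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Try it first with RUN=echo and RENEWED_LINEAGE pointing at a real lineage to see the exact commands it would run as root and as the zimbra user; a domain that has been renamed or removed from zimbraVirtualHostName will still be routed to the zmdomaincertmgr path, so keep INITIAL_DOMAIN in step with whatever is actually deployed to commercial.key.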

Further reading



Copyright © 2022 Zimbra, Inc. All rights reserved.
