This article is a short how-to on making your Zimbra server reachable via
multiple HTTPS domains, so that your users can reach Zimbra under
different URLs such as https://mail.zimbra.com and https://mail.zimbra.org.
Set up initial TLS certificate
Set up Zimbra to work with the first HTTPS domain. Install the
certificate obtained from your Certificate Authority by using one of
these guides:
This example sets up the first HTTPS domain barrydegraaff.nl on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:
cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
The result should look like:
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK
Deploy the certificate as follows:
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
Set up additional certificates
This example sets up an additional domain (zimbra.tech) on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:
wget -O /etc/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /etc/letsencrypt/ISRG-X1.pem /etc/letsencrypt/live/zimbra.tech/chain.pem > /etc/letsencrypt/live/zimbra.tech/chain-with.pem
cat /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/chain-with.pem > /etc/letsencrypt/live/zimbra.tech/deployme.bundle
chown -R zimbra:zimbra /etc/letsencrypt
sudo su zimbra -
cd ~
source /opt/zimbra/bin/zmshutil
zmsetvars
/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/zimbra.tech/privkey.pem /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/deployme.bundle
The result should look like:
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/privkey.pem'
Certificate '/etc/letsencrypt/live/zimbra.tech/cert.pem' and private key '/etc/letsencrypt/live/zimbra.tech/privkey.pem' match.
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/deployme.bundle'
Valid certificate chain: /etc/letsencrypt/live/zimbra.tech/cert.pem: OK
Deploy the certificate as follows:
zmprov cd zimbra.tech
zmprov md zimbra.tech zimbraVirtualHostName zimbra.tech
/opt/zimbra/libexec/zmdomaincertmgr savecrt zimbra.tech /etc/letsencrypt/live/zimbra.tech/deployme.bundle /etc/letsencrypt/live/zimbra.tech/privkey.pem
/opt/zimbra/libexec/zmdomaincertmgr deploycrts
The result should look like:
** Deploying cert for zimbra.tech...done.
To make the changes effective, enable zimbraReverseProxySNIEnabled and restart Zimbra via:
zmprov mcf zimbraReverseProxySNIEnabled TRUE
zmcontrol restart
You are now ready to start using Zimbra with multiple domains!
Troubleshooting
In some cases, if something is wrong with the certificates, Zimbra LDAP
will not be able to restart, which causes the whole Zimbra server to
refuse to start. In that case you can temporarily install self-signed
certificates to get Zimbra started, and then re-install your real
certificates. For more information see:
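Two checks around the procedure above, added here as an example that is not part of the original article and not Zimbra's own tooling. The first, zimbra_cert_preflight, reproduces with plain openssl what zmcertmgr verifycrt tests (key/certificate match and chain validity), so a bad pair or an incomplete chain, the kind of mistake the troubleshooting section says can keep LDAP from starting, is rejected before anything is deployed. The second, zimbra_sni_check, connects with a given SNI name and compares the served certificate's SHA-256 fingerprint with the file you deployed, which is how to confirm that each domain really gets its own certificate once zimbraReverseProxySNIEnabled is on. The function names, the script name and the output wording are this example's own choices, and port 443 is assumed.

```shell
#!/bin/sh
# Added example, not code from the original article or from Zimbra.
# Two checks around the article's procedure, using only openssl:
#   zimbra_cert_preflight KEY CERT CHAIN
#       reproduces what zmcertmgr verifycrt tests (key/cert match and chain
#       validity) so a broken bundle is rejected before Zimbra LDAP sees it.
#   zimbra_sni_check HOST SERVERNAME CERT
#       connects to HOST:443 with the TLS SNI name SERVERNAME and confirms
#       the certificate served is CERT (compared by SHA-256 fingerprint).
# Function and file names are this example's own assumptions.

cert_fingerprint() {
    # SHA-256 fingerprint of the first PEM certificate read from stdin.
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

zimbra_cert_preflight() {
    key=$1 cert=$2 chain=$3
    for f in "$key" "$cert" "$chain"; do
        if [ ! -r "$f" ]; then
            echo "preflight: cannot read $f" >&2
            return 2
        fi
    done

    # 1. Key/certificate match: the public key extracted from the certificate
    #    must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "preflight: $cert is not a parseable certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "preflight: $key is not a parseable private key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: private key does not match $cert" >&2
        return 1
    fi

    # 2. Chain validity. -CAfile trusts every certificate in CHAIN, but openssl
    #    still insists on reaching a self-signed root: an intermediate-only
    #    chain.pem fails here, which is why the article appends the ISRG root.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "preflight: chain in $chain does not validate $cert" >&2
        return 1
    fi
    echo "preflight: OK $cert"
}

zimbra_sni_check() {
    host=$1 servername=$2 cert=$3
    expected=$(cert_fingerprint < "$cert")
    # s_client prints the leaf certificate it received; fingerprint it.
    served=$(openssl s_client -connect "$host:443" -servername "$servername" \
                 </dev/null 2>/dev/null | cert_fingerprint)
    if [ -z "$served" ]; then
        echo "sni: no certificate received from $host for $servername" >&2
        return 2
    fi
    if [ "$served" != "$expected" ]; then
        echo "sni: $host served $served for $servername, expected $expected" >&2
        return 1
    fi
    echo "sni: OK $servername -> $served"
}

# Command-line use:  ./zimbra_cert_checks.sh preflight KEY CERT CHAIN
#                    ./zimbra_cert_checks.sh sni HOST SERVERNAME CERT
case "${1:-}" in
    preflight) shift; zimbra_cert_preflight "$@" ;;
    sni)       shift; zimbra_sni_check "$@" ;;
esac
```

Run the preflight on exactly the three files you would hand to zmcertmgr verifycrt; for the SNI check, point it at the Zimbra host once with each virtual host name and its own cert.pem, and a mismatch means the proxy is still serving the default (commercial) certificate for that name.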
Renewing certificates
When certificates are renewed you have to redo the steps above for each
certificate being renewed. This means you use different steps for the
initial domain and for the additional domains.
The initial domain certificate is the one whose key is copied to
/opt/zimbra/ssl/zimbra/commercial/commercial.key and which is deployed
(and renewed) via zmcertmgr deploycrt comm.
Additional domains are deployed (and renewed) via zmdomaincertmgr.
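A renewal helper, added as an example (not part of the article and not Zimbra or certbot code), that encodes the two paths just described so a renewed Let's Encrypt certificate is always deployed with the right tool: zmcertmgr deploycrt comm for the initial domain, zmdomaincertmgr for every other one. It assumes the layout the article uses (/etc/letsencrypt/live/<domain>/, the ISRG root saved by the article's wget step, execution as root on the Zimbra host); the names zimbra_renew_deploy, ISRG_ROOT, ZIMBRA_DRY_RUN and chain-with-root.pem are its own. The bundle it builds is ordered leaf, intermediate, root (the article's bundle has the root before the intermediate); chain verification does not depend on the order, and TLS clients expect the leaf first.

```shell
#!/bin/sh
# Added example, not code from the article, Zimbra or certbot.
# Deploy a renewed Let's Encrypt certificate into Zimbra using the path
# that matches the domain:
#   initial domain     -> commercial.key + zmcertmgr deploycrt comm
#   additional domain  -> bundle + zmdomaincertmgr savecrt/deploycrts
# Assumptions: runs as root on the Zimbra host, lineages live under
# /etc/letsencrypt/live/<domain>, the ISRG root is at $ISRG_ROOT.
# ZIMBRA_DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${ZIMBRA_DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# zmcertmgr, zmdomaincertmgr and zmcontrol must run as the zimbra user.
run_as_zimbra() {
    if [ "${ZIMBRA_DRY_RUN:-0}" = "1" ]; then
        echo "+ [zimbra] $*"
    else
        su - zimbra -c "$*"
    fi
}

zimbra_renew_deploy() {
    domain=$1 primary=$2 live=${3:-/etc/letsencrypt/live}
    lineage=$live/$domain
    root=${ISRG_ROOT:-/etc/letsencrypt/ISRG-X1.pem}
    commercial_key=/opt/zimbra/ssl/zimbra/commercial/commercial.key

    for f in "$lineage/privkey.pem" "$lineage/cert.pem" "$lineage/chain.pem" "$root"; do
        if [ ! -r "$f" ]; then echo "renew: missing $f" >&2; return 2; fi
    done

    if [ "$domain" = "$primary" ]; then
        # Initial domain (article, first section): key to commercial.key,
        # root appended to the chain, deploy with zmcertmgr deploycrt comm.
        run cp "$lineage/privkey.pem" "$commercial_key"
        run chown zimbra:zimbra "$commercial_key"
        run sh -c "cat '$lineage/chain.pem' '$root' > '$lineage/chain-with-root.pem'"
        run chown -R zimbra:zimbra "$(dirname "$live")"
        run_as_zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm "$commercial_key" \
            "$lineage/cert.pem" "$lineage/chain-with-root.pem" || return 1
        run_as_zimbra /opt/zimbra/bin/zmcertmgr deploycrt comm \
            "$lineage/cert.pem" "$lineage/chain-with-root.pem" || return 1
    else
        # Additional domain (article, second section): one bundle of
        # leaf + intermediate + root, stored per domain by zmdomaincertmgr.
        run sh -c "cat '$lineage/cert.pem' '$lineage/chain.pem' '$root' > '$lineage/deployme.bundle'"
        run chown -R zimbra:zimbra "$(dirname "$live")"
        run_as_zimbra /opt/zimbra/bin/zmcertmgr verifycrt comm "$lineage/privkey.pem" \
            "$lineage/cert.pem" "$lineage/deployme.bundle" || return 1
        run_as_zimbra /opt/zimbra/libexec/zmdomaincertmgr savecrt "$domain" \
            "$lineage/deployme.bundle" "$lineage/privkey.pem" || return 1
        run_as_zimbra /opt/zimbra/libexec/zmdomaincertmgr deploycrts || return 1
    fi
    # The article restarts Zimbra after deploying; do the same so the proxy
    # picks up the new certificate.
    run_as_zimbra zmcontrol restart
}

# Command-line use:        ./zimbra-renew-hook.sh DOMAIN PRIMARY_DOMAIN
# certbot --deploy-hook:   certbot exports RENEWED_LINEAGE; set PRIMARY_DOMAIN
#                          in the environment and call the script with no args.
if [ "$#" -ge 2 ]; then
    zimbra_renew_deploy "$1" "$2" "${3:-}"
elif [ -n "${RENEWED_LINEAGE:-}" ] && [ -n "${PRIMARY_DOMAIN:-}" ]; then
    zimbra_renew_deploy "$(basename "$RENEWED_LINEAGE")" "$PRIMARY_DOMAIN"
fi
```

Try it first with ZIMBRA_DRY_RUN=1 for one initial and one additional domain and compare the printed commands with the article's two sections before letting certbot call it unattended.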