Zimbra SkillZ: How to use Zimbra with multiple HTTPS domains (Server Name Indication)

This article is a short how-to on making one Zimbra server reachable via
multiple HTTPS domains, so that users can open the same server through
different URLs such as https://mail.zimbra.com and https://mail.zimbra.org.
The Zimbra reverse proxy uses Server Name Indication (SNI), the hostname the
browser sends in the TLS handshake, to choose which certificate to present.

Set-up initial TLS certificate

Set up Zimbra to work with the first HTTPS domain. Install the
certificate obtained from your Certificate Authority by using one of
these guides:

This example sets up the first HTTPS domain barrydegraaff.nl on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:

# the private key of the first domain becomes Zimbra's "commercial" key
cp /etc/letsencrypt/live/barrydegraaff.nl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# append the ISRG root so the chain can be verified up to a root; this modifies the
# certbot-managed chain file, so do it once per issued certificate, not on every run
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/barrydegraaff.nl/chain.pem
# zmcertmgr runs as zimbra and must read the key and certificates; note this makes
# every lineage under /etc/letsencrypt readable by the zimbra user
chown -R zimbra:zimbra /etc/letsencrypt
sudo su - zimbra
cd ~
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

The result should look like:

** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/barrydegraaff.nl/cert.pem' against '/etc/letsencrypt/live/barrydegraaff.nl/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/barrydegraaff.nl/cert.pem: OK

Deploy the certificate as follows:

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/barrydegraaff.nl/cert.pem /etc/letsencrypt/live/barrydegraaff.nl/chain.pem

Set-up additional certificates

This example sets up an additional domain (zimbra.tech) on a Zimbra
server (zimbra-sni-blog.barrydegraaff.nl) using a Let’s Encrypt
Certificate:

wget -O /etc/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
# build the full chain in TLS order: leaf, then intermediate(s), then the ISRG root
cat /etc/letsencrypt/live/zimbra.tech/chain.pem /etc/letsencrypt/ISRG-X1.pem > /etc/letsencrypt/live/zimbra.tech/chain-with.pem
cat /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/chain-with.pem > /etc/letsencrypt/live/zimbra.tech/deployme.bundle
chown -R zimbra:zimbra /etc/letsencrypt
sudo su - zimbra
cd ~
# zmdomaincertmgr expects the Zimbra environment variables to be set
source /opt/zimbra/bin/zmshutil
zmsetvars
/opt/zimbra/bin/zmcertmgr verifycrt comm /etc/letsencrypt/live/zimbra.tech/privkey.pem /etc/letsencrypt/live/zimbra.tech/cert.pem /etc/letsencrypt/live/zimbra.tech/deployme.bundle

The result should look like:

** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/privkey.pem'
Certificate '/etc/letsencrypt/live/zimbra.tech/cert.pem' and private key '/etc/letsencrypt/live/zimbra.tech/privkey.pem' match.
** Verifying '/etc/letsencrypt/live/zimbra.tech/cert.pem' against '/etc/letsencrypt/live/zimbra.tech/deployme.bundle'
Valid certificate chain: /etc/letsencrypt/live/zimbra.tech/cert.pem: OK

Deploy the certificate as follows:

# create the domain (skip if it already exists) and tell the proxy which hostname to match via SNI
zmprov cd zimbra.tech
zmprov md zimbra.tech zimbraVirtualHostName zimbra.tech
# store the bundle and key for this domain, then write out the certificates for the proxy
/opt/zimbra/libexec/zmdomaincertmgr savecrt zimbra.tech /etc/letsencrypt/live/zimbra.tech/deployme.bundle /etc/letsencrypt/live/zimbra.tech/privkey.pem
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

The result should look like:

** Deploying cert for zimbra.tech...done.

To make the changes effective, enable zimbraReverseProxySNIEnabled and
restart Zimbra via:

zmprov mcf zimbraReverseProxySNIEnabled TRUE
zmcontrol restart

You are now ready to start using Zimbra with multiple domains!

Troubleshooting

In some cases, if something is wrong with the certificates, Zimbra LDAP
will not restart, and without LDAP the rest of Zimbra refuses to start.
In that case you can temporarily install self-signed certificates to get
Zimbra started and then re-install your real certificates. For more
information see:

Renewing certificates

When a certificate is renewed you have to redo the steps above for that
certificate. Note that the initial domain and the additional domains use
different steps.

The initial domain certificate is the one that is copied to
/opt/zimbra/ssl/zimbra/commercial/commercial.key and deployed (and
renewed) via zmcertmgr deploycrt comm.

Additional domains are deployed (and renewed) via zmdomaincertmgr.
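The two renewal paths above (initial domain via zmcertmgr, additional domains via zmdomaincertmgr) can be driven from certbot's deploy hook so that nothing has to be redone by hand. The script below is an added example, not code from the article or from Zimbra. It relies on certbot exporting RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory of the certificate just renewed) to deploy hooks, and it assumes that PRIMARY_DOMAIN names the initial domain, that each additional domain and its zimbraVirtualHostName were already created as shown above, and that Zimbra lives under /opt/zimbra; the default domain names, the hook path and the helper names are assumptions. It writes the bundle in leaf, intermediate, root order, refuses to deploy when the bundle holds fewer than three certificates or when zmcertmgr verifycrt fails, and restarts all of Zimbra as the article does.

```shell
#!/bin/sh
# Added example (not from the original article): certbot deploy hook that
# repeats the article's deploy steps for whichever certificate was just renewed.
# Install with:  certbot renew --deploy-hook /usr/local/sbin/zimbra-deploy-hook.sh
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name> to deploy hooks.
# Assumptions: PRIMARY_DOMAIN is the server's initial ("commercial") domain,
# every other lineage is an SNI domain; names and paths are illustrative.

PRIMARY_DOMAIN="${PRIMARY_DOMAIN:-barrydegraaff.nl}"
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
ISRG_ROOT_URL="https://letsencrypt.org/certs/isrgrootx1.pem.txt"
ISRG_ROOT_FILE="${ISRG_ROOT_FILE:-/etc/letsencrypt/ISRG-X1.pem}"

# Which Zimbra tool handles this domain: the initial domain goes through
# zmcertmgr ("commercial"), every other domain through zmdomaincertmgr ("domain").
deploy_path_for() {
    [ -n "$1" ] || return 2
    if [ "$1" = "$PRIMARY_DOMAIN" ]; then
        printf '%s\n' commercial
    else
        printf '%s\n' domain
    fi
}

# Write a PEM bundle in TLS order: leaf, intermediate(s), then the ISRG root
# (the root is what lets verifycrt validate the chain). Prints the bundle path.
build_bundle() {
    for f in "$1/cert.pem" "$1/chain.pem" "$2"; do
        [ -r "$f" ] || { echo "build_bundle: cannot read $f" >&2; return 1; }
    done
    cat "$1/cert.pem" "$1/chain.pem" "$2" > "$3" || return 1
    printf '%s\n' "$3"
}

# Number of certificates in a PEM file; a full bundle has at least three.
cert_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n="${n:-0}"
    printf '%s\n' "$n"
}

# Run Zimbra commands as the zimbra user with its login environment.
as_zimbra() {
    su - zimbra -c "$1"
}

main() {
    lineage="$RENEWED_LINEAGE"
    domain=$(basename "$lineage")
    [ -r "$ISRG_ROOT_FILE" ] || wget -q -O "$ISRG_ROOT_FILE" "$ISRG_ROOT_URL" || return 1
    bundle=$(build_bundle "$lineage" "$ISRG_ROOT_FILE" "$lineage/deployme.bundle") || return 1
    [ "$(cert_count "$bundle")" -ge 3 ] || { echo "short chain in $bundle" >&2; return 1; }
    # the zimbra user must be able to read the private key (same chown as the article;
    # it covers every lineage under /etc/letsencrypt)
    chown -R zimbra:zimbra /etc/letsencrypt
    case "$(deploy_path_for "$domain")" in
    commercial)
        # chain file for zmcertmgr: intermediate(s) followed by the root
        cat "$lineage/chain.pem" "$ISRG_ROOT_FILE" > "$lineage/chain-with-root.pem"
        cp "$lineage/privkey.pem" "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key"
        chown zimbra:zimbra "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key"
        # verifycrt's exit status gates the deploy (assumed non-zero on failure)
        as_zimbra "$ZIMBRA_HOME/bin/zmcertmgr verifycrt comm $ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key $lineage/cert.pem $lineage/chain-with-root.pem \
            && $ZIMBRA_HOME/bin/zmcertmgr deploycrt comm $lineage/cert.pem $lineage/chain-with-root.pem" || return 1
        ;;
    domain)
        as_zimbra "$ZIMBRA_HOME/bin/zmcertmgr verifycrt comm $lineage/privkey.pem $lineage/cert.pem $bundle \
            && $ZIMBRA_HOME/libexec/zmdomaincertmgr savecrt $domain $bundle $lineage/privkey.pem \
            && $ZIMBRA_HOME/libexec/zmdomaincertmgr deploycrts" || return 1
        ;;
    *)
        return 2
        ;;
    esac
    as_zimbra "zmcontrol restart"
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main || exit 1
fi
```

The hook runs as root because certbot does; with RENEWED_LINEAGE unset the file only defines its functions, so it can be sourced to exercise build_bundle and deploy_path_for without touching Zimbra.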

Gotchas

SNI is currently only supported for the Web UI (HTTPS through the reverse proxy) and not for other protocols such as IMAP, POP3 and SMTP. Those services always present the certificate deployed with zmcertmgr deploycrt comm, whatever hostname the client connects to.
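Because SNI is honoured only on the HTTPS listener, the certificate a client sees depends on the port as much as on the hostname, so it is worth checking what the server actually presents after deployment. The checker below is an added example, not part of the article: it uses openssl s_client to fetch the certificate presented for a given host, port and SNI name and tests whether that certificate's subjectAltName covers the name (exact match or a single-label wildcard, as in RFC 6125 section 6.4.3). Assumed: openssl(1) is installed, ZIMBRA_HOST names the server, and the hostnames are the article's. With the setup above, both port-443 checks should pass and the port-993 check should report the commercial certificate, which is the gotcha made visible.

```shell
#!/bin/sh
# Added example (not from the original article): after enabling SNI, confirm
# which certificate Zimbra presents per hostname and per port.
# Assumes openssl(1) is installed; hostnames and ports are illustrative.

# Print the subjectAltName entries of the certificate served on $1:$2 when the
# client sends SNI name $3 (an IMAP client connecting to 993 gets no SNI-based
# selection, so the commercial certificate comes back whatever $3 is).
served_sans() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Does a SAN list ("DNS:a.example, DNS:*.example") cover name $2? Case-insensitive;
# a wildcard matches exactly one label; non-DNS entries (IP Address:, email:) are
# ignored. Runs in a subshell so "set -f" (no globbing of "*.") stays local.
san_covers() (
    set -f
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent="${name#*.}"                      # name minus its first label
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in
        DNS:*) entry=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z') ;;
        *) continue ;;
        esac
        [ "$entry" = "$name" ] && exit 0
        case "$entry" in
        '*.'*) [ "$parent" != "$name" ] && [ "${entry#\*.}" = "$parent" ] && exit 0 ;;
        esac
    done
    exit 1
)

# Report whether the certificate presented for $3 on $1:$2 covers $3.
# Returns 0 on match, 1 on mismatch, 2 if no certificate could be fetched.
check_served() {
    sans=$(served_sans "$1" "$2" "$3")
    [ -n "$sans" ] || { echo "$1:$2 sni=$3: no certificate fetched" >&2; return 2; }
    if san_covers "$sans" "$3"; then
        echo "$1:$2 sni=$3 OK ($sans)"
    else
        echo "$1:$2 sni=$3 MISMATCH ($sans)"
        return 1
    fi
}

# Usage:  ZIMBRA_HOST=zimbra-sni-blog.barrydegraaff.nl sh check-sni.sh
# Expected with the article's setup: both 443 checks pass; on 993 the server
# presents the commercial (barrydegraaff.nl) certificate, so the zimbra.tech
# check reports MISMATCH. That is the gotcha, not a deployment error.
if [ -n "${ZIMBRA_HOST:-}" ]; then
    check_served "$ZIMBRA_HOST" 443 barrydegraaff.nl
    check_served "$ZIMBRA_HOST" 443 zimbra.tech
    check_served "$ZIMBRA_HOST" 993 zimbra.tech
fi
```

Run it again after every renewal: a MISMATCH on 443 means the SNI domain's certificate was not redeployed, while an expired certificate on 993 points at the commercial certificate, which is renewed through zmcertmgr rather than zmdomaincertmgr.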

4 Responses to Zimbra SkillZ: How to use Zimbra with multiple HTTPS domains (Server Name Indication)

  1. rokoyato August 30, 2022 at 12:26 AM

    Hi Barry,

    Thanks for the write up.

    I just need a little confirmation here,

    I have a new server where the hostname is (example): mail.branch.net

    I want my user to access the webmail using : webmail.group.org

    So if I understood correctly, I need to deploy the initial certificate on “mail.branch.net” and the additional one on “webmail.group.org”, right?

    But I read somewhere that Zimbra SNI only covers ports 80/443, so what configuration should I give users for IMAP and SMTP, as these use ports 465 and 993?

    I want to properly set imaps and smtps.

    Regards

    • Barry de Graaff August 31, 2022 at 4:31 AM

      Hello, Zimbra currently does not support SNI for IMAP, I have added this to the blog.

  2. Fiza November 27, 2022 at 11:12 PM

    Hi,

    We are facing an issue with renewal of the SSL certificate on Zimbra FOSS edition servers. We are using a multi-domain SSL certificate, which was renewed and deployed on the server before the expiry of the previously deployed SSL certificate. The renewed SSL certificate is working fine on webmail, but Outlook and mobile clients using secure IMAP and POP services are getting the old certificate, which has expired. Due to this, users are unable to receive emails on their clients. We are unable to find any solution for this issue and now customers are getting annoyed.

Copyright © 2022 Zimbra, Inc. All rights reserved.
