=CentOS 7.x Install SSL certificate in Zimbra=
Related pages for specific certificate sources:
* [[CentOS 7.x Install yearly or longer duration purchased SSL certificate in Zimbra]]
* [[CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra]]

To install an SSL certificate in Zimbra use the following steps:
# Login into the admin console
# Use the certificate wizard link on the homepage/dashboard or look for the certificate option under Configure
# Generate a CSR for sending to the certificate authority for signing. Note that if you already have a private key and certificate then you should replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key. Also, if you are not planning to get the certificate signed by a recognized authority but want to use a self-signed certificate, then run the following commands as root user:
#:<pre>
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
su -c "zmcontrol restart" - zimbra
</pre>
#:: For a self-signed certificate one can also use [[Openssl]] or [[Easy-rsa]]
# Use [[Getting certificates signed by recognized CA]] or [[Using namecheap wildcard SSL certificates for HTTPS]] for purchasing a certificate and getting it signed by a recognized CA
# After the CSR is signed by the certificate authority, download both the root CA and the intermediate CA certificates and combine them into a single file using:
#:<pre>
cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
</pre>
#:: This requires the .crt or .pem files to be in PEM form, i.e. text files with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Refer to [[Openssl]] for the different certificate formats and for converting from one form to another
# After this verify that the certificate is proper (the private key matches it and it chains to the combined CA file) using:
#:<pre>
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
</pre>
# If verification succeeds then install the certificate together with its CA chain using:
#:<pre>
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
</pre>
#:: Note that installation does not require the path to the private key; zmcertmgr uses /opt/zimbra/ssl/zimbra/commercial/commercial.key on its own, and passing the key as an extra argument makes the command fail (see the terminal log below)
# Look at the deployed certificate
#:<pre>
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
</pre>
# Restart Zimbra for the changes to take effect
#:<pre>
su -c "zmcontrol restart" - zimbra
</pre>
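The two checks that verifycrt performs in the steps above (private key matches the server certificate; certificate chains to the combined CA file) can be reproduced with plain openssl. The script below is an added example and is not part of this page or of Zimbra's zmcertmgr: it builds a throwaway root CA, intermediate CA and server certificate (all names, including mail.example.com and the file names, are constructed), then shows that verification against the root alone fails with the same "unable to get local issuer certificate" error (error 20) as in the terminal log on this page, while the combined root+intermediate file verifies. It also counts PEM certificate markers, which is the check behind the "no start line" error when a key is passed where a certificate was expected. It only needs openssl and a POSIX sh.

```sh
#!/bin/sh
# Added example, not from the original page or from Zimbra's zmcertmgr:
# builds a test PKI (root -> intermediate -> server) with openssl and repeats
# the checks zmcertmgr verifycrt performs, to show why the root and
# intermediate certificates must be combined into one file. All names are
# constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal openssl config so the example does not depend on the system one.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.com
EOF

# Build the test PKI: root.crt signs inter.crt, inter.crt signs web.crt.
# commercial.key stands in for /opt/zimbra/ssl/zimbra/commercial/commercial.key.
make_pki() {
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Test Root CA" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions v3_ca \
    -out "$WORK/inter.crt" 2>/dev/null
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.com" \
    -keyout "$WORK/commercial.key" -out "$WORK/web.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/web.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions v3_server \
    -out "$WORK/web.crt" 2>/dev/null
}

# Check 1: the private key and the server certificate carry the same public key
# (the "Certificate ... and private key ... match" line of verifycrt).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ]
}

# Check 2: the server certificate ($2) chains to a trusted root using only the
# certificates in the CA file ($1), which is what verifycrt's last argument is.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of PEM certificates in a file; 0 means it is not a certificate bundle
# (for instance a private key passed where a certificate was expected).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

make_pki
# Same step as the page's "cat root-ca.crt intermediate-ca.crt > combined.crt".
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/combined.crt"

if key_matches_cert "$WORK/commercial.key" "$WORK/web.crt"; then
  echo "commercial.key and web.crt match"
fi
# Root alone is not enough: the issuer of web.crt (the intermediate) is missing,
# so openssl reports error 20 "unable to get local issuer certificate".
if chain_verifies "$WORK/root.crt" "$WORK/web.crt"; then
  echo "unexpected: web.crt verified with the root alone"
else
  echo "root only:"
  openssl verify -CAfile "$WORK/root.crt" "$WORK/web.crt" 2>&1 | sed 's/^/  /'
fi
if chain_verifies "$WORK/combined.crt" "$WORK/web.crt"; then
  echo "combined chain: web.crt OK"
fi
echo "certificates in combined.crt: $(cert_count "$WORK/combined.crt")"
echo "certificates in commercial.key: $(cert_count "$WORK/commercial.key")"
```

On a real Zimbra host the same checks apply to /opt/zimbra/ssl/zimbra/commercial/commercial.key, the signed server certificate and /tmp/combined.crt; a key/certificate mismatch or a missing intermediate will show up here before deploycrt touches the running configuration.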

Note that trying to install the certificate via the GUI installation wizard failed, while the same server certificate, root certificate, intermediate certificate, etc. worked from the command line. Hence use the command line for installing the Zimbra SSL certificate.

Example terminal I/O of certificate installation:
<pre>
#Need to run certificate command as root user
[root@mail ~]# su - zimbra
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
/opt/zimbra/bin/zmcertmgr must be run as user root
[zimbra@mail ~]$ exit
logout

#Need to combine intermediate and root CA using cat
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@mail ~]# cat /tmp/*.{pem,crt}
DigiCert_Global_Root_CA.pem inter.crt web.crt

[root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK

##Wrong set of arguments in next command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

#Correct command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK
** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::

...redacted...

::service proxy::

...redacted...

::service mailboxd::

...redacted...

::service ldap::

...redacted...

[root@mail ~]# su - zimbra
[zimbra@mail ~]$ zmcontrol restart
Host example.com
Stopping vmware-ha...skipped.
/opt/zimbra/bin/zmhactl missing or not executable.
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host example.com
Starting ldap...Done.
Starting zmconfigd...Done.
Starting dnscache...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
[zimbra@mail ~]$
</pre>

Refer:
* https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools
* https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration