Difference between revisions of "CentOS 7.x Install SSL certificate in Zimbra"

From Notes_Wiki
(Created page with "<yambe:breadcrumb>CentOS_7.x_Zimbra_configuration|CentOS 7.x Zimbra configuration</yambe:breadcrumb> =CentOS 7.x Install SSL certificate in Zimbra= To Install SSL certificate...")
 
m (Replaced content with "<yambe:breadcrumb self="Install SSL certificate in Zimbra">CentOS_7.x_Zimbra_configuration|Zimbra configuration</yambe:breadcrumb> =CentOS 7.x Install SSL certificate in Z...")
Tag: Replaced
Line 1: Line 1:
<yambe:breadcrumb>CentOS_7.x_Zimbra_configuration|CentOS 7.x Zimbra configuration</yambe:breadcrumb>
<yambe:breadcrumb self="Install SSL certificate in Zimbra">CentOS_7.x_Zimbra_configuration|Zimbra configuration</yambe:breadcrumb>
=CentOS 7.x Install SSL certificate in Zimbra=
=CentOS 7.x Install SSL certificate in Zimbra=


To Install SSL certificate in Zimbra use following steps:
*[[CentOS 7.x Install yearly or longer duration purchased SSL certificate in Zimbra]]
# Login into admin console
*[[CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra]]
# Use the certificate wizard link on homepage/dashboard or look for certificate option under Configure
# Generate a CSR for sending to certificate authority for signing.  Note that if you already have private key and certificate then you should replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key.  Also, if you are not planning to get certificate signed by a recognized authority, but want to use a self-signed certificate then use following commands are root user:
#:<pre>
#:: /opt/zimbra/bin/zmcertmgr createca -new
#:: /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
#:: /opt/zimbra/bin/zmcertmgr deploycrt self
#:: /opt/zimbra/bin/zmcertmgr deployca
#:: /opt/zimbra/bin/zmcertmgr viewdeployedcrt
#:: su -c "zmcontrol restart" - zimbra
#:</pre>
#:: For self signed certificate one can also use [[Openssl]] or [[Easy-rsa]]
# Use [[Getting certificates signed by recognized CA]] or [[Using namecheap wildcard SSL certificates for HTTPS]] for purchasing certificate and getting them signed from a recognized CA
# After CSR is signed by a certificate authority, download both root CA and intermediate CA and combine them into a single file using:
#:<pre>
#:: cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
#:</pre>
#:: This requires the .crt or .pem files to have ---BEGIN CERTIFICATE---, ---END CERTIFICATE--- type of certificate.  Refer [[Openssl]] for different types of certificates and for converting from one form to another
# After this verify certificate is proper using:
#:<pre>
#::/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
#:</pre>
# If verification succeeds then install CA using:
#:<pre>
#:: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
#:</pre>
#:: Note that installation does not requires path to private key
# Look at deployed certificate
#:<pre>
#:: /opt/zimbra/bin/zmcertmgr viewdeployedcrt
#:</pre>
# Restart Zimbra for changes to take effect
#:<pre>
#:: su -c "zmcontrol restart" - zimbra
#:</pre>
 
Note that trying to install certificate via GUI installation wizard failed while the same server certificate, root certificate, intermediate, etc. worked from command-line.  Hence use command-line for installing Zimbra SSL certificate.
 
Example terminal I/O of certificate installation:
<pre>
#Need to run certificate command as root user
[root@mail ~]# su - zimbra                 
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
/opt/zimbra/bin/zmcertmgr must be run as user root
[zimbra@mail ~]$ exit
logout
 
#Need to combine intermediate and root CA using cat
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@mail ~]# cat /tmp/*.{pem,crt}
DigiCert_Global_Root_CA.pem  inter.crt                    web.crt                   
[root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK
 
##Wrong set of arguments in next command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
 
#Correct command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK
** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
 
...redacted...
 
::service proxy::
 
...redacted...
 
::service mailboxd::
 
...redacted...
 
::service ldap::
 
...redacted...
 
[root@mail ~]# su - zimbra
[zimbra@mail ~]$ zmcontrol restart
Host example.com
    Stopping vmware-ha...skipped.
        /opt/zimbra/bin/zmhactl missing or not executable.
    Stopping zmconfigd...Done.
    Stopping zimlet webapp...Done.
    Stopping zimbraAdmin webapp...Done.
    Stopping zimbra webapp...Done.
    Stopping service webapp...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping opendkim...Done.
    Stopping amavis...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping proxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping dnscache...Done.
    Stopping ldap...Done.
Host example.com
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting dnscache...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting memcached...Done.
    Starting proxy...Done.
    Starting amavis...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting opendkim...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.
    Starting service webapp...Done.
    Starting zimbra webapp...Done.
    Starting zimbraAdmin webapp...Done.
    Starting zimlet webapp...Done.
[zimbra@mail ~]$
</pre>
 
 
Refer:
* https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools
* https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration
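
Review bot: The step "If verification succeeds then install CA using:" is mislabelled. The command under it is "zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt", which deploys the signed server certificate together with the CA chain, so the step should read "deploy the signed certificate and CA chain" wherever this procedure now lives. The edit summary says the content was replaced, and the only new lines visible are the two links (purchased certificate, Let's Encrypt), so please confirm that two troubleshooting details made it into the linked pages: the note that the GUI wizard failed while the command line worked, and the transcript case where passing only the root CA to verifycrt gives "error 20 at 0 depth lookup:unable to get local issuer certificate" until root and intermediate are combined. While moving the text, fix "use following commands are root user" (should be "as root user") and "installation does not requires path to private key".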

Revision as of 03:13, 14 February 2019

CentOS 7.x Install SSL certificate in Zimbra