CentOS 7.x Install SSL certificate in Zimbra

From Notes_Wiki
Revision as of 06:50, 5 April 2018 by Saurabh (talk | contribs) (Created page with "<yambe:breadcrumb>CentOS_7.x_Zimbra_configuration|CentOS 7.x Zimbra configuration</yambe:breadcrumb> =CentOS 7.x Install SSL certificate in Zimbra= To Install SSL certificate...")


To install an SSL certificate in Zimbra, use the following steps:

  1. Log in to the admin console
  2. Use the certificate wizard link on the homepage/dashboard, or look for the certificate option under Configure
  3. Generate a CSR to send to the certificate authority for signing. Note that if you already have a private key and certificate, you should replace /opt/zimbra/ssl/zimbra/commercial/commercial.key with your existing private key. Also, if you are not planning to get the certificate signed by a recognized authority but want to use a self-signed certificate, use the following commands as the root user:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
    /opt/zimbra/bin/zmcertmgr deploycrt self
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    su -c "zmcontrol restart" - zimbra
    For a self-signed certificate one can also use Openssl or Easy-rsa
  4. Refer to Getting certificates signed by recognized CA or Using namecheap wildcard SSL certificates for HTTPS for purchasing a certificate and getting it signed by a recognized CA
  5. After the CSR is signed by the certificate authority, download both the root CA and the intermediate CA certificates and combine them into a single file using:
    cat /tmp/root-ca.crt /tmp/intermediate-ca.crt > /tmp/combined.crt
    This requires the .crt or .pem files to be PEM certificates, i.e. to contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Refer to Openssl for the different certificate formats and for converting from one form to another
  6. After this, verify that the certificate, key and chain are consistent using:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/signed_server_certificate.crt /tmp/combined.crt
  7. If verification succeeds, install the certificate and CA chain using:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/signed_server_certificate.crt /tmp/combined.crt
    Note that installation does not require the path to the private key; deploycrt picks up the key from /opt/zimbra/ssl/zimbra/commercial/commercial.key itself
  8. Look at the deployed certificate:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
  9. Restart Zimbra for the changes to take effect:
    su -c "zmcontrol restart" - zimbra
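The following pre-flight script is an added example, not part of this wiki page and not Zimbra's own tooling. It wraps steps 5 to 9 above so that the two mistakes recorded in the terminal I/O further down (a CA file that does not contain the full issuer chain, and the private key path being passed to deploycrt) are caught before zmcertmgr is invoked. The only paths taken from the page are /opt/zimbra/bin/zmcertmgr and /opt/zimbra/ssl/zimbra/commercial/commercial.key; function names, environment variables and the 30-day expiry threshold are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks before deploying a commercial certificate into Zimbra.
# Run as root. ZIMBRA_KEY and ZMCERTMGR default to the paths used on this
# page; everything else (function names, thresholds) is assumed here.
set -u

ZIMBRA_KEY=${ZIMBRA_KEY:-/opt/zimbra/ssl/zimbra/commercial/commercial.key}
ZMCERTMGR=${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}

# is_pem_cert FILE: succeed only if FILE is readable and contains at least one
# PEM certificate block. DER, PKCS#7 or PKCS#12 files fail this check and must
# be converted with openssl before being concatenated into a chain.
is_pem_cert() {
    [ -r "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
}

# count_pem_certs FILE: print the number of certificate blocks in FILE (0 if
# the file is missing or holds none).
count_pem_certs() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# build_chain OUT CA_FILE...: concatenate the CA certificates into OUT in the
# order given (the page uses root first, then intermediate), refusing any
# file that is not PEM so a stray DER download does not silently corrupt OUT.
build_chain() {
    out=$1; shift
    : > "$out"
    for ca in "$@"; do
        if ! is_pem_cert "$ca"; then
            echo "build_chain: $ca is not a PEM certificate; convert it with openssl first" >&2
            return 1
        fi
        cat "$ca" >> "$out"
    done
}

# key_matches_cert KEY CERT: compare the public keys, which works for both RSA
# and EC keys. Requires openssl.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# chain_verifies CERT CHAIN: the same check zmcertmgr verifycrt performs.
# "error 20 ... unable to get local issuer certificate" here means CHAIN is
# missing the intermediate or the root.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# not_expiring_soon CERT: fail if CERT expires within 30 days (assumed threshold).
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend "$((30 * 24 * 3600))" >/dev/null 2>&1
}

# preflight_and_deploy CERT CHAIN: run every check, then the zmcertmgr sequence
# from steps 6 to 9. deploycrt takes only the certificate and chain; passing
# the key path as its first argument makes zmcertmgr try to parse the key as a
# certificate and fail with "unable to load certificate".
preflight_and_deploy() {
    cert=$1; chain=$2
    is_pem_cert "$cert"  || { echo "server certificate $cert is not PEM" >&2; return 1; }
    is_pem_cert "$chain" || { echo "CA chain $chain is not PEM" >&2; return 1; }
    [ "$(count_pem_certs "$chain")" -ge 2 ] || echo "warning: $chain holds fewer than 2 certificates; root or intermediate may be missing" >&2
    if command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$ZIMBRA_KEY" "$cert" || { echo "$cert does not match $ZIMBRA_KEY" >&2; return 1; }
        chain_verifies "$cert" "$chain"        || { echo "$cert does not verify against $chain" >&2; return 1; }
        not_expiring_soon "$cert"              || echo "warning: $cert expires within 30 days" >&2
    fi
    [ "$(id -u)" -eq 0 ] || { echo "zmcertmgr must be run as root" >&2; return 1; }
    "$ZMCERTMGR" verifycrt comm "$ZIMBRA_KEY" "$cert" "$chain" || return 1
    "$ZMCERTMGR" deploycrt comm "$cert" "$chain" || return 1
    "$ZMCERTMGR" viewdeployedcrt
    su -c "zmcontrol restart" - zimbra
}

# Only deploy when explicitly asked, so the file can also be sourced for its
# helper functions. Usage as root:
#   ZIMBRA_PREFLIGHT_RUN=1 sh preflight.sh /tmp/signed_server_certificate.crt /tmp/combined.crt
if [ "${ZIMBRA_PREFLIGHT_RUN:-0}" = 1 ] && [ "$#" -eq 2 ]; then
    preflight_and_deploy "$1" "$2"
fi
```

The openssl checks are skipped when openssl is not on PATH, but zmcertmgr verifycrt still runs and performs the same key match and chain verification, so the deploy never proceeds on an unverified certificate.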

Note that trying to install the certificate via the GUI installation wizard failed, while the same server certificate, root certificate, intermediate certificate, etc. worked from the command line. Hence use the command line for installing the Zimbra SSL certificate.

Example terminal I/O of certificate installation:

#Need to run certificate command as root user
[root@mail ~]# su - zimbra                  
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
/opt/zimbra/bin/zmcertmgr must be run as user root
[zimbra@mail ~]$ exit
logout

#Need to combine intermediate and root CA using cat
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/DigiCert_Global_Root_CA.pem
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/web.crt: C = IN, ST = Telangana, L = Hyderabad, O = Example, CN = *.example.com
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@mail ~]# cat /tmp/*.{pem,crt}
DigiCert_Global_Root_CA.pem  inter.crt                    web.crt                     
[root@mail ~]# cat /tmp/DigiCert_Global_Root_CA.pem /tmp/inter.crt > /tmp/combined.crt
[root@mail ~]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK

##Wrong set of arguments in next command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/web.crt /tmp/combined.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
139915522893480:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

#Correct command
[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/web.crt /tmp/combined.crt
** Verifying /tmp/web.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/web.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/web.crt: OK
** Copying /tmp/web.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/combined.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::

...redacted...

::service proxy::

...redacted...

::service mailboxd::

...redacted...

::service ldap::

...redacted...

[root@mail ~]# su - zimbra
[zimbra@mail ~]$ zmcontrol restart
Host example.com
    Stopping vmware-ha...skipped.
        /opt/zimbra/bin/zmhactl missing or not executable.
    Stopping zmconfigd...Done.
    Stopping zimlet webapp...Done.
    Stopping zimbraAdmin webapp...Done.
    Stopping zimbra webapp...Done.
    Stopping service webapp...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping opendkim...Done.
    Stopping amavis...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping proxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping dnscache...Done.
    Stopping ldap...Done.
Host example.com
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting dnscache...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting memcached...Done.
    Starting proxy...Done.
    Starting amavis...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting opendkim...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.
    Starting service webapp...Done.
    Starting zimbra webapp...Done.
    Starting zimbraAdmin webapp...Done.
    Starting zimlet webapp...Done.
[zimbra@mail ~]$


Refer: