Install Comodo SSL in Zimbra 8.7

Out of the box Zimbra runs with a self-signed certificate, and installing a CA-issued certificate in Zimbra 8.7 is a somewhat involved process. Part of the reason is that Zimbra is strict about the CA certificate chain: the server certificate must validate against the complete chain before it can be deployed.

There are two ways to install the certificate: through the Zimbra Admin Console or through the CLI. The Admin Console method requires that the CSR was generated from its web interface; if the CSR was created elsewhere, the certificate has to be installed through the Zimbra CLI:

Method 1: Through Zimbra Admin Console

1. Log in to the Zimbra Admin Console through a browser.

2. In the left navigation pane, click Configure under Home, then click Certificate.


3. On the right side of the Admin Console click the "settings" (gear) icon and select "Install Certificate".

4. The "Certificate Installation Wizard" pops up.

5. From the "Server Name" drop-down menu select the server you want to install the certificate for, then click Next.

6. Select "Install the commercial signed certificate" and click Next.

7. If all the information in the review window is correct, click Next.

8. Upload the certificate files in their respective places.

9. After uploading the certificate files, click "Install".

10. Restart the Zimbra services.

Finally, return to the Zimbra Admin Console and view the installed certificate.

Method 2: Via CLI

First, log in through SSH.

Back up the SSL certificate directory. Start by switching to the zimbra user:

root@zimbraserver:~$ su - zimbra

Move to the Zimbra SSL directory:

zimbra@zimbraserver:~$ cd /opt/zimbra/ssl/zimbra/

Back up the SSL directory first (the copy is named after today's date):

zimbra@zimbraserver:~/ssl/zimbra/$ cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

Create a temporary directory and change into it:

zimbra@zimbraserver:~/ssl/zimbra/$ mkdir new-cert && cd new-cert

zimbra@zimbraserver:~/ssl/zimbra/new-cert$

Now place the three files (chain, private key and certificate) in this directory:

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim chain.pem

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim cert.pem

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim privkey.pem

With the command below we verify the consistency of certificate, chain and private key before installing anything:

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
ERROR: Unable to validate certificate chain: cert.pem: OU = Domain Control Validated, OU = PositiveSSL, CN = zimbraserver.mail.tech
error 20 at 0 depth lookup: unable to get local issuer certificate

The key and certificate match, but the chain check fails: Zimbra insists on a complete chain from the server certificate up to the root, and the chain file supplied with the certificate does not provide one. We will now download the current Comodo chain certificates and build the chain from them. Go to the URL below and download the three certificates listed there:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2

Download all three certificates:

comodorsaaddtrustca.crt
addtrustexternalcaroot.crt
comodorsadomainvalidationsecureserverca.crt

Paste each one into its own file under /tmp:

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim /tmp/AddTrustExternalCARoot.crt
zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim /tmp/COMODORSAAddTrustCA.crt
zimbra@zimbraserver:~/ssl/zimbra/new-cert$ vim /tmp/COMODORSADomainValidationSecureServerCA.crt

Now combine them into one chain file, root certificate first, then the intermediates:

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ cat /tmp/AddTrustExternalCARoot.crt /tmp/COMODORSAAddTrustCA.crt /tmp/COMODORSADomainValidationSecureServerCA.crt > chain.pem
Verify certificate, chain and key again:

zimbra@zimbraserver:~/ssl/zimbra/new-cert$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
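As an added example, not part of the original post and not Zimbra's own tooling, the script below reproduces with plain openssl the two checks that zmcertmgr verifycrt reports on: that the private key belongs to the certificate, and that the certificate validates against the chain file. It builds a throwaway root -> intermediate -> server certificate chain in a temporary directory, shows the "error 20 at 0 depth lookup: unable to get local issuer certificate" failure when the chain file lacks the intermediate, and shows the check passing once the intermediate is added. The CA names, the hostname zimbraserver.example.test, the file names and the helper function names are all assumptions made for this example; it only needs a standard openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the checks behind
# "zmcertmgr verifycrt" with plain openssl on a constructed test PKI.
set -eu

WORK="$(mktemp -d)"            # scratch directory for the throwaway PKI
trap 'rm -rf "$WORK"' EXIT     # removed when the script exits

# Build a constructed chain: Example Root CA -> Example Intermediate CA -> server cert.
# All names and file names here are assumptions for this example only.
make_test_pki() {
    # self-signed root (openssl req -x509 marks it CA:TRUE with the default config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    # intermediate CA, signed by the root, explicitly CA:TRUE
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null
    # server (leaf) certificate, signed by the intermediate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=zimbraserver.example.test" \
        -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:zimbraserver.example.test\n' > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" 2>/dev/null
    # an unrelated key, to show what a key/certificate mismatch looks like
    openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null
    # chain files: the broken one lacks the intermediate (the situation in the post),
    # the good one lists the root first and then the intermediate
    cat "$WORK/root.crt" > "$WORK/root_only_chain.pem"
    cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/chain.pem"
}

# Check 1: does the private key belong to the certificate?
# Compares the SubjectPublicKeyInfo of both, so it works for RSA and EC keys alike.
key_matches_cert() {            # usage: key_matches_cert CERT KEY ; exit 0 on match
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
    return 1
}

# Check 2: does the certificate validate against the chain file alone (system trust
# store excluded)? Prints the X509 error number, 0 when the chain is valid;
# 20 is "unable to get local issuer certificate", i.e. a missing intermediate.
chain_error_code() {            # usage: chain_error_code CERT CHAIN
    if out="$(openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" 2>&1)"; then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

show() {                        # print yes/no for a check's exit status
    if "$@"; then echo yes; else echo no; fi
}

make_test_pki
echo "key matches cert (privkey.pem):    $(show key_matches_cert "$WORK/cert.pem" "$WORK/privkey.pem")"
echo "key matches cert (wrong.key):      $(show key_matches_cert "$WORK/cert.pem" "$WORK/wrong.key")"
echo "chain error, intermediate missing: $(chain_error_code "$WORK/cert.pem" "$WORK/root_only_chain.pem")"
echo "chain error, complete chain:       $(chain_error_code "$WORK/cert.pem" "$WORK/chain.pem")"
```

Run it as a plain shell script; the temporary PKI is deleted on exit. The same two questions can be asked of the real files before deploying them (key_matches_cert on cert.pem and privkey.pem, chain_error_code on cert.pem and chain.pem), and after the restart the chain the server actually presents can be inspected from another host with openssl s_client -connect zimbraserver.mail.tech:443 -servername zimbraserver.mail.tech -showcerts, which is the same information a web-based checker shows.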
Now copy the private key to the location Zimbra expects it in:

zimbra@zimbraserver:~/ssl/zimbra.20170619/new-cert$ cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite '/opt/zimbra/ssl/zimbra/commercial/commercial.key'? Y
Finally, it is time to deploy the new certificate along with the chain:

zimbra@zimbraserver:~/ssl/zimbra.20170619/new-cert$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer
zimbraserver.mail.tech...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer
zimbraserver.mail.tech...ok
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/44333d1e.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '4cd4f1d1e.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '15fef4253a5.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'dfefev60.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '8fewfae65.0' -> 'commercial_ca_3.crt'
Now restart the Zimbra services:

zimbra@zimbraserver:~/$ zmcontrol restart
Host zimbraserver.mail.tech
Stopping zmconfigd…Done.
Stopping zimlet webapp…Done.
Stopping zimbraAdmin webapp…Done.
Stopping zimbra webapp…Done.
Stopping service webapp…Done.
Stopping stats…Done.
Stopping mta…Done.
Stopping spell…Done.
Stopping snmp…Done.
Stopping cbpolicyd…Done.
Stopping archiving…Done.
Stopping opendkim…Done.
Stopping amavis…Done.
Stopping antivirus…Done.
Stopping antispam…Done.
Stopping proxy…Done.
Stopping memcached…Done.
Stopping mailbox…Done.
Stopping logger…Done.
Stopping dnscache…Done.
Stopping ldap…Done.
Host zimbraserver.mail.tech
Starting ldap…Done.
Starting zmconfigd…Done.
Starting dnscache…Done.
Starting logger…Done.
Starting mailbox…Done.
Starting memcached…Done.
Starting proxy…Done.
Starting amavis…Done.
Starting antispam…Done.
Starting antivirus…Done.
Starting opendkim…Done.
Starting snmp…Done.
Starting spell…Done.
Starting mta…Done.
Starting stats…Done.
Starting service webapp…Done.
Starting zimbra webapp…Done.
Starting zimbraAdmin webapp…Done.
Starting zimlet webapp…Done.
The new certificate should now be installed and in use. You can also check the certificate and the chain the server presents with an external checker such as:

https://www.sslshopper.com/

Sources:

https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2
https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration
