Thread: how to install multi-node commercial certificate - 3 servers

  #1

    Hi List,

    This is my Zimbra setup:

    3 servers

    MTA1 (where the primary LDAP is also running)
    MTA2 (where the secondary LDAP is also running)
    Mailbox server

    Since Zimbra 7.x ships with a one-year certificate by default, we installed a 10-year certificate with the commands below.


    Zimbra must be running on all nodes; then,

    on mta1 (where the primary LDAP is running):

    1. /opt/zimbra/bin/zmcertmgr createca -new

    2. /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"


    3. /opt/zimbra/bin/zmcertmgr deploycrt self -allserver

    on all 3 nodes:

    4. /opt/zimbra/bin/zmcertmgr viewdeployedcrt

    5. on mta1 (where the primary LDAP is running):
    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mta2:/opt/zimbra/conf/ca/
    scp /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key root@mailbox:/opt/zimbra/conf/ca/


    6. on mta1, mta2 and mailbox:

    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem

    7. On ALL nodes:

    su - zimbra -c 'zmcontrol restart'


    Everything works fine. Now we need to install a commercial certificate.


    I found the URL below:

    http://www.zimbra.com/forums/adminis...tallation.html

    I need a little bit of help.

    In my Zimbra setup with 3 servers (mailbox.example.com, mta1.example.com and mta2.example.com), users want to access webmail (i.e. https://mailbox.example.com).

    For that purpose, how do I begin?

    First, do I have to run the command below?

    zmtlsctl mixed

    Then, I think I first have to create a .csr in this way (since I have 3 servers, I need it as a wildcard):


    /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=*.example.com"

    It generates 2 files, commercial.key and commercial.csr.

    Am I right?

    Should I run this command on all 3 servers, or on one server and then copy commercial.key and commercial.csr to the other 2 servers? Please answer.

    Then I will have to send this CSR to an SSL provider to buy a commercial.crt.

    Am I right so far?

    Then, what else will I have to do?

    Hope to hear from you...

  #2

    [QUOTE=vavai]The easiest way is to generate the CSR within Zimbra Admin and pick the "for ALL Servers" option from the drop-down list.[/QUOTE]

    I think it will be possible. I will let you know after doing it.

    [QUOTE=vavai]You will need to copy the commercial.key and .csr file to another server[/QUOTE]

    Why? What does it mean? Since I have 3 servers, if I generate the .csr via the admin web GUI of the server called mail.example.com, will I have to copy commercial.key and .csr to only one server, or to the remaining 2 servers (mta1 and mta2 in my case)? Please answer.


    [QUOTE=vavai]and then use the downloaded CSR to get the SSL certificate from your SSL provider[/QUOTE]

    I can do it.

    [QUOTE=vavai]and install it on every server.[/QUOTE]

    How to install? Via the admin web GUI of the server called mail.example.com, or the command line? If it is the command line, what are the commands?

    [QUOTE=vavai]As for wildcard or single domain, it shouldn't matter if you wish to access your server with a single domain. Ex:

    I have 3 servers: ldap.excellent.co.id, mta.excellent.co.id and mail1.excellent.co.id. I'm using Zimbra proxy on MTA and access IMAP, POP3 and SMTP by using mail.excellent.co.id. Then I can go with a single-domain certificate with the mail.excellent.co.id name.[/QUOTE]

    Hmm, sounds good. I also use Zimbra proxy on both mta1 and mta2. On both mta1 and mta2, TWO Linux VMs are running as load balancers (HAProxy); they have a virtual IP. So all clients connect to this virtual IP. This virtual IP forwards traffic to the 2 Zimbra proxies. This virtual IP is mail.example.com.

    Now, users access http://mail.example.com. I think I can also go with a single-domain certificate with mail.example.com.

    But now they need access to either http://mail.example.com, which will switch to https:// for the login only and then revert to http:// for normal session traffic, or, if they browse to https://, they will stay on https://mail.example.com.

    zmtlsctl mixed can do it.


    [QUOTE=vavai]I will need a wildcard certificate if I want to access mail.excellent.co.id for webmail, smtp.excellent.co.id for SMTP, pop.excellent.co.id for POP3 and imap.excellent.co.id for IMAP connections.[/QUOTE]

    I do not need that requirement. Thanks for enlightening me.

    [QUOTE=vavai]Hope this helps.[/QUOTE]

    Yes, it really helps me.

    [QUOTE=vavai]Please let me know if you need further information,[/QUOTE]

    I need further info from you.

    [QUOTE=vavai]I'll be trying to make it clear for you. I got a similar problem (and confused) in the past and will be glad to help anyone with a similar problem.[/QUOTE]


    Many, many thanks. I really appreciate your compassion.


    Waiting for your brilliant reply...


    C ya.
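The single-name versus wildcard question in the exchange above (and the "I need it as a wildcard" in the first post) comes down to which hostnames clients actually connect to and which names the certificate covers. The matcher below is an added example for this page, not code from the thread or from Zimbra. It applies the RFC 6125 wildcard rules that browsers and mail clients enforce and runs them over the thread's hostnames; smtp/pop/imap.example.com are assumed per-service names mirroring vavai's layout.

```python
"""Does a certificate name cover a hostname?  RFC 6125 wildcard rules.

Added example for this page, not code from the thread or from Zimbra.  The
hostnames are the thread's mail.example.com / mailbox.example.com plus assumed
per-service names (smtp/pop/imap.example.com) like vavai's layout."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate identifier (CN or dNSName SAN) covers hostname.

    Rules: case-insensitive, trailing dot ignored; '*' must be the entire
    leftmost label and may appear nowhere else; it matches exactly one label,
    so *.example.com covers mail.example.com but not example.com or
    a.b.example.com; at least two labels must follow the '*' (no '*.com').
    Real clients additionally consult the public suffix list for that last rule.
    """
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False                       # m*.example.com, *.com and mail.*.com are all refused
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {h: next((c for c in cert_names if name_matches(c, h)), None) for h in hostnames}


# Constructed scenarios (assumed service names; not from the thread).
SINGLE_NAME = ["mail.example.com"]                 # what the OP plans to buy
WILDCARD = ["*.example.com"]                       # what the first post asked for
VIP_ONLY = ["mail.example.com"]                    # every client goes through the HAProxy VIP
PER_SERVICE = ["mail.example.com", "smtp.example.com", "pop.example.com", "imap.example.com"]
EXTRA_NAME = ["mail.example.com", "mailbox.example.com"]   # the webmail URL named in post #1

if __name__ == "__main__":
    print("single-name cert, VIP only:   ", coverage(SINGLE_NAME, VIP_ONLY))
    print("single-name cert, per service:", coverage(SINGLE_NAME, PER_SERVICE))
    print("wildcard cert, per service:   ", coverage(WILDCARD, PER_SERVICE))
    print("single-name cert, two names:  ", coverage(SINGLE_NAME, EXTRA_NAME))
    print("*.example.com covers example.com?", name_matches("*.example.com", "example.com"))
```

With one VIP (mail.example.com) in front of both proxies, a single-name certificate covers every client connection. It stops covering anything the moment a second public name is used, such as the https://mailbox.example.com from the first post; only a wildcard or an extra SAN entry covers that. The wildcard matches exactly one label, so *.example.com does not cover example.com itself.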

  #3

    [QUOTE=vavai;255271]If you get a warning regarding your CSR entry, ignore it and type your CSR entry correctly.[/QUOTE]

    ok

    [QUOTE=vavai]You can install the SSL certificate on the remaining servers without copying the key and csr, but if Zimbra complains regarding an incorrect CSR and certificate (because the CSR and key on the remaining servers differ from the other one), just copy the key and csr.[/QUOTE]

    ok


    [QUOTE=vavai]I'm using a GoDaddy SSL certificate and below is the command to deploy the SSL certificate:
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm <name-of-certificate> <name-of-gd_bundle>
    example:
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm mail.excellent.co.id.crt gd_bundle.crt[/QUOTE]

    I think I will have to run this command on all 3 servers.

    Am I right?


    Hmm, since I do NOT need any wildcard certificate, I can download a free 30-day trial certificate and try it out.
    Am I right, ain't I?

    How do I download this gd_bundle.crt pack? Can I download it from GoDaddy? If so, can you send me a URL to download it? Does GoDaddy give a free 30-day SSL trial certificate?



    Hope to hear from you.

    Thanks a LOT for the effort you have put forth.
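The failure vavai describes above (Zimbra rejecting the certificate on a node because that node's commercial.key and .csr are not the ones the CA signed) and the first post's question of whether commercial.key and commercial.csr must be copied to the other two servers both come down to one fact: the private key, the CSR and the issued certificate must carry the same RSA public key. The check below is an added example written for this page, not code from the thread or from Zimbra. It uses only the Python standard library, walking the DER of each PEM file to extract the RSA modulus and comparing the three. The PEM inputs it runs on are constructed by hand with fabricated numbers (they are not real keys or certificates, only enough ASN.1 to exercise the parser offline); in practice you would feed it the commercial.key on the node, the CSR you submitted and the certificate the provider returned.

```python
"""Compare the RSA modulus in commercial.key, commercial.csr and the CA-issued
certificate before running `zmcertmgr deploycrt comm` on a node.

Added example for this page (not from the thread or from Zimbra), stdlib only.
The sample PEM inputs at the bottom are constructed with fabricated numbers."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tlv(buf: bytes, off: int = 0):
    """Decode one DER tag-length-value at buf[off:]; return (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def children(value: bytes):
    """Split a constructed element's value into (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        out.append((tag, val))
    return out


def rsa_public_key(tag: int, value: bytes):
    """Depth-first search for SubjectPublicKeyInfo {rsaEncryption, BIT STRING}; return (n, e)."""
    if not (tag in (0x30, 0x31) or (tag & 0xE0) == 0xA0):   # only descend into constructed types
        return None
    kids = children(value)
    if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
        alg = children(kids[0][1])
        if alg and alg[0] == (0x06, RSA_ENCRYPTION_OID):
            _, rsa_pub, _ = tlv(kids[1][1], 1)      # skip the BIT STRING unused-bits byte
            n, e = children(rsa_pub)                # RSAPublicKey ::= SEQUENCE { n, e }
            return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")
    return next(filter(None, (rsa_public_key(t, v) for t, v in kids)), None)


def modulus_from_private_key(der: bytes) -> int:
    """PKCS#1 RSAPrivateKey (BEGIN RSA PRIVATE KEY) or its PKCS#8 wrapper (BEGIN PRIVATE KEY)."""
    kids = children(tlv(der)[1])
    if len(kids) >= 3 and kids[1][0] == 0x30 and kids[2][0] == 0x04:  # PKCS#8: unwrap OCTET STRING
        return modulus_from_private_key(kids[2][1])
    return int.from_bytes(kids[1][1], "big")     # PKCS#1: version, n, e, d, ...


def keypair_matches(key_pem: str, csr_pem: str, crt_pem: str) -> bool:
    """True only if key, CSR and certificate all carry the same modulus."""
    n_key = modulus_from_private_key(pem_to_der(key_pem))
    n_csr = rsa_public_key(*tlv(pem_to_der(csr_pem))[:2])[0]
    n_crt = rsa_public_key(*tlv(pem_to_der(crt_pem))[:2])[0]
    return n_key == n_csr == n_crt


# --- constructed sample inputs (fabricated values, not real key material) ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(x: int) -> bytes:
    return der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))  # keeps the sign bit clear


def to_pem(label: str, body: bytes) -> str:
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


def sample_spki(n: int) -> bytes:
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(65537))))


def sample_key(n: int) -> str:       # PKCS#1 with placeholder private components
    return to_pem("RSA PRIVATE KEY", der(0x30, der_int(0) + der_int(n) + der_int(65537) + der_int(3) * 6))


def sample_csr(n: int) -> str:       # CertificationRequest with empty subject and signature
    info = der(0x30, der_int(0) + der(0x30, b"") + sample_spki(n) + der(0xA0, b""))
    return to_pem("CERTIFICATE REQUEST", der(0x30, info + der(0x30, b"") + der(0x03, b"\x00")))


def sample_crt(n: int) -> str:       # Certificate with empty issuer/validity/subject
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + der(0x30, b"") * 4 + sample_spki(n))
    return to_pem("CERTIFICATE", der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")))


N_MTA1 = (1 << 2047) + 12345   # modulus of the commercial.key created on mta1
N_MBOX = (1 << 2047) + 67890   # a different key, as if createcsr had been run again on mailbox

if __name__ == "__main__":
    csr, crt = sample_csr(N_MTA1), sample_crt(N_MTA1)
    print("same key everywhere:", keypair_matches(sample_key(N_MTA1), csr, crt))
    print("key regenerated on another node:", keypair_matches(sample_key(N_MBOX), csr, crt))
```

Run it on every node with that node's commercial.key, the CSR you submitted and the certificate the CA returned. A False on mta2 or mailbox means that node holds its own commercial.key (createcsr was run there as well), so the certificate will not deploy against it; that is exactly the case where the key and CSR from the node that generated them must be copied over first, as vavai says. The check looks only at the modulus; it does not verify the certificate chain against the provider's CA bundle (gd_bundle.crt above), which deploycrt still needs.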
