Certificates for multiple domains


Postby cmilfo » Mon Apr 30, 2007 11:24 am

Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.
[quote user="mrfileio"]So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?[/QUOTE]
Along the same lines, can multiple certificates be used with IMAP and SMTP?
(We're looking to migrate from a Postfix/Cyrus/DSPAM/SquirrelMail solution.)
Thank you,

Casey



Postby L. Mark Stone » Tue May 01, 2007 12:21 pm

[quote user="cmilfo"]Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.

[/QUOTE]
Casey,
In our experience this is not possible.
There may be a way to do it, but we haven't found one. We are running NE 4.5.3 on SLES9 and have had requests from several customers for their own SSL cert, so they can go to "webmail.theirdomain.com" instead of going to ourzimbraserver.ourdomain.com.
The issue is that an SSL cert needs a unique IP address, but each Zimbra server only has one. Further, a wildcard cert only handles subdomains, and so won't work for your customers (nor ours).
On some of our other non-Zimbra Apache servers, we just bind multiple IP addresses to the NIC and put each virtual host on a separate IP.
There seems to be no facility within Zimbra presently to do that.
I'm about to open an enhancement request on the support portal for this.
Probably not what you wanted to hear, but there you are. It's still a great product and has been rock-solid for us, but this does seem like a surprising feature gap (at least to me!).
All the best,

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Postby cmilfo » Tue May 01, 2007 3:08 pm

Well, that's not exactly what I wanted to hear, but I guessed as much. Anytime I've tried to run multiple SSL sites off a single web server, I've always had some sort of road block (certs not matching site, needing a wildcard cert, not enough IP addresses, not all sites using SSL, you name it).
We like ZCS a lot, so we're moving forward without the individual certificates. Here's my workaround. I'm using a single commercial site. To get each domain to be able to use its own URL, I'm creating a web page with a 100% iframe that points to the mail server. Since the single domain has a valid certificate, they get no warning, and it appears they are going to their own URL. Here's the page I'm using:
[QUOTE]
https://mail.mailserver.com'>>
[/QUOTE]
Drop this in an index.html in a 'mail' folder, and the users can hit http://www.theirdomain.com/mail to get to their ZCS mail. The only catches are that they have to use their full email address to log in (e.g., user@theirdomain.com), I can't customize the login screen (I'm still able to customize the theme to the domain once the user is logged in), and it doesn't LOOK like it's secure (I'll just have to assure them otherwise).
If anyone sees an issue with this approach, let me know!
Casey

Postby L. Mark Stone » Wed May 02, 2007 2:29 pm

What happens if you try:

https://mail.mailserver.com/?skin=mycustomskin
Where 'mycustomskin' is the name of the custom theme you have created. That should get you the pre-login screen with the desired theme.
Note the Zimbra licensing requirements re branding; they are different for the Network and Open Source editions.
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Postby cmilfo » Wed May 02, 2007 4:38 pm

That works great. Thank you.
In regards to the rebranding, we're using the 60 day evaluation while we test. We're planning to purchase the Network Professional Edition.

Postby cmilfo » Tue May 15, 2007 10:22 am

I chose to post this question here since it's related to the thread. I hope some folks see this and reply.
A few posts up I received a response from LMStone suggesting I add skin=domainskin to customize the user's login for my iframe solution. (The iframe solution allows me to use SSL without getting the nasty IE7 warning for cert not matching the domain.) This works great, and I've been able to customize the logins for all the domains I will be hosting. (And yes, I will be running a licensed version once we're finished with testing.)
What other variables can I set through this method? Is there a way to set the login domain so the users do not have to type user@domain to login? I tried a few variations of domain= to no avail.
Thank you, much.
Casey

Postby mmorse » Tue May 15, 2007 10:46 am


http://wiki.zimbra.com/index.php?title=SSL_Certificate_Problems
[QUOTE]
If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several zimbra servers. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.

vi /opt/zimbra/conf/zmssl.cnf.in

[change section to appear as below]

0.organizationName = Zimbra
0.organizationName_default = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Zimbra
organizationalUnitName_default = Zimbra
commonName =
commonName_max = 64
commonName_default =

Create the CA certificate (as zimbra)

zmcreateca

  • (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:

...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=
Getting Private key
unable to write 'random state'

Install server ca files

  • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):

cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

Create the server certificate (as zimbra)

zmcreatecert

If you wish to have several names on the certificate, supply them as arguments

zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com

Install the server certificate files (as zimbra)

zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
[/QUOTE]

Postby riegersteve » Tue May 15, 2007 5:06 pm

[quote user="DanCody"]I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:
"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..
Anyone have this working for multi hostname machines?
Dan[/QUOTE]
get a root cert

expensive but works for as many subdomains as you can handle

Postby sugiggs » Tue Sep 29, 2009 6:30 am

Bump 2007 post...
any solution??
I need multiple domains support for HTTPS, SMTPS, IMAPS

Postby ewilen » Wed Sep 30, 2009 8:54 am

You need a multiple domain certificate aka a cert that supports subject alternative names. GoDaddy calls them UCC. Comodo has another name for them.
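
An added illustration (not part of the thread and not Zimbra's code): this Python sketch applies RFC 6125-style hostname matching to the three certificate shapes discussed above, a single-name cert, a wildcard, and a multi-name subject alternative name (SAN) cert. Host names are the ones used in the posts; the function names are made up for this example.

```python
"""Added example: which hostnames does a certificate's SAN list cover?"""


def san_entry_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label, never several
    if p[1:] != h[1:]:
        return False  # everything right of the first label must be identical
    if p[0] == "*":
        # Accept '*' only as the whole left-most label, above a suffix of
        # two or more labels (so an entry like '*.com' is refused).
        return len(p) >= 3
    return p[0] == h[0]


def cert_covers(san_dns_names, hostname):
    """True if any SAN entry on the certificate matches the hostname."""
    return any(san_entry_matches(n, hostname) for n in san_dns_names)


def uncovered(san_dns_names, hostnames):
    """Hostnames a client would get a name-mismatch warning for."""
    return [h for h in hostnames if not cert_covers(san_dns_names, h)]


# Certificate shapes from the thread (names as used in the posts).
SINGLE_NAME = ["zimbra.bar.edu"]
WILDCARD = ["*.ourdomain.com"]
MULTI_SAN = ["mail.mydomain.com", "webmail.mydomain.com", "webmail.yourdomain.com"]

if __name__ == "__main__":
    served = ["foo.bar.edu", "ourzimbraserver.ourdomain.com",
              "webmail.theirdomain.com", "webmail.yourdomain.com"]
    for label, sans in (("single", SINGLE_NAME), ("wildcard", WILDCARD),
                        ("multi-SAN", MULTI_SAN)):
        print(label, "does not cover:", uncovered(sans, served))
```

Because the matching is done by the client against the one certificate the server presents, the same check applies to HTTPS, IMAPS and SMTPS: every name users connect to has to be on that certificate.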
