Installing COMODO SSL Certificate - Zimbra 8


Post by jrp7591 » Sat Jun 27, 2015 12:44 pm

I just received my COMODO SSL certificate(s) and there are four of them named:


AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain_com.crt


From everything I'm finding I need to combine two of the certs and rename my_domain_com.crt to commercial.crt, then install. The question is, what two certs do I need to combine?


A step by step would be great


Thanks, 




Post by imanudin11 » Sat Jun 27, 2015 8:54 pm

Hi,


You need to combine these files: AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt. For guidance, please take a look at this guide: https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_ZCS_5.0.x

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net

Post by jorgedlcruz » Sun Jun 28, 2015 4:11 am

Did you generate the CSR and the private key also using Zimbra Collaboration?


If you have 8.0.x, you are generating the CSR with SHA1, which is not secure anymore, and the browsers will tell you that you don't have a valid SSL certificate.


To generate a valid CSR using Zimbra Collaboration 8.0.x, please follow these steps:


By default, Zimbra Collaboration 8.0.x doesn't generate a valid CSR with a 256-bit hash. To force it, edit the following file as root:


vi /opt/zimbra/bin/zmcertmgr

And change this line:


${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} 

To the following one, adding -sha256 to the OpenSSL command:


${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} 

Then generate again the CSR:


/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames host.example.com

Then you need to move into /tmp and create the files called commercial_ca.crt and commercial.crt:


Create commercial_ca.crt first, where you will add the content of the 3 files that Comodo sent to you: AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt. You can use vi or nano to paste the content; you can open that .crt in Notepad or any text editor.


Then create the commercial.crt file, where you need to paste the content of my_domain_com.crt. You can use vi or nano to paste the content; you can open that .crt in Notepad or any text editor.


Your last step is to launch the installation of the SSL certificate, as user root:


/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt

That's it. I will update the Wiki that Imanudin sent to you anyway.


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Post by jorgedlcruz » Mon Jun 29, 2015 6:33 am

The Wiki has been updated, and now points to a new URL:



Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/

Post by Martinwiertz » Sun Jan 31, 2016 2:31 pm

Hello,



Could someone point me in the right direction with this error?



My server name is zimbra.A.local and my external domain is www.A.info.



I made a CSR with both names in the SAN and the CRT is also filled with these names. .local shouldn't be there... but it is.



Current error:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt

** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.

XXXXX ERROR: provided cert isn't valid.



Running: Versie 8.6.0_GA_1191.NETWORK 16 dec 2015

Post by fbzimblet » Fri Sep 09, 2016 3:06 am

Were you able to solve this? I also encountered this on 7.1.4 and found the md5 of the cert is not the same as the CSR's.

# openssl x509 -noout -modulus -in /tmp/commercial.crt | openssl md5
caaa514df83b0206e3a1ff89e6ab66eb
# openssl rsa -noout -modulus -in /opt/zimbra/ssl//zimbra/commercial/commercial.key | openssl md5
a34ed8da29d85b585973c3ed3d6f0432
# openssl req -noout -modulus -in /opt/zimbra/ssl//zimbra/commercial/commercial.csr | openssl md5
a34ed8da29d85b585973c3ed3d6f0432
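
The "Unmatching certificate" error and the modulus comparison above can be turned into a check that runs before deploycrt. This is an added example, not part of any post or of Zimbra's tooling; it goes beyond the posts by hashing the whole public key instead of the RSA modulus, so it also covers non-RSA keys. The function names, file names and throwaway keys are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check that a certificate belongs to the server's private key.

# Print the SHA-256 of the public key in a PEM file ($1 = crt|key|csr, $2 = path).
pubkey_fp() {
    case "$1" in
        crt) fp_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key) fp_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) fp_pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac || return 1
    [ -n "$fp_pem" ] || return 1
    printf '%s\n' "$fp_pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = certificate, $2 = private key, $3 = CSR (optional).
# Returns 0 on match, 1 on mismatch, 2 if the certificate or key is unreadable.
check_pair() {
    cp_crt=$(pubkey_fp crt "$1") || { echo "unreadable certificate: $1"; return 2; }
    cp_key=$(pubkey_fp key "$2") || { echo "unreadable private key: $2"; return 2; }
    if [ "$cp_crt" = "$cp_key" ]; then echo "MATCH"; return 0; fi
    if [ -n "$3" ] && cp_csr=$(pubkey_fp csr "$3") && [ "$cp_csr" = "$cp_key" ]; then
        echo "MISMATCH: CSR matches the key; certificate was issued for another key pair"
    else
        echo "MISMATCH: certificate does not belong to this key"
    fi
    return 1
}

# Constructed sample data in directory $1: a certificate for one key pair,
# plus a key and CSR regenerated afterwards (names are hypothetical).
make_fixture() {
    for n in old commercial; do
        openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=host.example.com" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed stand-in for the CA-issued certificate.
    openssl x509 -req -sha256 -days 1 -in "$1/old.csr" -signkey "$1/old.key" \
        -out "$1/commercial.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_fixture "$tmp"
check_pair "$tmp/commercial.crt" "$tmp/old.key" || true
check_pair "$tmp/commercial.crt" "$tmp/commercial.key" "$tmp/commercial.csr" || true
rm -rf "$tmp"
```

When the CSR and key agree but the certificate does not, as in the md5 output above, the certificate was issued from a different CSR than the one currently on the server.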
