Help with SSL Certificate install


Postby sestores » Wed Mar 30, 2016 3:13 pm

I am trying to install an SSL Certificate (Existing Cert expires tomorrow).
I am running into a problem and I remember having this same issue last time, but I have no idea how I got around it.

My local server name is zimbra.mydomain.local
We access this through https://mydomain.com

When I create the CSR, it tries to add zimbra.mydomain.LOCAL as a subject alt name.
I can remove it from the list before proceeding, but it appears that it still puts it in the CSR.
I generate the certificates using the CSR and go to install them, and it lists zimbra.mydomain.LOCAL as one of the subject alt names.
The certificate will not install because it says the .local domain is an invalid alt name.

What am I doing wrong? Why does Zimbra insist on using the local server name as a subject alt name when local server names are not allowed?
I have tried generating the CSR again... ensuring the .local name is not listed in the subject alt names, but when I paste the CSR into here: https://cryptoreport.websecurity.symant ... rCheck.jsp
it shows the .local server name in the alt names still.

It looks like I need to revoke the cert I created, but the issuer wants to charge me to revoke it.
Is there some way to make this work? What am I missing?



Postby ppearl » Wed Mar 30, 2016 7:30 pm

See if https://bugzilla.zimbra.com/show_bug.cgi?id=90016#c1 helps you work around that issue with zmcertmgr.

Postby jorgedlcruz » Wed Mar 30, 2016 8:00 pm

Hello,
I would recommend that you change your DNS configuration, as .local is not a valid TLD, and you can't order an SSL with a .local anymore. More info here; search for the .local information:
  • https://www.geocerts.com/multidomain

So, my recommendation would be to rename your Zimbra server internally, with all the internal DNS, etc., to a valid TLD domain, like zimbrasrv1.example.com, and then you have multiple options:
  • If the internal hostname and the FQDN match, then buy a simple SSL, like Comodo, RapidSSL, etc. This would be, for example, internally mail.example.com and externally mail.example.com
  • If the hostname and the FQDN don't match, then you need to buy a Multi-SAN SSL Certificate. For example, your internal server is srv1.example.com and your FQDN will be mail.example.com or example.com
  • Finally, my suggestion, in case you don't want to have much trouble and also want to be able to use the SSL in the future, is to buy a Wildcard SSL *.example.com, so you can name your server internally as you want.example.com and then externally have the domain you want as well. Plus, if you have other servers and services like a webpage, etc., you can use it for them as well

You have a couple of articles about this:

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
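
Added example, not part of the original thread or of Zimbra's tooling: a local check, using the OpenSSL command line, that lists the subject alternative names actually present in a CSR and flags internal ones before the CSR is sent to a CA. The function names, the constructed sample CSR (built from the host names in the question) and the rule set (names ending in .local, plus single-label names) are assumptions of this example.

```shell
#!/bin/sh
# List the DNS subject alternative names requested in a CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# Print the SANs a public CA will refuse. Assumed rule set for this example:
# names ending in .local and single-label (dotless) names.
csr_internal_sans() {
    csr_sans "$1" | grep -iE '(\.local$|^[^.]+$)' || true
}

# Build a constructed CSR that mirrors the thread: the public name plus the
# internal .local host name as subject alternative names.
make_sample_csr() {
    dir=$1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = mydomain.com
[ext]
subjectAltName = DNS:mydomain.com, DNS:zimbra.mydomain.local
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/req.csr" -config "$dir/req.cnf" 2>/dev/null
}

# Demo: inspect the constructed CSR before it would be submitted.
tmp=$(mktemp -d)
make_sample_csr "$tmp"
bad=$(csr_internal_sans "$tmp/req.csr")
if [ -n "$bad" ]; then
    echo "Do not submit, the CSR requests internal names:"
    echo "$bad"
else
    echo "No internal names in the CSR."
fi
rm -rf "$tmp"
```

To check a real request, call `csr_internal_sans` with the path to the CSR file instead of the sample.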
