CSR without SAN

glenndm · Postby **glenndm** » Tue Dec 22, 2020 1:08 pm

Hello,

Finally, I've bought a wildcard ssl for zimbra to resolve the issues with mobile apple devices.
But, as feared, I quickly ran into trouble with it.

I choose "Comodo Positive Wildcard SSL" via SSL2buy provider - because all those ssl things look alike to me and this was one of the cheaper ones.
Wildcard because the mail, web and application server are on different hosts.
The mail server is a local server.

For the configuration I followed https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA01N000000zFKL Other guides show similar instructions.

I got stuck at the CSR validation, where the site complains that "CSR with SAN is not allowed"
I recreate the csr via zimbra adminpage making sure the SAN was removed.
the error stayed the same.
I tried some iterations with the common name, to no avail.

: 20201222.1.jpg (187.73 KiB) Viewed 939 times

: 20201222.2.jpg (67.26 KiB) Viewed 939 times

zimbra: Zimbra 8.8.15_GA_3847 (build 20190823100304)
zimbra server: truckle.domain.com
intended certifcate for: *.domain.com

A similar issue was raised here on the forum https://forums.zimbra.org/viewtopic.php?f=15&t=60490&hilit=ssl+san+wildcard, but without solution.
I rather not mess with commandline unless I'm sure I won't break zimbra.

Suggestions are very welcome to overcome my fear of certificates

glenn

L. Mark Stone · Postby **L. Mark Stone** » Tue Dec 22, 2020 1:50 pm

You can generate the CSR from the command line using the steps in the wiki:

https://wiki.zimbra.com/wiki/Administra ... cate_Tools

Hope that helps,
Mark

glenndm · Postby **glenndm** » Tue Dec 22, 2020 3:12 pm

I've entered following command

Code: Select all

zmcertmgr createcsr comm -new -subject "/C=BE/L=R..../O=V./OU=V...../CN=*.domain.com" -subjectAltNames "*.domain.com" -noDefaultSubjectAltName

Code: Select all

** Generating a server CSR of type 'comm' for download
** Recreating /opt/zimbra/conf/zmssl.cnf
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20201222152520
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... ok
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer truckle.domain.com...ok

that csr was accepted at the SSL config page and eventually I received certificates
I will see tomorrow if the zimbra server accepts them and finally hopefully then the iphones too.

thanks
glenn

L. Mark Stone · Postby **L. Mark Stone** » Tue Dec 22, 2020 3:46 pm

Sounds like progress!

I would do the certificate verification and installation from the commandline as well, using the examples in the wiki.

All the best,
Mark

Klug · Postby **Klug** » Wed Dec 23, 2020 2:44 pm

You can use your wildcard without a CSR.
But you have to go through CLI to set it up, the admin WebUI is not very helpfull for pre-existing certs.

CSR without SAN

CSR without SAN

Re: CSR without SAN

Re: CSR without SAN

Re: CSR without SAN

Re: CSR without SAN

Who is online