CSR without SAN

Posted: Tue Dec 22, 2020 1:08 pm
by glenndm
Hello,

Finally, I've bought a wildcard SSL for Zimbra to resolve the issues with mobile Apple devices.
But, as feared, I quickly ran into trouble with it.

I chose "Comodo Positive Wildcard SSL" via the SSL2buy provider, because all those SSL things look alike to me and this was one of the cheaper ones.
Wildcard because the mail, web and application server are on different hosts.
The mail server is a local server.

For the configuration I followed https://support.sectigo.com/PS_KnowledgeDetailPage?Id=kA01N000000zFKL Other guides show similar instructions.

I got stuck at the CSR validation, where the site complains that "CSR with SAN is not allowed".
I recreated the CSR via the Zimbra admin page, making sure the SAN was removed.
The error stayed the same.
I tried some iterations with the common name, to no avail.

zimbra: Zimbra 8.8.15_GA_3847 (build 20190823100304)
zimbra server: truckle.domain.com
intended certificate for: *.domain.com

A similar issue was raised here on the forum https://forums.zimbra.org/viewtopic.php?f=15&t=60490&hilit=ssl+san+wildcard, but without solution.
I'd rather not mess with the command line unless I'm sure I won't break Zimbra.

Suggestions are very welcome to overcome my fear of certificates :)
glenn

Re: CSR without SAN

Posted: Tue Dec 22, 2020 1:50 pm
by L. Mark Stone
You can generate the CSR from the command line using the steps in the wiki:

https://wiki.zimbra.com/wiki/Administra ... cate_Tools

Hope that helps,
Mark

Re: CSR without SAN

Posted: Tue Dec 22, 2020 3:12 pm
by glenndm
I've entered the following command:

Code:

zmcertmgr createcsr comm -new -subject "/C=BE/L=R..../O=V./OU=V...../CN=*.domain.com" -subjectAltNames "*.domain.com" -noDefaultSubjectAltName

Code:

** Generating a server CSR of type 'comm' for download
** Recreating /opt/zimbra/conf/zmssl.cnf
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20201222152520
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... ok
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer truckle.domain.com...ok


That CSR was accepted at the SSL config page and eventually I received certificates.
I will see tomorrow if the Zimbra server accepts them, and then hopefully the iPhones too.

thanks
glenn
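A way to confirm, before uploading, whether a CSR carries the subjectAltName extension that the CA rejects ("CSR with SAN is not allowed"). This is an added example, not code from the thread or from Zimbra; it assumes openssl is on PATH, the commercial.csr path is the one zmcertmgr printed above, and make_test_csr only builds throwaway CSRs for demonstration.

```shell
#!/bin/sh
# Inspect a CSR before handing it to the CA: show its subject and report
# whether it contains a Subject Alternative Name extension.
# Added example (not from the thread); assumes openssl is on PATH.
set -eu

# Print the subject line of a CSR (the CN is what the wildcard lives in).
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# Exit 0 if the CSR carries a SAN extension, 1 otherwise.
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q 'X509v3 Subject Alternative Name'
}

# Human-readable verdict; returns 1 when a SAN is present so it can gate a script.
csr_san_check() {
    csr="$1"
    csr_subject "$csr"
    if csr_has_san "$csr"; then
        # The line after the extension header lists the DNS names.
        echo "SAN present: $(openssl req -noout -text -in "$csr" \
            | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')"
        echo "verdict: a CA that rejects SAN in CSRs will refuse this; regenerate without SAN"
        return 1
    fi
    echo "verdict: no SAN extension; CSR is acceptable for a 'no SAN' CA"
}

# Build a throwaway key+CSR for demonstration: make_test_csr OUT.csr [SAN]
# e.g. make_test_csr /tmp/t.csr "DNS:*.example.com"  (constructed, not a real CA request)
make_test_csr() {
    out="$1"; san="${2:-}"
    if [ -n "$san" ]; then
        openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.csr}.key" \
            -subj "/CN=*.example.com" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "${out%.csr}.key" \
            -subj "/CN=*.example.com" -out "$out" 2>/dev/null
    fi
}

# On the Zimbra host, run against the CSR zmcertmgr wrote in the post above:
# csr_san_check /opt/zimbra/ssl/zimbra/commercial/commercial.csr
```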

Re: CSR without SAN

Posted: Tue Dec 22, 2020 3:46 pm
by L. Mark Stone
Sounds like progress!

I would do the certificate verification and installation from the commandline as well, using the examples in the wiki.

All the best,
Mark

Re: CSR without SAN

Posted: Wed Dec 23, 2020 2:44 pm
by Klug
You can use your wildcard without a CSR.
But you have to go through the CLI to set it up; the admin WebUI is not very helpful for pre-existing certs.