====== Zimbra SSL - Redirection and Commercial Certificates ======
See also **[[internet:mail:zimbra:zimbra_ssl_letsencrypt|Using LetsEncrypt SSL Certificates with Zimbra]]**
**Useful for Wildcard Certs**: https://www.digicert.com/csr-creation-ssl-installation-zimbra.htm
http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers
http://wiki.zimbra.com/wiki/SSL_certificates_per_domain
http://jamesreubenknowles.com/adding-a-godaddy-ssl-certificate-to-zimbra-7-1360
http://www.zimbra.com/forums/administrators/48461-solved-fyi-how-i-got-godaddy-ssl-certificate-installed-into-zimbra-7-a.html
===== Certificate Checker =====
https://www.digicert.com/help/
===== Force the Use of SSL =====
:!: Newer Zimbra installers default to installing the proxy component.
==== No Proxy ====
http://wiki.zimbra.com/wiki/CLI_zmtlsctl_to_set_Web_Server_Mode
This will redirect all HTTP connections to HTTPS:
<code bash>
su - zimbra
zmtlsctl redirect
exit
reboot
</code>
==== With Proxy ====
http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Protocol_Requirements_Including_HTTPS_Redirect
<code bash>
zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect
reboot
</code>
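A check of the result, for either the ''zmtlsctl'' or the proxy variant, as an added example that is not part of the Zimbra wiki pages linked above: the function reads an HTTP response head (what ''curl -sI http://host/'' prints) and reports whether the server answered plain HTTP with a redirect to an ''https://'' URL on the same host. The ''check_redirect'' wrapper, the constructed sample responses and the function names are this example's own; it assumes a POSIX shell, ''curl'' for the live variant, and that the Zimbra web client listens on port 80.

```shell
#!/bin/sh
# Verify that a Zimbra host answers plain HTTP with a redirect to HTTPS.
# Added example, not part of Zimbra. It only inspects the response, so it
# works the same whether the redirect comes from zmtlsctl or from the proxy.

# Read an HTTP response head from stdin and return 0 only if it is a
# redirect whose Location is https:// on the expected host ($1).
is_https_redirect() {
    expect_host=$1
    resp=$(tr -d '\r')                       # normalise CRLF line endings
    code=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    loc=$(printf '%s\n' "$resp" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
    case "$code" in
        301|302|303|307|308) ;;              # only redirect status codes qualify
        *) return 1 ;;
    esac
    case "$loc" in
        "https://$expect_host" | "https://$expect_host/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a real server (needs curl and network access).
check_redirect() {
    curl -sI --max-time 10 "http://$1/" | is_https_redirect "$1"
}

# Constructed sample responses standing in for real captures.
GOOD_RESP='HTTP/1.1 301 Moved Permanently
Location: https://mail.example.com/
Content-Length: 0
'
BAD_RESP='HTTP/1.1 200 OK
Content-Type: text/html
'

# Usage: sh check_redirect.sh mail.example.com
if [ "$#" -ge 1 ]; then
    if check_redirect "$1"; then echo "$1: HTTP redirects to HTTPS"; else echo "$1: NO https redirect"; exit 1; fi
fi
```

Run it after the reboot against the public hostname; a ''200 OK'' on port 80, or a ''Location'' that still points at ''http://'', means the mode change did not take effect.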
===== Commercial Certificates =====
:!: If you have problems when installing or renewing a commercial cert, try installing a self-signed cert first, then install the commercial cert.
:!: If you continue to have problems, consider using the CLI.
http://www.andrewklau.com/adding-my-own-wildcard-ssl-certificate-to-zimbra-collabration-server-8/
http://www.sononaco.com/blog/wildcard-comodo-ssl-chains-and-zimbra/
https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools
**Zimbra Admin -> Configure -> Certificates -> (gear icon) -> Install Certificates**
:!: Comodo commercial certificate example
  - Run the certificate wizard and generate a CSR
    * If renewing, you can just use the existing CSR
  - Order the SSL certificate using the CSR you just created
  - Run the certificate wizard again to install the commercial cert you purchased
  - Add a second intermediate CA certificate field if necessary
    * Click the link ''Add Intermediate CA''
  - Load the new server certificate
    * ''mail_yourdomain_com.crt''
  - Load the root CA certificate
    * ''AddTrustExternalCARoot.crt''
  - Load the first intermediate cert that came with your server certificate
    * ''COMODORSAAddTrustCA.crt''
  - Load the second intermediate cert that came with your server certificate
    * ''COMODORSADomainValidationSecureServerCA.crt''
  - Click ''Install''
:!: If any errors are thrown, double-check that you are using the correct root and intermediate certificates. That's usually where the problem lies.
==== Comodo ====
:!: If the GUI cert installation fails, create and install a new self-signed cert, reboot, then use the CLI to install the new cert.
https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration
**Generate the CSR** (certificate signing request) and the private key, either in the Zimbra Admin Console (ZAC):
**ZAC -> Configure -> Certificates -> YourZimbraHostName -> Gear Icon -> Install New Certificate**
or from the CLI (adjust the subject and the ''-subjectAltNames'' list to your own domain):
<code bash>
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames "name2.example.com,example.com"
</code>
**Purchase the SSL certificate** using the CSR just created.
Create the file ''commercial_ca.crt'' by concatenating the 3 files that Comodo sent to you (root first, then the intermediates). CLI example:
<code bash>
cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > commercial_ca.crt
</code>
**Install the SSL certificate**, as user ''root'' (''commercial.crt'' is the server certificate you received):
<code bash>
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
</code>
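Most failed installs come down to the wrong root or intermediate, or a certificate that does not belong to the key on the server. The following pre-deployment check is an added example, not part of Zimbra or ''zmcertmgr'': before running ''deploycrt'' it confirms that the private key matches the server certificate, that the certificate chains to the concatenated ''commercial_ca.crt'' bundle, that it covers the hostname, and that it is not about to expire. It assumes the ''openssl'' CLI (1.1.1 or newer) is on PATH. The ''make_test_pki'' function builds a throwaway root, intermediate and server certificate (constructed test data standing in for the files a CA would send) so the checks can be exercised offline; all function names are this example's own.

```shell
#!/bin/sh
# Pre-deployment checks for a commercial certificate bundle, to run before
# `zmcertmgr deploycrt comm commercial.crt commercial_ca.crt`.
# Added example, not part of Zimbra or zmcertmgr. Assumes the openssl CLI is on PATH.

# 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if the server certificate ($1) chains to the bundle ($2, root + intermediates);
# optional $3 = hostname the certificate must cover (CN or subjectAltName).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificates in a bundle (the Comodo example above expects 3).
bundle_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Run every check, print one line each, return non-zero if any fails.
# $1 private key  $2 server cert  $3 CA bundle  $4 hostname
precheck() {
    rc=0
    echo "bundle: $(bundle_count "$3") certificate(s)"
    if key_matches_cert "$1" "$2"; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; rc=1; fi
    if chain_verifies "$2" "$3" "$4"; then echo "chain: ok"; else echo "chain: FAILED (wrong root or intermediate?)"; rc=1; fi
    if valid_for_days "$2" 30; then echo "expiry: more than 30 days left"; else echo "expiry: expires within 30 days"; rc=1; fi
    return $rc
}

# Build a throwaway root -> intermediate -> server chain under $1 (constructed
# test data, valid 60 days) so the checks above can be exercised offline.
make_test_pki() {
    d=$1
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/mini.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:host.example.com, DNS:name2.example.com\n' > "$d/srv.ext"
    openssl req -x509 -config "$d/mini.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.crt" -days 60 -subj "/CN=Test Root CA" 2>/dev/null
    openssl req -new -config "$d/mini.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" -days 60 -extfile "$d/ca.ext" 2>/dev/null
    openssl req -new -config "$d/mini.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/srv.key" -out "$d/srv.csr" -subj "/CN=host.example.com" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/srv.crt" -days 60 -extfile "$d/srv.ext" 2>/dev/null
    # Same concatenation order as the page: root first, then the intermediate(s).
    cat "$d/root.crt" "$d/int.crt" > "$d/bundle.crt"
}

# Usage: sh precheck.sh commercial.key commercial.crt commercial_ca.crt host.example.com
if [ "$#" -eq 4 ]; then
    precheck "$1" "$2" "$3" "$4"
fi
```

A ''chain: FAILED'' with a ''key/cert: match'' almost always means a root or intermediate from a different CA generation was concatenated into the bundle; a ''key/cert: MISMATCH'' means the CSR used for the order was not generated on this server (or a new self-signed key has since replaced it), and the certificate must be re-issued against the current CSR.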
===== Self-Signed Certificates =====
:!: If your self-signed cert expires, or **if you have problems when installing a commercial cert**, you can use the following script to rebuild the SSL configuration and implement a self-signed certificate.
==== Newest Quickie Renew Expired Self-Signed SSL Certificate ====
To check for expired certificates, run the following command as the ''zimbra'' user:
<code bash>
/opt/zimbra/libexec/zmcheckexpiredcerts -days 1 -verbose
</code>
Run the following commands (each executes as the ''zimbra'' user via ''su'') to regenerate the self-signed SSL certificates:
<code bash>
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
</code>
==== Quickie Renew Expired Self-Signed SSL Certificate ====
Create a new certificate:
<code bash>
su - zimbra
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
zmcontrol restart
</code>
==== SSL Rebuild Script ====
<code bash>
#!/bin/bash
##################################################
# Regenerate SSL Cert
# Run as root: every Zimbra step is wrapped in
# "su - zimbra -c", which needs root to switch
# user without a password.
##################################################
# Stop all Zimbra services before touching the SSL store
su - zimbra -c 'zmcontrol stop'
# Wipe the existing CA, certificates and keys (including the hidden .rnd seed file)
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
# Remove the old CA from the bundled JDK trust store and the old server cert from the Jetty keystore
# Java version dependent? The cacerts path embeds the bundled JDK version; adjust it to the JDK on this server.
/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/lib/jvm/openjdk-1.8.0_172-zimbra/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
# Create a new self-signed CA, deploy it locally only, then create and deploy a server cert signed by it
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
# Start the services, then re-deploy the cert and the CA (without -localonly this time) and refresh the auth keys
su - zimbra -c 'zmcontrol start'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca'
su - zimbra -c 'zmupdateauthkeys'
# Show what is now deployed
su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'
</code>