HOWTO:ZimbraC

From Helpedia.

Syncing all self-signed certificates to the proxies (px)

Copy the certificate (.crt and .key) from

/opt/zimbra/ssl/zimbra/server/server.key
/opt/zimbra/ssl/zimbra/server/server.crt

Run

/opt/zimbra/bin/zmcertmgr deploycrt self


At this point, restart the services. The certificate has been installed and copied to LDAP.


Syncing all commercial certificates to the proxies (px)

2) Certificates

I bought a UCC Certificate from GoDaddy (I noticed they are quite popular amongst the Forum's users). It works very well. What I did is:

- I generated a Certificate Request from the Admin Console, specifying it would be for ALL the Servers (LDAP, MTA, Mbox, Proxy).

- Using the CR, I generated the final Certificate at GoDaddy. I took care to specify 2 different SANs (Subject Alternative Names): one was the FQDN that I use in the browser to get to the Webmail Login, and the other one is for the SMTP Server.

Doing so, when I configure whatever Mail Client, I can use secure connections both for the Incoming and Outgoing Servers. The Certificate will be OK on both of them (of course, it has to be deployed on ALL the Servers that will be accepting connections from outside with THAT PARTICULAR FQDN).

The procedure to deploy the Certificate was a bit tricky. I had to:

- Leave all the Services active on ALL the Servers (it is MANDATORY to leave the LDAP running, otherwise the Certificates deployed on the other Servers cannot be stored in the LDAP Database when deployed, causing a big mess).

- Copy the following files from the MBOX Server (the one originally used to create the Certificate Request) on ALL the other Servers:

/opt/zimbra/ssl/zimbra/commercial/commercial.csr
/opt/zimbra/ssl/zimbra/commercial/commercial.key

- Then, one by one, I had to log in to all the servers and put the Certificate Files downloaded from GoDaddy in a directory, e.g. "/root/certs":

cp gd_bundle.crt /root/certs
cp mydomain.com.crt /root/certs

- At this point, on ALL the Servers, deploy the Certificates (as root):

cd /root/certs
/opt/zimbra/bin/zmcertmgr deploycrt comm ./mydomain.com.crt ./gd_bundle.crt

- NOW, A KEY STEP: As the Certificate Authority has changed, this command has to be run as root on ALL the Servers. Failure to do so will cause a blocking error at the next reboot, and no Zimbra service would start!!

/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

(it has to be typed as it is, password is exactly "changeit", it looks like it's a default)...

- Finally, on ALL the Servers, back to user zimbra and:

su - zimbra
zmcontrol stop
zmcontrol start

Hope this is going to be of help to somebody sooner or later.


Alternatively, you can try:

################################################################################
# Regenerate SSL Cert
################################################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
/opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
vi /opt/zimbra/bin/zmcertmgr

# Find the line
# SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
# and change it to your company name

# Then find the certificate validity setting and change validation_days=365 to validation_days=3650
# Save /opt/zimbra/bin/zmcertmgr

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self

su - zimbra -c 'zmcontrol start'

/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca

su - zimbra -c 'zmupdateauthkeys'
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

################################################################################
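
A pre-deployment check for the commercial-certificate procedure earlier on this page, as an added example that is not part of the original page or of the quoted forum post: it uses the openssl CLI to confirm that the certificate matches the copied private key, lists both SANs, and is not about to expire. The function names and the example.test host names are assumptions, and the sample key and certificate are constructed throwaways.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on each server
# before "zmcertmgr deploycrt comm". Requires the openssl CLI.

# True if the certificate's public key is the one derived from the private key.
cert_matches_key() {    # $1 = certificate, $2 = private key
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# True if the certificate lists this exact DNS name as a SAN (no wildcard logic).
cert_has_san() {        # $1 = certificate, $2 = FQDN
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# True if the certificate is still valid $2 days from now.
cert_valid_for_days() { # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Constructed sample: throwaway keys and a 30-day self-signed cert with two SANs in $1.
make_sample() {
  cat > "$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = mail.example.test
[san]
subjectAltName = DNS:mail.example.test, DNS:smtp.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/san.cnf" \
    -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
  openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
cert_matches_key "$demo_dir/sample.crt" "$demo_dir/sample.key" && echo "key matches"
cert_matches_key "$demo_dir/sample.crt" "$demo_dir/other.key" || echo "wrong key rejected"
cert_has_san "$demo_dir/sample.crt" smtp.example.test && echo "SMTP SAN present"
cert_valid_for_days "$demo_dir/sample.crt" 7 && echo "valid for 7+ days"
rm -rf "$demo_dir"
```

On a real server, call the functions with /root/certs/mydomain.com.crt and /opt/zimbra/ssl/zimbra/commercial/commercial.key, plus the webmail and SMTP FQDNs, before running deploycrt.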