How to configure SNI in Zimbra OSE?

By the early 21st century, IPv4 addresses had become a resource on the verge of depletion. Back in 2011, IANA allocated the last five remaining /8 blocks from its address space to the regional Internet registries, and by 2017 those registries had run out of addresses too. The answer to the catastrophic shortage of IPv4 addresses was not only the advent of IPv6, but also SNI, which made it possible to host a huge number of websites on one IPv4 address. The essence of SNI is that this TLS extension allows the client to tell the server, during the handshake, the name of the site it wants to connect to. This allows the server to hold multiple certificates, which means that multiple domains can operate on the same IP address. SNI has become especially popular among business SaaS providers, which can host an almost unlimited number of domains without regard to the number of IPv4 addresses this would otherwise require. Let's find out how you can implement SNI support in the Zimbra Collaboration Suite Open-Source Edition.






SNI works in all current, supported versions of Zimbra OSE. If your Zimbra Open-Source Edition runs on a multi-server infrastructure, perform all of the following steps on the node with the Zimbra Proxy server installed. In addition, for each domain you want to place on your IPv4 address, you will need a matching certificate + key pair as well as the trusted certificate chain from its certificate authority. Please note that the vast majority of errors when configuring SNI in Zimbra OSE come down to incorrect certificate files, so we advise you to check everything carefully before installing them.



First of all, for SNI to work, run the command zmprov mcf zimbraReverseProxySNIEnabled TRUE on the node with the Zimbra Proxy server, and then restart the proxy service with the zmproxyctl restart command.



We will start by creating the domain. As an example we take the company.ru domain; once the domain has been created, we determine the name of the Zimbra virtual host and the virtual IP address. Please note that the Zimbra virtual host name must be the name the user will type into the browser address bar to reach the domain, and it must also match the name in the certificate. For our example, take mail.company.ru as the Zimbra virtual host name and 1.2.3.4 as the virtual IPv4 address.



After that, simply enter the command zmprov md company.ru zimbraVirtualHostName mail.company.ru zimbraVirtualIPAddress 1.2.3.4 to bind the Zimbra virtual host to the virtual IP address. Note that if the server sits behind NAT or a firewall, you must make sure that all requests for the domain go to the external IP address bound to it, and not to its address on the local network.



After everything is done, it remains only to verify and prepare the domain certificates for installation, and then install them.



If the certificate for the domain was issued correctly, you should have three certificate files on hand: two of them form the certificate chain from your certification authority, and one is the certificate for the domain itself. You should also have the key file that was used to obtain the certificate. Create a separate folder /tmp/company.ru and put all the key and certificate files there. The result should look something like this:



ls /tmp/company.ru
company.ru.key  company.ru.crt  company.ru.root.crt  company.ru.intermediate.crt





After that, combine the certificate chain into one file with the command cat company.ru.root.crt company.ru.intermediate.crt >> company.ru_ca.crt and make sure that everything is in order with the certificates by running /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/company.ru/company.ru.key /tmp/company.ru/company.ru.crt /tmp/company.ru/company.ru_ca.crt. Once the certificates and the key have been verified successfully, you can proceed with their installation.



To begin the installation, first combine the domain certificate and the trusted chain from the certification authority into one file, again with a single command of the form cat company.ru.crt company.ru_ca.crt >> company.ru.bundle. After that, write all the certificates and the key to LDAP with the command /opt/zimbra/libexec/zmdomaincertmgr savecrt company.ru company.ru.bundle company.ru.key, and then deploy the certificates with /opt/zimbra/libexec/zmdomaincertmgr deploycrts. After installation, the certificates and key for the company.ru domain will be stored in the /opt/zimbra/conf/domaincerts/company.ru folder.
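The whole procedure above, gathered into one script as an added example (not the article's or Zimbra's own code). It assumes the article's file layout under /tmp/<domain>, that the domain itself has already been created, and that it runs as the zimbra user; the CERT_DIR and DRY_RUN variables are our own invention, and DRY_RUN=1 only prints the Zimbra commands so the file checks can be exercised on any machine.

```sh
#!/bin/sh
# Added example (not the article's own script): assemble and sanity-check the
# per-domain files the article describes, then run its Zimbra steps for one
# domain. Assumes the article's layout and names: /tmp/<domain>/<domain>.key,
# .crt, .root.crt and .intermediate.crt, the domain already created, and the
# script run as the zimbra user. DRY_RUN=1 only prints the Zimbra commands.
set -eu

pem_count() {                     # number of PEM certificate blocks in a file
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Build <domain>_ca.crt and <domain>.bundle in the article's order. Every input
# is checked first, because bad certificate files are the usual SNI failure.
# '>' instead of the article's '>>' so a re-run cannot duplicate entries.
prepare_bundle() {                # usage: prepare_bundle <dir> <domain>
    dir=$1; d=$2
    for f in "$d.key" "$d.crt" "$d.root.crt" "$d.intermediate.crt"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    grep -q 'PRIVATE KEY' "$dir/$d.key" || { echo "$d.key is not a PEM key" >&2; return 1; }
    for f in "$d.crt" "$d.root.crt" "$d.intermediate.crt"; do
        [ "$(pem_count "$dir/$f")" -ge 1 ] || { echo "$f holds no certificate" >&2; return 1; }
    done
    cat "$dir/$d.root.crt" "$dir/$d.intermediate.crt" > "$dir/${d}_ca.crt"
    cat "$dir/$d.crt" "$dir/${d}_ca.crt" > "$dir/$d.bundle"
    pem_count "$dir/$d.bundle"    # prints how many certificates were bundled
}

run() {                           # run a Zimbra command, or print it if DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The article's steps for one domain: bind the virtual host to the shared IP,
# verify key + cert + chain, store them in LDAP and deploy them to the proxy.
deploy_domain() {                 # usage: deploy_domain <domain> <vhost> <ip>
    d=$1; dir=${CERT_DIR:-/tmp/$d}
    prepare_bundle "$dir" "$d" >/dev/null
    run /opt/zimbra/bin/zmcertmgr verifycrt comm "$dir/$d.key" "$dir/$d.crt" "$dir/${d}_ca.crt"
    run zmprov md "$d" zimbraVirtualHostName "$2" zimbraVirtualIPAddress "$3"
    run /opt/zimbra/libexec/zmdomaincertmgr savecrt "$d" "$dir/$d.bundle" "$dir/$d.key"
    run /opt/zimbra/libexec/zmdomaincertmgr deploycrts
}

# e.g. SNI_DOMAIN=company.ru SNI_VHOST=mail.company.ru SNI_IP=1.2.3.4 sh sni-domain.sh
if [ -n "${SNI_DOMAIN:-}" ]; then
    deploy_domain "$SNI_DOMAIN" "$SNI_VHOST" "$SNI_IP"
fi
```

Repeat the deploy_domain call once per domain with the same IP and a different virtual host name; the order of the chain files follows the article, so check it against what your CA actually issued.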



By repeating these steps with different domain names but the same IP address, you can host several hundred domains on one IPv4 address, and the certificates can come from different certification authorities without any problems. You can verify that everything was done correctly in any browser: each virtual host name should present its own SSL certificate.



For all questions related to the Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail at katerina@zextras.com


