Zimbra certificate ipa

From Asenjo

If you have a *test* zimbra host in an IPA environment, you will probably be confronted with irritating certificate warnings every time you log in to the zimbra admin interface, use ldap tools, and so on. The fix is to have the IPA CA issue the certificate that zimbra serves.

You probably do not want to do this on your production zimbra server, because your IPA CA is most probably not distributed to all the clients that will connect to the zimbra webmail. Changing a zimbra certificate changes it for all the zimbra services at once (http/ldap/smtp/imap/pop3...), so do not do this unless you know what you are doing.

generate csr in zimbra server

  • go to the zimbra admin console (https://fqdn:7071) and log in as a global administrator;
  • go to 'Configure', then click on 'Certificates';
  • go to the settings wheel and click on 'Install certificate';
  • select the right host;
  • select 'generate the CSR for the commercial authorizer';
  • fill in the wizard fields. The important ones are 'Common name' and 'Subject alternate name': put the fqdn of your zimbra host in the IPA domain in both of them, since clients validate the name they connect to against the SAN. The rest may remain empty;
  • finish.

This creates the CSR and key files, commercial.csr and commercial.key, in /opt/zimbra/ssl/zimbra/commercial. The private key never leaves this directory; only the CSR goes to IPA.

add http service to zimbra host in ipa console

Using the web interface or the ipa command-line tool, add a new IPA service bound to the zimbra host entry in IPA. If your zimbra host is zimbra.ipa.domain.tld, something like this should work (run it on a host with the ipa admin tools, after obtaining a ticket as an IPA admin user). Kerberos principal names are case-sensitive and the conventional name for a web service is HTTP/fqdn; the lowercase form used here is fine as long as the entry only serves as the owner of the certificate, but use HTTP/ if you ever want to authenticate against this principal with Kerberos:

$ ipa service-add http/zimbra.ipa.domain.tld

add certificate to service

This is most easily done in the web interface. Go to the 'Services' tab, select the newly added service and click on the action that adds a new certificate.

Paste the content of commercial.csr between "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" in the pop-up 'Issue new certificate for service ...'. If the dialog asks for a CA profile, caIPAserviceCert (the IPA default for host and service certificates) is the right one for a server certificate; the other profile IPA ships, IECUserRoles, is meant for user certificates. Finish the wizard by clicking on 'Issue'.

Done! The certificate is issued; now we need to retrieve it for Zimbra.

retrieve certificate

In the IPA admin console, go to the service we just created. There is now a green check mark next to the service certificate.

Next to it is an 'Actions' menu; click on 'get' and copy the content of the certificate into a new text file exactly as it is presented in the window. Do not modify the format. I name this file zimbra_sub_domain_tld.crt to identify it more easily.

We can inspect this file with openssl x509 -in zimbra_sub_domain_tld.crt -noout -text and check that the subject CN and the Subject Alternative Name carry the zimbra fqdn and that the issuer is the IPA CA.

If you created this file on the zimbra host, you do not need to upload it. Otherwise copy it to /opt/zimbra/ssl/zimbra/commercial.
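Before handing the files to zmcertmgr, it is worth running the checks it will perform itself, plus a hostname check it does not do. The following is an added example, not code from the original page nor from Zimbra or FreeIPA: a POSIX shell function that verifies the certificate against the IPA CA, checks that it belongs to commercial.key, that it is valid for the host fqdn and that it has not expired. Because the IPA server, the real key and the real certificate are not available offline, make_sample() builds constructed stand-ins with openssl: a throwaway CA playing the role of /etc/ipa/ca.crt, a key/CSR pair like the one zmcertmgr creates, and an issued certificate with the fqdn in its SAN. The file names commercial.key and commercial.csr come from the page; the function names, the sample directory and the unrelated wrong.key are assumptions made for the example. On a real host you would call check_zimbra_cert with /opt/zimbra/ssl/zimbra/commercial/commercial.key, zimbra_sub_domain_tld.crt, /etc/ipa/ca.crt and the zimbra fqdn.

```shell
#!/bin/sh
# Added example (not from the original page, Zimbra or FreeIPA).
# Pre-flight checks for a certificate retrieved from the IPA CA before it is
# handed to "zmcertmgr deploycrt comm": chain, key match, hostname, expiry.
set -eu

# check_zimbra_cert KEY CERT CA FQDN
# Returns 0 only if CERT chains to CA, KEY is the private key for CERT,
# CERT is valid for FQDN (CN or subjectAltName) and has not expired.
check_zimbra_cert() {
    key=$1; cert=$2; ca=$3; fqdn=$4
    # 1. the certificate must verify against the IPA CA (/etc/ipa/ca.crt on IPA clients);
    #    grep for ": OK" rather than trusting the exit code of old openssl versions
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL chain: $cert does not verify against $ca"; return 1; }
    # 2. the SubjectPublicKeyInfo in the certificate must equal the one derived from the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL key: $key is not the private key for $cert"; return 1; }
    # 3. the name clients connect to must be covered by CN/SAN
    #    (-checkhost prints "does match" or "does NOT match")
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo "FAIL name: $cert is not valid for $fqdn"; return 1; }
    # 4. -checkend 0 exits non-zero once the certificate has expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL expiry: $cert has expired"; return 1; }
    echo "OK: $cert is deployable for $fqdn"
}

# make_sample DIR FQDN  (constructed data, not real IPA output)
# A throwaway CA standing in for the IPA CA, the commercial.key/commercial.csr
# pair zmcertmgr would create, the certificate the CA issues for that CSR with
# FQDN in subjectAltName, and an unrelated key to exercise the mismatch check.
make_sample() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=sub.domain.tld/CN=Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 -sha256 \
        -extfile "$dir/ca.cnf" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=sub.domain.tld/CN=$fqdn" \
        -keyout "$dir/commercial.key" -out "$dir/commercial.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/commercial.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/san.cnf" -out "$dir/host.crt" 2>/dev/null
    openssl genrsa -out "$dir/wrong.key" 2048 2>/dev/null
}

# --- run the checks against the constructed sample ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
FQDN=zimbra.sub.domain.tld
make_sample "$tmp" "$FQDN"

check_zimbra_cert "$tmp/commercial.key" "$tmp/host.crt" "$tmp/ca.crt" "$FQDN"
# both of these are expected to fail: wrong private key, name not in the certificate
check_zimbra_cert "$tmp/wrong.key" "$tmp/host.crt" "$tmp/ca.crt" "$FQDN" || true
check_zimbra_cert "$tmp/commercial.key" "$tmp/host.crt" "$tmp/ca.crt" mail.sub.domain.tld || true
```

The key check is the same comparison zmcertmgr reports as "Certificate ... and private key ... match"; the hostname check catches a certificate whose CN/SAN do not cover the name clients actually use, which the chain check alone does not flag and which would bring the browser warning straight back after deployment.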

install certificate in zimbra

As the root user, in /opt/zimbra/ssl/zimbra/commercial, run this (on Zimbra 8.7 and later, zmcertmgr must be run as the zimbra user instead):

/opt/zimbra/bin/zmcertmgr deploycrt comm zimbra_sub_domain_tld.crt /etc/ipa/ca.crt

deploycrt comm takes two arguments, the host certificate and the CA certificate chain. On IPA-enrolled hosts the latter is /etc/ipa/ca.crt. zmcertmgr checks that the certificate matches commercial.key before deploying it, then installs the same certificate and key for mailboxd, the MTA, LDAP and the proxy.

If everything works according to plan, we should see something like this:

** Verifying zimbra_sub.domain.tld.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (zimbra_sub.domain.tld.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: zimbra_sub.domain.tld.crt: OK
** Copying zimbra_sub.domain.tld.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /etc/ipa/ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

After which we need to restart the zimbra services. zmcontrol refuses to run as root ('Run as the zimbra user!'), so switch to the zimbra user with su - zimbra first:

# /opt/zimbra/bin/zmcontrol restart
Run as the zimbra user!
[root@zimbra commercial]# sudo zimbra
sudo: zimbra: command not found
[root@zimbra commercial]# su - zimbra
Last login: Sun Feb 28 11:29:44 CET 2016 on pts/0
[zimbra@zimbra ~]$ zmcontrol restart
Host zimbra.sub.domain.tld
	Stopping vmware-ha...skipped.
		/opt/zimbra/bin/zmhactl missing or not executable.
	Stopping zmconfigd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
Host zimbra.sub.domain.tld
	Starting ldap...Done.
	Starting zmconfigd...Done.
	Starting dnscache...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.

That's it. Now go to the zimbra admin console and you should see a green lock and no more certificate warnings, provided the client trusts the IPA CA (IPA-enrolled clients already have it in their system trust store). Since the same certificate now serves the webmail, the MTA and LDAP, it is worth checking port 443 and the mail and ldap ports the same way, not only 7071.

Indeed, using curl, we see that:

$ curl -LIv https://zimbra.sub.domain.tld:7071
* Rebuilt URL to: https://zimbra.sub.domain.tld:7071/
*   Trying
* Connected to zimbra.sub.domain.tld ( port 7071 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=zimbra.sub.domain.tld,O=sub.domain.tld
* 	start date: Feb 28 09:41:48 2016 GMT
* 	expire date: Feb 28 09:41:48 2018 GMT
* 	common name: zimbra.sub.domain.tld
* 	issuer: CN=Certificate Authority,O=sub.domain.tld
> HEAD / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: zimbra.sub.domain.tld:7071
> Accept: */*