Zimbra certificate ipa

From Asenjo
Revision as of 14:51, 28 February 2016 by Natxo (Talk | contribs) (Created page with "Category:IPA If you have a *test* zimbra host in a IPA environment, you will probably be confronted to the irritating certificate warnings every time you log in the zimbr...")



If you have a *test* zimbra host in an IPA environment, you will probably be confronted with irritating certificate warnings every time you log in to the zimbra admin interface, use ldap tools against it, or similar.

DISCLAIMER

You probably do not want to do this on your production zimbra server, because your IPA CA is most probably not distributed to all the clients that will be connecting to the zimbra webmail. Changing a zimbra certificate automatically changes it for all the zimbra services (http/ldap/smtp/imap/pop3...), so do not do this unless you know what you are doing.

generate csr in zimbra server

  • go to the zimbra admin console (https://fqdn:7071), login as a global administrative user;
  • go to configure, then click on 'certificates'.
  • go to settings wheel, click on 'Install certificate'
  • select the right host
  • select 'generate the CSR for the commercial authorizer'
  • fill in the wizard fields; the important ones are 'Common name' and 'Subject alternate name', the rest may remain empty. Put the fqdn of your zimbra host in the IPA domain in those two fields.
  • finish.

This creates the csr and key files in /opt/zimbra/ssl/zimbra/commercial

add http service to zimbra host in ipa console

Using the web interface or the ipa command line tool, add a new IPA service for the zimbra host. If your zimbra host is zimbra.ipa.domain.tld, then something like this should work (run it on a host with the ipa admin tools while logged in as an IPA admin user):

$ ipa service-add http/zimbra.ipa.domain.tld

add certificate to service

This is most easily done in the web interface. Go to the services tab and select the newly added service. Click on 'add new certificate'.

Paste the content of commercial.csr, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines, in the pop up 'issue new certificate for service ...'. If you need to choose a ca profile, use IECUserRoles. Finish the wizard by clicking on issue.

Done! the certificate is issued, now we need to retrieve it for Zimbra.

retrieve certificate

This step should be easier than it is, but it works.

We need the ldap server 'Directory Manager' password, because normal IPA accounts do not have access to the ipaca ldap partition of IPA. Anyway, this is one way to do it:


ldapsearch -b ou=certificaterepository,ou=ca,o=ipaca -h kdc1.sub.domain.tld -Z -D "cn=directory manager" -W "subjectname=CN=zimbra.sub.domain.tld,O=SUB.DOMAIN.TLD" usercertificate -t [enter]

Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=certificaterepository,ou=ca,o=ipaca> with scope subtree
# filter: subjectname=CN=zimbra.sub.domain.tld,O=sub.domain.tld
# requesting: usercertificate 
#

# 11, certificateRepository, ca, ipaca
dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
userCertificate;binary:< file:///tmp/ldapsearch-userCertificate;binary-SZcGh9

# 12, certificateRepository, ca, ipaca
dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
userCertificate;binary:< file:///tmp/ldapsearch-userCertificate;binary-aYkmRE

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2


This dumps the usercertificate attribute to the file /tmp/ldapsearch-userCertificate;binary-aYkmRE, as the ldapsearch output points out (the suffix is random and differs on every run). Note that the search returned two entries, cn=11 and cn=12: the CA keeps every certificate it issued for this subject, so pick the file belonging to the most recently issued one (the highest cn, which is the serial number).

In this file we have the certificate in DER format. We want PEM format, so we just convert it with openssl:

openssl x509 -in ldapsearch-userCertificate\;binary-c5DPzK -inform DER > zimbra_sub_domain_tld.crt
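As an added example (not from the original page), the same retrieval done in Python: it parses the LDIF that ldapsearch prints without -t (base64 under userCertificate;binary::), unfolds LDIF continuation lines, picks the most recently issued entry when several match, and writes PEM without needing openssl. The LDIF and the DER bodies below are constructed placeholders, not real certificates.

```python
import base64
import textwrap

# Constructed sample of `ldapsearch ... usercertificate` output without -t.
# The two certificate bodies are tiny placeholder DER SEQUENCEs, not real
# certificates. LDIF folds long values onto lines that start with one space.
SAMPLE_LDIF = """\
# 11, certificateRepository, ca, ipaca
dn: cn=11,ou=certificateRepository,ou=ca,o=ipaca
userCertificate;binary:: MAMCAQE=

# 12, certificateRepository, ca, ipaca
dn: cn=12,ou=certificateRepository,ou=ca,o=ipaca
userCertificate;binary:: MAYCAQEC
 AQI=

# search result
search: 3
result: 0 Success
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_certificates(ldif_text):
    """Return {dn: DER bytes} for every entry carrying a base64 userCertificate."""
    certs, dn = {}, None
    for line in unfold_ldif(ldif_text):
        if line.startswith("#") or not line.strip():
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("usercertificate;binary::") and dn:
            der = base64.b64decode(line.split("::", 1)[1].strip(), validate=True)
            if not der or der[0] != 0x30:  # every X.509 cert is a DER SEQUENCE
                raise ValueError(f"{dn}: value is not a DER SEQUENCE")
            certs[dn] = der
    return certs

def der_to_pem(der):
    """PEM is base64 DER wrapped at 64 columns between CERTIFICATE markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def newest_certificate(certs):
    """Pick the highest cn (the serial number, so the most recently issued).
    zmcertmgr still verifies the result against commercial.key at deploy time."""
    dn = max(certs, key=lambda d: int(d.split(",", 1)[0].split("=", 1)[1]))
    return dn, der_to_pem(certs[dn])
```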

copy pem file to zimbra host

Using scp, copy this file to /opt/zimbra/ssl/zimbra/commercial on the zimbra host.

install certificate in zimbra

as the root user, in /opt/zimbra/ssl/zimbra/commercial, run this:

/opt/zimbra/bin/zmcertmgr deploycrt comm zimbra_sub_domain_tld.crt /etc/ipa/ca.crt

zmcertmgr deploycrt requires two arguments, the host certificate and the CA certificate. On IPA hosts, the latter is in /etc/ipa/ca.crt.

If everything works according to plan, we should see something like this:

** Verifying zimbra_sub.domain.tld.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (zimbra_sub.domain.tld.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: zimbra_sub.domain.tld.crt: OK
** Copying zimbra_sub.domain.tld.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /etc/ipa/ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

After which, we need to restart the zimbra services:

# /opt/zimbra/bin/zmcontrol restart
Run as the zimbra user!
[root@zimbra commercial]# sudo zimbra
sudo: zimbra: command not found
[root@zimbra commercial]# su - zimbra
Last login: Sun Feb 28 11:29:44 CET 2016 on pts/0
[zimbra@zimbra ~]$ zmcontrol restart
Host zimbra.sub.domain.tld
	Stopping vmware-ha...skipped.
		/opt/zimbra/bin/zmhactl missing or not executable.
	Stopping zmconfigd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
Host zimbra.sub.domain.tld
	Starting ldap...Done.
	Starting zmconfigd...Done.
	Starting dnscache...Done.
	Starting logger...Done.
	Starting mailbox...Done.
	Starting memcached...Done.
	Starting proxy...Done.
	Starting amavis...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting opendkim...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.
	Starting service webapp...Done.
	Starting zimbra webapp...Done.
	Starting zimbraAdmin webapp...Done.
	Starting zimlet webapp...Done.

That's it. Now go to the zimbra admin console and you should see a green lock and no more certificate warnings.

Indeed, curl confirms it:

$ curl -LIv https://zimbra.sub.domain.tld:7071
* Rebuilt URL to: https://zimbra.sub.domain.tld:7071/
*   Trying 192.168.5.115...
* Connected to zimbra.sub.domain.tld (192.168.5.115) port 7071 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=zimbra.sub.domain.tld,O=sub.domain.tld
* 	start date: Feb 28 09:41:48 2016 GMT
* 	expire date: Feb 28 09:41:48 2018 GMT
* 	common name: zimbra.sub.domain.tld
* 	issuer: CN=Certificate Authority,O=sub.domain.tld
> HEAD / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: zimbra.sub.domain.tld:7071
> Accept: */*
>