
Installing a third-party SSL certificate on Zimbra 8.8.x from the command line


There are two ways to install a third-party-signed SSL certificate on Zimbra: through the WebAdmin console, or from the command line. Compared with the WebAdmin route, I find the command-line procedure simpler, and if something goes wrong during the install it prints a detailed reason for the error. The steps are recorded below for future reference.

1. First, upload the certificate files and the private key issued by the third-party CA to the commercial certificate directory on the Zimbra server, /opt/zimbra/ssl/zimbra/commercial/

My CA issued three certificate-related files:
1_root_bundle.crt: root certificate and intermediate certificate (bundle)
2_mail.heminjie.com.crt: the certificate for mail.heminjie.com
3_mail.heminjie.com.key: the private key for mail.heminjie.com

[zimbra@mail /]$ cd /opt/zimbra/ssl/zimbra/commercial/
[zimbra@mail commercial]$ ll
total 12
-rw-r--r-- 1 root root 3021 Jun 19 15:23 1_root_bundle.crt
-rw-r--r-- 1 root root 1987 Jun 19 11:15 2_mail.heminjie.com.crt
-rw-r--r-- 1 root root 1700 Jun 19 11:15 3_mail.heminjie.com.key

2. Rename the private key file to commercial.key

[zimbra@mail commercial]$ mv 3_mail.heminjie.com.key commercial.key

3. Verify that the certificate is valid

[zimbra@mail commercial]$ zmcertmgr verifycrt comm commercial.key 2_mail.heminjie.com.crt 1_root_bundle.crt 
** Verifying '2_mail.heminjie.com.crt' against 'commercial.key'
Certificate '2_mail.heminjie.com.crt' and private key 'commercial.key' match.
** Verifying '2_mail.heminjie.com.crt' against '1_root_bundle.crt'
Valid certificate chain: 2_mail.heminjie.com.crt: OK

4. Deploy the certificate

[zimbra@mail commercial]$ zmcertmgr deploycrt comm 2_mail.heminjie.com.crt 1_root_bundle.crt 
** Fixing newlines in '2_mail.heminjie.com.crt'
** Fixing newlines in '1_root_bundle.crt'
** Verifying '2_mail.heminjie.com.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '2_mail.heminjie.com.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '2_mail.heminjie.com.crt' against '1_root_bundle.crt'
Valid certificate chain: 2_mail.heminjie.com.crt: OK
** Copying '2_mail.heminjie.com.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '1_root_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '1_root_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.testmail.cn...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.testmail.cn...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 9 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/8d28ae65.0
** Removing /opt/zimbra/conf/ca/dd182a49.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/d6325660.0
** Removing /opt/zimbra/conf/ca/commercial_ca_3.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/157753a5.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'dd182a49.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4d6d4f45.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '3513523f.0' -> 'commercial_ca_2.crt'

5. Verify that the certificate was deployed successfully

[zimbra@mail commercial]$ zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com

6. Restart the services so the certificate takes effect

[zimbra@mail commercial]$ zmcontrol restart

At this point the certificate installation is complete. Check that the certificate is in effect from the WebAdmin console and from the WebMail login page:
[Two screenshots (QQ截图20180619153501, QQ截图20180619153254): the certificate as shown in the WebAdmin console and on the WebMail login page]
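Before handing the three files to zmcertmgr in step 3, it is worth checking them as plain PEM text: the chain error in the troubleshooting section below comes from a bundle that holds only one certificate, and the listing in step 1 shows the private key as mode 644, readable by every local user. The following pre-flight script is an added example, not part of Zimbra or of this post; it assumes the file names used on this page, and the PEM bodies it writes for its demo are constructed placeholders, not real keys or certificates. The cryptographic verification is still done by zmcertmgr verifycrt.

```shell
#!/bin/sh
# Added pre-flight check for the three files handed to "zmcertmgr verifycrt comm"
# (example code, not part of Zimbra). It inspects the files as plain PEM text,
# so it runs anywhere; the real cryptographic check is still step 3 on the page.
# File names below mirror the page; the fake PEM bodies are constructed.

# Number of "BEGIN CERTIFICATE" blocks in a file (0 if the file is missing).
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Classify a PEM file by its first header line: cert, key or unknown.
pem_type() {
    first=$(grep -- '-----BEGIN' "$1" 2>/dev/null | head -n 1)
    case "$first" in
        *'BEGIN CERTIFICATE'*) echo cert ;;
        *'PRIVATE KEY'*)       echo key ;;      # RSA, EC or PKCS#8 headers
        *)                     echo unknown ;;
    esac
}

# Succeeds when the file contains CRLF line endings (the case zmcertmgr reports
# as "Fixing newlines").
has_crlf() {
    grep -q "$(printf '\r')" "$1" 2>/dev/null
}

# Check key, server certificate and CA bundle. Returns 0 when the set looks
# complete, 1 otherwise; findings are printed to stdout.
preflight() {
    key=$1; crt=$2; bundle=$3; rc=0
    [ "$(pem_type "$key")" = key ]  || { echo "FAIL: $key is not a PEM private key"; rc=1; }
    [ "$(pem_type "$crt")" = cert ] || { echo "FAIL: $crt is not a PEM certificate"; rc=1; }
    n=$(count_pem_certs "$bundle")
    if [ "$n" -lt 2 ]; then
        # One certificate in the bundle means the root or the intermediate is
        # missing: the "unable to get issuer certificate" error on this page.
        echo "FAIL: $bundle holds $n certificate(s); expected intermediate + root"; rc=1
    fi
    for f in "$key" "$crt" "$bundle"; do
        has_crlf "$f" && echo "WARN: $f has CRLF line endings (zmcertmgr will rewrite them)"
    done
    # The listing on the page shows the key as mode 644: readable by every local user.
    case "$(ls -ld "$key" 2>/dev/null)" in
        ???????---*) ;;
        *) echo "WARN: $key is readable by group/other; consider chmod 600" ;;
    esac
    return $rc
}

# Write a constructed set of files into directory $1 (fake PEM bodies, not real
# keys or certificates). "$2" = complete gives a two-certificate bundle;
# anything else gives a one-certificate bundle with CRLF endings.
make_sample_set() {
    dir=$1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIConstructedKeyBody==' \
                  '-----END PRIVATE KEY-----' > "$dir/commercial.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIConstructedServerCert==' \
                  '-----END CERTIFICATE-----' > "$dir/2_mail.example.com.crt"
    if [ "$2" = complete ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIConstructedIntermediate==' \
                      '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
                      'MIIConstructedRoot==' '-----END CERTIFICATE-----' > "$dir/1_root_bundle.crt"
    else
        printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIConstructedIntermediate==' \
                        '-----END CERTIFICATE-----' > "$dir/1_root_bundle.crt"
    fi
}

# Demo on constructed files; on a real server point preflight at the files in
# /opt/zimbra/ssl/zimbra/commercial/ before running step 3.
demo=$(mktemp -d)
make_sample_set "$demo" incomplete
preflight "$demo/commercial.key" "$demo/2_mail.example.com.crt" "$demo/1_root_bundle.crt" \
    || echo "not ready for zmcertmgr verifycrt comm"
rm -rf "$demo"
```

The incomplete demo set reproduces the first error below (a one-certificate bundle) and the CRLF case that zmcertmgr reports as "Fixing newlines"; a complete two-certificate bundle passes. The mode check only warns, because zmcertmgr copies the key itself, but a key that other local users can read should be tightened before deployment.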

Errors encountered during installation and how to fix them:

1. Certificate verification fails with the following error:

[zimbra@mail commercial]$ zmcertmgr verifycrt comm commercial.key 2_mail.heminjie.com.crt 1_root_bundle.crt 
** Verifying '2_mail.heminjie.com.crt' against 'commercial.key'
Certificate '2_mail.heminjie.com.crt' and private key 'commercial.key' match.
** Verifying '2_mail.heminjie.com.crt' against '1_root_bundle.crt'
ERROR: Unable to validate certificate chain: 2_mail.heminjie.com.crt: C = CN, O = "TrustAsia Technologies, Inc.", OU = Domain Validated SSL, CN = TrustAsia TLS RSA CA
error 2 at 1 depth lookup:unable to get issuer certificate

Cause: the root certificate for the certificate file cannot be found. Many third-party CAs supply certificate files that are missing the root or the intermediate certificate, which breaks the certificate chain.

Fix: ask the CA for the complete root and intermediate certificates, and concatenate the root and intermediate certificates into a single certificate file.

2. The certificate deploys successfully, but restarting the services fails

[zimbra@mail commercial]$ zmcontrol restart
Host mail.testmail.cn
        Stopping vmware-ha...Done.
        Stopping zmconfigd...Done.
        Stopping imapd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping convertd...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...Done.
Host mail.testmail.cn
        Starting ldap...Done.
Unable to start TLS: hostname verification failed when connecting to ldap master.

Cause: the Zimbra server's hostname is not included in the certificate. The hostname is usually not the official domain name we used when requesting the certificate.

Fix: turn off TLS verification for the LDAP service, then restart the services

[zimbra@mail commercial]$ zmlocalconfig -e ldap_starttls_supported=0
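The deploy output above shows the mismatch that triggers this error: zmprov modifies the server mail.testmail.cn, while the certificate names only mail.heminjie.com. Setting ldap_starttls_supported=0 avoids the failure by dropping STARTTLS on the LDAP connection, which also drops its encryption; on a single-server install that traffic stays on the host, but on a multi-server deployment the cleaner fix is a certificate whose SAN includes the name zmhostname prints. The script below is an added example, not part of Zimbra or of this post: it reads the subject= and SubjectAltName= lines from zmcertmgr viewdeployedcrt output and reports whether a given hostname is covered, so the mismatch can be found before step 6. It assumes multiple SAN entries appear on one line separated by commas or spaces; the sample output embeds the ldap block from this page, and its proxy block with a wildcard SAN is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of Zimbra): check whether a server's own hostname is
# covered by the deployed certificate, reading the "subject=" and
# "SubjectAltName=" lines that "zmcertmgr viewdeployedcrt" prints. Run it before
# step 6 to predict the "hostname verification failed" LDAP error on this page.
# Assumption: multiple SANs appear on one line, separated by commas/spaces.

# Does one certificate name cover the host? Exact match, or a wildcard that
# covers exactly one label ("*.example.com" covers mail.example.com, not
# a.b.example.com and not example.com itself).
name_covers_host() {
    name=$1; host=$2
    case "$name" in
        "$host") return 0 ;;
        \*.*)
            suffix=${name#\*.}
            rest=${host%".$suffix"}          # host with ".$suffix" removed
            [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ] && return 0
            ;;
    esac
    return 1
}

# Print the DNS names (subject CN plus each SAN) of the certificate deployed for
# service $1 (imapd, ldap, mailboxd, mta or proxy), reading viewdeployedcrt
# output on stdin.
cert_names_for_service() {
    awk -v svc="$1" '
        /^- /                         { inblock = ($0 ~ ("^- " svc ":")); next }
        inblock && /^subject=/        { if (match($0, "CN=[^/,]+")) print substr($0, RSTART + 3, RLENGTH - 3) }
        inblock && /^SubjectAltName=/ { sub(/^SubjectAltName=/, ""); gsub(/,/, " ");
                                        n = split($0, a, " "); for (i = 1; i <= n; i++) print a[i] }
    '
}

# Exit 0 and print the matching name when the certificate for service $1 covers
# hostname $2; exit 1 and list the names seen otherwise.
host_covered() {
    svc=$1; host=$2
    names=$(cert_names_for_service "$svc")
    set -f                                # names may contain "*": no globbing
    for n in $names; do
        if name_covers_host "$n" "$host"; then
            set +f; echo "$svc: $host is covered by $n"; return 0
        fi
    done
    echo "$svc: $host is NOT covered; certificate names: $(echo $names)"
    set +f
    return 1
}

# Constructed sample in the viewdeployedcrt format (the ldap block copies the
# page; the proxy block with a wildcard SAN is invented for the demo).
SAMPLE_OUTPUT='- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 19 00:00:00 2018 GMT
notAfter=Jun 19 12:00:00 2019 GMT
subject= /CN=mail.heminjie.com
issuer= /C=CN/O=TrustAsia Technologies, Inc./OU=Domain Validated SSL/CN=TrustAsia TLS RSA CA
SubjectAltName=mail.heminjie.com
- proxy: /opt/zimbra/conf/nginx.crt
subject= /CN=mail.heminjie.com
SubjectAltName=mail.heminjie.com, *.heminjie.com'

# The page's situation: host mail.testmail.cn, certificate for mail.heminjie.com.
printf '%s\n' "$SAMPLE_OUTPUT" | host_covered ldap mail.testmail.cn || true
printf '%s\n' "$SAMPLE_OUTPUT" | host_covered ldap mail.heminjie.com
# On a real server: zmcertmgr viewdeployedcrt | host_covered ldap "$(zmhostname)"
```

Globbing is switched off while the names are iterated because a wildcard SAN such as *.heminjie.com would otherwise be expanded against the current directory. The wildcard rule implements the common single-label interpretation; a certificate for *.heminjie.com does not cover heminjie.com itself or a two-label name beneath it.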

3. If you hit a strange problem that cannot be solved for the moment, you can also force a rollback to the certificate state from before the installation

[zimbra@mail commercial]$ zmcertmgr deploycrt self

Original article: Installing a third-party SSL certificate on Zimbra 8.8.x from the command line. Please credit the source when reposting!
