How to properly configure SNI in Zimbra OSE?

At the beginning of the 21st century, IPv4 addresses are a resource on the verge of depletion. Back in 2011, IANA allocated the last five remaining /8 blocks from its address space to the regional Internet registries, and by 2017 they too had run out of addresses. The answer to the catastrophic shortage of IPv4 addresses was not only the emergence of the IPv6 protocol, but also SNI (Server Name Indication), which made it possible to host a huge number of websites on a single IPv4 address. SNI is a TLS extension that lets the client tell the server, during the handshake, the name of the host it wants to connect to. The server can therefore hold several certificates, which means several domains can operate on the same IP address. SNI has become especially popular among SaaS providers for businesses, who can host an almost unlimited number of domains without regard to the number of IPv4 addresses that would otherwise be required. Let's find out how you can implement SNI support in the Zimbra Collaboration Suite Open-Source Edition.

SNI works in all current and supported versions of Zimbra OSE. If your Zimbra Open-Source installation runs on a multi-server infrastructure, you will need to perform all of the following steps on the node where Zimbra Proxy is installed. In addition, for each domain you want to host on your IPv4 address you will need a matching certificate and key pair as well as the trusted certificate chain from your CA. Please note that the vast majority of errors when configuring SNI in Zimbra OSE come precisely from incorrect certificate files. Therefore, we advise you to check everything carefully before installing them.

First of all, for SNI to work at all, you need to run the command zmprov mcf zimbraReverseProxySNIEnabled TRUE on the node with the Zimbra proxy server, and then restart the proxy service with the command zmproxyctl restart.

We'll start by creating a domain. As an example we will take the domain company.ru and, once the domain has been created, decide on the Zimbra virtual host name and the virtual IP address. Please note that the Zimbra virtual host name must match the name the user types into the browser's address bar to reach the domain, and must also match the name specified in the certificate. For this example we take mail.company.ru as the Zimbra virtual host name and 1.2.3.4 as the virtual IPv4 address.

After that, just enter the command zmprov md company.ru zimbraVirtualHostName mail.company.ru zimbraVirtualIPAddress 1.2.3.4 to bind the Zimbra virtual host to the virtual IP address. Please note that if the server is behind NAT or a firewall, you need to make sure that all requests for the domain arrive at the external IP address associated with it, not at its address on the local network.

After everything is done, all that remains is to check and prepare the domain certificates for installation, and then install them.

If the certificate for the domain was issued successfully, you should have three certificate files on hand: two of them make up the certificate chain from your certification authority (root and intermediate), and one is the certificate for the domain itself. In addition, you must have the key file that you used to obtain the certificate. Create a separate folder /tmp/company.ru and put all the key and certificate files there. The end result should look something like this:

ls /tmp/company.ru
company.ru.key
company.ru.crt
company.ru.root.crt
company.ru.intermediate.crt

After that, we combine the certificate chain into one file with the command cat company.ru.root.crt company.ru.intermediate.crt >> company.ru_ca.crt and make sure that everything is in order with the certificates and the key using the command /opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/company.ru/company.ru.key /tmp/company.ru/company.ru.crt /tmp/company.ru/company.ru_ca.crt. Once the verification of the certificates and the key succeeds, you can proceed to install them.

To start the installation, we first combine the domain certificate and the trusted chain from the certification authority into one file. This is again done with a single command of the form cat company.ru.crt company.ru_ca.crt >> company.ru.bundle. After that, run the command /opt/zimbra/libexec/zmdomaincertmgr savecrt company.ru company.ru.bundle company.ru.key to write the certificates and the key to LDAP, and then install the certificates with the command /opt/zimbra/libexec/zmdomaincertmgr deploycrts. After installation, the certificates and the key for the company.ru domain are stored in the folder /opt/zimbra/conf/domaincerts/company.ru
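The whole procedure above, from enabling SNI on the proxy node to deploying a domain's certificate, collected into one script as an added example. This is not code from the original article or from Zimbra; it wraps the article's own commands in functions, checks the four input files before concatenating them, and prints every Zimbra command instead of running it unless DRY_RUN=0 is set, so it can be rehearsed on a machine without Zimbra. Two choices are the example's own: the CA chain is written with the intermediate before the root (the order TLS clients expect after the leaf certificate), and the files are written with > rather than >> so that re-running the script does not append a second copy of each certificate. It assumes the file naming scheme from the listing above and that, when run for real, it is executed as the zimbra user on the proxy node. The demo files it creates are placeholder PEM text, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original article or from Zimbra.
# Assumptions: files in DIR are named <domain>.key, <domain>.crt,
# <domain>.root.crt and <domain>.intermediate.crt, as in the article.
# Zimbra commands are printed unless DRY_RUN=0 (run as the zimbra user).

# Run a command, or just print it in dry-run mode (the default).
zimbra_cmd() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "$*"; fi
}

# Global step, done once per proxy node: turn on SNI and restart the proxy.
enable_sni() {
    zimbra_cmd zmprov mcf zimbraReverseProxySNIEnabled TRUE
    zimbra_cmd zmproxyctl restart
}

# Check the four input files and build <domain>_ca.crt and <domain>.bundle.
# Intermediate goes before root; '>' so a re-run does not append duplicates.
prepare_domain_bundle() {
    domain="$1"; dir="$2"
    for f in "$domain.key" "$domain.crt" "$domain.root.crt" "$domain.intermediate.crt"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    for f in "$domain.crt" "$domain.root.crt" "$domain.intermediate.crt"; do
        grep -q 'BEGIN CERTIFICATE' "$dir/$f" || { echo "not a PEM certificate: $dir/$f" >&2; return 1; }
    done
    grep -q 'PRIVATE KEY' "$dir/$domain.key" || { echo "not a PEM key: $dir/$domain.key" >&2; return 1; }
    cat "$dir/$domain.intermediate.crt" "$dir/$domain.root.crt" > "$dir/${domain}_ca.crt"
    cat "$dir/$domain.crt" "$dir/${domain}_ca.crt" > "$dir/$domain.bundle"
}

# Per-domain steps from the article: bind the virtual host, verify, save, deploy.
domain_sni_steps() {
    domain="$1"; vhost="$2"; vip="$3"; dir="$4"
    zimbra_cmd zmprov md "$domain" zimbraVirtualHostName "$vhost" zimbraVirtualIPAddress "$vip"
    zimbra_cmd /opt/zimbra/bin/zmcertmgr verifycrt comm "$dir/$domain.key" "$dir/$domain.crt" "$dir/${domain}_ca.crt" || return 1
    zimbra_cmd /opt/zimbra/libexec/zmdomaincertmgr savecrt "$domain" "$dir/$domain.bundle" "$dir/$domain.key"
    zimbra_cmd /opt/zimbra/libexec/zmdomaincertmgr deploycrts
}

# Client-side check: request the host name via SNI and show the subject of
# the certificate the proxy actually serves for it.
sni_check() {
    vhost="$1"; vip="$2"
    cmd="openssl s_client -connect $vip:443 -servername $vhost </dev/null 2>/dev/null | openssl x509 -noout -subject"
    if [ "${DRY_RUN:-1}" = 0 ]; then sh -c "$cmd"; else echo "$cmd"; fi
}

# Constructed placeholder PEM files for a dry run (not real certificates).
make_demo_dir() {
    d="$1"; domain="$2"
    mkdir -p "$d"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$d/$domain.key"
    for part in crt root.crt intermediate.crt; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER $part" '-----END CERTIFICATE-----' > "$d/$domain.$part"
    done
}

# Dry run with the article's example values.
demo_dir=$(mktemp -d)
make_demo_dir "$demo_dir" company.ru
enable_sni
prepare_domain_bundle company.ru "$demo_dir" && domain_sni_steps company.ru mail.company.ru 1.2.3.4 "$demo_dir"
sni_check mail.company.ru 1.2.3.4
```

For a second domain on the same IP address, call prepare_domain_bundle and domain_sni_steps again with the new domain name and its own file directory; enable_sni is needed only once per proxy node. The sni_check output is the practical version of the browser test: each virtual host name should return a subject matching that host, not the certificate of another domain on the same address.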

By repeating these steps with different domain names but the same IP address, several hundred domains can be hosted on a single IPv4 address. At the same time, you can use certificates from a variety of certification authorities without any problems. You can check that all the steps were performed correctly in any browser, where each virtual host name should present its own SSL certificate.

For all questions related to Zextras Suite, you can contact the Representative of Zextras Ekaterina Triandafilidi by e-mail [email protected]

Source: habr.com
