Author Topic: [HOWTO] Trusted SSL With Zentyal 4+  (Read 5301 times)

trysomething

  • Zen Warrior
  • ***
  • Posts: 118
  • Karma: +5/-0
  • Founder of The Tiki Lab
    • View Profile
    • The Tiki Lab | Bridging the gap between technology and vision impairment!
[HOWTO] Trusted SSL With Zentyal 4+
« on: August 20, 2015, 06:49:43 pm »
I have seen tons of requests for installing trusted SSL on Zentyal.  I have found a TON of tutorials on how to do it but somehow screwed them all up at one point of another.  Being a SBS refugee and having worked primarily on Windows for the last thousand years I have never gone this deep into a Linux server.
That being said I knew there had to be an easy way to get 3rd party SSL working on my test box.  All in all I am $15 into this (the cost of the cert basically) and it's working like a charm!  I am on Zentyal 4.1 so I cannot test upgrade survivability but I have rebooted my server several times to see if it would live on and it has.
One key point I need to make here is that in doing this you will have to split your web server and mail server up into seperate entities.  What I mean by that is if you create a vhost file for Apache using your domain TLD then your autodiscover will stop working from yourdomain.com/autodiscover/autodiscover.xml BUT it still works at hostname.yourdomain.com/autodiscover/autodiscover.xml so you have to redirect traffic usinge a CNAME or .htaccess or whatever works best for you.  In my case I just created a CNAME and it's working great!  An example would be if your Zentyal host name was 'mx' and your domain was 'example.com' you can redirect requestst for 'autodiscover.example.com' TO 'https://mx.example.com:443/autodiscover/autodiscover.xml' and it works like a champ for Outlook clients outside of the LAN/local domain.
Now that we have that sorted out we can get into the certificates.  These certs will ONLY work for Apache served websites, you will still need to install your Zentyal issued cert on any machine running an Outlook client wth autodiscover/Outlook Anywhere.  Like I said we are splitting web and mail traffic up, this is no big deal though because you really shouldn't have a problem with random people connecting to your mail server.  I just installed the CA cert from Zentyal into my "Trusted Root Authority" store and both services work with Outlook.  You will likely have to allow a website to configure your account, just check the box to not ask again and click allow and if you have your CNAME in place everything else should go super smooth.  Now to get that Apache cert all trusted and happy so people can come and see your site is all secure and such!
First things first - Apache 2.4 does NOT require you to put anything in the ports.conf file, this will only cause Apache to stop working.  This all just works from the vhost file.
Create a vhost file in /etc/apache2/sites-available named 'yourdomain.com.conf' (obviously change 'yourdomain.com' to suit your needs but don't forget the .conf at the end)  similar to:

 <VirtualHost *:443>
     SSLEngine On
     #Change the following 3 lines to suit your needs
     SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
     SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
     SSLCACertificateFile /etc/apache2/ssl/yourdomain.com.crt
     #Change ServerAdmin to suit your needs
     ServerAdmin info@yourdomain.com
     ServerName www.yourdomain.com
     #Change the DocumentRoot to suit your needs
     DocumentRoot /var/www/yourdomain.com/public_html/
     #change yourdomain.com to suit your needs
     ErrorLog /var/www/yourdomain.com/logs/error.log
     CustomLog /var/www/yourdomain.com/logs/access.log combined
</VirtualHost>
 

SSLCertificateFile - Comodo will likely send you a .crt name yourdomain_com.crt (in my case it was tiki7_com.crt

SSLCertificateKeyFile - This is created with your CSR and should be put in the same directory as your SSL Certificate.

SSLCACertificateFile - This one we need to make out of the other files Comodo issued with your SSL cert.

Upload the following 2 files and cd your way to the directory you upload them to.

•COMODORSADomainValidationSecureServerCA.crt
•COMODORSAAddTrustCA.crt
To make the necessary cert run:
sudo cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  > yourdomain.ca.crt

Obviously change the yourdomain bit to suit your needs.
Technically the AddTrustExternalCARoot.crt file is not needed.  This file is required for older versions of Apache and it can be added into the above 'cat' command as the final argument before 'yourdomain.ca.crt'.
Now we run the following commands:
sudo a2ensite yourdomain.com
sudo service apache2 reload

Now for the fun part - open up a browser and go to 'https://yourdoman.com" and if you still see that stupid certificate warning refresh the page.  This is working like a champ in my little world and I've even got a second TLD working on Apache/OpenChange/autodiscover and so on using this setup.  Now I am super green in this whole thing but I got this all figured out using the Zentyal Wiki for creating vhost files and a couple of tutorials on installing SSL on Apache.  I would also like to add that I used the CSR generator tool on https://cheapsslsecurity.com to get my CSR and private key, not open-ssl.  If anyone sees a problem with my findings please let me know, like I said this is on my test box so I don't want to put a messy/unsecure box into production.  Hopefully this will help someone else from pullng tons of hair out and spilling coffee into their keyboard out of anger.

EDIT - on another post I'd put up about getting 3rd party SSL built-in someone mentioned STUBS and I found myself a better way!  The above IS required for additional domains (as far as I can tell), but if you only have a single domain this "should" even be upgrade proof!  The SSL cert stuff is all the same, but just do the following to get 3rd party SSL working on most everything in no time flat!!!!!

sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openchange
cp /usr/share/zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/zentyal/stubs/openchange
sudo nano /etc/zentyal/stubs/openchange/apache-ocsmanager.conf.mas
Find the following lines:

% if ($ssl) {
    SSLEngine on
    SSLCertificateFile <% $certificate %>

Change SSLCertificateFile <% $certificate %> to the following 3 lines:
        SSLCertificateFile      /srv/certs/tiki7_com.crt
        SSLCertificateKeyFile /srv/certs/tiki7.key
        SSLCACertificateFile /srv/certs/tiki7.com.crt
Save it, close it and restart it and then watch the magic happen!!!  This route took me all of 5 minutes LoL.

EDIT - I also found out that if you keep buying Comodo SSL certs then you can keep using the CA cert made earlier in this post - you still need to get the yourdomain_com.crt and private key files uploaded to your server.  I can now have a vhost up, running and secure in less than 4 hours other than provisioning which takes about 8 hours total these days!
« Last Edit: August 20, 2015, 09:55:23 pm by trysomething »
You will have to excuse my posts not having actual links in them.  I'm blind and can never find that insert hyperlink button LoL.  If you, or someone you know has vision problems check out The Tiki Lab.

JayJay

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: [HOWTO] Trusted SSL With Zentyal 4+
« Reply #1 on: August 26, 2015, 09:41:17 am »
On Zentyal 4.1.3 system.
Here's a procedure to achieve ActiveSync including SSL/TLS support, using  Openssl to convert the pfx file
Start of with Zentyal 4.1 system including the ActiveSync patch from Sogo.
Then , the SSL part......


I extracted a pfx file , using openssl , to a certificate.crt file and a keyfile.key file.
According to the method described in the 1st three commands here...
http://forum.hostek.com/showthread.php?599-How-do-I-install-a-SSL-Certificate-from-a-PFX-file-on-my-Linux-VPS

I downloaded a CA chain certificate from the Certificate Authority's website, Alphassl.
(https://www.alphassl.com/support/install-root-certificate.html)

I copied the certificate.crt file to /srv/certs
I copied the keyfile.key to /srv/certs
I copied the CAcertificatefile.crt to /srv/certs

Then....
sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openchange
cp /usr/share/zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/zentyal/stubs/openchange
sudo nano /etc/zentyal/stubs/openchange/apache-ocsmanager.conf.mas
Find the following lines:

% if ($ssl) {
    SSLEngine on
    SSLCertificateFile <% $certificate %>

Change SSLCertificateFile <% $certificate %> to the following 3 lines:
        SSLCertificateFile      /srv/certs/certificatefile.crt
        SSLCertificateKeyFile /srv/certs/keyfile.key
        SSLCACertificateFile /srv/certs/CAcertificatefile.crt

I have not checked all possible circumstances and email client types, and not done any update from Zentyal yet.
On Android device 5+ ActiveSync email with SSL support (security type SSL/TLS) is provided and working fine .
Also tested on iOS 8 (Ipad mini)...working.
« Last Edit: August 30, 2015, 05:47:16 pm by JayJay »

trysomething

  • Zen Warrior
  • ***
  • Posts: 118
  • Karma: +5/-0
  • Founder of The Tiki Lab
    • View Profile
    • The Tiki Lab | Bridging the gap between technology and vision impairment!
Re: [HOWTO] Trusted SSL With Zentyal 4+
« Reply #2 on: September 16, 2015, 10:13:55 pm »
HOLY COW - Even easier on the wallet AND the certs!!!  I was having some trouble getting everyone and everything to play nicely just using the Comodo Positive SSL certs, so I went hunting for something better.  I just picked up a Comodo Positive UCC or SAN (whichever you want to call it).  There's no need to cat anything and you can add domains/subdomains to it as you need.  Ironically the fix came when I was troubleshooting someone's Exchange 2013 setup and I noticed they'd used a legit 3rd party SSL but it was ONLY for their FQDN.  Suddenly I remembered that you need the TLD, FQDN and an autodiscover domain listing.
It cost me less than $50 and it comes with a .ca-bundle file that is already all setup and ready to rock!  If your domain is Zentyal.org and your server name is mx then you'd want to use the following set of domains:
Common Name:  Zentyal.org
Domain 1:  mx.zentyal.org
Domain 2:  autodiscover.zentyal.org
To make things run even better you can add up to 300 domains so throw in a couple of potential future domain names:
Domain 3:  blog.zentyal.org
Domain 4:  shop.zentyal.org

OR if you're trying to corner the market on a specific domain you could add:
Zentyal.net
Zentyal.com
Zentyal.online
and so on and so on.  You can add up to the limit for additional domains whether they're subdomains or something completely different like covering Zentyal.org, Microsoft.com, google.com, netzero.net and you get the point now.  Depending on where you buy your UCC/SAN cert there's a cost for additional domains, some give you the first 3 free, some give you 1 free, some charge $35.00/additional domain and some charge $5.95/additional domain.  I just bought mine direct from Comodo and with verification and everything it literally took me 10 minutes from start to finish - that's including updating my stub file and restarting my server!
You will have to excuse my posts not having actual links in them.  I'm blind and can never find that insert hyperlink button LoL.  If you, or someone you know has vision problems check out The Tiki Lab.