I have seen tons of requests for installing trusted SSL on Zentyal. I have found a TON of tutorials on how to do it but somehow screwed them all up at one point or another. Being a SBS refugee and having worked primarily on Windows for the last thousand years I have never gone this deep into a Linux server.
That being said I knew there had to be an easy way to get 3rd party SSL working on my test box. All in all I am $15 into this (the cost of the cert basically) and it's working like a charm! I am on Zentyal 4.1 so I cannot test upgrade survivability but I have rebooted my server several times to see if it would live on and it has.
One key point I need to make here is that in doing this you will have to split your web server and mail server up into separate entities. What I mean by that is if you create a vhost file for Apache using your domain TLD then your autodiscover will stop working from yourdomain.com/autodiscover/autodiscover.xml BUT it still works at hostname.yourdomain.com/autodiscover/autodiscover.xml, so you have to redirect traffic using a CNAME or .htaccess or whatever works best for you. In my case I just created a CNAME and it's working great! An example would be if your Zentyal host name was 'mx' and your domain was 'example.com' you can redirect requests for 'autodiscover.example.com' TO 'https://mx.example.com:443/autodiscover/autodiscover.xml' and it works like a champ for Outlook clients outside of the LAN/local domain.
Now that we have that sorted out we can get into the certificates. These certs will ONLY work for Apache served websites; you will still need to install your Zentyal issued cert on any machine running an Outlook client with autodiscover/Outlook Anywhere. Like I said we are splitting web and mail traffic up. This is no big deal though because you really shouldn't have a problem with random people connecting to your mail server. I just installed the CA cert from Zentyal into my "Trusted Root Authority" store and both services work with Outlook. You will likely have to allow a website to configure your account; just check the box to not ask again and click allow and if you have your CNAME in place everything else should go super smooth. Now to get that Apache cert all trusted and happy so people can come and see your site is all secure and such!
First things first - Apache 2.4 does NOT require you to put anything in the ports.conf file, this will only cause Apache to stop working. This all just works from the vhost file.
Create a vhost file in /etc/apache2/sites-available named 'yourdomain.com.conf' (obviously change 'yourdomain.com' to suit your needs but don't forget the .conf at the end) similar to:
<VirtualHost *:443>
SSLEngine On
#Change the following 3 lines to suit your needs
SSLCertificateFile /etc/apache2/ssl/yourdomain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.com.key
#This is the intermediate bundle built with the 'cat' command further down, so the name must match that file
SSLCACertificateFile /etc/apache2/ssl/yourdomain.ca.crt
#Change ServerAdmin to suit your needs
ServerAdmin info@yourdomain.com
ServerName www.yourdomain.com
#Change the DocumentRoot to suit your needs
DocumentRoot /var/www/yourdomain.com/public_html/
#change yourdomain.com to suit your needs
ErrorLog /var/www/yourdomain.com/logs/error.log
CustomLog /var/www/yourdomain.com/logs/access.log combined
</VirtualHost>
SSLCertificateFile - Comodo will likely send you a .crt named yourdomain_com.crt (in my case it was tiki7_com.crt).
SSLCertificateKeyFile - This is created with your CSR and should be put in the same directory as your SSL Certificate.
SSLCACertificateFile - This one we need to make out of the other files Comodo issued with your SSL cert.
Upload the following 2 files and cd your way to the directory you uploaded them to.
•COMODORSADomainValidationSecureServerCA.crt
•COMODORSAAddTrustCA.crt
To make the necessary cert run:
sudo cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > yourdomain.ca.crt
Obviously change the yourdomain bit to suit your needs.
Technically the AddTrustExternalCARoot.crt file is not needed. This file is required for older versions of Apache and it can be added into the above 'cat' command as the final argument before 'yourdomain.ca.crt'.
Now we run the following commands:
sudo a2ensite yourdomain.com
sudo service apache2 reload
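Before running the a2ensite/reload step it is worth checking that the three files the vhost points at actually belong together: that the .key is the one that produced the CSR for the .crt, and that the bundle produced by the 'cat' command really chains the Comodo-issued cert up to a root. The script below is an added example, not code from the original post or from Zentyal. It cannot embed real Comodo files, so make_demo_pki constructs a throwaway root -> intermediate -> leaf chain with openssl in place of AddTrustExternalCARoot.crt, COMODORSADomainValidationSecureServerCA.crt and yourdomain_com.crt; the file names, the example.com host name and the demo_dir layout are all assumptions for the demo. The checks themselves are generic and work on the real files, and served_chain is for after the reload, to see which chain Apache is actually handing to clients.

```shell
#!/bin/sh
# Added example: pre-flight checks for the cert, key and CA bundle a vhost
# points at. The PKI built by make_demo_pki is constructed for the demo and
# stands in for the real Comodo files (not real CA material).
set -eu

# Build a throwaway demo PKI in directory $1: root -> intermediate -> leaf.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/leaf.ext"
  # Self-signed root (plays the role of AddTrustExternalCARoot.crt)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1
  # Intermediate signed by the root (plays the role of the COMODORSA* intermediate)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.crt" >/dev/null 2>&1
  # Leaf signed by the intermediate (plays the role of yourdomain_com.crt and its CSR key)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
    -keyout "$dir/www.key" -out "$dir/www.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/www.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/www.crt" >/dev/null 2>&1
}

# Same step as the post's 'cat' command: concatenate the intermediates
# (the leaf's issuer first) into one bundle file, $1.
build_ca_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# 0 when the public key inside certificate $1 is the one derived from key $2.
cert_matches_key() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 when leaf $1 chains through the intermediates in bundle $2 to a root in $3.
chain_is_complete() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Run both checks for one vhost's files; returns 0 only when both pass.
preflight() {
  crt=$1; key=$2; bundle=$3; roots=$4; rc=0
  if cert_matches_key "$crt" "$key"; then echo "ok: $key matches $crt"
  else echo "FAIL: $key does not belong to $crt (wrong CSR key?)"; rc=1; fi
  if chain_is_complete "$crt" "$bundle" "$roots"; then echo "ok: $bundle chains $crt to a root in $roots"
  else echo "FAIL: $bundle does not chain $crt (missing or mis-ordered intermediate?)"; rc=1; fi
  return $rc
}

# After 'service apache2 reload': print the chain the live server sends for host $1 (port $2, default 443).
served_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---/p'
}

# Demo run on the constructed PKI (demo_dir is a temp directory, an assumption of the example).
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
build_ca_bundle "$demo_dir/demo.ca.crt" "$demo_dir/inter.crt"
preflight "$demo_dir/www.crt" "$demo_dir/www.key" "$demo_dir/demo.ca.crt" "$demo_dir/root.crt"
```

On a real box the call would be preflight /etc/apache2/ssl/yourdomain.com.crt /etc/apache2/ssl/yourdomain.com.key yourdomain.ca.crt AddTrustExternalCARoot.crt, and a second FAIL line usually means the intermediate that signed your cert is missing from the bundle. Note that openssl verify also rejects an expired cert, so the same check is handy before renewals.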
Now for the fun part - open up a browser and go to 'https://yourdomain.com' and if you still see that stupid certificate warning refresh the page. This is working like a champ in my little world and I've even got a second TLD working on Apache/OpenChange/autodiscover and so on using this setup. Now I am super green in this whole thing but I got this all figured out using the Zentyal Wiki for creating vhost files and a couple of tutorials on installing SSL on Apache. I would also like to add that I used the CSR generator tool on https://cheapsslsecurity.com to get my CSR and private key, not OpenSSL. If anyone sees a problem with my findings please let me know; like I said this is on my test box so I don't want to put a messy/insecure box into production. Hopefully this will save someone else from pulling tons of hair out and spilling coffee into their keyboard out of anger.
EDIT - on another post I'd put up about getting 3rd party SSL built-in someone mentioned STUBS and I found myself a better way! The above IS required for additional domains (as far as I can tell), but if you only have a single domain this "should" even be upgrade proof! The SSL cert stuff is all the same, but just do the following to get 3rd party SSL working on most everything in no time flat!!!!!
sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openchange
sudo cp /usr/share/zentyal/stubs/openchange/apache-ocsmanager.conf.mas /etc/zentyal/stubs/openchange
sudo nano /etc/zentyal/stubs/openchange/apache-ocsmanager.conf.mas
Find the following lines:
% if ($ssl) {
SSLEngine on
SSLCertificateFile <% $certificate %>
Change SSLCertificateFile <% $certificate %> to the following 3 lines:
SSLCertificateFile /srv/certs/tiki7_com.crt
SSLCertificateKeyFile /srv/certs/tiki7.key
SSLCACertificateFile /srv/certs/tiki7.com.crt
Save it, close it and restart it and then watch the magic happen!!! This route took me all of 5 minutes LoL.
EDIT - I also found out that if you keep buying Comodo SSL certs then you can keep using the CA cert made earlier in this post - you still need to get the yourdomain_com.crt and private key files uploaded to your server. I can now have a vhost up, running and secure in less than 4 hours other than provisioning which takes about 8 hours total these days!