A self-signed certificate is automatically generated when the Zimbra is installed, but I have previously applied for a wildcard certificate in RapidSSL, so just upload the certificate.
The files that download the certificate first include the following (the wildcard certificate that was purchased is the previous prefix is star)
1. server Certificate CRT STAR.XXXX.COM.CRT
2. Server Private key STAR.xxxx.com.key
3, Root certificate Ca-bundle CA-BUNDLE.CRT also have called Ca_chain
Because the Zimbra with the certificate of more places, manual installation estimates will produce a lot of inconsistencies, or with ZM tools good
In the Administration page, "Home-configuration-Certificate" to create a new enterprise CSR, regardless of the input of what information as long as the production line (for you to apply for certificate use), we have already had so do not care about it.
In the terminal, enter the Zimbra user
sudo su Zimbra
Overwrite key file
CP Star.xxxx.com.key/opt/zimbra/ssl/zimbra/commercial/commercial.key
Verifying certificates
Zmcertmgr verifycrt Comm/opt/zimbra/ssl/zimbra/commercial/commercial.key STAR.xxxx.com.crt ca-bundle.crt
Normal should return OK
But the error:
Error 2 at 2 depth lookup:unable to get issuer certificate
Final Solution:
Because only 2 segments of the root certificate given by the vendor contain 2 parts:
The first one:
Issued To:rapidssl SHA256 CA
Issued By:geotrust Global CA
Valid from:12/11/2013 to 5/20/2022
Serial NUMBER:02 3a 71
The second one:
Issued To:geotrust Global CA
Issued by:equifax Secure Certificate Authority
Valid from:5/20/2002 to 8/20/2018
Serial number:12 BB e6
It is not the trust authority that Linux can authenticate (the root certificate of the larger institution is built into OpenSSL, but RapidSSL is obviously not, it requires a certificate chain to authenticate, in other words the certificate chain is incomplete);
You need to add a higher-level root certificate to the CA file.
Until it is associated and trusted with the built-in certificate in OpenSSL
Issued to:equifax Secure Certificate Authority
Issued by:equifax Secure Certificate Authority
Valid from:8/22/1998 to 8/22/2018
Download from the following address:
Https://knowledge.rapidssl.com/library/VERISIGN/INTERNATIONAL_AFFILIATES/GeoTrust/Equifax_Secure_Certificate_Authority.pem
Or if it doesn't, you need to have your supplier complete a certificate chain until the
Verify through you will get a Mach and an OK
Okay, you can continue to install the certificate.
Zmcertmgr DEPLOYCRT Comm STAR.XXXX.COM.CRT CA-BUNDLE.CRT
Get a large number of OK and final save copy and create after it is ready
Verify that:
Zmcertmgr VIEWDEPLOYEDCRT
If you get the results, the certificates in the different modules are all their own.
Of course, it requires a reboot.
Zmcontrol status
After the restart, remember to close the browser open Zimbra can see the certificate you have imported
The biggest problem in the installation is the certificate, if your root certificate is not in a file, you need to merge all the root certificates for later use, if you are operating in the web, you need to import all the root certificates to the line, of course, you can also merge and upload 1 files.
This article is from "仝渊 's operation and maintenance station" blog, please be sure to keep this source http://axe999.blog.51cto.com/8295103/1927331
Zimbra 8.x Installation RapidSSL