
ssl certificates for multi-server and mail client access

antonio
(@antonio)
Joined: 1 year ago
Posts: 48
Topic starter  

Hello Mr @sharif

Some help needed here:

I have a multi-server 23.11 version over Ubuntu 20.04.

I installed it last July, and it has been running smoothly so far.

Now I had my first user connecting with the Outlook client to ports 993 and 587, and he's getting SSL errors.

After checking my certificates, I have different information/certificates on the MTA node and on the proxy node.

My conclusions:

After analyzing the entire Carbonio installation process, the difference between the single server and multi-server setups is merely that the commands are executed on different servers. In fact, the multi-server setup lacks specific installation instructions; instead, it provides links to the installation pages of various components.

Certificate Propagation
There is no command to propagate the certificate between servers, nor are there instructions in that regard. If the certificate needs to be installed on more than one server, it is not indicated. The instructions for installing the SSL certificate are the same for both single and multi-server setups.

Now each of the servers has a certificate installed with the name of the host itself. This certificate is installed with Carbonio itself.

Examples:

zextras@storage:~$ zmcertmgr viewdeployedcrt
- ldap: /opt/zextras/conf/slapd.crt
notBefore=Jul 20 18:08:50 2023 GMT
notAfter=Jul 18 18:08:50 2028 GMT
subject=OU = Zextras Carbonio, CN = storage.yobi365.com
issuer=O = CA, OU = Zextras Carbonio, CN = ldap.yobi365.com

....

But on my proxy:

zextras@connect:~$ zmcertmgr viewdeployedcrt
- ldap: /opt/zextras/conf/slapd.crt
notBefore=Jan 11 16:51:18 2024 GMT
notAfter=Apr 10 16:51:17 2024 GMT
subject=CN = connect.yobi365.com
issuer=C = US, O = Let's Encrypt, CN = R3
SubjectAltName=connect.yobi365.com

Now the SMTP access on port 587 is directly to the server with the MTA (it does not pass through the proxy server), and access to IMAP/POP/Web is through the proxy server.
This results in different certificates being presented to Outlook, and the first certificate not being recognized.

What is missing? Did I fail to follow some instructions for the multi-server installation?

Thanks in advance


   
antonio
(@antonio)
Joined: 1 year ago
Posts: 48
Topic starter  

Some additional questions to help clarify this:

- In a multi-server environment, on which node should the certificate be installed?

- Will the certificate be automatically propagated to other nodes, or should we install it? If so, where? And what about upgrades?

- What domains/hosts should be included in the certificate?


   
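The mismatch described in the thread can be checked offline from the `zmcertmgr viewdeployedcrt` text collected on each node. The following is an added example, not part of the original posts and not Carbonio code: it parses the two outputs quoted above (only the ldap entries shown there) and lists why a client configured with a given hostname would reject each certificate. `TRUSTED_ISSUERS`, the function names, and the exact-name matching without wildcards are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Constructed input: the two zmcertmgr outputs quoted in the post above.
NODES = {
    "storage": """- ldap: /opt/zextras/conf/slapd.crt
notBefore=Jul 20 18:08:50 2023 GMT
notAfter=Jul 18 18:08:50 2028 GMT
subject=OU = Zextras Carbonio, CN = storage.yobi365.com
issuer=O = CA, OU = Zextras Carbonio, CN = ldap.yobi365.com
""",
    "connect": """- ldap: /opt/zextras/conf/slapd.crt
notBefore=Jan 11 16:51:18 2024 GMT
notAfter=Apr 10 16:51:17 2024 GMT
subject=CN = connect.yobi365.com
issuer=C = US, O = Let's Encrypt, CN = R3
SubjectAltName=connect.yobi365.com
""",
}
# Assumption: issuer strings the mail client's trust store chains to.
TRUSTED_ISSUERS = {"C = US, O = Let's Encrypt, CN = R3"}
FMT = "%b %d %H:%M:%S %Y %Z"

def parse(text):
    """Return {service: {field: value}} from viewdeployedcrt-style text."""
    certs, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"- (\w+): (\S+)", line)
        if head:
            cur = certs.setdefault(head.group(1), {"path": head.group(2)})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return certs

def names(cert):
    """SAN entries if present, otherwise the subject CN (exact names only)."""
    sans = {s.strip() for s in cert.get("SubjectAltName", "").split(",") if s.strip()}
    cn = re.search(r"CN = ([^,]+)", cert.get("subject", ""))
    return sans or ({cn.group(1).strip()} if cn else set())

def problems(cert, client_host, now):
    """Reasons a TLS client connecting to client_host would reject cert."""
    found = []
    if client_host not in names(cert):
        found.append("name mismatch")
    if cert.get("issuer") not in TRUSTED_ISSUERS:
        found.append("untrusted issuer")
    start, end = (datetime.strptime(cert[k], FMT) for k in ("notBefore", "notAfter"))
    if not start <= now <= end:
        found.append("outside validity period")
    return found

def audit(client_host, now):
    """Map 'node/service' to the list of problems for every parsed certificate."""
    return {f"{node}/{svc}": problems(cert, client_host, now)
            for node, text in NODES.items() for svc, cert in parse(text).items()}
```

Calling `audit("connect.yobi365.com", datetime(2024, 2, 1))` reports the storage node's certificate as both a name mismatch and an untrusted issuer, while the proxy's certificate passes until its `notAfter` date.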