Zimbra SSL with Cloudflare Free SSL (HSTS) Enabled


I have a problem with my ISP in port forwarding port 80, so to get around this issue with my network server I enabled and moved all the traffic for ports 443 and 80 to be controlled by the (HSTS) HTTP Strict Transport Security protocol; hence my SSL on the webserver is now working fine, but the mail server's *self-signed certificate* doesn't validate with Cloudflare SSL…

Any suggestion on how to change the Zimbra self-signed certificate to Cloudflare SSL using an HSTS connection?


HSTS is not a protocol but a means to ensure HTTPS is used.

I am not quite sure what the problem is to be honest. Can you post the exact URL you have a problem with and explain the issue in detail?


Are you using cPanel?

Thanks Sandro for the correction…

Regarding cPanel, I don't use it; I only have the terminal, as I prefer to work with that…

But the main problem now is that this is my domain.com and the SSL (HSTS) is working on it, but I disabled it for mail.domain.com because it won't work with the self-signed certificate…

My mail.domain.com is a Zimbra mail server with Nginx.
My webserver is Apache only.

These are all connected to my public IP, and ports 443 and 80 are now connected to Cloudflare HSTS and working well.

The main problem now is that my Zimbra SSL certificate is self-signed and still does not validate with Cloudflare… I just want to get this issue fixed.

Thanks in Advance for all…

I am afraid it still is not clear to me what the actual issue is.

But as you mentioned email, you should make sure that any mail-related DNS records are not proxied (grey cloud instead of orange cloud).

Exactly, this is what I'm going to do… I'm also trying to validate the Zimbra mail server with Cloudflare SSL, because I already validated it with the Apache server and everything is fine now, but on the mail server I cannot figure out how to validate Cloudflare SSL there… should I use the same SSL as it is *.domain.com, or create a new one?

Which Cloudflare certificate and what do you want to use it for? Post the exact host or URL you are having an issue with and describe it.

https://rightnao.com < Apache server (internal) - Free Cloudflare SSL with HSTS to bypass the ISP blocking port 80.

https://mail.rightnao.com < mail server (internal), disabled from Cloudflare SSL because of the HSTS connection, and now trying to validate the SSL connection but it doesn't work… especially with Zimbra…

Well, your domain only loads on HTTPS; it does not load on HTTP as your server does not respond to HTTP. I presume that is okay, isn't it?

As for your mail record: that one points straight to your server, where a Cloudflare origin certificate is configured. That certificate only works in a proxied context, not like it is right now. You'd need to switch to a publicly accepted certificate if you want it to be reachable from outside of Cloudflare.

Yes, it's an ISP issue with blocking port 80, and I fixed it with the HSTS connection… check now, I have enabled Cloudflare… but what I'm looking for is to validate Cloudflare SSL with the mail server (Zimbra).

mail.rightnao.com normally uses encryption to protect your information. When Google Chrome tried to connect to mail.rightnao.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be mail.rightnao.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit mail.rightnao.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Now mail works too, however I am not sure what you mean by “validate Cloudflare SSL”. You need to elaborate on that.

How is it that https://mail.rightnao.com works?

There is an HSTS issue when you visit it… isn't there?

Well, as you switched off proxying once more, it now doesn't work any longer. If you want an origin certificate you need to proxy.

Well yes, but how can we get around this issue to use only the Cloudflare SSL, not the server SSL?

I don't know what you are trying to say with that. You need to paraphrase it.

What is the issue when you proxy mail? In that case it does load.

If I enable the Cloudflare proxy, the SSL doesn't work and the website also doesn't work, because there is a self-signed SSL certificate working on the mail server.

Hence I'm looking to remove this self-signed SSL certificate from the Zimbra mail server to make the website load fine with Cloudflare!

Hope that's clear to understand?

Which self-signed certificate? If you enable proxying the requests go to Cloudflare which forwards it to your server and that setup does work. If you want to use mail outside of a web context you’d need to rethink your approach and install a publicly valid certificate instead of Cloudflare’s.

Again, enable proxying and post screenshots of what is not working in that case.

Well, thanks for clarifying… but I also have this problem verifying the Cloudflare SSL certificate with Zimbra through this command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

where the verification command is:
/opt/zimbra/bin/zmcertmgr verifycrt comm

// this is Server SSL Certificate Key

// this is Cloudflare Public Key

// this is Cloudflare Origin CA

[zimbra@mail tmp]$ cat Cloudflare_origin_ecc.pem Cloudflare_origin_rsa.pem > /tmp/ca_chain.crt


After running the verification I get this:

[zimbra@mail tmp]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

** Verifying ‘/tmp/commercial.crt’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
ERROR: Certificate ‘/tmp/commercial.crt’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.
[zimbra@mail tmp]$

Sorry, but it's interesting to fix it so I can learn from my mistakes…

I am not sure what these commands do, but it seems as if they expect a different certificate. This is probably a question best for the support of that service.
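The two technical points in this thread, that a Cloudflare origin certificate is only trusted inside the proxied path and not by public clients, and that `zmcertmgr verifycrt` refuses a certificate whose public key does not belong to the supplied private key, can both be checked with plain `openssl` before touching Zimbra. The script below is an added example, not code from the thread or from Zimbra or Cloudflare; it assumes `openssl` is on PATH and builds its own constructed fixture (a throwaway private CA standing in for an origin CA, a leaf issued by it, and an unrelated key) rather than using any real certificate from the thread. `key_matches_cert` does the same comparison that produced the "do not match" error above, and `cert_chains_to` shows why a certificate that verifies against an origin CA bundle still fails against any other trust store.

```shell
#!/bin/sh
# Added example (not from the thread): check a key/certificate pair and its chain with openssl.
# Assumes: openssl is installed; all paths are supplied by the caller.
set -eu

# Return 0 when the public key inside the private key file equals the public key in the
# certificate, i.e. the certificate was actually issued for this key. This is the check
# that "Certificate ... and private key ... do not match" reports as failed.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Return 0 when the certificate chains to a CA contained in the given bundle.
# A leaf signed by a private/origin CA verifies only against that CA's bundle; against
# any other trust store (such as a browser's) the same leaf fails.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a constructed fixture in directory $1 (hypothetical names, test data only):
#   ca.key/ca.crt   - a private CA playing the role of an origin CA
#   leaf.key/leaf.crt - a certificate for mail.example.test issued by that CA
#   other.key       - an unrelated private key, to reproduce the mismatch error
make_fixture() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -days 1 -subj "/CN=Example Origin CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=mail.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/leaf.crt" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}

# Demonstration with the constructed fixture.
work=$(mktemp -d)
make_fixture "$work"
key_matches_cert "$work/leaf.key" "$work/leaf.crt" \
  && echo "leaf.key matches leaf.crt" || echo "leaf.key does NOT match leaf.crt"
key_matches_cert "$work/other.key" "$work/leaf.crt" \
  && echo "other.key matches leaf.crt" || echo "other.key does NOT match leaf.crt (zmcertmgr would refuse this pair)"
cert_chains_to "$work/leaf.crt" "$work/ca.crt" \
  && echo "leaf.crt verifies against its issuing CA bundle" || echo "leaf.crt fails against its CA bundle"
cert_chains_to "$work/leaf.crt" "$work/leaf.crt" \
  && echo "leaf.crt verifies without its CA" || echo "leaf.crt fails without its CA (what a public client sees)"
rm -rf "$work"
```

To apply this to the situation in the thread, run `key_matches_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt`: if it fails, the certificate was issued for a different key than the one `zmcertmgr createcsr` generated, and no chain file will fix that. Even when the pair matches, `cert_chains_to /tmp/commercial.crt /tmp/ca_chain.crt` only proves trust inside the Cloudflare proxied path; a mail client or browser connecting directly to the server does not carry the origin CA, which is the "publicly accepted certificate" point made earlier in the thread.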