Zimbra SSL with Cloudflare Free SSL (HSTS) Enabled


#1

Hello,

I have a problem with my ISP in port forwarding port 80, so to get around this issue with my network server I enabled and moved all the traffic for ports 443 and 80 to be controlled by the (HSTS) protocol HTTP Strict Transport Security; hence my SSL on the webserver is now working fine, but the mail server *self-signed certificate* doesn't get validated with Cloudflare SSL…

Any suggestion on how to change the Zimbra self-signed certificate to Cloudflare SSL using an HSTS connection?

Thanks.


#2

HSTS is not a protocol but a means to ensure HTTPS is used.

I am not quite sure what the problem is to be honest. Can you post the exact URL you have a problem with and explain the issue in detail?


#3

Are you using cPanel?


#4

Thanks Sandro for the correction…

Regarding cPanel, I don't use it; I only have the terminal, as I prefer to work with that…

But the main problem now is that this is my domain.com and the SSL (HSTS) is working on it, but I disabled it for mail.domain.com because it won't work with a self-signed certificate…

My mail.domain.com 192.168.1.10 Zimbra mail server with Nginx.
My Webserver 192.168.1.11 < Apache server only.

These are all connected to my public IP, and all ports 443, 80 are now connected to Cloudflare HSTS and working well.

The main problem now is that my Zimbra SSL certificate is self-signed and still does not validate with Cloudflare… I just want to make sure to fix this issue.

Thanks in Advance for all…


#5

I am afraid it still is not clear to me what the actual issue is.

But as you mentioned email, you should make sure that any mail related DNS records are not proxied (:grey: instead of :orange:).


#6

Exactly, this is what I'm going to do… also I'm trying to validate the Zimbra mail with Cloudflare SSL on the mail server, because I already validated it with the Apache server and everything is fine now, but on the mail server I cannot figure out how to validate Cloudflare SSL there… should I use the same SSL as it is *.domain.com, or create a new one?


#7

Which Cloudflare certificate and what do you want to use it for? Post the exact host or URL you are having an issue with and describe it.


#8

https://rightnao.com < Apache server - 192.168.1.11 (internal) - Free Cloudflare SSL with HSTS to bypass the ISP blocking port 80.

https://mail.rightnao.com < mail server 192.168.1.10 (internal), disabled from Cloudflare SSL because of the HSTS connection, and now trying to validate the SSL connection but it doesn't work… especially with Zimbra…


#9

Well, your domain only loads on HTTPS; it does not load on HTTP as your server does not respond to HTTP. I presume that is okay, isn't it?

As for your mail record: that one points straight to your server where a Cloudflare origin certificate is configured. That certificate only works in a proxied context and not like it is right now. You'd need to switch to a publicly accepted certificate if you want it to be reachable from outside of Cloudflare.


#10

Yes, it's an ISP issue of blocking port 80, and I fixed it with the HSTS connection… check now, I enabled Cloudflare… but what I'm looking to do is validate Cloudflare SSL with the mail server (Zimbra).


#11

mail.rightnao.com normally uses encryption to protect your information. When Google Chrome tried to connect to mail.rightnao.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be mail.rightnao.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit mail.rightnao.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.


#12

Now mail works too, however I am not sure what you mean by “validate Cloudflare SSL”. You need to elaborate on that.


#13

How is it that https://mail.rightnao.com works?

There is an HSTS issue when you visit it… isn't there?


#14

Well, as you switched off proxying once more, it now doesn't work any longer. If you want an origin certificate you need to proxy.


#15

Well yes, but how can we get around this issue to use only the Cloudflare SSL, not the server SSL?


#16

I don't know what you are trying to say with that. You need to paraphrase it.

What is the issue when you proxy mail? In that case it does load.


#17

If I enable the Cloudflare proxy, the SSL doesn't work and the website also doesn't work, because there is a self-signed SSL certificate in use on the mail server.

Hence I'm looking to remove this self-signed SSL certificate from the Zimbra mail server to make the website load fine with Cloudflare!

Hope that's clear to understand?


#18

Which self-signed certificate? If you enable proxying, the requests go to Cloudflare, which forwards them to your server, and that setup does work. If you want to use mail outside of a web context you'd need to rethink your approach and install a publicly valid certificate instead of Cloudflare's.

Again, enable proxying and post screenshots of what is not working in that case.


#19

Well, thanks for clarifying… but I also have this problem in verifying the Cloudflare SSL certificate with Zimbra through this command:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

where this is the verification command:
/opt/zimbra/bin/zmcertmgr verifycrt comm

// this is the server SSL certificate key
/opt/zimbra/ssl/zimbra/commercial/commercial.key

// this is the Cloudflare public key (certificate)
/tmp/commercial.crt

// this is the Cloudflare Origin CA
/tmp/ca_chain.crt

[[email protected] tmp]$ cat cloudflare_origin_ecc.pem cloudflare_origin_rsa.pem > /tmp/ca_chain.crt

[[email protected] tmp]$ cat /tmp/ca_chain.crt
(output: the two Cloudflare Origin CA certificates, ECC and RSA, in PEM form)

After running the verification I get this:

[[email protected] tmp]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

** Verifying ‘/tmp/commercial.crt’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
ERROR: Certificate ‘/tmp/commercial.crt’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.
[[email protected] tmp]$

Sorry, but it is interesting to fix it, to learn from my mistakes…
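The "do not match" error above means the public key inside /tmp/commercial.crt is not the one derived from commercial.key: a certificate is bound to exactly one private key, so a Cloudflare origin certificate issued against a CSR from one key cannot be installed with another key. The following script is an added example, not part of the thread or of Zimbra's zmcertmgr; it reproduces that key/certificate relationship check with the plain openssl CLI on locally generated, constructed key material (file names under a temp directory are assumptions), and also shows the chain check against a CA file. Even when the pair matches, a Cloudflare Origin CA certificate is only trusted by Cloudflare's edge, as the replies above note, so clients connecting to the mail host directly still need a publicly trusted certificate.

```shell
#!/bin/sh
# Added example (not from the thread, not Zimbra's code): the check behind
# "Certificate ... and private key ... do not match". A cert matches a key
# when the SubjectPublicKeyInfo in the cert equals the public key derived
# from the private key. Requires the openssl CLI; everything is generated
# locally, nothing here is the thread's real key material.

# key_matches_cert KEYFILE CERTFILE -> exit 0 if they belong together
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# chain_verifies CAFILE CERTFILE -> exit 0 if CERTFILE chains to CAFILE
# (this is the ca_chain.crt part of the zmcertmgr verifycrt arguments)
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material (assumed names): a self-signed "origin" cert
# with its own key, plus an unrelated key that plays the role of the
# commercial.key from the thread that was never used for the CSR.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mail.example.test" \
    -keyout "$WORK/matching.key" -out "$WORK/origin.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/unrelated.key" >/dev/null 2>&1

# When run directly: the right key passes, the unrelated key reproduces
# the mismatch that zmcertmgr refuses to install.
demo() {
    if key_matches_cert "$WORK/matching.key" "$WORK/origin.crt"; then
        echo "matching.key  <-> origin.crt : match"
    fi
    if ! key_matches_cert "$WORK/unrelated.key" "$WORK/origin.crt"; then
        echo "unrelated.key <-> origin.crt : do not match"
    fi
    if chain_verifies "$WORK/origin.crt" "$WORK/origin.crt"; then
        echo "origin.crt chains to the given CA file"
    fi
}
demo
```

To diagnose the real case, run key_matches_cert against commercial.key and the certificate Cloudflare issued; if it fails, the CSR was generated from a different key than the one under /opt/zimbra/ssl/zimbra/commercial/.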


#20

I am not sure what these commands do, but it seems as if they expect a different certificate. This is probably a question best for the support of that service.