
    Zimbra SSL behind ACME and HAProxy

    • genotix

      Hi Guys,

      I've recently installed the ACME Let's Encrypt module to easily manage SSL certificates in HAProxy.
      This works like a charm and releases me from a lot of SSL headache.

      The HAProxy service is configured to catch and handle all */.well-known/acme-challenge so pfSense fully handles the ACME challenges and key refresh.

      Now I'm running a Zimbra Mailserver in the backend that also uses SSL for IMAPS on port 993 and see two ways of "consuming" the ACME generated certificates.

      • Let HAProxy handle all SSL (to me this is the tidiest)

      • Copy the ACME generated certificates to Zimbra and script Zimbra to import them

      I've been trying to find a method to WRAP HAProxy TCP requests to IMAPS and offload the SSL bit to HAProxy but haven't succeeded at it so far.
      I seem to be the only one trying this since I haven't found any documentation on it.

      I have now (temporarily) adopted option 2 but hope that you guys can guide me on how I either:

      • Get the TCP SSL going (maybe there is some hidden document on how to approach this with Zimbra)

      • In the ACME refresh process SCP the key and crt files to my Zimbra backend

      For the second option I would like to build a cron script on my pfSense (yes; I'm sorry, I don't like it either) that extracts the needed .key and .crt files and puts them into a file which I would then SCP, followed by a call of the Zimbra renew certificate script.

      Would really appreciate your help in this.

      1 Reply Last reply Reply Quote 0
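
For the cron-script approach described in the post above, an added example (not part of the original post, and not pfSense or Zimbra code): a POSIX sh function that refuses to build the combined file unless the key matches the certificate and the certificate is not about to expire, and writes the result with owner-only permissions. The file names, the 24-hour default threshold and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: check an ACME-issued certificate/key pair and bundle it
# before it is copied to a mail backend. All paths are hypothetical.

# bundle_cert_key CERT KEY OUT [MIN_VALID_SECONDS]
# Returns 0 on success, 1 on missing input or write failure,
# 2 when the key does not belong to the certificate,
# 3 when the certificate expires within MIN_VALID_SECONDS.
bundle_cert_key() {
    cert=$1 key=$2 out=$3 min_valid=${4:-86400}
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # Compare the public key embedded in the certificate with the one
    # derived from the private key. A mismatched pair would leave the
    # backend unable to complete TLS handshakes after import.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2

    # Do not ship a certificate that is about to expire: that usually
    # means the renewal did not run and a stale file was picked up.
    openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1 ||
        return 3

    # The bundle contains the private key: create it with mode 0600 and
    # rename it into place so a partial file is never visible.
    tmp="$out.tmp.$$"
    ( umask 077; cat "$cert" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out" || { rm -f "$tmp"; return 1; }
}

# Example call from a cron job (constructed paths, not real ones):
#   bundle_cert_key /path/to/mail.crt /path/to/mail.key /path/to/mail.pem \
#       && echo "bundle ready for transfer"
```

The copy to the backend and the Zimbra import would run only when the function returns 0, so a failed renewal never replaces a working certificate.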
      • genotix

        Is there a way to extract the SSL certificates from the config?

        1 Reply Last reply Reply Quote 0
        • Ced91

          Hi,
          I'm very interested in your configuration, since this is exactly what I want to perform.
          Is it possible to put your config (GUI) or a link to a tutorial about it?
          I expect that you put a DNS record to point to HAProxy for internal requests?
          Are you caching all Zimbra services behind HaProxy?
          Best.

          Hope this post will be read since it is a little outdated. ;)

          1 Reply Last reply Reply Quote 0