I expect Zammad to not serve its own certificate and instead use the certificate created on our reverseproxy (nginx) which is hosted on its own machine and IP-Address.
Actual behavior:
Zammad serves its own certificate, therefore our clients don't trust it.
I suppose it’s a problem with my zammad.conf on the zammad-server.
(it does indeed contain a “listen 443” using its own self-signed certificate)
Question: What zammad.conf do I have to use, so that Zammad does not serve a certificate on its own and just eats up the Let's Encrypt certificate from our external reverse proxy?
I have a question, where does it serve the Certificate? Website? E-Mail?
What Proxy are you using?
When you mention your configuration, what current configuration are you using? Could you, after redacting information, post it?
I am talking about the webinterface/frontend/backend of Zammad.
Our users get the usual "The browser doesn't trust this certificate, do you want to continue? yada-yada".
Luckily I'm using the GitHub zammad.conf without any modifications except the ones that are to be redacted anyway (servername, IPs).
So here's the one I am currently using:
https://github_com/zammad/zammad/blob/develop/contrib/nginx/zammad_ssl.conf
Of course, there's a 443 block in it, which overrides my reverse proxy certificate.
I do know that this is obviously the issue.
Our reverse proxy forwards its legit certificate, Zammad "throws it away" because of its own 443 block and is therefore serving its own self-signed cert, as written in the zammad_ssl.conf. So this works as intended.
So I tried the non-SSL zammad.conf in the hope that Zammad gets served using my reverse proxy's certificate:
https://github_com/zammad/zammad/blob/develop/contrib/nginx/zammad.conf
Which doesn't work at all.
I can't even connect to Zammad's interface anymore.
All I want is that Zammad just accepts the certificate which is forwarded through our reverse proxy.
Maybe this is worded poorly, so just give me another heads-up if my post isn't understandable.
Thanks!
Edit: We are using nginx (on a different machine) as a reverse proxy which serves a whole bunch of services to our users.
I used the Docker installation and have Traefik v3.0 as proxy manager though. The nginx on the Zammad server runs on port 8080, where I point my Traefik to.
You need to have it run without the proxy; the default config should work.
Like, for example: zammad.internalhost.com
You then put the proxy in front with zammad.company.com or whatever you need.
Attention: for all internal URIs you have to check whether, under
https://zammad.company.com/#settings/system, the FQDN is correctly set to zammad.company.com and the HTTP Type to https. This is needed by Zammad if it's behind a proxy.
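To make the setup described in this reply concrete, here is an added example of what the vhost on the external reverse proxy could look like. It is not from this thread and not one of Zammad's own contrib configs. It assumes the public name zammad.company.com, the internal name zammad.internalhost.com running the plain-HTTP zammad.conf on port 80 (use 8080 for the Docker setup mentioned above), Let's Encrypt files under a placeholder /etc/letsencrypt path, and that Zammad's websocket endpoint is served under /ws (check the location blocks in your zammad.conf before relying on that path):

```nginx
# Added example for the EXTERNAL reverse proxy (not from the thread or from Zammad's contrib configs).
# Assumptions: public name zammad.company.com, internal name zammad.internalhost.com on port 80,
# placeholder Let's Encrypt paths, and websocket path /ws (verify against your zammad.conf).

upstream zammad_backend {
    server zammad.internalhost.com:80;
}

# Plain HTTP only redirects, so the outside never talks to Zammad unencrypted.
server {
    listen 80;
    server_name zammad.company.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name zammad.company.com;

    # TLS is terminated here, with the proxy's Let's Encrypt certificate (placeholder paths).
    ssl_certificate     /etc/letsencrypt/live/zammad.company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zammad.company.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Websocket endpoint: the Upgrade handshake must be passed through and the
    # read timeout raised, otherwise the connection is dropped after 60 seconds.
    # Headers are repeated here because a location that sets its own
    # proxy_set_header does not inherit the server-level ones.
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://zammad_backend;
    }

    # Everything else: forward with the headers Zammad needs to build https:// links,
    # matching FQDN = zammad.company.com and HTTP Type = https in #settings/system.
    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://zammad_backend;
    }
}
```

The nginx on the Zammad host keeps the plain zammad.conf and should only be reachable from the proxy's address (firewall it off from the user network), and the public DNS name must resolve to the proxy, not to the Zammad host. A quick way to confirm which certificate users actually get is `openssl s_client -connect zammad.company.com:443 -servername zammad.company.com` from a client machine: if the subject or issuer printed is the self-signed one, the name is still resolving to the Zammad host rather than to the proxy.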
This seems to go out of hand.
Double proxies especially with websockets involved is not trivial and you should proceed with absolute care.
You claim that the Zammad vHost overwrites your 2nd proxy's SSL certificate. That's the part that is already faulty. That is not possible. It means you communicate directly with Zammad instead of the actual proxy. I am very sure about that.
Good point!
That seems to be true.
Mhhh, I gotta do some more digging.
It seems very reasonable that I am talking directly to Zammad's "proxy" and don't even go the route through our own.
Any idea how to check that? (Traceroute, etc.)
How can I avoid speaking to Zammad's proxy? Delete the config in /etc/nginx/sites-available? Would that work?
I am sorry. I cannot cover fundamentals in system administration like DNS and such. Your DNS record most likely points to the Zammad server which does not seem to be what you want.