08-16-2008, 03:02 PM
greenrenault
Partner (VAR/HSP)

I had problems too using the Zimbra SSL Wizard - but found a solution

IMHO the instructions in the Zimbra Wiki are WRONG and need to be updated.

I found a solution by searching the forums & trial / error. Wasted two hours on this one; this should have been a simple process. I expect that the error in the Zimbra SSL Wizard was caused by either permissions or a failed file copy (i.e. Zimbra does not copy the CA file correctly). So I've included our solution below at the bottom of this page.

THE PROBLEM
I have found that using the Zimbra SSL Wizard or the command-line steps from Commercial Certificate in 5.x - Zimbra :: Wiki to install SSL certs DOES NOT WORK (ZCS 5.0.8), see below:

Code:
root@mail:~# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ~/commercial.crt  ~/commercial_ca.crt
** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/commercial.crt: OK
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm ~/commercial.crt  ~/commercial_ca.crt
** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/commercial.crt: OK
** Copying /root/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
 
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key
 
root@mail:~#                     
zimbra@mail:~$ zmcontrol start
Host mail.zimbra.net
        Starting ldap...Done.
FAILED
Failed to start slapd.  Attempting debug start to determine error.
TLS: error:0906D066:PEM routines:PEM_read_bio:bad end line pem_lib.c:746
TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
main: TLS init def ctx failed: -1

THE SOLUTION
Based on [SOLVED] Trouble installing commercial certificates on Zimbra

I found the solution to be the following steps:
1. As root, creating /opt/zimbra/certs directory
2. Copying the certificate and root certificate into /opt/zimbra/certs directory
3. Changing ownership of /opt/zimbra/certs to zimbra:zimbra
4. Adding an extra line at the end of the signed certificate
5. As root execute:
Code:
zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt  /opt/zimbra/certs/commercial_ca.crt
6. Certificates should install OK now
7. Start Zimbra

This even worked with RapidSSL certificates - the real cheap'n nasty ones

Woo hoo!
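Step 4 above and the `bad end line` error are consistent with a certificate file that has no final newline, so that appending the CA chain puts the END and BEGIN markers on one line. The following pre-deployment check is an added example, not part of the original post or of Zimbra's tooling, and it assumes that cause; the function names and sample PEM files are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names and PEM bodies are constructed placeholders.

# True when the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Append a newline only if it is missing (step 4 of the post, made idempotent).
fix_trailing_newline() {
    ends_with_newline "$1" || printf '\n' >> "$1"
}

# True when every BEGIN/END marker sits alone on its line and the counts match.
pem_markers_ok() {
    if grep -q -e '.-----BEGIN CERTIFICATE-----' \
               -e '-----END CERTIFICATE-----.' "$1"; then
        return 1    # two PEM blocks ran together on one line
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Write a constructed, PEM-shaped file; pass "nl" as $2 to end it with a newline.
write_sample() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1"
    [ "$2" = nl ] && printf '\n' >> "$1"
    return 0
}

# Concatenate certificate and CA chain, as the "Appending ca chain" log line describes.
build_chain() {
    cat "$1" "$2" > "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample "$d/commercial.crt" none      # signed cert without final newline
    write_sample "$d/commercial_ca.crt" nl
    build_chain "$d/commercial.crt" "$d/commercial_ca.crt" "$d/before.pem"
    pem_markers_ok "$d/before.pem" && echo "before: ok" || echo "before: markers fused"
    fix_trailing_newline "$d/commercial.crt"
    build_chain "$d/commercial.crt" "$d/commercial_ca.crt" "$d/after.pem"
    pem_markers_ok "$d/after.pem" && echo "after: ok" || echo "after: markers fused"
    rm -rf "$d"
}
demo
```

Running `fix_trailing_newline` on the signed certificate and `pem_markers_ok` on the combined file before `zmcertmgr deploycrt` catches the condition without starting any service against a malformed chain.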