
Thread: certificate error

  1. #1 mclain

    certificate error

    Trying to install a cert via the console. It errors when trying to install. Here is the error:

    Code:
    Certificate failed due to error: unmatching cert
    /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
    and a private key
    /opt/zimbra/ssl/zimbra/commercial/commercial.key

    error code:ZaCertWizard.prototype.installCallback

    Using 5.0.1.

    Also, I started this in 5.0, it errored, and I was told to wait for 5.0.1. I've been able to at least get to the install button now, but obviously I still have not been able to get started. Just wondering if my prior attempt in 5.0 is screwing something up.

    Thanks.

  2. #2 jholder (Former Zimbran)

    When it fails, can you get a stack trace? It should display the trace in /opt/zimbra/log/zmmailboxd.out.

  3. #3 mclain

    Sorry, I've been away for a week and haven't responded to your reply. We use Solaris for everything here except Zimbra and aren't sure what the command is to get a stack trace on Red Hat. Could you help me out with that? Thanks.

  4. #4 Centurion

    Same here...

    Here's the stack trace from our 5.0.4 Network Edition server running on CentOS 4.6. We have a 2-tier in-house PKI where the root CA creates a "signing certificate" and all our certs are signed by this second cert. When I try to install the certificate generated by openssl, I get the same error as in this thread (sorry to hijack it, but I figured it was the same problem).

    Here's the stack trace:
    Code:
    2008-05-08 08:21:42,026 INFO  [btpool0-8] [ip=10.10.101.22;ua=Mozilla/5.0 (Macintosh;; U;; Intel Mac OS X;; en-US;; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14;] mailbox - FileUploadServlet received Upload: { accountId=24536d70-f006-450b-9369-b38005d02ca9, time=Thu May 08 08:21:42 EST 2008, uploadId=ca735881-3a39-4eb2-b0a3-1e7368a7abf0:f8a14f33-77f8-4214-8577-fbd174e07197, mail.office...snipped...crt}
    2008-05-08 08:21:42,026 INFO  [btpool0-8] [ip=10.10.101.22;ua=Mozilla/5.0 (Macintosh;; U;; Intel Mac OS X;; en-US;; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14;] mailbox - FileUploadServlet received Upload: { accountId=24536d70-f006-450b-9369-b38005d02ca9, time=Thu May 08 08:21:42 EST 2008, uploadId=ca735881-3a39-4eb2-b0a3-1e7368a7abf0:4a615676-8e91-4425-aecc-877280256839, DotCa.crt}
    2008-05-08 08:21:42,026 INFO  [btpool0-8] [ip=10.10.101.22;ua=Mozilla/5.0 (Macintosh;; U;; Intel Mac OS X;; en-US;; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14;] mailbox - FileUploadServlet received Upload: { accountId=24536d70-f006-450b-9369-b38005d02ca9, time=Thu May 08 08:21:42 EST 2008, uploadId=ca735881-3a39-4eb2-b0a3-1e7368a7abf0:6d526a7d-b051-43e8-a364-943705c858b9, DotSigning.crt}
    2008-05-08 08:21:46,805 INFO  [btpool0-8] [name=adminUser@dot.com.au;ip=10.10.101.22;ua=ZimbraWebClient - FF2.0 (Mac);] SoapEngine - handler exception
    com.zimbra.common.service.ServiceException: system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    ExceptionId:btpool0-8:1210198906805:121c43156beac3c3
    Code:service.FAILURE
            at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:253)
            at com.zimbra.cert.OutputParser.parseOuput(OutputParser.java:53)
            at com.zimbra.cert.InstallCert.checkUploadedCommCert(InstallCert.java:218)
            at com.zimbra.cert.InstallCert.handle(InstallCert.java:87)
            at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:391)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:250)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:156)
            at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:266)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:177)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
            at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
            at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
            at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
            at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
            at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
            at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
            at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
            at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
            at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
            at org.mortbay.jetty.Server.handle(Server.java:313)
            at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
            at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
            at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
            at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
            at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
            at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
            at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
    This is a real pain, as I did the same thing on a testing system but without the 2-tiered approach and it worked. This is probably something really simple, but I can't seem to nut it out. Ideas anyone?

    Cheers,

    James

  5. #5 Centurion

    SOLVED (my problem anyway...not sure about OP)

    After reading through the Zimbra 5.x command line certificate installation, it revealed I had a problem with the certificate generated by our internal PKI system (EasyRSA from the OpenVPN project). If you simply sign a CSR from Zimbra WITHOUT adding the "--server" switch, you will end up with an SSL client certificate, which is the wrong purpose. This will manifest itself with messages like this:
    Code:
    [root@mail tmp]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./current.crt ./myChain.crt 
    ** Verifying ./current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: ./current.crt: /C=AU/ST=NSW/L=Sydney/O=Our Organisation/OU=System Operations/CN=mail.server.address
    error 26 at 0 depth lookup:unsupported certificate purpose
    OK
    Notice the certificates match, but we are trying to use it for a purpose it wasn't certified (signed) for. You can see this clearly:
    Code:
    [root@mail tmp]# openssl x509 -purpose -in current.crt
    Certificate purposes:
    SSL client : Yes   <== NO - wrong certificate purpose!
    SSL client CA : No
    SSL server : No  <== we want Yes
    SSL server CA : No
    Netscape SSL server : No  <== we also want this to be yes
    Netscape SSL server CA : No
    ...snipped...
    So the CORRECT procedure when using your own internal PKI (EasyRSA in this example) is the following:
    1. Generate a CSR from the Zimbra Admin Console.
    2. Copy your CSR to the relevant place for your PKI system; for us, that is /usr/local/pki/SigningCerts.
    3. Assuming you're using EasyRSA (as root): /path/to/pki/source ./vars
    4. Now sign the CSR with the correct options: pkitool --server --sign CSR_filename_without_the_csr_extension (notice the inclusion of --server; without this, EasyRSA/pkitool will generate a client cert...no good!)
    5. Enter any passwords etc. for your CA.
    6. You now have a server certificate with the same file name as your CSR except with ".crt" on the end.
    7. Create a valid certificate chain by ensuring your CA and intermediate certs are all in PEM format (google how to convert if you're unsure), then simply concatenate them together: cat ca.crt intermediate1.crt intermediate2.crt > myChain.crt (if you don't have any intermediate certs, simply copy "ca.crt" and skip the concatenation).
    8. Now simply copy your new <server>.crt (where <server> is the cert you created in step 4) and your "myChain.crt" (or "ca.crt" as appropriate) to your workstation.
    9. Go to the Zimbra Admin Console and install your new <server>.crt with the CA being "myChain.crt" (no need for any intermediates, as we bundled them all up earlier) or "ca.crt" if you don't have any intermediate certs to worry about.


    To verify your certificate's suitability BEFORE copying it to your workstation etc., simply use the same "openssl x509 -purpose -in /path/to/<server>.crt" as we used earlier:
    Code:
    [root@mail tmp]# openssl x509 -purpose -in current.crt
    Certificate purposes:
    SSL client : No
    SSL client CA : No
    SSL server : Yes   <== YAY!
    SSL server CA : No
    Netscape SSL server : Yes   <== YAY!
    Netscape SSL server CA : No
    ...snipped...
    This works for me on Zimbra 5.0.4 Network Edition on CentOS 4.6, using EasyRSA 2.0.
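The two things zmcertmgr's "verifycrt comm KEY CRT CHAIN" complains about in this thread (key/cert mismatch in post #1, wrong certificate purpose in posts #4 and #5) can both be reproduced with plain openssl. The script below is an added example, not code from the forum posts, from EasyRSA or from Zimbra: it builds a throwaway two-tier PKI (root CA plus signing CA, as in post #4), signs one Zimbra-style CSR twice from the same key, once with extendedKeyUsage=clientAuth/nsCertType=client (what pkitool --sign produces without --server) and once as a server cert, then runs the key-match and sslserver-purpose checks on each. All CA names, hostnames and file names are made up; it assumes an openssl binary (1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example (not from the forum post, EasyRSA or zmcertmgr): redo the two
# checks behind "zmcertmgr verifycrt comm KEY CRT CHAIN" with plain openssl,
# then build a throwaway two-tier PKI (root -> signing CA) and sign one Zimbra-
# style CSR twice: as a client cert (pkitool --sign without --server) and as a
# server cert. All CA names, hostnames and file names here are made up.
set -u

# check_server_cert KEY CRT CHAIN
# 0 if KEY and CRT are a pair and CRT verifies for the sslserver purpose
# against the CA bundle CHAIN; otherwise prints the reason and returns 1.
check_server_cert() {
  key=$1 crt=$2 chain=$3
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "ERROR: cannot read private key $key"; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
    { echo "ERROR: cannot read certificate $crt"; return 1; }
  # identical SubjectPublicKeyInfo <=> the cert was issued for this key
  if [ "$key_pub" != "$crt_pub" ]; then
    echo "ERROR: unmatching certificate ($crt) and private key ($key)"
    return 1
  fi
  # -purpose sslserver is what turns a clientAuth / nsCertType=client leaf into
  # "unsupported certificate purpose"; it also checks the CA bits up the chain
  if ! out=$(openssl verify -purpose sslserver -CAfile "$chain" "$crt" 2>&1); then
    echo "ERROR: $out"
    return 1
  fi
  return 0
}

# build_demo_pki DIR: root.crt -> signing.crt -> {client,server}.crt, all for
# the same leaf key commercial.key; myChain.crt bundles root + signing CA.
build_demo_pki() {
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
EOF
  # self-signed root CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$d/pki.cnf" \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # signing (intermediate) CA issued by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
    -subj "/CN=Example Signing CA" -keyout "$d/signing.key" -out "$d/signing.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$d/signing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/pki.cnf" -extensions ca_ext -out "$d/signing.crt" >/dev/null 2>&1
  cat "$d/root.crt" "$d/signing.crt" > "$d/myChain.crt"
  # the leaf CSR, as the Zimbra admin console would hand it to the PKI
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/pki.cnf" \
    -subj "/CN=mail.example.test" -keyout "$d/commercial.key" -out "$d/mail.csr" >/dev/null 2>&1
  # same CSR signed with the wrong (client) and the right (server) extensions
  for kind in client server; do
    openssl x509 -req -sha256 -days 30 -in "$d/mail.csr" -CA "$d/signing.crt" -CAkey "$d/signing.key" \
      -CAcreateserial -extfile "$d/pki.cnf" -extensions "${kind}_ext" -out "$d/$kind.crt" >/dev/null 2>&1
  done
}

main() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  build_demo_pki "$tmp"
  for kind in client server; do
    echo "== $kind.crt"
    openssl x509 -noout -purpose -in "$tmp/$kind.crt" | grep '^SSL server :'
    if check_server_cert "$tmp/commercial.key" "$tmp/$kind.crt" "$tmp/myChain.crt"; then
      echo "OK: usable as the Zimbra server certificate"
    fi
  done
  # the post #1 symptom: a cert that is fine but was issued for a different key
  check_server_cert "$tmp/signing.key" "$tmp/server.crt" "$tmp/myChain.crt" || true
}
main
```

Running it prints "SSL server : No" and an "unsupported certificate purpose" error for client.crt, "SSL server : Yes" and OK for server.crt, and the "unmatching certificate ... and private key" message for the mismatched pair; the public-key comparison is done before the chain check because that is the order zmcertmgr reports them in (post #5's output shows the match line first, then the purpose error).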
