Zimbra Forums > Zimbra Collaboration Suite > Administrators
#1 - 01-24-2008, 03:35 PM - solarsail, Intermediate Member (Posts: 16)
Failed Commercial Cert Migration

When I upgraded from 4.5.9 to 5.0.1, the commercial cert migration failed. While the cert for tomcat/jetty moved over successfully, it did not move over the cert for postfix/ldap/etc.

After installing, mail stopped working. I went ahead and installed a self-signed cert ([SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure) just so I could get something up and running.

I still have a Java keystore file with my commercial cert. What is the procedure for installing this cert in 5.0? Commercial Certificates - Zimbra :: Wiki doesn't seem quite up to date (it doesn't mention zmcertmgr). Not sure what format it expects, etc.
#2 - 01-24-2008, 06:30 PM - gmsmith, Moderator (Posts: 451)

Out of curiosity, does your cert name match your Zimbra host name? I ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, and to the hostname of the Zimbra server not matching the certificate name. The quick workaround was to modify zmmtainit to turn off TLS; once that was done everything worked fine.

My understanding is that bug 23922 is tracking this issue and it appears there is at least a workaround done.
-- 
http://perceiva.com
#3 - 01-24-2008, 07:01 PM - solarsail, Intermediate Member (Posts: 16)

Yes, the cert does match the hostname of the machine.
#4 - 01-25-2008, 01:13 AM - Special Member (Posts: 160)

Quote (originally posted by gmsmith):
    Out of curiosity, does your cert name match your Zimbra host name? I ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, and to the hostname of the Zimbra server not matching the certificate name. The quick workaround was to modify zmmtainit to turn off TLS; once that was done everything worked fine.

    My understanding is that bug 23922 is tracking this issue and it appears there is at least a workaround done.

Exactly the problem I had going from 5.0.0 to 5.0.1 (and by the sounds of things resolved with exactly the same fix).
#5 - 01-25-2008, 01:18 AM - Moderator (Posts: 1,932)

23922 is marked as fixed for 5.0.2: Bug 23922 - 4.x.x to 5.0.x upgrades with existing commercial certs may fail.
#6 - 01-26-2008, 03:59 AM - solarsail, Intermediate Member (Posts: 16)

So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

1. Extract my cert and private key from the old Java keystore.
2. Download my CA's root cert.
3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm
#7 - 01-26-2008, 06:06 AM - gmsmith, Moderator (Posts: 451)

Quote (originally posted by solarsail):
    So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

    1. Extract my cert and private key from the old Java keystore.
    2. Download my CA's root cert.
    3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
    4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
    5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm

What steps did you use to extract your cert and private key from the keystore?
-- 
http://perceiva.com
#8 - 01-26-2008, 12:25 PM - solarsail, Intermediate Member (Posts: 16)

Quote (originally posted by gmsmith):
    What steps did you use to extract your cert and private key from the keystore?

To extract the cert:
Code:
# export the DER cert stored under the "tomcat" alias, then convert it to PEM
keytool -keystore commercial.keystore -export -alias tomcat -file exported.crt
openssl x509 -out commercial.crt -outform pem -text -in exported.crt -inform der

To extract the key (you want to use the old version of ExportPriv.java; the new one doesn't wrap the base64 in a way zmcertmgr can handle):
Code:
# fetch, compile and run the helper; arguments are keystore, alias, keystore password
curl http://mark.foster.cc/pub/java/ExportPriv.old.java > ExportPriv.java
javac ExportPriv.java
java ExportPriv commercial.keystore tomcat zimbra >commercial.key
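The migration that posts #6 and #8 describe, written up as one script. This is an added example and not code from the thread or from Zimbra: it assumes keytool (with -importkeystore support) and openssl are on PATH, that the keystore alias is "tomcat" with the same store and key password, and that the CA chain PEM has already been downloaded; the /opt/zimbra paths are the ones named in post #6. Instead of ExportPriv.java it goes through a temporary PKCS12 file, and before deploying it checks the two things that bit people in this thread: that the PEM files are wrapped the way zmcertmgr can read, and that the cert actually belongs to the key.

```shell
#!/bin/sh
# Added example (not from the thread or Zimbra): scripted version of the
# keystore -> PEM -> zmcertmgr migration from posts #6 and #8, with checks.
# Assumptions: keytool and openssl on PATH; alias "tomcat"; store password
# equals key password; CA chain PEM downloaded separately.

# Export one alias from a JKS keystore as a PEM cert plus an unencrypted PEM
# key, via a temporary PKCS12 file (replaces the ExportPriv.java helper).
# Piping through openssl x509/pkey strips the "Bag Attributes" preamble.
extract_from_keystore() {
  ks=$1; ks_alias=$2; pass=$3; outdir=$4
  mkdir -p "$outdir"
  keytool -importkeystore -noprompt \
    -srckeystore "$ks" -srcstoretype JKS -srcalias "$ks_alias" \
    -srcstorepass "$pass" -srckeypass "$pass" \
    -destkeystore "$outdir/tmp.p12" -deststoretype PKCS12 \
    -deststorepass "$pass" -destkeypass "$pass"
  openssl pkcs12 -in "$outdir/tmp.p12" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$outdir/commercial.crt"
  openssl pkcs12 -in "$outdir/tmp.p12" -passin "pass:$pass" -nocerts -nodes \
    | openssl pkey -out "$outdir/commercial.key"
  rm -f "$outdir/tmp.p12"
  chmod 600 "$outdir/commercial.key"
}

# Structural PEM check that needs no openssl: exactly one BEGIN/END pair of
# the given type (an awk alternation such as "PRIVATE KEY|RSA PRIVATE KEY")
# and body lines of plain base64 no longer than 64 characters, which is the
# wrapping problem the thread hit with the newer ExportPriv.java. Returns 0 if OK.
check_pem_wrapping() {
  file=$1; type=$2
  awk -v t="$type" '
    $0 ~ ("^-----BEGIN (" t ")-----$") { in_body = 1; begins++; next }
    $0 ~ ("^-----END (" t ")-----$")   { in_body = 0; ends++; next }
    in_body && length($0) > 64             { bad = 1 }
    in_body && $0 !~ /^[A-Za-z0-9+\/=]+$/  { bad = 1 }
    END { exit !(begins == 1 && ends == 1 && !bad) }
  ' "$file"
}

# Confirm cert and key are a pair by comparing the public keys they carry.
verify_pair() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
  key_pub=$(openssl pkey -pubout -in "$2") || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Full migration: keystore -> PEM -> checks -> paths from post #6 -> deploy.
migrate_cert() {
  ks=$1; pass=$2; ca_chain=$3
  dest=/opt/zimbra/ssl/zimbra/commercial
  admin_tmp=/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp
  work=$(mktemp -d)
  extract_from_keystore "$ks" tomcat "$pass" "$work"
  check_pem_wrapping "$work/commercial.crt" "CERTIFICATE" \
    || { echo "commercial.crt is not a single well-wrapped PEM cert" >&2; return 1; }
  check_pem_wrapping "$work/commercial.key" "PRIVATE KEY|RSA PRIVATE KEY" \
    || { echo "commercial.key is not a well-wrapped PEM key" >&2; return 1; }
  verify_pair "$work/commercial.crt" "$work/commercial.key" \
    || { echo "commercial.crt does not match commercial.key" >&2; return 1; }
  mkdir -p "$dest" "$admin_tmp"
  cp "$work/commercial.crt" "$dest/commercial.crt"
  cp "$work/commercial.key" "$dest/commercial.key"
  cp "$ca_chain" "$dest/commercial_ca.crt"
  cp "$work/commercial.crt" "$admin_tmp/current.crt"
  cp "$ca_chain" "$admin_tmp/current_chain.crt"
  chmod 600 "$dest/commercial.key"
  rm -rf "$work"
  /opt/zimbra/bin/zmcertmgr deploycrt comm
}

# Usage (as the zimbra user): sh migrate_cert.sh --run commercial.keystore zimbra ca_chain.pem
if [ "${1-}" = "--run" ]; then
  migrate_cert "$2" "$3" "$4"
fi
```

The checks are deliberately cheap and run before anything is copied under /opt/zimbra, so a badly wrapped key or a cert/key mismatch fails the script instead of leaving postfix and ldap with a broken TLS setup, which is how mail delivery stopped for the posters above.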
#9 - 02-16-2008, 07:00 AM - Special Member (Posts: 135)

Thank you SolarSail. Without your documentation, I don't think I would have ever figured that out!

-Nutz
#10 - 04-24-2008, 09:39 AM - Intermediate Member (Posts: 24)

Seconded -- I couldn't figure anything else out after the 5.0.4->5.0.5 upgrade overwrote my commercial cert with a new self-signed one. Thank you so much!