
Thread: Failed Commercial Cert Migration

  1. #1
    solarsail is offline Intermediate Member

    When I upgraded from 4.5.9 to 5.0.1, the commercial cert migration failed. While the cert for tomcat/jetty moved over successfully, it did not move over the cert for postfix/ldap/etc.

    After installing, mail stopped working. I went ahead and installed a self-signed cert (see "[SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure") just so I could get something up and running.

    I still have a Java keystore file with my commercial cert. What is the procedure for installing this cert in 5.0? The "Commercial Certificates - Zimbra :: Wiki" page doesn't seem quite up to date (doesn't mention zmcertmgr). Not sure what format it expects, etc.

  2. #2
    gmsmith is offline Moderator

    Out of curiosity, does your cert name match your Zimbra host name? Ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, because the hostname of the Zimbra server did not match the certificate name. The quick workaround was to modify zmmtainit to turn off TLS; once that was done, everything worked fine.

    My understanding is that bug 23922 is tracking this issue, and it appears there is at least a workaround done.

  3. #3
    solarsail is offline Intermediate Member

    Yes, the cert does match the hostname of the machine.

  4. #4
    davidfsmith is offline Special Member

    Originally Posted by gmsmith:
        Out of curiosity, does your cert name match your Zimbra host name? Ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, because the hostname of the Zimbra server did not match the certificate name. The quick workaround was to modify zmmtainit to turn off TLS; once that was done, everything worked fine.

        My understanding is that bug 23922 is tracking this issue, and it appears there is at least a workaround done.

    Exactly the problem I had going from 5.0.0 to 5.0.1 (and by the sounds of things resolved with exactly the same fix).

  5. #5
    Klug is offline Moderator

  6. #6
    solarsail is offline Intermediate Member

    So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

    1. Extract my cert and private key from the old Java keystore.
    2. Download my CA's root cert.
    3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
    4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
    5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm

  7. #7
    gmsmith is offline Moderator

    Originally Posted by solarsail:
        So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

        1. Extract my cert and private key from the old Java keystore.
        2. Download my CA's root cert.
        3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
        4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
        5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm

    What steps did you use to extract your cert and private key from the keystore?

  8. #8
    solarsail is offline Intermediate Member

    Originally Posted by gmsmith:
        What steps did you use to extract your cert and private key from the keystore?

    To extract the cert:
    Code:
        # Export the certificate stored under alias "tomcat" from the keystore (DER output)
        keytool -keystore commercial.keystore -export -alias tomcat -file exported.crt
        # Convert DER to PEM; -text also writes the human-readable dump ahead of the PEM block
        openssl x509 -out commercial.crt -outform pem -text -in exported.crt -inform der
    To extract the key (you want to use the old version of ExportPriv.java; the new one doesn't wrap the base64 in a way zmcertmgr can handle):
    Code:
        # Fetch and compile the older ExportPriv.java
        curl http://mark.foster.cc/pub/java/ExportPriv.old.java > ExportPriv.java
        javac ExportPriv.java
        # Arguments: keystore file, key alias, keystore password
        java ExportPriv commercial.keystore tomcat zimbra > commercial.key
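
Added example (not part of the original posts): pre-deployment checks for the files produced in post #8, covering the two failure modes raised in this thread, namely key base64 that is not wrapped the way zmcertmgr expects and a certificate whose name does not match the server's host name. The function names are hypothetical, the 64-column wrap is the conventional PEM width rather than a documented zmcertmgr requirement, and `openssl` 1.0.2 or later is assumed.

```shell
#!/bin/sh
# Added example: checks to run on commercial.key / commercial.crt before deploying.
# All function names are hypothetical; openssl >= 1.0.2 is assumed.

# Constructed sample: a PEM file whose body is one unwrapped 100-char line (not a real key).
make_sample_key_pem() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----'
    awk 'BEGIN { for (i = 0; i < 100; i++) printf "A"; print "" }'
    printf '%s\n' '-----END PRIVATE KEY-----'
}

# Re-wrap the base64 body of a PEM file at 64 columns; text outside the block is dropped.
pem_rewrap() {
    awk '
        /^-----BEGIN / { print; body = ""; inside = 1; next }
        /^-----END /   { while (length(body) > 64) {
                             print substr(body, 1, 64); body = substr(body, 65) }
                         if (length(body)) print body
                         print; inside = 0; next }
        inside         { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Succeed only if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if the certificate ($1) is valid for the host name ($2).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# usage: preflight KEY CERT HOSTNAME
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_matches_host "$2" "$3" || { echo "certificate not valid for $3" >&2; return 1; }
    echo "ok to deploy"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh commercial.key commercial.crt <zimbra host name>` before copying the files into place; `pem_rewrap commercial.key > fixed.key` normalizes a key whose base64 came out on one line.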

  9. #9
    Nutz is offline Special Member

    Thank you SolarSail. Without your documentation, I don't think I would have ever figured that out!

    -Nutz

  10. #10
    shaver is offline Intermediate Member

    Seconded -- I couldn't figure anything else out after the 5.0.4->5.0.5 upgrade overwrote my commercial cert with a new self-signed one. Thank you so much!
