#1
01-29-2008, 03:32 PM
void (Active Member, Posts: 48)
Zimbra Hates GoDaddy

I decided to go for GoDaddy instead of spending 8 times as much money at one of the Verisign or Thawte resellers when I bought my SSL certificate today.

Remember when installing a cert was easy? You generated the CSR and just handed it to Thawte and they gave you back your server.crt which you loaded in apache. Easy!

Zimbra on the other hand is weird so I dug around for a guide and found one!

Commercial Certificates - Zimbra :: Wiki

Off I went to GoDaddy, bought my certs, and then followed the directions. Everything appears to work, no error messages at all.

I restart my server, and poof! There is NO GoDaddy certificate in there... Where did it go? I heard a rumor that Tomcat has been replaced by Jetty, so these directions probably don't work anymore.

Searching the forum you get bits and pieces, mostly people who are upgrading from 4 to 5 and have a GoDaddy cert already.

Can somebody post a guide on how somebody should install one of these weird GoDaddy certs from scratch?

When you buy a cert from them, you get 4 files back (no idea why):
gd_bundle.crt
gd_cross_intermediate.crt
gd_intermediate.crt
mydomain.com.crt (name changed obviously)

I would like to use:
sudo zmcertmgr deploycrt comm <crt file> <ca chain file>

as is detailed in another post here which I think may be what I am supposed to do (I see no documentation referring to this in the wiki, which as we all know by now is about as useful as a screen door on a submarine.)

OK... mydomain.com.crt is the <crt file>; which one is the <ca chain file>?

It doesn't matter which I use, because I just get this:
** Verifying mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

So...

What am I supposed to do to install a GoDaddy Key?

I run:
Release 5.0.1_GA_1902.RHEL5_20080109173102 CentOS5 NETWORK edition
#2
01-29-2008, 03:44 PM
mmorse (Moderator, Posts: 6,237)

FYI: There's also a new admin console cert wizard in 5.0 (in the tools section just below 'mail queues').
You'll need to concatenate the root and intermediaries into a single file.
CLI: How to manually install your commercial certificate in 5.x - Zimbra :: Wiki

EDIT: Installing a GoDaddy Commercial Certificate - Zimbra :: Wiki

Last edited by mmorse; 05-14-2009 at 09:33 PM..
#3
01-29-2008, 04:29 PM
Rich Graves (Outstanding Member, Posts: 708)

zmcertmgr is telling you that your server.key is missing or does not match your server.crt.

Copy the private key file that you used to create the CSR originally sent to godaddy to ssl/zimbra/commercial/commercial.key.

gd_bundle.crt is your ca chain file.

thawte & verisign are able to get away with charging a premium because their CAs are directly trusted by nearly all browsers, without needing a trust chain.
#4
01-29-2008, 04:53 PM
void (Active Member, Posts: 48)

Quote (Originally Posted by mmorse):
FYI: There's also a new admin console cert wizard in 5.0 (in the tools section just below 'mail queues').
You'll need to concatenate the root and intermediaries into a single file.
CLI: How to manually install your commercial certificate in 5.x - Zimbra :: Wiki
Linking to the page that contains the commands I already said didn't work...

The GUI just vomits more key errors, something about commercial.key not matching something in Jetty.

How does one concatenate the root and intermediaries into a single file without knowing which file of the four listed is which?

See... I know which one is my crt, I just don't know which ones the others are. Even if I do cat these three files together I am left then with two files (the catted one, and my crt). The GUI is asking me for three.

The wiki says that the zip file from Go Daddy doesn't contain the root cert, and then right below it, it says that it does. So...

At this point I'm just going to call tech support. This is why I paid for Zimbra in the first place. Oh wait I paid for it because I wanted Outlook to work. Good thing two support tickets come with it.

From following all these different directions, my install is pretty destroyed. I'll be lucky if the key file for the cert I just paid for is even still here.

Last edited by void; 01-29-2008 at 04:58 PM..
#5
01-29-2008, 05:11 PM
void (Active Member, Posts: 48)

Quote (Originally Posted by Rich Graves):
zmcertmgr is telling you that your server.key is missing or does not match your server.crt.

Copy the private key file that you used to create the CSR originally sent to godaddy to ssl/zimbra/commercial/commercial.key.

gd_bundle.crt is your ca chain file.

thawte & verisign are able to get away with charging a premium because their CAs are directly trusted by nearly all browsers, without needing a trust chain.
I was hopeful this would work.

But alas... The gui says:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.

I have my keystore and CSR files still, that were generated from running the commands the wiki dictated:

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

Although they seem to simply not work...

It looks like (from catting the keystore file) the key file is full of binary crap regarding GoDaddy, which shouldn't be possible if I just generated it... I think trying to get it to work through the GUI hammered my original key. If that is the case I just wasted 200 dollars at GoDaddy for a cert I no longer have a key for.

Or maybe not since I still see my "tomcat" key at the top.

Any ideas on how to sort this mess out?

Last edited by void; 01-29-2008 at 05:15 PM..
#6
01-29-2008, 05:25 PM
brian (Zimbra Employee, Posts: 604)

Generate a new CSR/private key from the GUI and have the crt regenerated by GoDaddy. They should allow this as long as you aren't regenerating certs more than once every thirty days.

The top of the wiki page is pretty clear.

Quote:
- Please read all instructions and pay attention to specific 4.5(and prior) vs 5.0 sections & notes.
- DO NOT USE THIS DOCUMENT FOR ZCS Versions 5.0.0_GA and ABOVE. Use the Certificate wizard in the Admin Console of your installation to generate a commercial CSR.
#7
01-30-2008, 11:36 AM
Senior Member, Posts: 52

Quote (Originally Posted by Rich Graves):
thawte & verisign are able to get away with charging a premium because their CAs are directly trusted by nearly all browsers, without needing a trust chain.
Actually, the latest Thawte certs we got required an intermediate certificate as well, which is a change from the last time we bought one a couple years back. :-(
#8
01-30-2008, 05:35 PM
void (Active Member, Posts: 48)

Quote (Originally Posted by brian):
Generate a new CSR/private key from the GUI and have the crt regenerated by GoDaddy. They should allow this as long as you aren't regenerating certs more than once every thirty days.

The top of the wiki page is pretty clear.
So far I have had two Zimbra employees logged on to my server for no less than 6 hours, and they can't figure out what is wrong either.

At this point, there has been one bug in the Zimbra code located so far.

To their credit they have tried almost everything. We did in fact clean out everything, and then get a new CSR from the admin gui, then take that over to Go Daddy and get a new cert with it.

I asked "Which of these files is the Root CA the admin panel asks for?"

Zimbra Tech: I was just informed that you probably won't need to use the gd_bundle.crt

Good thing he said "probably" because that is indeed the root ca and is required.

So I put my crt with my hostname in the first box, the gd_intermediate and gd_bundle, ignoring their gd_cross_intermediate and hit submit on the gui, it worked!! It actually took my certificates! Woo!!

I restarted Zimbra to find that it was still using the self signed one.

Back to the tech, this time with his "certificate expert" also logging on to my server and trying to figure out what's wrong.

So far we see something very wrong, the common name on all the certs is wrong: zmcertmgr viewdeployedcrt all ::service mta::

shows that there is a www in front of my mail server's name: mail.mydomain.com is now www.mail.mydomain.com, which is way wrong... I didn't type that into Zimbra, and even sent a screenshot of my Certificate Manager screen from GoDaddy over to the tech that shows there is no www in front of my common name.

Now we get to find out where that came from... is GoDaddy mental and adding hostnames, or is Zimbra?

Either way... will my mail server ever be secure? Will I ever stop whining in public? Who is Kaiser Soze?

Stay tuned true believers.
#9
02-01-2008, 03:59 AM
Member, Posts: 10

I successfully installed a Go Daddy certificate on zcs-NETWORK-5.0.1_GA_1902.RHEL5_64.20080109190819 (upgrading from a self signed certificate).

This is basically how I did it:
Code:
1. Click Install Certificate under Certificates in the Zimbra admin panel
2. Select Generate the CSR (certificate signing request) for the commercial certificate authorizer
3. Enter information and download CSR.
4. Open downloaded CSR and paste contents into Go Daddy form
5. Once you complete domain verification, Go Daddy will email a download link for the certificate bundle zip
6. Download the Go Daddy certificate bundle using the link in the email and the ValiCert Root Certificate (valicert_class2_root.crt) from https://certificates.starfieldtech.com/Repository.go
7. Go back to Certificates in the Zimbra Administration interface
8. Click Install Certificate
9. Select Install the commercially signed certificate
   1. Certificate: your.domain.com.crt
   2. Root CA: valicert_class2_root.crt
   3. Intermediate CA: gd_bundle.crt
10. Click Install and hope it works!
11. Restart Zimbra
Once installed under Certificates it shows:
Code:
Subject Alternative Name: mail.mydomain.com, www.mail.mydomain.com
No, I didn't ask for www.mail.mydomain.com either... I don't know if it's like that for all certificate providers but maybe it's normal for all Go Daddy provided certificates?
#10
02-01-2008, 04:38 AM
mmorse (Moderator, Posts: 6,237)
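Before handing a GoDaddy cert to zmcertmgr deploycrt or the admin-console wizard, a few openssl checks catch the two problems this thread runs into: the "Unmatching certificate and private key" error from posts #1 and #3, and the unexpected www.mail.mydomain.com name from posts #8 and #9. This is an added example, not code from the thread or from Zimbra; it assumes openssl is on the PATH and uses the GoDaddy file names quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-deployment checks for a
# commercial certificate. Assumes openssl is installed.
set -eu

# Does the certificate's public key match the private key? zmcertmgr's
# "Unmatching certificate ... and private key pair" error means this fails,
# typically because commercial.key is not the key the CSR was generated from.
cert_matches_key() {  # usage: cert_matches_key mydomain.com.crt commercial.key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Build the single CA chain file the wizard / deploycrt want: intermediates
# first, then the root, each as a PEM block. Prints the number of certs written.
build_chain() {  # usage: build_chain chain.crt gd_intermediate.crt gd_bundle.crt
    out=$1; shift
    cat "$@" > "$out"
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Does the server cert actually chain up to that file? Catches a missing or
# wrong intermediate before Zimbra silently falls back to the self-signed cert.
cert_chains_to() {  # usage: cert_chains_to mydomain.com.crt chain.crt
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the names really inside the cert (subject CN plus SANs), so a surprise
# like www.mail.mydomain.com shows up before deployment, not after a restart.
cert_names() {  # usage: cert_names mydomain.com.crt
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject -text | grep -E 'Subject:|DNS:'
}
```

The `-ext` flag needs OpenSSL 1.1.1 or later; the fallback branch works on older releases.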

I believe it turned out that void had some old tomcat aliases hanging around in the keystore.