
Thread: Certificate fun...

  1. #1 TommyTheKid (Active Member; joined Feb 2007; Broomfield, CO)

    Certificate fun...

    We have installed a Zimbra server, and its name is something like zimbra-1.domain.com; however, when we started using it in production, we wanted to just change the "mail.domain.com" certificate to point there and not have our users make changes to their clients. When we installed the commercial certificate using the magical wizard, it broke mail because postfix could not connect to the LDAP server due to certificate errors. We installed the original certificate (it was also a "commercial" certificate from the Zimbra perspective, but signed by our internal CA) and things started flowing again, except of course users got certificate errors when they tried to connect.

    After some thought, we decided to back up the slapd.crt/slapd.key, then install the proper user-facing certificate using the wizard, then restore the slapd.crt/slapd.key files. Oh, we thought we were smart, but *still* no mail flowage... even though the certificate "trick" worked (connections to the Zimbra LDAP server did present the correct certificate). The problem turned out to be in the conf/ca directory, where Zimbra keeps its "trusted certificate authorities." The wizard replaced the commercial CA cert file, but failed to remove the old hash entry pointing to that file, and thus caused the certificate validation to fail when postfix tried to connect to the LDAP server. We copied the internal CA cert into that directory, then removed and re-linked the "hash.0" to the internal CA cert file, and everything worked.

    I am not sure, but I think I would file a bug against the certificate wizard for not removing the hash link before creating a new one. The error would have just been that there was a "self signed certificate" rather than an invalid certificate in that case, right?

    It would be nice if there were a place to manage trusted CA certs rather than this hocus-pocus magic trick that the wizard tries to pull off. It would also be nice if there were a way to upload a key in the wizard-type interface without using scp to some pre-determined filename (again with the hocus-pocus magic).

    Also, I wondered whether the jetty process uses a Java keystore for CA certs, meaning that I would have to add the internal CA to that as well, or if it uses the same OpenSSL-style CA directory... or maybe it just doesn't validate certs? (Or use SSL when it connects to LDAP?)

    Tommy
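    The failure described above is a stale hash link: the wizard swapped the contents of the CA cert file, but the `<subject-hash>.0` symlink that OpenSSL-style verifiers look up still carried the old certificate's hash and still pointed at that file. The script below is an added example, not Zimbra's own code: it audits such a directory for dangling or mismatched hash links and can rebuild them, assuming only that `openssl` is on the PATH and that the caller passes the directory (e.g. Zimbra's conf/ca) as the argument.

```shell
#!/bin/sh
# Audit/rebuild an OpenSSL-style hashed CA directory such as Zimbra's conf/ca.
# Each <subject-hash>.N link must point at a cert whose subject hash really is
# <subject-hash>; a wizard that replaces the file but keeps the old link leaves
# a mismatch, which is what made postfix reject the LDAP server certificate.
# Assumes openssl on PATH; the directory path is supplied by the caller.

# Print the number of bad links on stdout; details go to stderr.
cadir_audit() {
    dir=$1; bad=0
    for link in "$dir"/*.[0-9]; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        name=$(basename "$link"); want=${name%.*}
        if [ ! -e "$link" ]; then
            echo "DANGLING: $name" >&2; bad=$((bad + 1)); continue
        fi
        if ! got=$(openssl x509 -noout -hash -in "$link" 2>/dev/null); then
            echo "UNREADABLE: $name" >&2; bad=$((bad + 1)); continue
        fi
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $name -> $(readlink "$link") hashes to $got" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Drop every hash link and recreate them from the PEM certs present
# (what the wizard should have done instead of leaving hash.0 behind).
cadir_rehash() {
    dir=$1
    for link in "$dir"/*.[0-9]; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for crt in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$crt" ] || continue
        h=$(openssl x509 -noout -hash -in "$crt" 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$crt")" "$dir/$h.$n"
    done
}
```

    Running `cadir_audit /opt/zimbra/conf/ca` (path assumed) after a wizard run would have reported the MISMATCH before postfix did, and `cadir_rehash` repairs it the same way the manual re-link above did.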

  2. #2 jholder (Former Zimbran; joined Oct 2005; Thatcher, AZ)

    Tommy,
    Have you contacted Zimbra support? They might be able to help further, as they can log in to your server and help.

  3. #3 TommyTheKid (Active Member; joined Feb 2007; Broomfield, CO)

    I believe we tried, but apparently didn't properly project the sense of urgency. We ended up fiddling around till we got it right. The problem, as I noted, was a bit too simplistic certificate management. Also, the rest of the problem is that our current hosting provider is doing the "everything on one host" deployment. A proper multi-tiered configuration may have made this a bit simpler, as the LDAP server would not have been affected when we loaded the "mail.domain.com" certificate onto the front-end, user-facing server.

    Tommy
    Last edited by TommyTheKid; 02-12-2008 at 10:53 PM. Reason: part of my thought was missing
