#1
03-10-2008, 08:07 AM
New Member
Posts: 4
Damaged jetty SSL keystore after upgrade from 5.0.1 to 5.0.2

I've just upgraded our Network Edition of Zimbra 5.0.1 to 5.0.2. After the upgrade I was no longer able to access the WebMail or the Administration Interface. My Firefox was showing me the following error message: SSL_ERROR_NO_CYPHER_OVERLAP

After some searching I figured out that the Jetty keystore file at /opt/zimbra/jetty/etc/keystore was not looking good.

See below for the relevant part from my zmsetup.log.

Since I'm running on VMware, I quickly jumped to a snapshot before the upgrade, and fetched the valid keystore file. I overwrote the bad file with this version and after a restart of Zimbra all was fine again.

My questions are:
What could be the cause of this?
Is it because we use a wildcard certificate?
Should I re-import our commercial certificate in the Admin Console, to ensure it will work smoothly during the next upgrade?

One annoyance is that the documentation in the Wiki doesn't help once the SSL certificate is broken. There are a ton of tips for 4.x on how to fix this, but for 5.x it just tells you to go to the Admin Console and use the SSL Certificate Manager. That's bad advice, because here you cannot go to the Admin Console, because the SSL Certificate is missing.

Regards
Toni

my zmsetup.log:
...
Setting up CA...
*** Running as root user: openssl verify -purpose sslserver -CAfile /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.pem | egrep ^error 10
*** Running as root user: /opt/zimbra/bin/zmcertmgr createca
done.
*** Running as root user: /opt/zimbra/bin/zmcertmgr verifycrt comm > /dev/null 2>&1
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial/commercial.key
*** Running as root user: /opt/zimbra/bin/zmcertmgr verifycrt self > /dev/null 2>&1
** Verifying /opt/zimbra/ssl/zimbra/server/server.crt against /opt/zimbra/ssl/zimbra/server/server.key
Certificate (/opt/zimbra/ssl/zimbra/server/server.crt) and private key (/opt/zimbra/ssl/zimbra/server/server.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/server/server.crt: /C=CH/O=*.local.ch/OU=businessprofile.geotrust.com/get.jsp?GT00353217/OU=See RapidSSL.com - redirect (c)06/OU=Domain Control Validated - RapidSSL(R)/CN=*.local.ch
error 20 at 0 depth lookup:unable to get local issuer certificate
Warning: No valid SSL certificates were found.
New self-signed certificates will be generated and installed.
Creating SSL certificate...
*** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164904
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

*** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164905
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

*** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164907
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

done.
...
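The log above fails on three separate checks: a private key that cannot be found, a chain that does not verify (error 20), and a certificate that does not match its key. The following is an added example, not part of the original thread and not Zimbra's own tooling, that runs the same checks with plain openssl before an upgrade; the function names and the script's argument order are hypothetical, and the CA bundle location is site-specific.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-upgrade check of a certificate,
# its private key and its CA chain, using only the openssl CLI.

# Status: 0 = public keys match, 1 = mismatch, 2 = file missing or unreadable.
pair_matches() {
    local crt=$1 key=$2 crt_pub key_pub
    [ -r "$crt" ] && [ -r "$key" ] || return 2
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    # Empty -passin: an encrypted key is reported as unreadable, no prompt.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ] || return 1
}

# Status 0 only if the certificate verifies as an SSL server cert against
# the given CA file. Old openssl builds exit 0 even on failure, so the
# output is also scanned for "error" lines, as zmsetup does with egrep.
chain_ok() {
    local crt=$1 ca=$2 out
    out=$(openssl verify -purpose sslserver -CAfile "$ca" "$crt" 2>&1) || return 1
    ! printf '%s\n' "$out" | grep -q '^error'
}

# Run both checks, print one line per failure, return non-zero on any failure.
preflight() {
    local crt=$1 key=$2 ca=$3 rc=0
    pair_matches "$crt" "$key" || { rc=$?; echo "FAIL key/cert pair (status $rc): $crt"; }
    chain_ok "$crt" "$ca"      || { rc=3; echo "FAIL chain does not verify against $ca"; }
    [ "$rc" -eq 0 ] && echo "OK $crt"
    return "$rc"
}

# Usage: ./preflight.sh CERT KEY CAFILE
# e.g. the commercial.crt and commercial.key paths from the log, plus the
# issuing CA's bundle (its location is an assumption, not from the thread).
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A non-zero result before the upgrade means the installer would reject the pair and fall back to generating a self-signed certificate, as it did in the log.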
#2
03-10-2008, 09:31 PM
Former Zimbran
Posts: 5,606

inurl:zimbra.com "jetty.pkcs12" - Yahoo! Search Results