Thread: Damaged jetty SSL keystore after upgrade from 5.0.1 to 5.0.2

  1. #1
    tbirrer

    I've just upgraded our Network Edition of Zimbra 5.0.1 to 5.0.2. After the upgrade I was no longer able to access the WebMail or the Administration Interface. My Firefox was showing me the following error message: SSL_ERROR_NO_CYPHER_OVERLAP

    After some searching I figured out that the Jetty keystore at /opt/zimbra/jetty/etc/keystore file was not looking good.

    See below for the relevant part from my zmsetup.log.

    Since I'm running on VMware, I quickly jumped to a snapshot before the upgrade, and fetched the valid keystore file. I overwrote the bad file with this version and after a restart of Zimbra all was fine again.

    My questions are:
    What could be the cause of this?
    Is it because we use a wildcard certificate?
    Should I re-import our commercial certificate in the Admin Console, to ensure it will work smoothly during the next upgrade?

    One annoyance is that the documentation in the Wiki doesn't help once the SSL certificate is broken. There are a ton of tips for 4.x on how to fix this, but for 5.x it just tells you to go to the Admin Console and use the SSL Certificate Manager. That's bad advice, because here you cannot go to the Admin Console, because the SSL Certificate is missing.

    Regards
    Toni

    my zmsetup.log:
    ...
    Setting up CA...
    *** Running as root user: openssl verify -purpose sslserver -CAfile /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.pem | egrep ^error 10
    *** Running as root user: /opt/zimbra/bin/zmcertmgr createca
    done.
    *** Running as root user: /opt/zimbra/bin/zmcertmgr verifycrt comm > /dev/null 2>&1
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial/commercial.key
    *** Running as root user: /opt/zimbra/bin/zmcertmgr verifycrt self > /dev/null 2>&1
    ** Verifying /opt/zimbra/ssl/zimbra/server/server.crt against /opt/zimbra/ssl/zimbra/server/server.key
    Certificate (/opt/zimbra/ssl/zimbra/server/server.crt) and private key (/opt/zimbra/ssl/zimbra/server/server.key) match.
    XXXXX ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/server/server.crt: /C=CH/O=*.local.ch/OU=businessprofile.geotrust.com/get.jsp?GT00353217/OU=See RapidSSL.com - redirect (c)06/OU=Domain Control Validated - RapidSSL(R)/CN=*.local.ch
    error 20 at 0 depth lookup:unable to get local issuer certificate
    Warning: No valid SSL certificates were found.
    New self-signed certificates will be generated and installed.
    Creating SSL certificate...
    *** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164904
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    *** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164905
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    *** Running as root user: /opt/zimbra/bin/zmcertmgr deploycrt self -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080309164907
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    done.
    ...
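
The three checks that fail in the log above (key/certificate match, chain verification, PKCS#12 export) can be run by hand with plain openssl before an upgrade, so that a broken pair is found while the old keystore is still in place. This is an added example, not part of the original post and not Zimbra's own tooling; the function names are hypothetical, and the certificate, key and CA bundle paths are arguments the operator supplies.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for a certificate/key pair.
# Usage: precheck.sh CERT KEY CAFILE   (all three paths are operator-supplied)

# 0 if the certificate and the private key carry the same public key,
# 1 on mismatch, 2 if either file cannot be read or parsed.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# 0 if the certificate verifies as a TLS server certificate against CAFILE.
# Old openssl builds could exit 0 despite printing "error NN ..." lines
# (the log above greps for them), so the output is checked as well.
chain_verifies() {
    out=$(openssl verify -purpose sslserver -CAfile "$2" "$1" 2>&1) || return 1
    ! printf '%s\n' "$out" | grep -q '^error'
}

# Dry run of the PKCS#12 export step; the bundle is discarded.
# A mismatched pair fails here with "No certificate matches private key".
pkcs12_builds() {
    openssl pkcs12 -export -in "$1" -inkey "$2" \
        -passout pass:constructed -out /dev/null >/dev/null 2>&1
}

# Runs all checks, prints one line per failure, returns the failure count.
precheck() {
    fails=0
    key_matches_cert "$1" "$2" || {
        echo "FAIL: key does not match certificate: $2 / $1"
        fails=$((fails + 1)); }
    chain_verifies "$1" "$3" || {
        echo "FAIL: $1 does not chain to $3"
        fails=$((fails + 1)); }
    pkcs12_builds "$1" "$2" || {
        echo "FAIL: PKCS#12 export would fail for $1"
        fails=$((fails + 1)); }
    return "$fails"
}

# Only act when called with the three paths; sourcing the file runs nothing.
if [ "$#" -eq 3 ]; then
    precheck "$1" "$2" "$3"
fi
```

A non-zero exit status is the number of failed checks; for a commercial certificate the CA bundle must contain the issuing intermediate and root, otherwise the chain check reports the same "unable to get local issuer certificate" condition seen in the log.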
