Page 1 of 2 (Results 1 to 10 of 11)

Thread: [SOLVED] Failed 4.5.11 to 5.0.4 GoDaddy Commercial Certificate Upgrade

  1. #1 LMStone (Moderator)

    [SOLVED] Failed 4.5.11 to 5.0.4 GoDaddy Commercial Certificate Upgrade

    We just upgraded one of our Zimbra servers from 4.5.11 to 5.0.4, and like others who have posted here, the GoDaddy commercial certificates failed to be incorporated as part of the upgrade.

    The good news (I hope) is that we did the upgrade by going from 32-bit SuSE ES9 on one server to 64-bit SuSE ES10 on a second server, so the original SLES9 server is still there, along with all the csr files, certificate bundles, etc. (FWIW We did the upgrade by following the Zimbra Certified 32-bit to 64-bit migration document, and then just upgrading 4.5.11 on the new server to 5.0.4.)

    I've read through a lot of bug reports and forum posts in the past few hours on this, and no one else's scenario quite matches ours, hence, this post.

    The 5.0.4 Install Certificate Wizard is nice, but it won't let me install a certificate if I didn't use the wizard to generate a csr.

    Perhaps there is a way I can "fool" the Wizard by copying the csr file from the old server to the new one?

    The wiki article on CLI certificate installs looks promising, but it is not clear to me how to concatenate the various GoDaddy files, nor in which order. There is a forum post about the concatenation not putting in a proper CRLF, and enough other posts indicating that messing up certs can be a bear to fix.

    So, I'm more keen to "measure twice and cut once" rather than experiment!

    The output of:
    keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

    shows four certificates: root, cross, intermed and our server's. But the admin UI shows only the two Zimbra self-signed certs (MTA and LDAP).

    Any takers on a Sunday with nothing better to do? :-)

    TIA!

    With best regards to all,
    Mark

  2. #2 mmorse (Moderator)

    So what files do you have? (gd_cross_intermediate.crt, gd_intermediate.crt, <server_name>.crt, gd_bundle.crt, RootCA.crt)

    Disclaimer - I don't have a GoDaddy cert to test (so feel free to wait for more examples or support would happily walk you through it) but generally the manual method is like:

    1. Download GoDaddy bundle from their primary Repo

    2. Reverse the certificate chain in an editor so that the chain of trust goes from general to specific (e.g. Root CA, Intermediate, Intermediate_cross, your cert). Save this file as commercial.crt under /opt/zimbra/ssl/zimbra/commercial

    (Or if you don't have a bundle: cat root.crt intermediate.crt cross_intermediate.crt server.crt > commercial.crt or open an editor and append.)

    3. Copy your private key (must be named commercial.key) to /opt/zimbra/ssl/zimbra/commercial

    4. Copy files to other misc locations:

    cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
    cp commercial.crt /opt/zimbra/jetty/webapps/zimbraAdmin/tmp/current.crt
    cp commercial.crt /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt

    5. It's always good to just test it first
    /opt/zimbra/bin/zmcertmgr verifycrt comm

    6. Install the cert
    /opt/zimbra/bin/zmcertmgr install comm

    7. zmcontrol stop/start
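
    As an added example (not code from the thread, and not Zimbra's own tooling), the following POSIX shell script does the manual concatenation the steps above describe: it strips carriage returns (the CRLF problem raised in the first post), guarantees a newline after every block so two blocks never share a line, refuses inputs that are not PEM certificates, and, before zmcertmgr is involved, compares the RSA modulus of the private key with that of the server certificate, which is the mismatch "zmcertmgr verifycrt" reports when the wrong key is in place. The file names and output path are illustrative assumptions, the input order is simply whatever you pass on the command line, and the key check assumes an RSA key and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: assemble
# commercial.crt from separate PEM files, clean up CRLF line endings, and
# check that the private key belongs to the server certificate before
# running zmcertmgr. File names and paths below are illustrative
# assumptions; openssl must be on the PATH for key_matches_cert.

# Print one PEM file with every carriage return removed. awk terminates
# each record with "\n", so a file that lacks a final newline still ends
# cleanly and the next block never starts on the same line.
normalize_pem() {
    awk '{ sub(/\r$/, ""); print }' "$1"
}

# build_chain OUTFILE cert1.crt cert2.crt ...
# Writes the certificates to OUTFILE in the order given on the command
# line and refuses anything that is not a PEM certificate (a key file
# passed by mistake, for instance).
build_chain() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "build_chain: $f is not a PEM certificate" >&2
            return 1
        fi
        normalize_pem "$f" >> "$out"
    done
}

# check_chain FILE
# Succeeds when FILE holds at least one certificate, every BEGIN line has
# a matching END line, and no carriage returns survived.
check_chain() {
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] || return 1
    [ "$begins" -eq "$ends" ] || return 1
    ! grep -q "$(printf '\r')" "$1"
}

# key_matches_cert KEYFILE CERTFILE
# Compares the RSA modulus of the private key with that of the
# certificate; a mismatch is what "zmcertmgr verifycrt" reports when the
# wrong key is in place. Returns 2 if openssl cannot read either file.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Usage, following the file order given in the post above (assumed names):
#   d=/opt/zimbra/ssl/zimbra/commercial
#   build_chain "$d/commercial.crt" RootCA.crt gd_intermediate.crt \
#       gd_cross_intermediate.crt server.crt
#   check_chain "$d/commercial.crt"
#   key_matches_cert "$d/commercial.key" server.crt && echo "key matches"
```

    Run key_matches_cert against each candidate key (my.key, or the ca.key and service keys discussed later in the thread) and the server certificate; only a key that passes is worth copying to commercial.key, and zmcertmgr verifycrt should then agree.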

  3. #3 LMStone (Moderator)

    Hi Mike, thanks for the fast reply. Re your numbered action items:

    1. I already have these files.
    2. Done, with the CRLF cleanup work done in a text editor.
    3. On the old server, where would Zimbra have stored the private key?
    4. and beyond. Pending completion of 3. :-)

    Thanks,
    Mark

  4. #4 mmorse (Moderator)

    Check your old box for a /opt/zimbra/conf/my.key; if not, you'll probably need to export it from the old keystore/decrypt it.

  5. #5 LMStone (Moderator)

    In the conf directory on the old box are:
    perdition.key
    slapd.key
    smtpd.key

    There is also /opt/zimbra/conf/ca/ca.key

    The perdition, slapd and smtpd keys are identical to each other. The ca.key is unique.

    How can I test if the ca.key file is the one I need?

    Thanks,
    Mark

  6. #6 mmorse (Moderator)

    You could run them through /opt/zimbra/bin/zmcertmgr verifycrt comm

    Extract_the_private_key - Commercial Certificates - Zimbra :: Wiki (might have to use the base64 method) > your perdition/slapd/smtpd.key is the same as using my.key

    Do you still have the old /opt/zimbra/tomcat/conf/keystore or /opt/zimbra/ssl/ssl/commercial.keystore?

  7. #7 LMStone (Moderator)

    Hi Mike,

    No joy... The verification process claims there is a mismatch between the key and the bundle.

    I've opened a ticket with support.

    Did I miss something in the 5.0.4 Release Notes about this problem?

    All the best, and thanks again!
    Mark

  8. #8 mmorse (Moderator)

    On your 5.0.x box, check whether the tomcat alias still exists in the keystore. You can check with this command:
    keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

    If the above command returns two aliases (tomcat and jetty), you may need to delete the tomcat alias with this command:
    keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

  9. #9 mmorse (Moderator)

    Just saw the ticket, someone will reply shortly to give you a hand remotely.

  10. #10 LMStone (Moderator)

    Mike,

    Thanks for all your help; thought it was best to open up a ticket once the private key issue reared its head.

    FWIW:

    keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 4 entries

    root, May 1, 2007, trustedCertEntry,
    Certificate fingerprint (MD5): <snip>
    cross, May 1, 2007, trustedCertEntry,
    Certificate fingerprint (MD5): <snip>
    <hostname>, May 1, 2007, PrivateKeyEntry,
    Certificate fingerprint (MD5): <snip>
    intermed, May 1, 2007, trustedCertEntry,
    Certificate fingerprint (MD5): <snip>


    I'll post here once this is resolved so others can benefit.

    Please enjoy the rest of your weekend, and thanks again! Zimbra folks jumping in on a volunteer forum on a Sunday speaks volumes for the kind of dedication there is, and is one of the key reasons we are happy to be a paying customer!

    All the best,
    Mark
