https login and zmcertinstall

[DMRDave]

Hello all,

In attempting to get my self signed ssl certs functinonal for mail clients, i tried to recreate the certs using the instructions from this thead.

SSL Problem - No common encryption algorithm

I've gone though and tried to reset my cert numberous times, but i still am unable to login via https. Below are the error messages from zimbra.log.

2006-02-22 18:30:40,282 FATAL [ImapSSLServer] [] TcpServer/993 - accept loop failed
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.c heckEnabledSuites(SSLServerSocketImpl.java:303)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.a ccept(SSLServerSocketImpl.java:253)
at com.zimbra.cs.tcpserver.TcpServer.run(TcpServer.ja va:185)
at java.lang.Thread.run(Thread.java:595)

Can anyone be of assistance to get my https logins working again? Thank you.

[KevinH]

Here's the entry from the Wiki:

http://wiki.zimbra.com/index.php?tit...icate_Problems

Have all these commands run without error?

If so have you restarted zimbra?

[jonnyRo]

Could you provide a list of approved SSL certificate vendors in the wiki article, and instructions for installing commercial cert's provided by these vendors?

I wouldnt mind if you only had one or two official cert vendors, but some concrete guides on what type of cert to buy, and the process of adding the certs to both tomcat and the mta's would be very useful.

The place where this comes up is IMAP clients, like thunderbird, who get the certificate warning and are forced to accept the self-signed certificate that zimbra defaults to.

From a user training perspective, i'd rather not get the users used to hitting the accept button when those types of messages pop up.

Right now I ordered a cert for zimbra.mycompany.com from GeoTrust. It's a basic SSL webserver certificate. Installing on the MTA worked fine, but when trying to do the install to tomcat (zmcertinstall mailbox) things went very very wrong, and got the dreaded "firefox cannot communicate with zimbra.mycompany.com because we share no common encryption algorithms" message on the client side.

[marcmac]

Could you provide a list of approved SSL certificate vendors in the wiki article, and instructions for installing commercial cert's provided by these vendors?

No - we'd have to worry about keeping the docs up to date for each vendor, we'd have to (in some fashion) approve or certify the vendors, etc, and that's not what we do for a living.

I wouldnt mind if you only had one or two official cert vendors, but some concrete guides on what type of cert to buy, and the process of adding the certs to both tomcat and the mta's would be very useful.

The problem is that SSL certs are complicated - everyone has different needs, different systems, different requirements. So complicated, that many books have been written, and a huge industry exists to service this stuff.

Even if we were inclined to try to enter that space as a "simplified" cert training provider, or something along those lines - I'm not sure we'd do anything but further muddy the waters.

The place where this comes up is IMAP clients, like thunderbird, who get the certificate warning and are forced to accept the self-signed certificate that zimbra defaults to.

From a user training perspective, i'd rather not get the users used to hitting the accept button when those types of messages pop up.

Right now I ordered a cert for zimbra.mycompany.com from GeoTrust. It's a basic SSL webserver certificate. Installing on the MTA worked fine, but when trying to do the install to tomcat (zmcertinstall mailbox) things went very very wrong, and got the dreaded "firefox cannot communicate with zimbra.mycompany.com because we share no common encryption algorithms" message on the client side.

Did geotrust have information on how to generate a CSR for tomcat? What errors did you get when you installed it?

[KevinH]

I did add a basic how-to for removing the self-signed cert and adding your new one. As Marc says you'll need to figure out on your own how to get it into the right format as each vendor is different.

[DMRDave]

I continued on my path last night and was able to recreate the self signed cert and get https access back up and working. I followed the steps posted in these forums for recreating all the certs from scratch. Thank you Kevin for the new post and steps. I am almost back. I have full fuctionality from the webmail, i.e. I can login, send and recieve from my domain via https.

However, from my IMAP client, i am unable to send. I was able to send successfully from the client prior to my recreating my ssl certs. The error i'm getting is "TLS not available due to local problem". I've continued reading and searching in the forums, and think my issue lies with the saslauthd processes.

zimbra@dmrmail01:~/conf> zmcontrol stop
Host dmrmail01.dmrcom.com
Stopping antispam...Done
Stopping antivirus...Done
Stopping ldap...Done
Stopping logger...Done
Stopping mailbox...Done
Stopping mta...FAILED
/opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd: no process killed


Stopping snmp...Done
Stopping spell...Done
zimbra@dmrmail01:~/conf> zmcontrol start
Host dmrmail01.dmrcom.com
Starting ldap...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting mta...Done.
Starting snmp...Done.
Starting spell...Done.
zimbra@dmrmail01:~/conf> zmcontrol status
Host dmrmail01.dmrcom.com
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running

I've checked the saslauthd.conf and saslauthd.conf.in files and restarted the service. Additionally, i've restarted postfix.

dmrmail01:/ # cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf.in
zimbra_url: https://dmrmail01.dmrcom.com:443/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off
dmrmail01:/ # cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf
zimbra_url: https://dmrmail01.dmrcom.com:443/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

Thank you for any assistance.

[marcmac]

What do you get from:
zmprov gs SERVERNAME | grep zimbraMtaAuthHost
and
zmprov gs SERVERNAME | grep zimbraMailMode

If mail mode is not mixed or https, then reset teh auth host to it's current value (workaround for a known bug):
zmprov ms SERVERNAME zimbraMtaAuthHost CURRENTVALUE

Then, restart sasl
zmsaslauthdctl stop
zmsaslauthdctl start

[DMRDave]

zimbra@dmrmail01:~/log> zmprov gs SERVERNAME | grep zimbraMtaAuthHost
ERROR: account.NO_SUCH_SERVER (no such server: SERVERNAME)
zimbra@dmrmail01:~/log> zmprov gs SERVERNAME | grep zimbraMailMode
ERROR: account.NO_SUCH_SERVER (no such server: SERVERNAME)

My mail mode is https - so i'll wait for some advice. Thank you.

[marcmac]

replace SERVERNAME with the name of your server. zmprov gas will return the full list.

[DMRDave]

zimbra@dmrmail01:~/log> zmprov gas
dmrmail01.dmrcom.com
zimbra@dmrmail01:~/log> zmprov ms dmrmail01.dmrcom.com zimbraMtaAuthHost CURRENTVALUE
ERROR: service.INVALID_REQUEST (invalid request: specified zimbraMtaAuthHost does not correspond to a valid service hostname: CURRENTVALUE)
zimbra@dmrmail01:~/log> zmsaslauthdctl stop
zimbra@dmrmail01:~/log> zmsaslauthdctl start

Thanks Marc.