  #1 (permalink)  
Old 06-06-2008, 06:53 AM
Special Member
 
Posts: 117
Default [SOLVED] GoDaddy certs on 5.0.6

I went through the process using the wizard, but I am getting an error.

I did go through the process of generating the CSR and submitting that to GoDaddy. I got back my certificate and the intermediate certificate.

I downloaded their root certificate and used those three in the wizard.

Any ideas?
Attached Images
File Type: jpg zimbra cert error.JPG (30.7 KB, 436 views)
Reply With Quote
  #2 (permalink)  
Old 06-09-2008, 02:15 AM
Senior Member
 
Posts: 54
Default

I got EXACTLY the same message on a new install of 5.06 NE on RHEL 5.1 64.
Reply With Quote
  #3 (permalink)  
Old 06-09-2008, 09:57 AM
Senior Member
 
Posts: 54
Default GoDaddy certs on 5.0.6

Hi All,

I've followed the instructions in the wiki for the 5.x GoDaddy certificate install, but it keeps defaulting back to the self-signed certificate. First I tried to install everything with the web GUI, which gave an error that many others have seen around here. Then I manually put the files from GoDaddy, along with their root certificate, in the /opt/zimbra/ssl/zimbra/commercial folder, then I restarted services, but I'm still getting the signed certificate, and no certificate is installed in the admin GUI either.

Anybody have any advice?

I'm on RHEL 5.1 64 using NE.


Thanks,

Tony
Reply With Quote
  #4 (permalink)  
Old 06-09-2008, 10:41 AM
Special Member
 
Posts: 117
Default

Just out of curiosity, when you submitted the request to GoDaddy, which server did you specify? Tomcat or Apache?

Also, how many files did you get back from GD? I think I got back 4.

Bundle, mine, intermediate and cross intermediate.

I assume that one specified the bundle as their root, and add a second intermediate to the list to include the cross intermediate?
Reply With Quote
  #5 (permalink)  
Old 06-09-2008, 10:45 AM
Senior Member
 
Posts: 54
Default

I did Apache, since Tomcat doesn't exist in 5.x.

I got back 2 files, then I had to download the root certificate manually.
My domain cert and an intermediate cert.
Reply With Quote
  #6 (permalink)  
Old 06-09-2008, 11:48 PM
Zimbra Employee
 
Posts: 55
Default

Please check the following:

(1) current aliases in the keystore
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

(2) delete all aliases except the jetty alias following this example
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
(3) verify the cert and the private key match
/opt/zimbra/bin/zmcertmgr verifycrt comm /path/to/private_key /path/to/server_crt
(4) verify the private_key, server_cert, and the chain
/opt/zimbra/bin/zmcertmgr verifycrt /path/to/private_key /path/to/server_cert /path/to/chain_cert
(5) deploy
/opt/zimbra/bin/zmcertmgr deploycrt comm /path/to/private_key /path/to/server_cert /path/to/chain_cert
(6) restart the zimbra services
Reply With Quote
  #7 (permalink)  
Old 06-10-2008, 02:31 AM
Senior Member
 
Posts: 54
Default

Thanks for your help.

(1) Only listed the Jetty alias
(2) None to delete
(3) Got the error that commercial_ca.crt doesn't exist. I renamed commercial.crt to commercial_ca.crt and now the verify works
(4) I had to change this command to verifycrtchain for it to work properly, but it informs me:

error 26 at 0 depth lookup:unsupported certificate purpose

And that's where I am. When I got the cert from GoDaddy I chose Apache as my server. The only other choice in the list I saw that I thought was relevant was Red Hat. Should I re-issue the crt and choose a different server type than apache?

Thanks Again
Reply With Quote
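
Added example, not part of the original posts and not Zimbra's own tooling: the key/certificate match and chain checks from steps (3) and (4) above, done directly with openssl against a throwaway CA built on the spot, plus a certificate limited to clientAuth to show one way verify error 26 at depth 0 arises. All file names, subject names and helper functions are constructed for the example and assume a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example: a constructed throwaway PKI, not the thread's GoDaddy files.

_req() {   # $1 = base name, $2 = CN; writes $d/$1.key and $d/$1.csr
  openssl req -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/$1.key" -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
}
_sign() {  # $1 = base name, $2 = issuer base name, $3 = extension section
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.crt" -CAkey "$d/$2.key" \
    -CAcreateserial -extfile "$d/ext.cnf" -extensions "$3" -days 2 \
    -out "$d/$1.crt" 2>/dev/null
}
# Build root -> intermediate -> {server, client} certificates in directory $1.
make_fixture() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[server]' 'extendedKeyUsage = serverAuth' \
    '[client]' 'extendedKeyUsage = clientAuth' > "$d/ext.cnf"
  _req root "Constructed Root"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.crt" 2>/dev/null
  _req int "Constructed Intermediate" && _sign int root ca
  _req server "mail.example.test" && _sign server int server
  _req client "mail.example.test" && _sign client int client
}

# Step (3): the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = private key, $2 = certificate
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Step (4): the certificate chains to the root and is usable by a TLS server.
# Prints openssl's verdict; succeeds only when no verification error is reported.
chain_verifies() {    # $1 = root, $2 = intermediate(s), $3 = certificate
  out=$(openssl verify -purpose sslserver -CAfile "$1" -untrusted "$2" "$3" 2>&1)
  rc=$?
  printf '%s\n' "$out"
  case $out in *"error "*) return 1 ;; esac
  return "$rc"
}

d=$(mktemp -d) && make_fixture "$d"
key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches cert"
key_matches_cert "$d/client.key" "$d/server.crt" || echo "wrong key detected"
chain_verifies "$d/root.crt" "$d/int.crt" "$d/server.crt"
# EKU is clientAuth only, so the sslserver purpose check fails with error 26.
chain_verifies "$d/root.crt" "$d/int.crt" "$d/client.crt" || echo "rejected"
```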
  #8 (permalink)  
Old 06-10-2008, 06:57 AM
Zimlet Guru & Moderator
 
Posts: 467
Default

I think you might want to see if you can get it re-issued as Tomcat. I use GoDaddy, exported it as a Tomcat key, and had no problems with it.
Reply With Quote
  #9 (permalink)  
Old 06-10-2008, 06:58 AM
Zimlet Guru & Moderator
 
Posts: 467
Default

Try not using their root certificate. See if it's conflicting against a certificate already installed.
Reply With Quote
  #10 (permalink)  
Old 06-10-2008, 07:30 AM
Special Member
 
Posts: 117
Default

It won't let you proceed without the root certificate.
Reply With Quote