Thread: Problem with Commercial Certificate in 5.0.9 GA

  1. #1
    bibo

    Hi All,

    I have read the wiki page about Commercial Certificate
    (Commercial Certificate in 5.x - Zimbra :: Wiki) and
    I have installed my certificate created by CACert. But when I restarted Zimbra I had a problem with ldap. Below I show the commands and tests during the installation.

    ++++
    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/certs/commercial.crt /root/certs/commercial_ca.crt
    ** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/certs/commercial.crt: OK

    [root@mailhost certs]# sudo /opt/zimbra/bin/zmcertmgr deploycrt comm /root/certs/commercial.crt /root/certs/commercial_ca.crt
    ** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/certs/commercial.crt: OK
    ** Copying /root/certs/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/certs/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@mailhost certs]#

    [root@mailhost ~]# su - zimbra
    [zimbra@mailhost ~]$ zmcontrol stop
    Host mailhost.coc.ufrj.br
    Stopping stats...Done
    Stopping mta...Done
    Stopping spell...Done
    Stopping snmp...Done
    Stopping archiving...Done
    Stopping antivirus...Done
    Stopping antispam...Done
    Stopping imapproxy...Done
    Stopping mailbox...Done
    Stopping logger...Done
    Stopping ldap...Done
    [zimbra@mailhost ~]$ zmcontrol start
    Host mailhost.coc.ufrj.br
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.
    [zimbra@mailhost ~]$

    [root@mailhost commercial]# cd /opt/zimbra/ssl/zimbra/commercial
    [root@mailhost commercial]# diff commercial.key /opt/zimbra/conf/slapd.key
    [root@mailhost commercial]# diff commercial.key /opt/zimbra/conf/nginx.key
    [root@mailhost commercial]# diff commercial.crt /opt/zimbra/conf/nginx.crt
    [root@mailhost commercial]# diff commercial.crt /opt/zimbra/conf/slapd.crt
    [root@mailhost commercial]#
    ++++

    What's the problem? What am I doing wrong? How do I fix this?

    Best regards,
    Bibo

  2. #2
    bibo

    Hi All,

    I think that I found my problem in the log below.

    zmmtaconfig.log:Tue Sep 16 13:40:19 2008 Skipping getAllMemcachedServers ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLPeerUnverifiedException hostname of the server 'mailhost.mydomain.br' does not match the hostname in the server's certificate.)

    Then I ran the command below, and I can start my server.
    [zimbra@mailhost]$ zmlocalconfig -e ssl_allow_mismatched_certs=true

    But I have another problem. I have two names for my server:
    1- mailhost.mydomain.br (for general purpose)
    2- webmail.mydomain.br (for web clients)

    When I used the "Certificate Installation Wizard" I filled it out with:
    Common Name: webmail.mydomain.br
    Subject Alternative Name: mailhost.mydomain.br

    But the Wizard didn't write this information in the csr file. I only discovered this when I checked the "View Certificate" in "Manage Certificates".
    Subject: /CN=webmail.mydomain.br
    Subject Alternative Name: webmail.mydomain.br, othername:

    Why is the othername empty?
    How do I generate my certificate with two names to resolve this problem?
    Or is there another solution?

    Best regards,
    Bibo

  3. #3
    bibo

    Hi All,

    I tried to create a csr with subjectAltNames but it doesn't work. Look below.

    [root@mailhost commercial]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br" -subjectAltNames "mailhost.mydomain.br"
    ** Generating a server csr for download comm -new /C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br -subjectAltNames mailhost.mydomain.br
    subj=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080916150833
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.

    [root@mailhost commercial]# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
    subject=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=PEC-COPPE/CN=webmail.mydomain.br
    SubjectAltName=

    Why is my SubjectAltName empty?
    Am I doing anything wrong?

    Best regards,
    Bibo

  4. #4
    bibo

    Hi All,

    I figured out the command syntax, but I don't know if I should use "common name" with webmail.mydomain.br and "othername" with mailhost.mydomain.br or vice-versa.
    Below I show the command syntax.

    [root@mailhost ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br" -subjectAltNames "otherName:mailhost.mydomain.br"

    or

    [root@mailhost ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=mailhost.mydomain.br" -subjectAltNames "otherName:webmail.mydomain.br"

    Best regards,
    Bibo
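
Added example, not part of the original posts: the hostname error quoted in post #2 is raised when the name a client connects to is not among the names the certificate carries, and hostname verification compares against the dNSName entries of the subject alternative name extension. The script below uses plain openssl (not zmcertmgr) to build a throwaway self-signed certificate and test both host names from the thread against it; the file names and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check which host names a certificate
# covers. Host names are the placeholders used in the posts; file and
# function names are constructed for illustration.

# make_test_cert DIR CN SAN...  -> throwaway self-signed cert in DIR/test.crt
make_test_cert() {
    local dir="$1" cn="$2" san="" n
    shift 2
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done   # dNSName entries
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null
}

# list_dns_sans CERT  -> dNSName entries of CERT, one per line
list_dns_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# host_matches CERT HOST  -> exit status 0 only if CERT is valid for HOST
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report CERT HOST...  -> one line per host, as a verifying client sees it
report() {
    local crt="$1" h
    shift
    for h in "$@"; do
        if host_matches "$crt" "$h"; then echo "$h: covered"
        else echo "$h: NOT covered (clients connecting to it fail)"; fi
    done
}
# Usage: d=$(mktemp -d); make_test_cert "$d" webmail.mydomain.br webmail.mydomain.br
#        report "$d/test.crt" webmail.mydomain.br mailhost.mydomain.br
```

Running `report` against the deployed certificate before restarting services shows whether every name that clients and internal services connect to is covered, so the hostname check can stay enabled.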
