#1 - 09-16-2008, 10:29 AM
Problem with Commercial Certificate in 5.0.9 GA

Hi All,

I have read the wiki page about Commercial Certificate
(Commercial Certificate in 5.x - Zimbra :: Wiki) and
I have installed my certificate created by CACert. But when I restarted zimbra I had a problem with ldap. Below I show the commands and tests from the installation.

++++
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key

/root/certs/commercial.crt /root/certs/commercial_ca.crt
** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/certs/commercial.crt: OK

[root@mailhost certs]# sudo /opt/zimbra/bin/zmcertmgr deploycrt comm /root/certs/commercial.crt /root/certs/commercial_ca.crt
** Verifying /root/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/certs/commercial.crt: OK
** Copying /root/certs/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/certs/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mailhost certs]#

[root@mailhost ~]# su - zimbra
[zimbra@mailhost ~]$ zmcontrol stop
Host mailhost.coc.ufrj.br
Stopping stats...Done
Stopping mta...Done
Stopping spell...Done
Stopping snmp...Done
Stopping archiving...Done
Stopping antivirus...Done
Stopping antispam...Done
Stopping imapproxy...Done
Stopping mailbox...Done
Stopping logger...Done
Stopping ldap...Done
[zimbra@mailhost ~]$ zmcontrol start
Host mailhost.coc.ufrj.br
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
[zimbra@mailhost ~]$

[root@mailhost commercial]# cd /opt/zimbra/ssl/zimbra/commercial
[root@mailhost commercial]# diff commercial.key /opt/zimbra/conf/slapd.key
[root@mailhost commercial]# diff commercial.key /opt/zimbra/conf/nginx.key
[root@mailhost commercial]# diff commercial.crt /opt/zimbra/conf/nginx.crt
[root@mailhost commercial]# diff commercial.crt /opt/zimbra/conf/slapd.crt
[root@mailhost commercial]#
++++

What's the problem? What do I do wrong? How do I fix this?

Best regards,
Bibo
#2 - 09-16-2008, 11:23 AM

Hi All,

I think that I found my problem in the log below.

zmmtaconfig.log:Tue Sep 16 13:40:19 2008 Skipping getAllMemcachedServers ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLPeerUnverifiedException hostname of the server 'mailhost.mydomain.br' does not match the hostname in the server's certificate.)

Then I ran the command below and I could start my server.
[zimbra@mailhost]$ zmlocalconfig -e ssl_allow_mismatched_certs=true

But I have another problem. I have two names to my server:
1- mailhost.mydomain.br (for general purpose)
2- webmail.mydomain.br (for web clients)

When I used the "Certificate Installation Wizard" I filled it out with:
Common Name: webmail.mydomain.br
Subject Alternative Name: mailhost.mydomain.br

But the Wizard didn't write this information in the csr file. I only discovered this when I checked "View Certificate" in "Manage Certificates".
Subject: /CN=webmail.mydomain.br
Subject Alternative Name: webmail.mydomain.br, othername:

Why is the othername empty?
How do I generate my certificate with two names to resolve this problem?
Or is there another solution?

Best regards,
Bibo
#3 - 09-16-2008, 12:16 PM

Hi All,

I tried to create a csr with subjectAltNames but it doesn't work. Look below.

[root@mailhost commercial]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br" -subjectAltNames "mailhost.mydomain.br"
** Generating a server csr for download comm -new /C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br -subjectAltNames mailhost.mydomain.br
subj=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080916150833
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.

[root@mailhost commercial]# /opt/zimbra/bin/zmcertmgr viewcsr comm commercial.csr
subject=/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=PEC-COPPE/CN=webmail.mydomain.br
SubjectAltName=

Why is my SubjectAltName empty?
Am I doing anything wrong?

Best regards,
Bibo
#4 - 09-17-2008, 07:03 AM

Hi All,

I figured out the command syntax, but I don't know if I should use "common name" with webmail.mydomain.br and "othername" with mailhost.mydomain.br or vice-versa.
Below I show the command syntax.

[root@mailhost ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=webmail.mydomain.br" -subjectAltNames "otherName:mailhost.mydomain.br"

or

[root@mailhost ~]# /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=BR/ST=Rio de Janeiro/L=Rio de Janeiro/O=My Company/OU=My Depart/CN=mailhost.mydomain.br" -subjectAltNames "otherName:webmail.mydomain.br"

Best regards,
Bibo
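The check that raised the SSLPeerUnverifiedException in post #2, and the name list that the createcsr attempts in posts #3 and #4 are trying to get into the CSR, as an added Python example that is not Zimbra's code and not from anyone in this thread. It applies the RFC 6125 matching rules (SAN dNSName entries are what gets matched when the extension is present, the CN counts only when there is no SAN, and a wildcard stands in for exactly the left-most label) to the two server names from the thread, reports which names a client would reject, and builds the `subjectAltName = DNS:...,DNS:...` value in OpenSSL config syntax; my assumption is that this is the form the -subjectAltNames option is meant to write into the zmssl.cnf that createcsr generates. The certificate identities are constructed from the names in the posts, not parsed from real certificate files, and it uses only the standard library.

```python
"""Hostname-vs-certificate check for a multi-name mail server.

Added example, not code from Zimbra or from this thread. It models the
check behind the 'hostname ... does not match the hostname in the server's
certificate' error with the RFC 6125 rules, and builds the subjectAltName
value a CSR needs so every service name verifies. Standard library only;
the certificate identities below are constructed from the names in the
thread, not read from real certificate files.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """The identity fields of an X.509 server certificate that matter for
    hostname verification: the subject CN and the SAN dNSName entries."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _canon(name: str) -> str:
    """DNS names compare case-insensitively and without a trailing dot."""
    return name.lower().rstrip(".")


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against a hostname.

    A wildcard is honoured only as the entire left-most label, must not
    span more than one label, and needs at least two labels after it,
    e.g. '*.mydomain.br' matches 'mailhost.mydomain.br' but neither
    'a.b.mydomain.br' nor 'mydomain.br'.
    """
    p_labels = _canon(pattern).split(".")
    h_labels = _canon(hostname).split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def presented_names(cert: CertIdentity) -> List[str]:
    """Names a verifier compares against: the SAN dNSName entries when the
    extension is present, otherwise the CN alone (RFC 6125 section 6.4.4)."""
    return list(cert.san_dns) if cert.san_dns else [cert.common_name]


def hostname_matches(cert: CertIdentity, hostname: str) -> bool:
    """True if a strict client would accept this certificate for hostname."""
    return any(_pattern_matches(p, hostname) for p in presented_names(cert))


def unmatched_hostnames(cert: CertIdentity, hostnames: List[str]) -> List[str]:
    """Service names that clients would reject with this certificate."""
    return [h for h in hostnames if not hostname_matches(cert, h)]


def san_extension_line(hostnames: List[str]) -> str:
    """OpenSSL config value listing every name as a dNSName, deduplicated."""
    seen: List[str] = []
    for h in hostnames:
        c = _canon(h)
        if c not in seen:
            seen.append(c)
    return "subjectAltName = " + ",".join("DNS:" + h for h in seen)


# Constructed from the names used in the thread.
SERVER_NAMES = ["mailhost.mydomain.br", "webmail.mydomain.br"]

# What the wizard produced in post #2: CN and a single SAN, both webmail.
THREAD_CERT = CertIdentity("webmail.mydomain.br", ["webmail.mydomain.br"])

# What a CSR carrying both names would yield; which name is the CN then no
# longer matters for verification because the SAN list covers both hosts.
FIXED_CERT = CertIdentity("webmail.mydomain.br", SERVER_NAMES)


if __name__ == "__main__":
    for label, cert in (("wizard cert", THREAD_CERT), ("two-name cert", FIXED_CERT)):
        bad = unmatched_hostnames(cert, SERVER_NAMES)
        print(f"{label}: presents {presented_names(cert)}; rejected for {bad or 'nothing'}")
    print(san_extension_line(SERVER_NAMES))
```

Run against the wizard's certificate it reports mailhost.mydomain.br as the name a client rejects, which is the ldap failure in post #2; with both names in the SAN nothing is rejected, which also answers post #4: once both names are in the SAN, the choice of CN does not affect verification. Judging by its name and by the effect shown in post #2, ssl_allow_mismatched_certs=true makes Zimbra's own clients skip exactly this comparison, so it trades the startup failure for accepting any name rather than fixing the certificate.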