#1
10-24-2008, 02:17 PM
Intermediate Member, Posts: 17

Cannot get zmcertmgr to accept known good certs

Hello,

After having given up on the web interface, I have spent most of the afternoon trying to get zmcertmgr to work. I have a known good cert, known good cert chain, and a known matching private key. They work perfectly in Apache 2.x on a web site. (Cert is a wildcard cert.)

However, zmcertmgr says that it cannot validate the issuer's root. I have tried it with combining all keys into a single file, using a separate temp.crt and temp_ca.crt files, etc. and NOTHING seems to work! Here are some examples:

zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
** Verifying ./commercial.crt against ./commercial.key
Certificate (./commercial.crt) and private key (./commercial.key) match.
XXXXX ERROR: Invalid Certificate: ./commercial.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error 2 at 2 depth lookup:unable to get issuer certificate

zmcertmgr verifycrt comm ./commercial.key ./all.crt
** Verifying ./all.crt against ./commercial.key
Certificate (./all.crt) and private key (./commercial.key) match.
XXXXX ERROR: Invalid Certificate: ./all.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error 2 at 2 depth lookup:unable to get issuer certificate


And when I try to install the certs, I get a similar error:
zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: ./commercial.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
error 2 at 2 depth lookup:unable to get issuer certificate
XXXXX ERROR: provided cert isn't valid.


HELP!!!!!!

#2
10-25-2008, 02:12 PM
Zimbra Employee, Posts: 46

It means the certificate path or chain is broken and you are missing certificate chain files. Are you sure you have all the intermediate and root certs with you? Following links might help you:

Unable to get issuer certificate - Zimbra :: Wiki

About the zmcertmgr:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki
- Irfan

#3
10-25-2008, 04:35 PM
fab, Active Member, Posts: 25

This is how I did it and it works, but remember to issue the following commands as root:
- stop zimbra
su - zimbra -c zmcontrol stop
- remove old certificate files
rm -f /opt/zimbra/ssl/zimbra/commercial/*
rm -f /opt/zimbra/conf/ca/*
- copy the certificate signing request and private key files in
/opt/zimbra/ssl/zimbra/commercial/commercial.csr
/opt/zimbra/ssl/zimbra/commercial/commercial.key
- copy the commercial certificate in
/tmp/commercial.crt
- if needed, create a chain certificate of the root CA and the intermediate CA and put it in /tmp (pay attention to the trailing LF char at the end of each file, it must be present or zmcertmgr will fail)
cat ca_root.crt ca_intermediate.crt > /tmp/ca.crt
- if you do not have an intermediate CA, simply copy your CA cert file in
/tmp/ca.crt
- install the commercial certificate with the command
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca.crt
- link ca.pem to commercial_ca.pem (zmcertmgr always generates ca.pem for a self-signed CA and even if you deploy a commercial certificate the zimbra ldap server won't start if ca.pem is not present, so I think it's better to link it to your real CA cert file)
cd /opt/zimbra/conf/ca/
rm ca.key ca.pem ; ln -s commercial_ca.pem ca.pem
- verify the certificate was deployed
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
- fix /opt/zimbra permissions
/opt/zimbra/libexec/zmfixperms
- start zimbra
su - zimbra -c zmcontrol start

Last edited by fab; 10-25-2008 at 04:41 PM.
#4
10-29-2008, 11:46 AM
Intermediate Member, Posts: 17

Sorry for the followup delay, but I have been working other fires...

I am absolutely certain that all the intermediate certs are present. The exact same cert files are used by Apache without any issue:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/digicert/blah.crt
SSLCertificateKeyFile /etc/pki/tls/private/digicert/blah.key
SSLCertificateChainFile /etc/pki/tls/certs/digicert/blah_ca.crt

Also, I noticed in the example in the previous message that the CSR is in the commercial directory? Is that a requirement to make all this work?

#5
10-29-2008, 12:04 PM
Intermediate Member, Posts: 17

Here is the chain of trust from openssl:

subject=/C=US/ST=South Carolina/L=Darlington/O=Diamond Hill Plywood Company/OU=Information Technology Department/CN=*.diamondhillplywood.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3


subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA


subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
issuer=/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority


To me, this chain of trust looks complete -- unless for some reason Zimbra does not recognize the Entrust Root. (I would think that everyone would recognize the Entrust Root!!)

Jon Kibler

#6
10-29-2008, 02:54 PM
Intermediate Member, Posts: 17
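Added example for posts #1, #3 and #5 (this is not code from the thread, from any poster, or from Zimbra). The line "error 2 at N depth lookup: unable to get issuer certificate" in post #1 means openssl, which zmcertmgr verifycrt runs underneath, reached the certificate at depth N (0 = the server cert) and found no certificate in the CA file whose subject matches that certificate's issuer. In post #1 that depth is 2, the "DigiCert High Assurance EV Root CA" certificate, and the listing in post #5 shows that copy of it is issued by Entrust rather than by itself, so the chain as bundled never ends at a self-signed root. The script below rebuilds both failure modes in miniature with a throwaway root -> intermediate -> wildcard leaf hierarchy: a CA file that is missing an issuer (the depth N error), and fab's trailing-LF trap from post #3, where plain cat glues two PEM files into one and the second certificate silently disappears. It assumes only that the openssl CLI (1.1.0 or newer, for -no-CApath) is on PATH; every file name, subject and directory is invented for the demo and nothing touches /opt/zimbra.

```shell
#!/bin/sh
# Added example (not Zimbra's code, not from the thread): reproduce the two ways a
# CA bundle fails zmcertmgr's chain check, using a locally generated test hierarchy.
# Assumes the openssl CLI is on PATH; all names and paths below are constructed.

# pem_cat FILE... : concatenate PEM files, guaranteeing a newline after each one.
# A file without a trailing LF glues "-----END CERTIFICATE-----" and the next
# "-----BEGIN CERTIFICATE-----" onto one line; PEM parsers then stop after the
# first block, which is the trap fab warns about in post #3.
pem_cat() {
    for f in "$@"; do
        cat "$f"
        # $(...) strips trailing newlines, so it is empty exactly when the last byte is LF
        [ -z "$(tail -c 1 "$f")" ] || printf '\n'
    done
}

# pem_count FILE : how many certificates a PEM parser will actually see in FILE
# (BEGIN markers that start a line).
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# make_demo_chain DIR : write root.crt, inter.crt (a real CA: CA:true + keyCertSign),
# commercial.key/.crt (leaf signed by the intermediate) and root_nolf.crt
# (the root with its final LF removed) into DIR. Subjects are invented.
make_demo_chain() {
    d=$1
    mkdir -p "$d" || return 1
    # without CA:true openssl refuses the intermediate as an issuer ("invalid CA certificate")
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/O=Demo/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=Demo/CN=Demo Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj '/O=Demo/CN=*.example.test' \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null || return 1
    openssl x509 -req -days 30 -in "$d/commercial.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/commercial.crt" 2>/dev/null || return 1
    # $(...) drops the trailing newline; printf '%s' does not put it back
    printf '%s' "$(cat "$d/root.crt")" > "$d/root_nolf.crt"
}

# verify_leaf LEAF CHAIN : the check zmcertmgr verifycrt performs; prints openssl's
# verdict and returns 0 only when LEAF chains up to a self-signed root inside CHAIN.
# -no-CApath keeps the system trust store out of it, so the verdict reflects CHAIN alone.
verify_leaf() {
    openssl verify -no-CApath -CAfile "$2" "$1"
}

# chain_pairs BUNDLE : subject/issuer of every certificate in BUNDLE, the listing
# shown in post #5. Walk it from the top: the first certificate whose issuer is
# neither itself nor the subject of another entry is the one reported at "depth N".
chain_pairs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

demo() {
    d=$(mktemp -d)
    make_demo_chain "$d" || { echo "could not build demo chain" >&2; return 1; }

    echo "== intermediate only: fails at depth 1, the intermediate's issuer is missing"
    verify_leaf "$d/commercial.crt" "$d/inter.crt"

    echo "== root (no trailing LF) + intermediate via cat: one certificate vanishes"
    cat "$d/root_nolf.crt" "$d/inter.crt" > "$d/broken_ca.crt"
    echo "certs visible: $(pem_count "$d/broken_ca.crt")"
    verify_leaf "$d/commercial.crt" "$d/broken_ca.crt"

    echo "== same files via pem_cat: complete chain"
    pem_cat "$d/root_nolf.crt" "$d/inter.crt" > "$d/ca.crt"
    echo "certs visible: $(pem_count "$d/ca.crt")"
    chain_pairs "$d/ca.crt"
    verify_leaf "$d/commercial.crt" "$d/ca.crt"
    # the deploy step from post #3 would now be, as root on the Zimbra host:
    #   /opt/zimbra/bin/zmcertmgr deploycrt comm "$d/commercial.crt" "$d/ca.crt"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found on PATH; nothing to demonstrate" >&2
fi
```

Run it as-is and read the depth number in each failing verdict: it is the position in the chain, counted from the server certificate, at which the bundle stops matching, which is the same number zmcertmgr echoes in the "error 2 at N depth lookup" line. Running verify_leaf against the real commercial.crt and the real ca.crt before calling zmcertmgr deploycrt catches both problems without touching the running Zimbra installation.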

Irfan: Can you please take a look at my latest update? THANKS!