
Thread: Cannot get zmcertmgr to accept known good certs

  1. #1
    jon.kibler@aset.com (Intermediate Member, joined Oct 2008)

    Cannot get zmcertmgr to accept known good certs

    Hello,

    After having given up on the web interface, I have spent most of the afternoon trying to get zmcertmgr to work. I have a known good cert, known good cert chain, and a known matching private key. They work perfectly in Apache 2.x on a web site. (Cert is a wildcard cert.)

    However, zmcertmgr says that it cannot validate the issuer's root. I have tried it with combining all keys into a single file, using a separate temp.crt and temp_ca.crt files, etc. and NOTHING seems to work! Here are some examples:

    zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
    ** Verifying ./commercial.crt against ./commercial.key
    Certificate (./commercial.crt) and private key (./commercial.key) match.
    XXXXX ERROR: Invalid Certificate: ./commercial.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    error 2 at 2 depth lookup:unable to get issuer certificate

    zmcertmgr verifycrt comm ./commercial.key ./all.crt
    ** Verifying ./all.crt against ./commercial.key
    Certificate (./all.crt) and private key (./commercial.key) match.
    XXXXX ERROR: Invalid Certificate: ./all.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    error 2 at 2 depth lookup:unable to get issuer certificate


    And when I try to install the certs, I get a similar error:
    zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: ./commercial.crt: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    error 2 at 2 depth lookup:unable to get issuer certificate
    XXXXX ERROR: provided cert isn't valid.


    HELP!!!!!!

  2. #2
    irfan (Zimbra Employee, Pune, India, joined Aug 2007)

    It means the certificate path or chain is broken and you are missing certificate chain files. Are you sure you have all the intermediate and root certs with you? The following links might help you:

    Unable to get issuer certificate - Zimbra :: Wiki

    About the zmcertmgr:
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    - Irfan




  3. #3
    fab (Active Member, joined Oct 2008)

    This is how I did it and it works, but remember to issue the following commands as root:
    - stop zimbra
    su - zimbra -c zmcontrol stop
    - remove old certificate files
    rm -f /opt/zimbra/ssl/zimbra/commercial/*
    rm -f /opt/zimbra/conf/ca/*
    - copy the certificate signing request and private key files in
    /opt/zimbra/ssl/zimbra/commercial/commercial.csr
    /opt/zimbra/ssl/zimbra/commercial/commercial.key
    - copy the commercial certificate in
    /tmp/commercial.crt
    - if needed, create a chain certificate of the root CA and the intermediate CA and put it in /tmp (pay attention to the trailing LF char at the end of each file, it must be present or zmcertmgr will fail)
    cat ca_root.crt ca_intermediate.crt > /tmp/ca.crt
    - if you do not have an intermediate CA, simply copy your CA cert file in
    /tmp/ca.crt
    - install the commercial certificate with the command
    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca.crt
    - link ca.pem to commercial_ca.pem (zmcertmgr always generates ca.pem for a self-signed CA and even if you deploy a commercial certificate the zimbra ldap server won't start if ca.pem is not present, so I think it's better to link it to your real CA cert file)
    cd /opt/zimbra/conf/ca/
    rm ca.key ca.pem ; ln -s commercial_ca.pem ca.pem
    - verify the certificate was deployed
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    - fix /opt/zimbra permissions
    /opt/zimbra/libexec/zmfixperms
    - start zimbra
    su - zimbra -c zmcontrol start
    Last edited by fab; 10-25-2008 at 03:41 PM.

  4. #4
    jon.kibler@aset.com (Intermediate Member, joined Oct 2008)

    Sorry for the followup delay, but I have been working other fires...

    I am absolutely certain that all the intermediate certs are present. The exact same cert files are used by Apache without any issue:
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/digicert/blah.crt
    SSLCertificateKeyFile /etc/pki/tls/private/digicert/blah.key
    SSLCertificateChainFile /etc/pki/tls/certs/digicert/blah_ca.crt

    Also, I noticed in the example in the previous message that the CSR is in the commercial directory? Is that a requirement to make all this work?

  5. #5
    jon.kibler@aset.com (Intermediate Member, joined Oct 2008)

    Here is the chain of trust from openssl:

    subject=/C=US/ST=South Carolina/L=Darlington/O=Diamond Hill Plywood Company/OU=Information Technology Department/CN=*.diamondhillplywood.com
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3


    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA


    subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    issuer=/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority


    To me, this chain of trust looks complete -- unless for some reason Zimbra does not recognize the Entrust Root. (I would think that everyone would recognize the Entrust Root!!)

    Jon Kibler
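Added example (editor's, not part of the thread and not Zimbra's code). The failures in #1 and the chain printed in #5 have a common explanation that the thread never spells out. The line "error 2 at 2 depth lookup:unable to get issuer certificate" is openssl verify's own output, and depth 2 is the third certificate, the DigiCert High Assurance EV Root CA. In the chain in #5 that certificate's issuer is Entrust.net, not itself, so it is a cross-signed root rather than a self-signed trust anchor. openssl verify treats only a self-signed certificate in the CA file as a trust anchor, so it keeps looking for the Entrust issuer, which is not in the file, and reports exactly that lookup failure. mod_ssl sends SSLCertificateChainFile to clients without verifying it, so the same files working in Apache is no evidence either way. What openssl verify (and therefore zmcertmgr) needs is a bundle that ends in the self-signed DigiCert High Assurance EV Root CA, or additionally contains the Entrust root. The script below rebuilds that situation with a throwaway PKI and runs the pre-flight checks worth doing before the deploycrt step in fab's procedure in #3 (trailing LF on each file, key/cert match, chain verify, self-signed top). Everything in it is constructed for the demo: the CA names are placeholders and not DigiCert's or Entrust's certificates, the only requirement is the openssl command-line tool, and preflight is a hypothetical helper, not a zmcertmgr command.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Builds a throwaway PKI in the
# shape of the chain in #5 (leaf -> intermediate -> root, with the root also present
# as a cross-signed copy issued by an older root) and shows why `openssl verify
# -CAfile`, the check behind zmcertmgr's "Invalid Certificate" message, fails with
# "error 2 at 2 depth lookup" on one bundle and passes on the other.
# All names below are placeholders; only the openssl CLI is required.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/demo.cnf"
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
cd "$WORK"

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }

# mk_root BASE CN: self-signed root (subject == issuer), i.e. a real trust anchor
mk_root() {
  newkey "$1.key"
  openssl req -x509 -new -key "$1.key" -subj "/O=Demo/CN=$2" -days 30 \
    -config "$CFG" -extensions ca_ext -out "$1.crt" 2>/dev/null
}

# issue BASE CN ISSUER EXT [KEY]: certificate for KEY (fresh unless given), signed by ISSUER
issue() {
  key=${5:-$1.key}
  [ -f "$key" ] || newkey "$key"
  openssl req -new -key "$key" -subj "/O=Demo/CN=$2" -config "$CFG" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial -days 30 \
    -extfile "$CFG" -extensions "$4" -out "$1.crt" 2>/dev/null
}

mk_root root   "Demo High Assurance EV Root CA"   # the self-signed root the bundle must end in
mk_root legacy "Demo Legacy Secure Server CA"     # older root that cross-signs it (Entrust's role in #5)
issue ca3  "Demo High Assurance CA-3" root ca_ext
issue leaf "*.example.com"            ca3  leaf_ext
# cross-signed copy of the root: same key and subject as root.crt, but issued by legacy
issue root-cross "Demo High Assurance EV Root CA" legacy ca_ext root.key

cat ca3.crt root-cross.crt > chain-cross.crt   # shape of the thread's commercial_ca.crt
cat ca3.crt root.crt       > chain-good.crt    # intermediate + self-signed root

# ends_with_newline FILE: zmcertmgr concatenates PEM files, so each must end in LF (fab, #3)
ends_with_newline() { [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" = 1 ]; }

# key_matches CRT KEY: same public key in both, the first thing zmcertmgr reports
key_matches() { [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; }

# chain_ok CRT CAFILE: the verify behind "Invalid Certificate"; matched on the "OK" line
# rather than the exit status so it behaves the same on old and new openssl releases
chain_ok() { openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; }

# top_is_self_signed CAFILE: the last certificate in the bundle has subject == issuer
top_is_self_signed() {
  last=$(awk '/BEGIN CERT/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1")
  subj=$(printf '%s\n' "$last" | openssl x509 -noout -subject | sed 's/^subject= *//')
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# preflight CRT KEY CAFILE (hypothetical helper): what to confirm before
# `zmcertmgr deploycrt comm CRT CAFILE`; prints openssl's reason when the chain fails
preflight() {
  for f in "$1" "$3"; do
    ends_with_newline "$f" || { echo "FAIL: $f lacks a trailing LF"; return 1; }
  done
  key_matches "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
  if ! chain_ok "$1" "$3"; then
    openssl verify -CAfile "$3" "$1" 2>&1 | grep '^error' || true
    top_is_self_signed "$3" ||
      echo "FAIL: last cert in $3 is cross-signed; append the self-signed copy of that root (or its issuer)"
    return 1
  fi
  echo "OK: $1 chains to a self-signed root in $3"
}

echo "== bundle ending in a cross-signed root (the thread's situation) =="
preflight leaf.crt leaf.key chain-cross.crt || true
echo "== bundle ending in the self-signed root =="
preflight leaf.crt leaf.key chain-good.crt
```

Run it as an ordinary user; it writes only into a temporary directory that is removed on exit. The cross-signed bundle reproduces the thread's "error 2 at 2 depth lookup: unable to get issuer certificate" line and the self-signed check names the cause, while the bundle ending in the self-signed root verifies cleanly. On a real system, run preflight against the files you intend to pass to zmcertmgr before touching /opt/zimbra/ssl.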

  6. #6
    jon.kibler@aset.com (Intermediate Member, joined Oct 2008)

    Irfan: Can you please take a look at my latest update? THANKS!
