Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
Reload this Page [SOLVED] Commercial SSL Cert Install Zimbra 5.x -- again

Welcome to the Zimbra :: Forums!
Welcome, if you would like to post a comment please register. We also encourage you to explore all things Zimbra with our team and members of the community.

Reply
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 12-04-2008, 09:34 AM
Active Member
  
Posts: 48
Default [SOLVED] Commercial SSL Cert Install Zimbra 5.x -- again
First off, I've looked at about 10% of the 900 hits I received searching on this issue. Most were pre-5 which I'm 99% sure has nothing to do with the current version.

When we deployed last December getting the SSL cert installed was little short of multiple root canals sans anesthesia. Installing our renewed cert (or trying too) has been equally painful. I'm expressing my frustration first because I feel you guys really need to work on making this process simpler, the the documentation errors cleaned up.

I have compared our new cert against the current installed one physically on the disk drive and it looks like it's ready to go. Here is a diff of them:

Code:
>
# openssl x509 -in main_ffddee_com.cert -noout -text > cert1.info
># openssl x509 -in ./zimbra/commercial/commercial.crt -noout -text > cert2.info
[root@mail ssl]# diff cert1.info cert2.info
4c4
<         Serial Number: xxxxxxx (0x------)
---
>         Serial Number: xxxxxxx (0x------)
8,10c8,10
<             Not Before: Nov 25 23:51:31 2008 GMT
<             Not After : Jan 25 23:51:31 2012 GMT
<         Subject: C=US, O=mail.ffddee.com, OU=GT04133245, OU=See www.geotrust.com/resources/cps (c)08, OU=Domain Control Validated - QuickSSL(R), CN=mail.ffddee.com
---
>             Not Before: Dec 11 00:46:39 2007 GMT
>             Not After : Dec 11 00:46:39 2008 GMT
>         Subject: C=US, O=mail.ffddee.com, OU=GT04733245, OU=See www.geotrust.com/resources/cps (c)07, OU=Domain Control Validated - QuickSSL(R), CN=mail.ffddee.com
41,48c41,48
This looks pretty straight forward.

I tried to install from the UI, and it's asking for 3 certs. I only have one physical PEM encoded file. So that became a dead-end rapidly. After some reading it would seem the UI install process is not reliable anyway, so off to the CLI.

Using this Wiki page I moved to the last two steps 6 and 7

Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Ran step 6 and validated the cert (of course I have change the md5 strings before posting):
Code:
># /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key main_ffddee_com.cert
key_md5=0822598----b32e6d623------------
crt_md5=0822598----b32e6d623------------
Matched: valid certificate (main_ffddee_com.cert) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) matching pair
Step 7 for the deployment is where my bloodpressure went up. First off the command suggested does not seem to be valid on my machine. This does not inspire confidence. The option 'deploycrt' does not seem to be part of zmcertmgr.

Code:
> # /opt/zimbra/bin/zmcertmgr deploycrt comm. main_ffddee_com.cert 

Usage: 
  /opt/zimbra/bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
  /opt/zimbra/bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
  /opt/zimbra/bin/zmcertmgr gencsr  <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  /opt/zimbra/bin/zmcertmgr install <self|comm> [-new] [validation_days]
  /opt/zimbra/bin/zmcertmgr viewcsr <self|comm> [csr_file]
  /opt/zimbra/bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
The only thing I could assume at this point is the program was changed or the doc author meant 'install' so I tried that and it failed with an error I do not understand how to fix (oh and the XXXXX is not something I obfuscated, that's the actual error number? )

Code:
># /opt/zimbra/bin/zmcertmgr install comm main_ffddee_com.cert
XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.
Usage: 
  /opt/zimbra/bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
  /opt/zimbra/bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
  /opt/zimbra/bin/zmcertmgr gencsr  <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
  /opt/zimbra/bin/zmcertmgr install <self|comm> [-new] [validation_days]
  /opt/zimbra/bin/zmcertmgr viewcsr <self|comm> [csr_file]
  /opt/zimbra/bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
Thinking that perhaps this was a spurious error, I checked the command to deploy the cert (a little suggestion here about the Wiki page.. if you are going to FQ the path to the command in the docs, do it for ALL of the commands.. step 8 is not FQ. It's a nit pick compared to the other issues I have with the docs, but if you are going to fix one thing, why not fix them all, right?)

So.. I checked the deployed cert and it has not changed.

How am to to install this cert? HELP, PLEASE!!

If I lose my ability to use TLS on this machine I'm going to have some serious repercussions from my clients.
Last edited by PhishKiller; 12-04-2008 at 09:45 AM..
Reply With Quote
  #2 (permalink)  
Old 12-04-2008, 09:41 AM
Active Member
  
Posts: 48
Default
Followup up question:

Is there any reason I just can't drop the new .crt in place the the current one.. like you can with Apache?
Reply With Quote
  #3 (permalink)  
Old 12-10-2008, 05:03 PM
Active Member
  
Posts: 48
Thumbs down This Is Really Making Me Unhappy!!!!!!!
Can someone PLEASE help me out here???

Look at this 'deployed' cert yet all the mail clients are saying it's expired!!!

Code:
::service mta::
notBefore=Nov 25 23:51:31 2008 GMT
notAfter=Jan 25 23:51:31 2012 GMT
subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName= 
::service proxy::
notBefore=Nov 25 23:51:31 2008 GMT
notAfter=Jan 25 23:51:31 2012 GMT
subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName= 
::service mailboxd::
notBefore=Nov 25 23:51:31 2008 GMT
notAfter=Jan 25 23:51:31 2012 GMT
subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName= 
::service ldap::
notBefore=Nov 25 23:51:31 2008 GMT
notAfter=Jan 25 23:51:31 2012 GMT
subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName=
UPDATE: -- Don't forget to restart the server after installing the cert! Once that completed, I was once again in a nice happy, shiny Zimbra world.
Last edited by PhishKiller; 12-10-2008 at 05:42 PM..
Reply With Quote
Reply

« Previous Thread | Today's Posts or Week's Posts | Next Thread »

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode


Similar Threads

Product Information

Why Join?

Registering let's you ask questions, makes it easier to search, displays any files attached to posts, and notifies you about replies.

blog.zimbra.com


Home - Blog - Contact Us - Archive - Top


 

SEO by vBSEO ©2011, Crawlability, Inc.