
Thread: [SOLVED] Commercial SSL Cert Install Zimbra 5.x -- again

  1. #1 PhishKiller

    Default [SOLVED] Commercial SSL Cert Install Zimbra 5.x -- again

    First off, I've looked at about 10% of the 900 hits I received searching on this issue. Most were pre-5 which I'm 99% sure has nothing to do with the current version.

    When we deployed last December getting the SSL cert installed was little short of multiple root canals sans anesthesia. Installing our renewed cert (or trying to) has been equally painful. I'm expressing my frustration first because I feel you guys really need to work on making this process simpler, and the documentation errors cleaned up.

    I have compared our new cert against the current installed one physically on the disk drive and it looks like it's ready to go. Here is a diff of them:

    Code:
    >
    # openssl x509 -in main_ffddee_com.cert -noout -text > cert1.info
    ># openssl x509 -in ./zimbra/commercial/commercial.crt -noout -text > cert2.info
    [root@mail ssl]# diff cert1.info cert2.info
    4c4
    <         Serial Number: xxxxxxx (0x------)
    ---
    >         Serial Number: xxxxxxx (0x------)
    8,10c8,10
    <             Not Before: Nov 25 23:51:31 2008 GMT
    <             Not After : Jan 25 23:51:31 2012 GMT
    <         Subject: C=US, O=mail.ffddee.com, OU=GT04133245, OU=See www.geotrust.com/resources/cps (c)08, OU=Domain Control Validated - QuickSSL(R), CN=mail.ffddee.com
    ---
    >             Not Before: Dec 11 00:46:39 2007 GMT
    >             Not After : Dec 11 00:46:39 2008 GMT
    >         Subject: C=US, O=mail.ffddee.com, OU=GT04733245, OU=See www.geotrust.com/resources/cps (c)07, OU=Domain Control Validated - QuickSSL(R), CN=mail.ffddee.com
    41,48c41,48
    This looks pretty straightforward.

    I tried to install from the UI, and it's asking for 3 certs. I only have one physical PEM encoded file. So that became a dead-end rapidly. After some reading it would seem the UI install process is not reliable anyway, so off to the CLI.

    Using this Wiki page, I moved to the last two steps, 6 and 7:

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    Ran step 6 and validated the cert (of course I have changed the md5 strings before posting):
    Code:
    ># /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key main_ffddee_com.cert
    key_md5=0822598----b32e6d623------------
    crt_md5=0822598----b32e6d623------------
    Matched: valid certificate (main_ffddee_com.cert) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) matching pair
    Step 7 for the deployment is where my blood pressure went up. First off, the command suggested does not seem to be valid on my machine. This does not inspire confidence. The option 'deploycrt' does not seem to be part of zmcertmgr.

    Code:
    > # /opt/zimbra/bin/zmcertmgr deploycrt comm. main_ffddee_com.cert 
    
    Usage: 
      /opt/zimbra/bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
      /opt/zimbra/bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
      /opt/zimbra/bin/zmcertmgr gencsr  <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
      /opt/zimbra/bin/zmcertmgr install <self|comm> [-new] [validation_days]
      /opt/zimbra/bin/zmcertmgr viewcsr <self|comm> [csr_file]
      /opt/zimbra/bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
    The only thing I could assume at this point is the program was changed or the doc author meant 'install', so I tried that and it failed with an error I do not understand how to fix (oh, and the XXXXX is not something I obfuscated, that's the actual error number?)

    Code:
    ># /opt/zimbra/bin/zmcertmgr install comm main_ffddee_com.cert
    XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.
    Usage: 
      /opt/zimbra/bin/zmcertmgr viewdeployedcrt [all|ldap|mta|proxy|mailboxd]
      /opt/zimbra/bin/zmcertmgr viewstagedcrt <self|comm> [certfile]
      /opt/zimbra/bin/zmcertmgr gencsr  <self|comm> [-new] [subject] [-subjectAltNames "host1,host2"]
      /opt/zimbra/bin/zmcertmgr install <self|comm> [-new] [validation_days]
      /opt/zimbra/bin/zmcertmgr viewcsr <self|comm> [csr_file]
      /opt/zimbra/bin/zmcertmgr verifycrt <self|comm> [priv_key] [certfile]
    Thinking that perhaps this was a spurious error, I checked the command to deploy the cert (a little suggestion here about the Wiki page.. if you are going to FQ the path to the command in the docs, do it for ALL of the commands.. step 8 is not FQ. It's a nit pick compared to the other issues I have with the docs, but if you are going to fix one thing, why not fix them all, right?)

    So.. I checked the deployed cert and it has not changed.

    How am I to install this cert? HELP, PLEASE!!

    If I lose my ability to use TLS on this machine I'm going to have some serious repercussions from my clients.
    Last edited by PhishKiller; 12-04-2008 at 10:45 AM.

  2. #2 PhishKiller

    Default

    Follow-up question:

    Is there any reason I just can't drop the new .crt in place of the current one, like you can with Apache?

  3. #3 PhishKiller

    Thumbs down This Is Really Making Me Unhappy!!!!!!!

    Can someone PLEASE help me out here???

    Look at this 'deployed' cert yet all the mail clients are saying it's expired!!!

    Code:
    ::service mta::
    notBefore=Nov 25 23:51:31 2008 GMT
    notAfter=Jan 25 23:51:31 2012 GMT
    subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
    issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
    SubjectAltName= 
    ::service proxy::
    notBefore=Nov 25 23:51:31 2008 GMT
    notAfter=Jan 25 23:51:31 2012 GMT
    subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
    issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
    SubjectAltName= 
    ::service mailboxd::
    notBefore=Nov 25 23:51:31 2008 GMT
    notAfter=Jan 25 23:51:31 2012 GMT
    subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
    issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
    SubjectAltName= 
    ::service ldap::
    notBefore=Nov 25 23:51:31 2008 GMT
    notAfter=Jan 25 23:51:31 2012 GMT
    subject= /C=US/O=mail.ffddyy.com/OU=GT04757745/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.ffddyy.com
    issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
    SubjectAltName=
    UPDATE: -- Don't forget to restart the server after installing the cert! Once that completed, I was once again in a nice happy, shiny Zimbra world.
    Last edited by PhishKiller; 12-10-2008 at 06:42 PM.
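The three checks this thread ends up doing by hand (key/cert match via md5 of the modulus as `zmcertmgr verifycrt` reports it, validity of the file on disk, and whether the running daemon actually serves the file that was deployed) as an added shell example using plain openssl; this is not from the thread or from Zimbra's tooling, and the host:port and file paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from zmcertmgr): the same three checks
# done with plain openssl, so they work for any key/cert pair and any live port.

# 1. Does the private key belong to the certificate? zmcertmgr verifycrt prints
#    key_md5 / crt_md5; both are the MD5 of the RSA modulus and must be equal.
cert_key_match() {
    key_md5=$(openssl rsa  -in "$1" -noout -modulus | openssl md5 | awk '{print $NF}')
    crt_md5=$(openssl x509 -in "$2" -noout -modulus | openssl md5 | awk '{print $NF}')
    [ -n "$key_md5" ] && [ "$key_md5" = "$crt_md5" ]
}

# 2. Is the certificate file itself inside its validity period right now?
#    -checkend 0 exits non-zero once notAfter has passed.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# 3. Is the cert on disk the one the daemon presents on the wire? Files under
#    /opt/zimbra/ssl can show the new dates while mta/proxy/mailboxd still hold
#    the old cert in memory until restarted: the "deployed, yet clients say
#    expired" symptom from post #3. Compares SHA-1 fingerprints.
served_matches_disk() {
    disk_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1)
    served_fp=$(openssl s_client -connect "$2" </dev/null 2>/dev/null \
                | openssl x509 -noout -fingerprint -sha1 2>/dev/null)
    [ -n "$served_fp" ] && [ "$disk_fp" = "$served_fp" ]
}

# Usage with placeholder paths/host (not values from the thread):
#   cert_key_match /opt/zimbra/ssl/zimbra/commercial/commercial.key new.crt
#   cert_valid_now new.crt
#   served_matches_disk new.crt mail.example.com:443
```

For STARTTLS ports (SMTP 25/587, IMAP 143) add `-starttls smtp` or `-starttls imap` to the `s_client` call; a match on the file but a mismatch on the wire means a restart, not a re-install, is what is missing.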
