  #1 (permalink)  
Old 04-11-2009, 12:31 AM
Loyal Member
 
Posts: 81
Question [SOLVED] SSL Installation Error

I've looked around a lot to find the answer to this issue and have yet to find a single thing to solve my issue.

I recovered from a backup copy of /opt/zimbra. Aside from a few stupid mistakes (like forgetting to rename the directory from current to zimbra) it went pretty well.

During my installation, my ssl certificate from godaddy was revoked. There's a fun story behind that.

I tried to install a new certificate by first making a new csr, going out to godaddy, rekeying the thing, and then going to the web interface. I've previously had issues installing certificates from godaddy onto zimbra so I already had a bookmark to a comment. [SOLVED] GoDaddy certs on 5.0.6

I remember that working perfectly in the past, but not this go around. After trying to install, I got this error.

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

Now, this makes sense that a non-existing file wouldn't match up with the existing file....

zimbra@vindico:~$ file /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: ASCII text

zimbra@vindico:~$ file /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key: ERROR: cannot open `/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key' (No such file or directory)

zimbra@vindico:~$ ls -l /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/
total 12
-rw-r----- 1 zimbra zimbra 1785 Apr 11 02:10 current.crt
-rw-r----- 1 zimbra zimbra 8144 Apr 11 02:10 current_chain.crt

On a side note: I wish I understood why ls -l grabbed a number for .. instead of just .

I'm not really sure how this can make a .crt w/o a .key so I'm assuming something must have been missed.

I've been fighting this for 20+hr and I've had it with trying to figure it out myself.

I realize I probably have about a week to wait until I can get an answer, but I do hope for a quick response. I know that once you guys get to me you'll be able to take care of me right well.

Thanks,
  #2 (permalink)  
Old 04-11-2009, 08:39 AM
Zimbra Employee
 
Posts: 55
Default

You can use the zmcertmgr utility to deploy the certificate.
Run these commands as root:

1) mkdir /root/certs and place the cert files in there
2) cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt >> /root/certs/commercial_ca.crt
3) verify the certificate
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt./commercial_ca.crt
4) deploy the cert
    cd /root/certs
    /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt./commercial_ca.crt
5) restart the zimbra services
    su zimbra
    zmcontrol stop
    zmcontrol start

Last edited by Ramadan Mansoura; 04-11-2009 at 11:32 AM..
  #3 (permalink)  
Old 04-11-2009, 11:20 AM
Loyal Member
 
Posts: 81
Default

This is as far as I can get... Thanks for the really fast reply.

root@vindico:/root/certs# ls
commercial_ca.crt gd-class2-root.crt gd_intermediate.crt
gd_bundle.crt gd_cross_intermediate.crt vindico.crt

root@vindico:/root/certs# cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt > /root/certs/commercial_ca.crt

root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key ./commercial.crt./commercial_ca.crt
** Verifying ./commercial.crt./commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial.key
XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial.key
  #4 (permalink)  
Old 04-11-2009, 12:12 PM
Loyal Member
 
Posts: 81
Default Little Change

There's an error on that wiki page.

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt./commercial_ca.crt

Right here -> ./commercial.crt./commercial_ca.crt <- should have a space in there.


root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./vindico.crt ./commercial_ca.crt
** Verifying ./vindico.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./vindico.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file ./commercial_ca.crt
4595:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:
4595:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
XXXXX ERROR: Invalid Certificate:
root@vindico:/root/certs#
  #5 (permalink)  
Old 04-11-2009, 12:24 PM
Loyal Member
 
Posts: 81
Default Another Update

Apparently there's something funky with the second file.

I went into the file and replaced
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
With this
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

Now I get the following error. I don't like that an error is still occurring, but I'm happy that I'm at least making progress. I guess sleep does help things.


root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./vindico.crt ./commercial_ca.crt
** Verifying ./vindico.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./vindico.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: ./vindico.crt: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate

I'm not really sure how it can be freaking out that my certificate is invalid when the private key matches up with it, and that cert came from a download.
  #6 (permalink)  
Old 04-11-2009, 12:36 PM
Loyal Member
 
Posts: 81
Default And Fixed!

That space thing happens with the deploycrt command too.

I used this instead:
cat gd_cross_intermediate.crt gd_intermediate.crt gd_bundle.crt > commercial_ca.crt

Went in and fixed that line break thing.

And things finally work.

Now to go try it out.
Reply With Quote
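
The line-break problem worked through in posts #5 and #6, as an added example that is not part of the thread: when a PEM file lacks a final newline, a plain cat glues its END marker to the next file's BEGIN marker, which is what produced the "bad end line" error. The function names and the placeholder sample files below are assumptions made for illustration.

```shell
# Added example (not from the thread): build a CA bundle without fusing PEM markers.

# Number of lines where an END marker is glued to the next BEGIN marker.
count_fused_markers() {
    awk '/-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----/ { n++ }
         END { print n + 0 }' "$1"
}

# Concatenate PEM files into $1. awk re-emits every line with a newline, so a
# file that lacks a final newline still ends cleanly; stray CRs are dropped too.
build_ca_bundle() {
    bundle=$1; shift
    : > "$bundle" || return 1
    for pem in "$@"; do
        [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
        awk '{ sub(/\r$/, ""); print }' "$pem" >> "$bundle"
    done
}

# Succeed only if each marker is alone on its line and BEGIN/END pair up.
check_bundle() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; n++; next }
         /^-----END CERTIFICATE-----$/   { if (!inside) bad = 1; inside = 0; next }
         /-----(BEGIN|END) CERTIFICATE-----/ { bad = 1 }
         END { if (bad || inside || n == 0) exit 1 }' "$1"
}

# Constructed sample input: two placeholder PEM files (bodies are not real
# certificates); the first has no trailing newline, as in the thread.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
        '-----END CERTIFICATE-----' > "$1/first.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
        '-----END CERTIFICATE-----' > "$1/second.crt"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    cat "$dir/first.crt" "$dir/second.crt" > "$dir/naive.crt"
    build_ca_bundle "$dir/safe.crt" "$dir/first.crt" "$dir/second.crt"
    echo "naive: $(count_fused_markers "$dir/naive.crt") fused marker line(s)"
    echo "safe:  $(count_fused_markers "$dir/safe.crt") fused marker line(s)"
    check_bundle "$dir/safe.crt" && echo "safe bundle: markers well-formed"
    rm -rf "$dir"
}
demo
```

This only checks the PEM framing; the bundle still has to pass zmcertmgr verifycrt, as in the thread, before it is deployed.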