Thread: [SOLVED] Verisign cert fails on 5.0.18 NE

  1. #1 swrightsls (Senior Member)

    [SOLVED] Verisign cert fails on 5.0.18 NE

    I have read several posts here, and the wiki here Installing a Verisign Test Certificate - Zimbra :: Wiki

    but still cannot get my verisign cert to install.

    I have supplied the X.509 cert from verisign (also tried the PK... version), along with the root and intermediates from verisign using the wizard, but get this error in the wizard.

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=xx/ST=xxxxxx/L=xxxxxxxxxxxx/O=xxxxxxxxxxxx/OU=xxxxxxxxxx/OU=Terms of use at VeriSign, Inc. - Redirect (c)05/CN=xxx.domain.com

    I was also unable to generate a CSR from the wizard, and followed a post here on using the command line to do this. I am really not comfortable going further with the command line install on a production server unless I understand the process more. The troubleshooting tips at the bottom of this page

    5.x Commercial Certificates Guide - Zimbra :: Wiki

    don't really explain much. This is a fresh install of 5.0.18 with the self-signed cert installed only at the moment.

    Thanks

  2. #2 swrightsls (Senior Member)

    A bit more info. I ran this command:

    zmcertmgr verifycrt /opt/zimbra/ssl/zimbra/commercial/commercial.key verisign.crt

    and got this:

    error 20 at 0 depth lookup:unable to get local issuer certificate

    Which seems to lead to the broken chain message I got in the wizard. I'm not sure where the intermediate cert comes in when using this verifycrt command.
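The "error 20 at 0 depth lookup" above is openssl's way of saying that it could not find the issuer of the server certificate among the certificates it was given, which is exactly what happens when the intermediate is missing. As an added example that is not part of this thread and not Zimbra's zmcertmgr, the script below builds a throwaway root, intermediate and server certificate with plain openssl, then verifies the server certificate once without and once with the intermediate; every name in it is made up.

```shell
#!/bin/sh
# Added example (not from this thread or from Zimbra's zmcertmgr): build a throwaway
# root -> intermediate -> leaf chain with openssl, then verify the leaf with and
# without the intermediate to reproduce the "error 20 ... unable to get local
# issuer certificate" failure and show what supplying the intermediate changes.
# All names are constructed; nothing here touches a real CA or server.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf;
# the real subject is always given on the command line with -subj.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > req.cnf

# Small EC keys keep generation fast; the key type is irrelevant to chain building.
newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Extensions that mark a certificate as a CA; verify rejects an issuer without them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed with its own key.
newkey root.key
openssl req -new -config req.cnf -key root.key -subj "/CN=Example Test Root" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 1 \
    -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA: signed by the root. This is the file a public CA ships as the
# "intermediate" and that must accompany the server certificate.
newkey int.key
openssl req -new -config req.cnf -key int.key -subj "/CN=Example Test Intermediate" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 -days 1 \
    -extfile ca.ext -out int.crt 2>/dev/null

# Leaf (server) certificate: signed by the intermediate, not by the root.
newkey leaf.key
openssl req -new -config req.cnf -key leaf.key -subj "/CN=mail.example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -set_serial 3 -days 1 \
    -out leaf.crt 2>/dev/null

# verify_leaf [INTERMEDIATE]: trust only the root; optionally offer INTERMEDIATE as
# an untrusted chain-building certificate. Prints "OK" or "FAIL:<openssl output>".
verify_leaf() {
    if [ $# -gt 0 ]; then
        out="$(openssl verify -CAfile root.crt -untrusted "$1" leaf.crt 2>&1)" || { echo "FAIL:$out"; return 0; }
    else
        out="$(openssl verify -CAfile root.crt leaf.crt 2>&1)" || { echo "FAIL:$out"; return 0; }
    fi
    echo OK
}

echo "without intermediate: $(verify_leaf)"
echo "with intermediate:    $(verify_leaf int.crt)"
```

The first call fails with the same "unable to get local issuer certificate" text seen in the post; the second passes only because the intermediate was handed to verify as chain material. The same logic applies to any deployment tool: the server certificate, its intermediate(s) and the private key all have to be present, and the intermediate has to be the one that actually signed the server certificate.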

  3. #3 swrightsls (Senior Member)

    Still broken.

    I have found yet another document describing this procedure, but it doesn't work either.

    The Admin guide suggests using zmcertmgr, although the command line options are horribly out of date. After sorting that out, I tried this:

    /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject/C='CA'/ST='British Columbia'/L='Shawnigan Lake'/O='Shawnigan Lake School'/OU='IT Department'/CN=mail.shawnigan.ca

    which told me this:
    ** Generating a server csr for download comm -new -subject/C=CA/ST=British Columbia/L=Shawnigan Lake/O=Shawnigan Lake School/OU=IT Department/CN=mail.shawnigan.ca
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090729144212
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.

    I then viewed the CSR:
    /opt/zimbra/bin/zmcertmgr viewcsr comm /opt/zimbra/ssl/zimbra/commercial/commercial.csr

    which shows this:
    subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.shawnigan.ca
    SubjectAltName=

    So the web GUI is broken. The zmcertmgr is broken (and the docs out of date).

    Surely someone has an idea on how to install a Verisign cert on 5.0.18?

  4. #4 veronica (Outstanding Member)

    Recommendation would be to follow the command line for cert install. You can download the intermediate cert from the verisign website.

  5. #5 swrightsls (Senior Member)

    Finally fixed. (I hope)

    Ok, after some time on the phone with Verisign yesterday, I got a new cert issued and installed, but I have not yet done a zimbra restart; I am waiting for a downtime window to do this.

    Verisign was able to confirm a few things - first the int. cert I had was incorrect, which explains the failure to install via the GUI or command line. I fixed this.

    But I was never able to generate a new CSR from the web console, and the docs for the command line tool are incorrect at this page:

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    Both the above "official" wiki, and the help presented by the zmcertmgr tool are incorrect, and the example given at the wiki does not work, at least on 5.0.18 and 6.0 b2.

    Once I found this out, I was able to generate a CSR using this command line:

    (Note that the '-subject' parameter must *not* be specified - the actual subject goes in its place.)

    /opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=CA/ST=British Columbia/L=Shawnigan Lake/O=Shawnigan Lake School/OU=IT Department/CN=mail.shawnigan.ca"
    ** Generating a server csr for download comm -new /C=CA/ST=British Columbia/L=Shawnigan Lake/O=Shawnigan Lake School/OU=IT Department/CN=mail.shawnigan.ca
    subj=/C=CA/ST=British Columbia/L=Shawnigan Lake/O=Shawnigan Lake School/OU=IT Department/CN=mail.shawnigan.ca
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20090729150609
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.

    I was able to finally install the cert using the web gui.

    IMHO, Zimbra really needs to clean up their docs on this issue - I have no problem using command line tools, and often prefer them, but these multiple sources of incorrect information need to be fixed. I have yet to find a document on generating a CSR with zmcertmgr that actually shows the correct syntax.
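Post #3 shows the failure mode worth guarding against: the tool silently produced a CSR with its default subject (/C=US/ST=N/A/...) and an empty SubjectAltName instead of the one requested. The check that catches this is to read the subject and SAN back out of the CSR before sending it to the CA. As an added example that is not part of this thread and not zmcertmgr, the script below generates a CSR with an explicit subject and SAN from a config file using plain openssl and reads both back; the organization and host names are made up.

```shell
#!/bin/sh
# Added example (not from this thread or from Zimbra's zmcertmgr): generate a CSR
# whose subject and SubjectAltName are set explicitly in a config file, then read
# both back out of the CSR. This is the check that would have exposed the default
# "/C=US/ST=N/A/..." subject and empty SAN seen in post #3. Names are constructed.
set -eu
WORK="$(mktemp -d)"

# make_csr HOSTNAME: writes a key and CSR for HOSTNAME under $WORK, prints the CSR path.
make_csr() {
    host="$1"
    # Full DN in the config; prompt=no makes openssl take it as-is instead of asking.
    cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C  = CA
ST = British Columbia
L  = Shawnigan Lake
O  = Example School
OU = IT Department
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" -config "$WORK/csr.cnf" -out "$WORK/server.csr"
    echo "$WORK/server.csr"
}

# csr_cn CSR: prints the CN the CSR actually carries. RFC 2253 order puts CN first,
# so the first RDN after "subject=" is the one we want.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# csr_san CSR: prints the SubjectAltName line from the requested extensions,
# or nothing if the CSR has none (the failure seen in post #3).
csr_san() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

CSR="$(make_csr mail.example.test)"
echo "CN in CSR:  $(csr_cn "$CSR")"
echo "SAN in CSR: $(csr_san "$CSR")"
```

If the CN or SAN printed here is not what was requested, the CSR should not go to the CA; a certificate issued from it would carry the wrong names and fail hostname checks in every client.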

  6. #6 swrightsls (Senior Member)

    Update - I was able to install the cert using the admin web UI, and a restart successfully enabled the certificate.

  7. #7 gracedman (Special Member)

    Thanks very much for this; it saved me no end of grief today. In fact, it pointed us to solving another problem. We use a separate Zimbra Internet MTA. In the past, the GUI completely mangled certificate handling for it - in fact, when providing the CSR for the MTA it actually provided the CSR for the main server!

    Using the zmcertmgr syntax, we generated the CSR correctly and locally on the MTA. We then edited the request in the CA to add back the missing SubjAltNames and then imported it back in from the command line with:

    zmcertmgr deploycrt comm ~/cert.pem ~/CAcert.pem