Commercial cert : where to store passphrase ? SMTP related

[breverend]

Hello,

I'm trying to get secure SMTP work on Zimbra 5.0.13 with a geotrust commercial cert.
With the default self-signed cert :

Code:

220 testserver.mydomain.com ESMTP Postfix
ehlo xyz
250-testserver.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 Ready to start TLS

After installing the commercial cert (following Administration_Console_and_CLI_Certificate_Tools :

Code:

220 testserver.mydomain.com ESMTP Postfix
ehlo xyz
250-testserver.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
454 4.3.0 TLS not available due to local problem

From zimbra.log, I see that there's a problem getting the password for the private key :

Code:

Aug  4 23:11:17 testserver postfix/smtpd[10653]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Aug  4 23:11:17 testserver postfix/smtpd[10653]: warning: TLS library problem: 10653:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:105:
Aug  4 23:11:17 testserver postfix/smtpd[10653]: warning: TLS library problem: 10653:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:
Aug  4 23:11:17 testserver postfix/smtpd[10653]: warning: TLS library problem: 10653:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
Aug  4 23:11:17 testserver postfix/smtpd[10653]: cannot load RSA certificate and key data

My question is :
How to store the PEM passphrase for my geotrust certificate (which is the same for the private key) in zimbra ?

I'm also getting a request when starting zimbra :

Code:

zimbra@testserver:~$ zmcontrol start
Host testserver.mydomain.com
	Starting ldap...Enter PEM pass phrase:
Done.

I tried to remove the passphrase from the commercial.key file, (openssl rsa -in commercial.key -out new.key, then rename the key and redeploy). Starttls work, but my certificate is not viewed as a valid one anymore.

Thanks for your help.

Ben

[breverend]

No one uses a commercial cert with a passphrase ?

[gbr]

Sorry to kick an old thread, bad protocol.

I just installed a commercial cert, and I have the same issue. I have to manually start Zimbra after a reboot to type in the passphrase.

Gerald

Code:

zimbra@mail:~$ zmcontrol start
Host mail.norscan.com
	Starting ldap...Enter PEM pass phrase:
Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
	Starting logger...Done.
	Starting convertd...Done.
	Starting mailbox...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.

[Saturdays]

Quote:

Originally Posted by gbr

Sorry to kick an old thread, bad protocol.

I just installed a commercial cert, and I have the same issue. I have to manually start Zimbra after a reboot to type in the passphrase.

Gerald

Code:

zimbra@mail:~$ zmcontrol start
Host mail.norscan.com
	Starting ldap...Enter PEM pass phrase:
Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
	Starting logger...Done.
	Starting convertd...Done.
	Starting mailbox...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.

guess, you have to remove the passphrase.

[breverend]

Removing a passphrase from an SSL Key

Remove the passphrase, and put the new key in your zimbra directory.