
Thread: Installing Entrust Certs...

  1. #1
    sanford is offline Trained Alumni

    Hello all.

    Having an issue installing commercial Certs from Entrust.

    I generated the request from the Zimbra admin web UI.

    Sent it to Entrust.

    Received the server crt and Entrust Root CA crt

    Went back to the Zimbra admin web UI and selected install commercially signed cert.

    Located the certs and pressed "install"

    Installation failed with:

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

    I'm fairly new to SSL certs so I am unsure what this means.

    Any advice would be greatly appreciated!

  2. #2
    sanford is offline Trained Alumni

    Trying to deploy from the cli as root yields:


    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
    ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /tmp/commercial.crt: /C=US/ST=CALIFORNIA/L=Culver City/O=Media Temple/CN=xxx.xxxxx.net
    error 20 at 0 depth lookup:unable to get local issuer certificate
    XXXXX ERROR: provided cert isn't valid.

  3. #3
    nphase is offline New Member

    I've hit the same problem, and symptoms.
    Also using Entrust certificate.

    I followed the steps here:
    AndyB Zimbra SSL Certificate

    Essentially:
    Use zmcertmgr to create csr
    Get CSR signed
    Copy CRT + Root CA to ../commercial/
    Use zmcertmgr to deploy crt gives:
    ./zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    error 20 at 0 depth lookup:unable to get local issuer certificate

    Using the Entrust l1B chain certificate:
    ./zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/entrust_l1b-chain_cross_certificate.crt
    gives:
    error 2 at 1 depth lookup:unable to get issuer certificate

    I've tried using:
    ./zmcertmgr deployca /opt/zimbra/ssl/zimbra/commercial/entrust_root.crt
    to get the root CA defined. It creates the entries in /opt/zimbra/conf/ca, but still won't deploy the certificate.

    Running openssl verify on the zimbra machine fails:
    openssl verify -CAfile entrust_chain.crt commercial.crt
    commercial.crt: /C=US/O=Entrust, Inc./OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE/OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY/OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2008 Entrust, Inc.
    error 2 at 1 depth lookup:unable to get issuer certificate

    But running openssl verify on my workstation succeeds:
    openssl verify -CAfile entrust_chain.crt commercial.crt
    commercial.crt: OK

    It appears that Zimbra (6.0) isn't finding the root CA for entrust.

    Any thoughts on how to make its search successful?

    Thanks!

  4. #4
    brian is offline Project Contributor

    Don't deploy these from the /opt/zimbra/ssl/zimbra/commercial directory. Only deploy them from another directory.

  5. #5
    nphase is offline New Member

    Thanks for the reply.

    I moved all but the commercial.key from ../commercial so it contains:
    pwd
    /opt/zimbra/ssl/zimbra/commercial
    [root@zimbra commercial]# ls -la
    total 24
    drwxr----- 2 root root 4096 Oct 9 14:44 .
    drwxr----- 5 root root 4096 Sep 25 15:28 ..
    -rw-r--r-- 1 root root 887 Oct 8 12:17 commercial.key

    Then tried:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm /root/zimbra_ssl/commercial.crt /root/zimbra_ssl/entrust_chain.crt

    Same result:
    ** Verifying /root/zimbra_ssl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/zimbra_ssl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /root/zimbra_ssl/commercial.crt: /C=US/O=Entrust, Inc./OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE/OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY/OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2008 Entrust, Inc.
    error 2 at 1 depth lookup:unable to get issuer certificate
    XXXXX ERROR: provided cert isn't valid.

    What am I missing?

  6. #6
    brian is offline Project Contributor

    If it can't find the issuer certificate, you need to make sure you have the correct and full cert chain.

  7. #7
    nphase is offline New Member

    (deleted double-post)

    Agree. I'm trying to figure out why the openssl verify fails on the Zimbra box, succeeds on my workstation, but fails on another RHEL4 box.

    I noticed that the zmcertmgr script uses openssl verify to validate the cert. I'm hoping that if I can find why openssl verify fails, the zmcertmgr script will succeed.
    Last edited by nphase; 10-12-2009 at 12:35 PM.

  8. #8
    nphase is offline New Member

    Success!

    The trust chain was the cause. The trick was including the root-CA AND the chain certificate in the CA_chain_file.

    I copied only the Entrust root CA entries from /usr/share/ssl/certs/ca-bundle.crt to a new bundle.crt file, added the Entrust l1b chain certificate to the bundle.crt file, then used zmcertmgr deploycrt comm commercial.crt bundle.crt.

    Thanks for the pointer to the trust chain.
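
The two `openssl verify` errors seen in this thread, and the fix from post #8, can be reproduced offline with a constructed three-level PKI. This is an added example, not part of the original posts or of zmcertmgr; the CA names, file names and helper functions (`build_chain`, `key_matches`, `verify_status`) are made up for the demonstration.

```sh
#!/bin/sh
# Constructed PKI for illustration: root CA -> intermediate CA -> server cert.
set -eu

new_csr() {  # $1 = file basename, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = directory to fill with keys and certificates
  ( cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr root "Example Root CA"
    new_csr inter "Example Intermediate CA"
    new_csr server "mail.example.test"
    new_csr other "unrelated key"
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.crt 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
      -CAcreateserial -days 2 -out server.crt 2>/dev/null
    cat inter.crt root.crt > bundle.crt )   # intermediate AND root together
}

key_matches() {  # $1 = certificate, $2 = private key; same RSA modulus?
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

verify_status() {  # $1 = CA file, $2 = certificate; prints ok or the error
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n \
         's/^error \([0-9]*\) at \([0-9]*\) depth.*/error \1 at depth \2/p' ;;
  esac
}

work=$(mktemp -d)
build_chain "$work"
for ca in root.crt inter.crt bundle.crt; do
  echo "CAfile=$ca -> $(verify_status "$work/$ca" "$work/server.crt")"
done
key_matches "$work/server.crt" "$work/server.key" && echo "cert/key match"
```

A CA file holding only the root reproduces "error 20 at 0 depth", one holding only the intermediate reproduces "error 2 at 1 depth", and only the file with both verifies.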
