#1 (09-08-2009, 12:49 PM)
Installing Entrust Certs...

Hello all.

Having an issue installing commercial Certs from Entrust.

I generated the request from the Zimbra admin web UI.

Sent it to Entrust.

Received the server crt and Entrust Root CA crt.

Went back to the Zimbra admin web UI and selected install commercially signed cert.

Located the certs and pressed "install"

Installation failed with:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

I'm fairly new to SSL certs so I am unsure what this means.

Any advice would be greatly appreciated!

#2 (09-08-2009, 06:59 PM)

Trying to deploy from the cli as root yields:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/commercial.crt: /C=US/ST=CALIFORNIA/L=Culver City/O=Media Temple/CN=xxx.xxxxx.net
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.

#3 (10-09-2009, 12:58 PM)

I've hit the same problem, and symptoms.
Also using Entrust certificate.

I followed the steps here:
AndyB Zimbra SSL Certificate

Essentially:
Use zmcertmgr to create csr
Get CSR signed
Copy CRT + Root CA to ../commercial/
Use zmcertmgr to deploy crt gives:
./zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
error 20 at 0 depth lookup:unable to get local issuer certificate

Using the Entrust l1B chain certificate:
./zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/entrust_l1b-chain_cross_certificate.crt
gives:
error 2 at 1 depth lookup:unable to get issuer certificate

I've tried using:
/zmcertmgr deployca /opt/zimbra/ssl/zimbra/commercial/entrust_root.crt
to get the root CA defined. It creates the entries in /opt/zimbra/conf/ca, but still won't deploy the certificate.

Running openssl verify on the zimbra machine fails:
openssl verify -CAfile entrust_chain.crt commercial.crt
commercial.crt: /C=US/O=Entrust, Inc./OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE/OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY/OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2008 Entrust, Inc.
error 2 at 1 depth lookup:unable to get issuer certificate

But running openssl verify on my workstation succeeds:
openssl verify -CAfile entrust_chain.crt commercial.crt
commercial.crt: OK

It appears that Zimbra (6.0) isn't finding the root CA for entrust.

Any thoughts on how to make its search successful?

Thanks!

#4 (10-09-2009, 01:34 PM)

Don't deploy these from the /opt/zimbra/ssl/zimbra/commercial directory. Only deploy them from another directory.

#5 (10-09-2009, 02:12 PM)

Thanks for the reply.

I moved all but the commercial.key from ../commercial so it contains:
pwd
/opt/zimbra/ssl/zimbra/commercial
[root@zimbra commercial]# ls -la
total 24
drwxr----- 2 root root 4096 Oct 9 14:44 .
drwxr----- 5 root root 4096 Sep 25 15:28 ..
-rw-r--r-- 1 root root 887 Oct 8 12:17 commercial.key

Then tried:
# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/zimbra_ssl/commercial.crt /root/zimbra_ssl/entrust_chain.crt

Same result:
** Verifying /root/zimbra_ssl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/zimbra_ssl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /root/zimbra_ssl/commercial.crt: /C=US/O=Entrust, Inc./OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE/OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY/OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2008 Entrust, Inc.
error 2 at 1 depth lookup:unable to get issuer certificate
XXXXX ERROR: provided cert isn't valid.

What am I missing?

#6 (10-09-2009, 02:14 PM)

If it can't find the issuer certificate, you need to make sure you have the correct and full cert chain.

#7 (10-09-2009, 03:31 PM)

(deleted double-post)

Agree. I'm trying to figure out why the openssl verify fails on the Zimbra box, succeeds on my workstation, but fails on another RHEL4 box.

I noticed that the zmcertmgr script uses openssl verify to validate the cert. I'm hoping that if I can find why openssl verify fails, the zmcertmgr script will succeed.

Last edited by nphase; 10-12-2009 at 12:35 PM..

#8 (10-12-2009, 09:42 PM)

Success!

The trust chain was the cause. The trick was including the root-CA AND the chain certificate in the CA_chain_file.

I copied only the Entrust root CA entries from /usr/share/ssl/certs/ca-bundle.crt to a new bundle.crt file, added the Entrust l1b chain certificate to the bundle.crt file, then used zmcertmgr deploycrt comm commercial.crt bundle.crt.

Thanks for the pointer to the trust chain.
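The two checks zmcertmgr runs in this thread (key/cert match in #1 and #2, chain lookup in #3 and #5) and the bundle built in #8, as an added example that is not from the thread or from Zimbra's own scripts. It assumes only that the openssl CLI is on PATH; all file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original thread or of zmcertmgr.
# Reproduces the checks behind the errors seen above and builds the
# "intermediate chain + root CA" bundle that finally made deploycrt succeed.
# Assumes: openssl on PATH; RSA keys (as Zimbra's CSR wizard produces).

# Check 1: the certificate's public key must belong to the private key.
# A mismatch is the "Unmatching certificate ... and private key pair"
# error from post #1. Returns 0 on match, 1 on mismatch, 2 if a file
# cannot be parsed.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Build the CA bundle the way post #8 describes: every argument after the
# output path is appended in order (intermediate chain first, root CA last).
# A newline is forced between PEM blocks so two certificates never run
# together on one line, which makes openssl silently drop the second one.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# Check 2: the same verification zmcertmgr performs. With only the
# intermediate in the bundle this fails with "error 2 at 1 depth lookup:
# unable to get issuer certificate" (posts #3 and #5); with the root CA
# appended as well, the chain resolves and verify returns 0.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `key_matches_cert commercial.crt commercial.key` and `verify_chain bundle.crt commercial.crt` from a directory other than /opt/zimbra/ssl/zimbra/commercial, per post #4, before handing the files to zmcertmgr.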