09-23-2009, 06:03 AM
GoDaddy Certs in ZCS 6.0.1
good day!
has anyone tried to install a go-daddy signed commercial cert in zcs6?
whenever i try to do this, all checks go ok (ca-chain and cert + key), however when i restart the system (zmcontrol stop, zmcontrol start) all communication with the system is denied.
when i try to change modes with zmtlsctl i get the following error message:
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
Setting tls mode to http
Updating /opt/zimbra/mailboxd/etc/jetty.xml.in...done.
Updating /opt/zimbra/mailboxd/etc/service.web.xml.in...done.
Updating /opt/zimbra/jetty/etc/zimbra.web.xml.in...done.
Updating /opt/zimbra/jetty/etc/zimbraAdmin.web.xml.in...done.
Updating PROTOCOL MODE in /opt/zimbra/mailboxd/etc/zimbra.web.xml.in...done.
Updating /opt/zimbra/mailboxd/etc/jetty.xml.in...done.
Updating /opt/zimbra/cyrus-sasl/etc/saslauthd.conf.in...done.
Rewriting config files for cyrus-sasl, webxml and mailboxd...failed.
all help is welcome :-)
greetings
michael
09-24-2009, 12:13 PM
Please keep us updated on this. My 5.0.18 has a GoDaddy cert and I am looking forward to upgrading to 6.0.1 (or 6.0.2 if available) in the upcoming weeks.
Also, good luck.
09-26-2009, 02:46 AM
I just installed a GoDaddy commercial cert on 6.0.1 tonight. Seems to be working just fine, however, you cannot generate the CSR from Zimbra's Admin Console because GoDaddy apparently requires >= 2048-bit CSRs now, and the console only generates 1024-bit CSRs. You have to do it from the command line and use the "-keysize 2048" option.
So basically, generate your CSR like this (as the "zimbra" account):
sudo zmcertmgr createcsr comm -keysize 2048 -new "/C=US/ST=Texas/L=Austin/O=Blah Blah Blah/CN=whatever.company.com" -subjectAltNames "whatever.company.com"
Once you have your actual cert from GoDaddy, you can install that from the Admin Console, you don't have to use command line for that part. Use gd-bundle.crt (it'll come inside your cert's zip file) as your intermediate cert, and gd-class2-root.crt (you can download that from GoDaddy's website) as your CA cert when the Admin Console asks for them.
10-05-2009, 11:40 AM
Glad I found this. Our upgrade from 5.0.13 to 6.0.1 was marred by problems with the cert. After I had support working on it Sunday night, I still had to change to non self signed certs and had this same problem.
Your solution worked! However, I didn't read the part about which .crt to load where but since I had downloaded certs for Tomcat instead of Apache I had plenty!!
Thanks so much.
10-05-2009, 07:00 PM
I haven't had any problems with my GoDaddy cert after upgrading from 5.0.18 -> 6.0.0 -> 6.0.1. My stats still aren't working properly, but that's another story.
Unrelated, I also had a problem with ISPconfig 3 and the GD 2048 requirement. In that case I just edited a PHP file that's responsible for the cert creation and changed it to 2048.
10-06-2009, 07:36 PM
Hello There ... could you please tell us which PHP file you are referring to?
11-01-2009, 11:05 AM
I am facing the same problem
Hi,
I am also facing the same problem. I generated the CSR in the same way mentioned. When I copy this into GoDaddy it still says that the CSR should be greater than 2048 ... I generated the CSR with multiple options like 3000 and 4000; nothing worked when pasted into GoDaddy. Please help me
11-02-2009, 03:27 AM
You might want to change the value of 1024 in the zmcertmgr script. I faced the same issue. For me -keysize 2048 didn't work, so I modified the tool and changed it back after generating the CSR.
11-02-2009, 04:26 AM
The change in the complete script
Hi,
Should the change be made in all the functions of create csr (), create key () .. etc.
Or does the change have to be made only in create csr()?
11-02-2009, 05:47 AM
Change needs to be made at 2 places in the /opt/zimbra/bin/zmcertmgr script. Search for 1024 and replace it with 2048, create the CSR, and change back to the original 1024 values.
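Several posts above report GoDaddy rejecting a CSR even though "-keysize 2048" was passed. The following is an added example (not from any poster and not Zimbra code) that reads the RSA modulus size straight out of a PEM request, so the CSR can be checked before it is pasted into the CA's form. It assumes an RSA key; `sample_csr` and `der` are hypothetical helpers that build unsigned, constructed test requests with a dummy signature field.

```python
import base64

MIN_BITS = 2048  # minimum size the thread reports GoDaddy accepting

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_rsa_bits(pem):
    """Bit length of the RSA modulus inside a PEM PKCS#10 request."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, csr, _ = read_tlv(base64.b64decode(body), 0)
    info = children(children(csr)[0][1])   # version, subject, SPKI, attributes
    spki = children(info[2][1])            # AlgorithmIdentifier, BIT STRING
    _, key_seq, _ = read_tlv(spki[1][1][1:], 0)  # skip the unused-bits octet
    return int.from_bytes(children(key_seq)[0][1], "big").bit_length()

def der(tag, content):
    """Encode one DER element (only used to build the constructed samples)."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_csr(bits):
    """Constructed, unsigned PKCS#10 skeleton whose modulus has `bits` bits."""
    integer = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption
    key = der(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    info = der(0x30, integer(0) + der(0x30, b"") + spki + der(0xA0, b""))
    b64 = base64.encodebytes(der(0x30, info + alg + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + b64 + "-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for bits in (1024, 2048):
        got = csr_rsa_bits(sample_csr(bits))
        print(bits, got, "ok" if got >= MIN_BITS else "too small for the CA")
```

On a host with OpenSSL installed, `openssl req -in <file> -noout -text` shows the key size of a real request as well.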