[SOLVED] 5.0.9 -> 6.0.2 Migration problems

[jrefl5]

Upgrade this AM, the upgrade wiped out my Go Daddy cert for the server.

I have the 5.0.x versions on a backedup system.

Any ideas on how to get them into the 6.0.2 system???


I have a support contact opened but still no response.

!!! Why is it that EVERY time we do an upgrade something goes bad????

[phoenix]

[SOLVED] ZCS 6.0 GoDaddy cert install issue

[LMStone]

That's unfortunate for sure, but if you have the GoDaddy certs why not just reinstall them?

The wiki lists the techniques for doing this via both the Admin Console and the commandline. We have seen this before ourselves, and while I am not trying to be an apologist for Zimbra, "it is what it is".

Post again if you have problems reinstalling the cert.

Also, when you categorized your support request, if you use the redirect method for users to log in, you are effectively down and IMHO would be entitled to U2 level support.

Hope that helps,
Mark

[jrefl5]

Phoenix, and LMStone

I have access to the 5.0.x files to try your suggestions, problem is "Where did 5.0.x save the files needed?"

Are you saying I need to go through the create csr , get cert, install cert again?

I would like to reset the certs back from the 5.0 system.

I also have copies of the certs i.e. *.crt files from Go Daddy, and the original *.csr file. but what about the keys used to generate those files.

[LMStone]

Quote:

Originally Posted by jrefl5

Phoenix, and LMStone

I have access to the 5.0.x files to try your suggestions, problem is "Where did 5.0.x save the files needed?"

Are you saying I need to go through the create csr , get cert, install cert again?

I would like to reset the certs back from the 5.0 system.

I also have copies of the certs i.e. *.crt files from Go Daddy, and the original *.csr file. but what about the keys used to generate those files.

If you have the *.crt files from GoDaddy, I'd just review the forum thread, the wiki article, and then after manually copying those files up to the Zimbra server, run the commandline tools to install the certs.

In my experience, the only annoyingly tricky bit is concatenating in an editor the intermediate cert with the other cert; you can't do this on a Windows machine because the end-of-line CR/LF is different (carriage return/line feed).

If you follow the wiki slavishly and then open up the new file in a editor to make sure the line breaks are correct, you will have no problems. (And you can guess how I found that one out...)

Holler if you need help!

All the best,
Mark

[jrefl5]

The way I was reading things it appeared that I need to get a NEW cert.

The steps Phoenix pointed to in his link did work using the existing *.crt files.



I just wish that I did not hit a different problem every release, its why we sat on 5.0.9 (with the security patch) for so long.

[LMStone]

Quote:

Originally Posted by jrefl5

The way I was reading things it appeared that I need to get a NEW cert.

Sorry if you read my suggestions that way! If you paid for a valid commercial cert and it hasn't expired yet of course you should be able to continue to use it; no need to get a new one.

The Zimbra upgrade/cert gone issue has hit us as well, and while it would be nice if Zimbra could fix this (there are some bug reports out there I have seen), reinstalling the existing certs is pretty quick and easy once you have done it once.

There are other bugs and RFEs I'd rather see Zimbra developers work on ahead of this, so when we do a Zimbra upgrade we keep the cert files handy "just in case".

All the best,
Mark

[jrefl5]

Mark,
It was a result of what I read in the link provided by Phoenix that cause me to make the wrong assumption. your second post set me straight and allowed me to follow the provided steps.
Yes I'll defenatly be keeping all certs in a backup location, and having been burned I should be able to remember the solution.

Thanks

[jrefl5]

Again zimbra upgrade trashed my Go Daddy cirts!!!!!

How do I recover them????

Code:

./zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt /opt/zimbra/certs/commercial_ca.crt
** Verifying /opt/zimbra/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/certs/commercial.crt: /O=sb.state.az.us/OU=Domain Control Validated/CN=sb.state.az.us
error 10 at 0 depth lookup:certificate has expired
OK
XXXXX ERROR: provided cert isn't valid.

[jrefl5]

Code:

cd /opt/zimbra/ssl/zimbra/commercial/
cp commercial.crt /opt/zimbra/certs/
cp commercial_ca.crt /opt/zimbra/certs/
./zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt /opt/zimbra/certs/commercial_ca.crt
** Verifying /opt/zimbra/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/certs/commercial.crt: OK
** Copying /opt/zimbra/certs/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/certs/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

stop and restart zimbra

Why can't the upgrade see the com certs, and just use them, instead of creating a new self signed every ___ time!

I'm not going to mark this solved as it's a reoccurring problem.