  #1 (permalink)  
Old 12-02-2009, 01:15 PM
Junior Member
 
Posts: 7
SSL Certificates

I am taking over from an admin that departed and we discovered that our IMAP server appears to be using a different SSL certificate (an expired one) than the one the mail HTTPS (web access) server is using.

I am a seasoned Unix guy, but Zimbra is fairly new to me, so any help would be awesome.

Thanks,
JMS
  #2 (permalink)  
Old 12-03-2009, 06:45 AM
Moderator
 
Posts: 1,209

Welcome to the forums!

There are several articles in the Zimbra wiki site which cover the peculiarities of Zimbra's use of SSL certificates, how to install commercial and self-signed certs, and how to troubleshoot cert problems.

Since you are a seasoned *NIX admin (and at the risk of coming across as a little "RTFM!"), may I suggest first taking a glance at those wiki articles, comparing what you see there to your own Zimbra system, and coming back here with a few more details?

The reason I suggest this is because I have never seen a Zimbra server where one or more of the certs is different than all of the others. So, I'm guessing that the previous admin may have done some hand "craftwork" on your certificate store.

Since there are some bugs associated with the Zimbra certificate manipulation scripts not always dealing well with non-standard cert stores, comparing what you've got with what you see in the wiki articles would be the first step I would take.

Again, apologies if this comes across as RTFM; just trying to help you get a baseline on exactly what you have so we can help you go the next step.

With best regards,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
  #3 (permalink)  
Old 12-03-2009, 07:11 AM
Junior Member
 
Posts: 7

Yeah, well I have gone several times through those and followed several of the steps left, right, up, down, and sideways.

As you indicated, you yourself have not seen a case where more than one SSL certificate would present itself, so obviously that isn't something I can just read in the "freaking" manual (polite translation :0) ). This is an odd case that I, so far, can't resolve.

I even tried to delete the keystore and recreate it, but then suddenly Zimbra Web failed to do anything.

JMS
  #4 (permalink)  
Old 12-03-2009, 08:17 AM
Moderator
 
Posts: 1,209

So at this point I would do the following:
  1. As the Zimbra user, run "zmcontrol -v" and post the output in your Forum Profile so we can see what specific version of Zimbra you are running.
  2. If you are running the Network Edition, I would at this point call support and ask for help.
  3. If you have the open source edition, I would copy the existing keystore(s) somewhere safe so you have a fallback position, then try using the Zimbra procedure to deploy a self-signed certificate. If this is what you have already tried, please post the log file errors here and that might help us figure out where the problem is (and confirm as well where the problem isn't).

You are right that Zimbra borks without working certs; much of the intra-server, inter-package communication is encrypted using the certs.

Hope that helps,
Mark
  #5 (permalink)  
Old 12-03-2009, 08:44 AM
Junior Member
 
Posts: 7

Soooooo, while some documents say Tomcat is all that you have to deal with, that appears not to be exactly true. There is the perdition element, and I just found the offending certificate.

*sigh*

JMS
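
The symptom in this thread, an IMAP listener presenting a different, expired certificate than the web interface, can be confirmed from outside by comparing what each TLS port serves. The Python below is an added example, not code from the posters or from Zimbra; the port list (including POP3S on 995) and the constructed sample results are assumptions.

```python
import hashlib
import socket
import ssl
import sys

# 443 and 993 are the services in the thread; 995 (POP3S) is an added assumption.
PORTS = {"https": 443, "imaps": 993, "pop3s": 995}

def probe(host, port, timeout=5.0):
    """Return (sha256 fingerprint, validation error or None) for one listener."""
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE      # fetch the cert even if it is expired
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    fingerprint = hashlib.sha256(der).hexdigest()
    try:                                 # second handshake with full validation
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return fingerprint, None
    except ssl.SSLCertVerificationError as exc:
        return fingerprint, exc.verify_message   # e.g. "certificate has expired"

def findings(results):
    """results maps service name -> (fingerprint, error); returns report lines."""
    by_fp = {}
    for service, (fp, _error) in sorted(results.items()):
        by_fp.setdefault(fp, []).append(service)
    out = []
    if len(by_fp) > 1:                   # listeners do not share one certificate
        out += [f"{fp[:16]}... served by {', '.join(n)}" for fp, n in by_fp.items()]
    out += [f"{s}: fails validation: {e}" for s, (_fp, e) in sorted(results.items()) if e]
    return out

if __name__ == "__main__":
    if len(sys.argv) > 1:                # live check: pass the mail host name
        results = {}
        for name, port in PORTS.items():
            try:
                results[name] = probe(sys.argv[1], port)
            except OSError as exc:       # closed port, timeout, handshake failure
                print(f"{name}: skipped ({exc})")
        if not results:
            sys.exit("no TLS listener reachable")
    else:                                # constructed sample mirroring the thread
        results = {"https": ("aa" * 32, None),
                   "imaps": ("bb" * 32, "certificate has expired")}
    for line in findings(results) or ["all listeners present one valid certificate"]:
        print(line)
```

Only implicit-TLS ports are probed; STARTTLS listeners such as IMAP on 143 need a protocol-specific upgrade before the handshake and are not covered here.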
  #6 (permalink)  
Old 12-03-2009, 08:52 AM
Moderator
 
Posts: 1,209

Still on 4.5.x I see?

Yup, exactly what you say is true. Sounds like you are making good progress!

Once you get that fixed I would strongly suggest migrating to the 5/6 series. Cert management in both the 5 and 6 series is much better. (So are many other things about Zimbra in the later series...)

All the best,
Mark
  #7 (permalink)  
Old 12-03-2009, 08:56 AM
Junior Member
 
Posts: 7

Quote:
Originally Posted by LMStone
Still on 4.5.x I see?

Yup, exactly what you say is true. Sounds like you are making good progress!

Once you get that fixed I would strongly suggest migrating to the 5/6 series. Cert management in both the 5 and 6 series is much better. (So are many other things about Zimbra in the later series...)

All the best,
Mark

Yeah, well it's in my profile 4.5.9... But unfortunately there are folks that had such a bad migration experience that they are too scared to move to anything else right now... Even though Safari blows up on 4.5.x.
  #8 (permalink)  
Old 12-03-2009, 09:07 AM
Moderator
 
Posts: 1,209

The last installer in the 4.5 series is very good. Not only does it do some 4.5 cleanup but it also checks a bunch of things in preparation for migrating to 5.0.x.

We too were very nervous about upgrading to 5.0.x, but after waiting for the last of the 4.5.x installers and a few updates in the 5.0.x series, our upgrade went flawlessly.

Same for 5 > 6 upgrades. Several sites with long running 5.0.x systems who tried upgrading to 6.0.0 found some issues Zimbra didn't anticipate, but the 5>6 upgrade bugs seem to have all pretty much been squashed by 6.0.3, and 6.0.4 is due out around 12/15.

The original installs in our hosting farm were deployed on 4.0.3, and we'll be upgrading to 6.0.4 from 5.0.18 between Christmas and New Year's.

There are of course no guarantees in life, but I would say the likelihood of you being able to complete a successful upgrade of your existing system to the latest release (in several upgrade steps) at this point is quite high.

Hope that helps,
Mark
  #9 (permalink)  
Old 12-03-2009, 10:29 AM
Junior Member
 
Posts: 7

Ugh, the Wiki documents are possibly dated? I am trying to extract the commercial certificate via this ExtractPriv.java file to the T. Unfortunately, this is the result:

java ExportPriv /opt/zimbra/ssl/ssl/commercial.keystore tomcat zimbra > my.key

Exception in thread "main" java.lang.NullPointerException
at ExportPriv.doit(ExportPriv.java:36)
at ExportPriv.main(ExportPriv.java:21)

Any thoughts?

JMS
  #10 (permalink)  
Old 12-03-2009, 10:57 AM
Junior Member
 
Posts: 7

Got further, but then got a

[zimbra@/tmp/zimbra_work]$ openssl rsa -in my.key -out my.key.dec
unable to load Private Key
8795:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:741: