
Thread: [SOLVED] GoDaddy + ZCS 6 = FAIL

  1. #1
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Default [SOLVED] GoDaddy + ZCS 6 = FAIL

    <rant>
    I've been with Zimbra since early 5.0 and I've performed regular upgrades as they come out. During this time, installing GoDaddy certificates has ALWAYS resulted in HOURS and HOURS of headaches. Installing certificates via the Admin Console never works.
    </rant>

    So I successfully performed a migration from 32-bit Debian 5 to 64-bit Ubuntu 8. Everything went perfectly, except I had to install the default self-signed certificates. Since everything's been working fine for a while, now, I decided I should try to get my GoDaddy certificates re-installed. [sigh...]

    Here are the steps I took this time:

    First I created ~/certs, then downloaded zimbra.crt and gd_bundle.crt (in a ZIP from GoDaddy)

    Verified the certificates against the key:
    Code:
    root@zimbra:~/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./zimbra.crt ./gd_bundle.crt
    ** Verifying ./zimbra.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./zimbra.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./zimbra.crt: OK

    Well, yee-haw. So then deployed the certificates:
    Code:
    root@zimbra:~/certs# /opt/zimbra/bin/zmcertmgr deploycrt comm ./zimbra.crt ./gd_bundle.crt
    ** Verifying ./zimbra.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./zimbra.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./zimbra.crt: OK
    ** Copying ./zimbra.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    Everything seems fine, right? I could even see that the certificates were installed when I visit the Certificates page in the Admin Console (of course, they aren't active, yet). So I restart zimbra:
    Code:
    zimbra@zimbra:~$ zmcontrol stop
    ...
    zimbra@zimbra:~$ zmcontrol start
    Host zimbra.divergentsystems.net
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
            Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled!  failed.
    
    
            Starting mailbox...Done.
            Starting memcached...Done.
            Starting imapproxy...Done.
            Starting antispam...Done.
            Starting antivirus...Done.
            Starting snmp...Done.
            Starting spell...Done.
            Starting mta...Done.
            Starting stats...Done.

    ...and in /var/log/zimbra.log, I see many messages like this:
    Code:
    <snip>
    Jan 18 21:35:43 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping All Memcached Servers update. 
    Jan 18 21:35:43 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping getAllMemcachedServers ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)  
    Jan 18 21:35:47 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping All MTA Authentication Target URLs update. 
    Jan 18 21:35:47 zimbra zimbramon[16445]: 16445:info: zmmtaconfig: Skipping getAllMtaAuthURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)  
    </snip>

    The Wiki either doesn't apply SPECIFICALLY to 6.0, or what is available (for 5.0) is incomplete or incorrect.

    Is there a soul on this planet who can install GoDaddy certificates without breaking a sweat? I would like that person to hook us (the community) up with a new Wiki article.

    I just dread when it comes time for certificate renewal, because this is the garbage I go through every time...

  2. #2
    sergioag is offline Active Member
    Join Date
    Nov 2007
    Location
    Lima-Peru
    Posts
    33
    Rep Power
    7

    Default

    Hi

    I use a GoDaddy certificate with my Zimbra server (6.0) and had no problem with it. It installed normally using the web interface. In the GoDaddy panel, I selected the "Tomcat" option by the way...

    Best regards,

    Sergio Aguayo

  3. #3
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Default

    That would be the only thing I'd try different: choosing Tomcat instead of Other when downloading my certificate.

    So you use the gd_bundle.crt for the Intermediate, and you download the gd-class2-root.crt for the Root, correct?

  4. #4
    sergioag is offline Active Member
    Join Date
    Nov 2007
    Location
    Lima-Peru
    Posts
    33
    Rep Power
    7

    Default

    Yes, I did it that way.

    Best regards,

    Sergio Aguayo

  5. #5
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Default

    Damn. I followed your tips precisely, and ended up with the same results as before.

  6. #6
    robmc is offline Starter Member
    Join Date
    Jan 2010
    Posts
    2
    Rep Power
    5

    Default

    I'm running into an identical issue - if you find a solution please post! I haven't been able to get the GUI running so a CLI solution would be very handy.

    Cheers,

    Rob

    A few min. after posting I found a solution that fixed my problem.

    /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file ./your_godaddy_cert.crt

    It looks like something went wrong with applying the chain certs (intermediate and CA) to Java. The above just forces Java to accept your purchased cert.

    I'm not sure if this was caused by an actual bug or I did something wrong the first run through - I'm leaning toward the latter but I'll be keeping an eye out.

    Hope that helps.
    Last edited by robmc; 01-20-2010 at 04:38 AM. Reason: Found Solution!
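
The PKIX error in post #1 means the validator could not build a path from the server certificate to an entry in its trust store. The script below is an added example, not code from any poster: it uses `openssl` as a stand-in for Java's path builder, expects the trust store exported to PEM, and its function names and `demo-*` certificates are made up here. It checks leaf, bundle and trust store before deployment and names the issuer that is missing.

```sh
#!/bin/sh
# Added example, not from the thread; the demo CA it builds is constructed.
# A Java trust store can be dumped to PEM for the TRUSTED argument with:
#   keytool -list -rfc -keystore <cacerts> -storepass changeit > trusted.pem
split_pem() (   # split_pem OUTDIR FILE...: one numbered file per certificate
    out=$1; shift
    awk -v d="$out" '/BEGIN CERTIFICATE/{n++; on=1}
        on{print > (d "/" n ".pem")} /END CERTIFICATE/{on=0}' "$@"
)
hash_of() { openssl x509 -in "$1" -noout "-${2}_hash"; }   # $2: subject | issuer

# chain_ok LEAF BUNDLE TRUSTED: does LEAF chain to an anchor in TRUSTED?
# -no-CApath (OpenSSL 1.1.0+) keeps the system CA directory out of the answer.
chain_ok() { openssl verify -no-CApath -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

# missing_issuers LEAF BUNDLE TRUSTED: issuer DNs the chain refers to that are
# neither in TRUSTED nor supplied in BUNDLE as a non-self-signed intermediate.
missing_issuers() (
    t=$(mktemp -d) || exit 2
    mkdir "$t/chain" "$t/trust"; known=" "
    split_pem "$t/chain" "$1" "$2"; split_pem "$t/trust" "$3"
    for c in "$t"/trust/*.pem "$t"/chain/*.pem; do
        [ -e "$c" ] || continue
        s=$(hash_of "$c" subject); i=$(hash_of "$c" issuer)
        if [ "${c%/*}" = "$t/trust" ] || [ "$s" != "$i" ]; then known="$known$s "; fi
    done
    for c in "$t"/chain/*.pem; do
        case $known in *" $(hash_of "$c" issuer) "*) ;;
            *) openssl x509 -in "$c" -noout -issuer ;; esac
    done | sort -u
    rm -rf "$t"
)

# Constructed PKI in DIR: demo-root -> demo-inter -> demo-leaf, and unrelated demo-other.
make_demo_chain() (
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    sign() { n=$1; shift; openssl x509 -req -in "$d/$n.csr" -out "$d/$n.pem" "$@" 2>/dev/null; }
    for n in root other inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=demo-$n" -out "$d/$n.csr" 2>/dev/null
    done
    sign root  -signkey "$d/root.key"  -extfile "$d/ca.ext"
    sign other -signkey "$d/other.key" -extfile "$d/ca.ext"
    sign inter -CA "$d/root.pem"  -CAkey "$d/root.key"  -CAcreateserial -extfile "$d/ca.ext"
    sign leaf  -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial
)
if [ "${1:-}" = demo ]; then   # "sh thisfile demo": trust store lacks the root
    d=$(mktemp -d) && make_demo_chain "$d" &&
        missing_issuers "$d/leaf.pem" "$d/inter.pem" "$d/other.pem"
fi
```

A trust entry for the issuing CA keeps working when the server certificate is renewed, whereas an entry for the server certificate itself has to be re-imported with each new certificate.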

  7. #7
    darryll007 is offline Starter Member
    Join Date
    Mar 2010
    Posts
    1
    Rep Power
    5

    Default Same problem here Thanks MaffooClock

    I have Zimbra 6 on CentOS, and after buying my SSL from GoDaddy and installing it, Zimbra did not work, so after this:
    /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file ./your_godaddy_cert.crt

    it was fine!!
    Very good

    David

  8. #8
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Default

    I have yet to try this, but I will soon. Meanwhile, I thought I'd at least acknowledge your suggestion -- thanks!

  9. #9
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Default

    I'm about to re-attempt this, and I wanted to ask: in robmc's and darryll007's replies, you mentioned "./your_godaddy_cert.crt". In the GoDaddy ZIP file, which file is this?

    When I download from GoDaddy, I get a ZIP containing these files:
    gd_bundle.crt
    gd_cross_intermediate.crt
    gd_intermediate.crt
    zimbra.divergentsystems.net.crt

    Which of these certificate files is "./your_godaddy_cert.crt"? (I know what each of those is, by the way.) I assume it's the <zimbra_hostname>.crt, but I want to make damn sure -- I grow rather tired of having to scramble to reinstall the self-issued certs when something goes wrong.

  10. #10
    MaffooClock is offline Active Member
    Join Date
    Jan 2009
    Location
    Texas
    Posts
    36
    Rep Power
    6

    Thumbs up

    Well, shucks, I tried it anyway with the <zimbra_hostname>.crt, and it worked like a charm.

    A BIG thanks to robmc!
