Zimbra

bibo · #1 (**permalink**) 02-08-2010, 07:18 AM

Dear all,

I made upgrade to zimbra 6.0.5. When I tried to install a new certificate
I received this error.

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial
commercial_ca.crt commercial.crt commercial.csr commercial.key
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt root.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
[root@mailhost certs]# cat class3.crt root.crt >> commercial_ca.crt
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/comm
ercial/commercial.key ./commercial.crt commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

I saw the same error in another post but I didn´t find the solution.

How do I fix this?

Best regards,
Bibo

bibo · #2 (**permalink**) 02-08-2010, 08:23 AM

I run the zmcertmgr command in debug mode to help me and I found out that my problem was the commercial.crt file. This file finish in that line.
-----END CERTIFICATE-----
Then I added new line (\n) and the script run without problem.

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mailhost certs]#

Best regards,
Bibo

batfastad · #3 (**permalink**) 04-12-2010, 04:17 PM

bibo I want to say a big THANK YOU for posting this.
Spent 5 hours trying to get this going and that newline character was the problem all along. Thanks!

Cheers, B

PRL · #4 (**permalink**) 04-14-2010, 05:31 PM

bibo - My thanks as well. I've been struggling getting my cert installed and I thought I had it fixed until I started receiving the same error that you wrote in your first post.

itdoug · #5 (**permalink**) 06-24-2010, 12:29 PM

This worked for me. Very simple

First Generate CSR in GUI

Save resulting Cert file as commercial.crt

Download Thawte Root Certs: https://www.thawte.com/roots/index.html

Find Thawte Server CA.pem in folder "Thawte SSL123 Roots" and rename to commercial_ca.crt

Upload commercial.crt and commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial

Verify Certificate

As root run: /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt

Quote:

/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
** Verifying commercial.crt against commercial.key
Certificate (commercial.crt) and private key (commercial.key) match.
Valid Certificate: commercial.crt: OK

Install Certificate

As root run: /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Quote:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Restart Zimbra services zmcontrol restart as zimbra user.

****
One more Note:

Zimbra recommends that you place those files (Trusted Root and commercial.crt) elsewhere and let the zmcertmgr tool copy them to the proper location and install them into ldap. Like the following:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
****

terencelhl · #6 (**permalink**) 01-18-2012, 08:37 PM

Dear bibo,

A big thank you to your valuable guides here!!!

Zimbra

Downloads

Product Information

Toolbox

Why Join?