  #1 (permalink)  
Old 04-22-2010, 07:31 AM
Intermediate Member
 
Posts: 18
Default [SOLVED] Installing commercial certificate issue

Hi.
We use community version 6.
When I try to install a commercial certificate into Zimbra I get errors:

./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt
** Verifying /tmp/server.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/server.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /tmp/ca_bundle.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.

I've used this article to install the cert: Installing a RapidSSL Commercial Certificate - Zimbra :: Wiki

Does anyone have a similar problem?
Thx.
Reply With Quote
  #2 (permalink)  
Old 04-22-2010, 10:15 AM
Zimbra Employee
 
Posts: 114
Default

The text you specified listed the problem. It says it cannot load /tmp/ca_bundle.crt for some reason. Does the file not exist? Does it contain a valid certificate?
Reply With Quote
  #3 (permalink)  
Old 04-22-2010, 10:30 AM
Intermediate Member
 
Posts: 18
Default

I know that ca_bundle.crt is the issue, but the article Installing a RapidSSL Commercial Certificate - Zimbra :: Wiki says that I need to download that ca_bundle.crt file and copy it to /tmp:

Download the appropriate bundle file from http://www.geotrust.com/resources/ro..._Authority.cer . RapidSSL certificates are always signed by Equifax!! Save this as ca_bundle.crt

So I did it and got the error shown above in my first post.

Thanks for the reply.
Reply With Quote
  #4 (permalink)  
Old 04-22-2010, 10:32 AM
Zimbra Employee
 
Posts: 114
Default

But what does the file look like on the server? Are you running zmcertmgr as root?
Reply With Quote
  #5 (permalink)  
Old 04-22-2010, 11:36 AM
Intermediate Member
 
Posts: 18
Default

I did all the steps exactly as in this article, step by step.
Reply With Quote
  #6 (permalink)  
Old 04-22-2010, 01:22 PM
Intermediate Member
 
Posts: 18
Default

Previously I downloaded http://www.geotrust.com/resources/ro..._Authority.cer with Firefox on Windows, then copied and pasted it onto the Zimbra host with PuTTY.
Now I used wget -c http://www.geotrust.com/resources/ro..._Authority.cer and copied this file into /tmp/ca_bundle.crt
Then cd /opt/zimbra/bin
and ./zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt
Now I get different output:

** Verifying /tmp/server.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/server.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/server.crt: OK
** Copying /tmp/server.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /tmp/ca_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

What does it mean? How do I fix it?

Thx.
Reply With Quote
  #7 (permalink)  
Old 04-23-2010, 06:33 AM
Intermediate Member
 
Posts: 18
Default

So, from now on I cannot send anything because there is no certificate to communicate with. I use TLS to communicate with the server:

Starting ldap...Done.
Failed.
Failed to start slapd. Attempting debug start to determine error.
TLS: error:0906D066:PEM routines:PEM_read_bio:bad end line pem_lib.c:749
TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
main: TLS init def ctx failed: -1

Any idea?

Thx.
Reply With Quote
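The failures shown in posts #1, #6 and #7 ("Error loading file", "No certificate matches private key", "bad end line") can be caught before deploycrt changes the running configuration. The script below is an added example, not part of the thread or of Zimbra; the function names are illustrative, an RSA key is assumed, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (illustrative names): pre-flight checks before `zmcertmgr deploycrt comm`.

# pem_lint FILE: check PEM framing of a certificate or CA bundle.
# Prints one line per problem; returns 0 only if every block is well formed.
pem_lint() {
    awk '
    { sub(/[ \t\r]+$/, "") }                      # ignore trailing whitespace and CR
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (cur != "") { printf "line %d: BEGIN inside open %s block\n", NR, cur; bad++ }
        cur = substr($0, 12, length($0) - 16); next
    }
    /^-----END [A-Z0-9 ]+-----$/ {
        label = substr($0, 10, length($0) - 14)
        if (cur == "")         { printf "line %d: END without BEGIN\n", NR; bad++ }
        else if (label != cur) { printf "line %d: END %s closes BEGIN %s\n", NR, label, cur; bad++ }
        else blocks++
        cur = ""; next
    }
    /^-+ *(BEGIN|END)/ { printf "line %d: malformed boundary line\n", NR; bad++; next }
    cur != "" && $0 !~ "^[A-Za-z0-9+/=]*$" {
        printf "line %d: non-base64 text inside %s block\n", NR, cur; bad++
    }
    END {
        if (cur != "") { print "missing END line for " cur; bad++ }
        if (!blocks && !bad) { print "no PEM block found (DER or HTML download?)"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# cert_matches_key CERT KEY: compare RSA moduli (assumes an RSA key pair).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 2
    k=$(openssl rsa -noout -modulus -in "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# preflight CERT KEY CA_BUNDLE: run every check; deploy only if this returns 0.
preflight() {
    pem_lint "$1" && pem_lint "$3" || return 1
    cert_matches_key "$1" "$2" || { echo "certificate does not match key"; return 1; }
    openssl verify -CAfile "$3" "$1" | grep -q ': OK$'
}

# Constructed sample: the END line is glued to the last base64 line.
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDRA==-----END CERTIFICATE-----' > "$demo"
pem_lint "$demo" || echo "do not deploy $demo"
rm -f "$demo"
```

With the paths from the thread, the call would be `preflight /tmp/server.crt /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/ca_bundle.crt`, run before zmcertmgr.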
  #8 (permalink)  
Old 04-23-2010, 09:29 AM
Intermediate Member
 
Posts: 18
Default

I've created a new self-signed cert and Zimbra works fine.
OK, can someone help me install a commercial cert on Zimbra?

Thx.
Reply With Quote
  #9 (permalink)  
Old 04-30-2010, 08:11 AM
Zimbra Consultant & Moderator
 
Posts: 20,313
Default

Quote:
Originally Posted by rosol View Post
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

What does it mean? How to fix it?
There are several threads that cover this issue, do any of them help?
__________________
Regards


Bill
Reply With Quote
  #10 (permalink)  
Old 05-16-2010, 11:57 AM
Intermediate Member
 
Posts: 18
Default

Thank you for the reply.
This thread worked fine for me:
[SOLVED] Certificate problem with 6.0.5

Again thank you for good advice.
Reply With Quote