  #1 (permalink)  
Old 05-24-2010, 03:36 PM
Loyal Member
 
Posts: 76
Default [SOLVED] Can't install my commercial certificate

Hi all,

I am running zcs-6.0.6_GA_2330.DEBIAN5_64.20100505212715 on Debian 5.0

After the installation was successful, I had the zimbra admin console generate a csr file that I gave to StartCom.

I got a crt file back and I went on to installing it via the gui.

I got the following error:
Code:
Message: 
Your certificate was not installed due to the error : invalid request: missing required element: keysize 
Error code: ZaCertWizard.prototype.installCallback 
Method: AjxException.UNKNOWN_ERROR Details:invalid request: missing required element: keysize

After a bit of reading I copied and renamed my crt file to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'.

I checked that the csr file was still the same I used to request the crt file.

As root, I then ran the following command and got the error:

Code:
# wget --no-check-certificate https://www.startssl.com/certs/ca.pem
# wget --no-check-certificate https://www.startssl.com/certs/sub.class2.server.ca.pem
# cat ca.pem sub.class2.server.ca.pem > commercial_ca.crt

# ls -l
total 24
-rw-r--r-- 1 root root 4972 2010-05-25 00:28 commercial_ca.crt
-rw-r--r-- 1 root root 5662 2010-05-25 00:27 commercial.crt
-rw-r--r-- 1 root root 1086 2010-05-24 23:33 commercial.csr
-rw-r----- 1 root root 1679 2010-05-24 23:33 commercial.key

# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
** Verifying commercial.crt against commercial.key
unable to load certificate
12564:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:749:
XXXXX ERROR: Unmatching certificate (commercial.crt) and private key (commercial.key) pair.

I read that adding a space at the end of the crt might help but I got the same error.

Can anyone help me solve this one?

Thanks
-Ed

Last edited by ecobrazim; 05-24-2010 at 03:39 PM.. Reason: better error code
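
Added example, not part of the original posts: OpenSSL's `bad end line` error in post #1 means a PEM boundary line is malformed. One common cause is joining files with `cat` when the first has no final newline, which puts `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` on one line. The script below lints a PEM file for that and related structural faults; `pem_lint` is a hypothetical name and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: structural lint for a PEM file (no OpenSSL needed).
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 if unreadable.
pem_lint() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 2; }
    # Command substitution drops a trailing newline, so non-empty output here
    # means the last byte is not "\n" and `cat` would fuse the next file onto it.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: no newline after the last line"; rc=1
    fi
    awk -v f="$f" '
        function report(msg) { printf "%s:%d: %s\n", f, NR, msg; bad = 1 }
        { line = $0 }
        line ~ /\r$/ { report("CRLF line ending"); sub(/\r$/, "", line) }
        line ~ /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (inblk) report("BEGIN before the previous block ended")
            inblk = 1; blocks++
            label = substr(line, 12, length(line) - 16); next
        }
        line ~ /^-----END [A-Z0-9 ]+-----$/ {
            if (!inblk) report("END without a matching BEGIN")
            else if (substr(line, 10, length(line) - 14) != label)
                report("END label differs from BEGIN label")
            inblk = 0; next
        }
        line ~ /-----/ { report("malformed boundary (fused blocks, stray space, dash count)"); next }
        inblk && line !~ "^[A-Za-z0-9+/=]+$" { report("non-base64 text inside block") }
        END {
            if (inblk) { print f ": last block has no END line"; bad = 1 }
            if (!blocks) { print f ": no PEM block found"; bad = 1 }
            exit bad + 0
        }
    ' "$f" || rc=1
    return $rc
}

# Constructed sample data: the body is placeholder base64, not a real certificate.
demo=$(mktemp -d)
body=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$demo/good.pem"
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$demo/nonl.pem"
cat "$demo/nonl.pem" "$demo/good.pem" > "$demo/fused.pem"   # cat of a file lacking a final newline
for p in good nonl fused; do pem_lint "$demo/$p.pem" || echo "=> $p.pem needs fixing"; done
```

Running it on each input of a `cat` before concatenating catches the missing newline while the fix is still a one-byte append.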
  #2 (permalink)  
Old 05-24-2010, 05:36 PM
Outstanding Member
 
Posts: 717
Default

  1. Place the csr and the private key in /opt/zimbra/ssl/zimbra/commercial directory and name them: commercial.csr and commercial.key.
  2. Make sure the permissions are set to 740 root:root
  3. Make a new directory, ex: /root/certs
  4. Place the signed cert and the bundle cert in /root/certs
  5. Verify that the cert and the key match via this command, run as root:
    # cd /root/certs
    # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./<crt_file> ./<bundle_file>
  6. If the output looks good, you can deploy the certificate via this command:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm ./<crt_file> ./<bundle_file>
  7. The final step would be to restart the zimbra services for the change to take effect
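
Added example, not part of the original posts and not Zimbra's own code: the questions steps 2 and 5 of the procedure above ask, answered with `openssl` directly so they can be run read-only before `deploycrt`. The function names are hypothetical, the test PKI is constructed (throwaway CA, placeholder host `mail.example.test`), and whether `zmcertmgr verifycrt` performs its check the same way is not stated on the page.

```shell
#!/bin/sh
# Added example: read-only checks before `zmcertmgr deploycrt`. Function names are hypothetical.

# 0 when the certificate's public key equals the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# 0 when the certificate chains to a CA in the bundle (root plus intermediates).
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 when "other" has no permission bits on the key file (740 and 640 both pass).
key_not_world_accessible() {
    case $(ls -ld "$1" 2>/dev/null) in ???????---*) return 0 ;; *) return 1 ;; esac
}

preflight() {   # usage: preflight <key> <crt> <ca_bundle>
    fail=0
    key_not_world_accessible "$1" || { echo "FAIL key accessible by others: $1"; fail=1; }
    cert_matches_key "$2" "$1"    || { echo "FAIL certificate and key differ"; fail=1; }
    chain_ok "$2" "$3"            || { echo "FAIL no path from $2 to a CA in $3"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK to deploy"
    return "$fail"
}

# Constructed test material: a throwaway CA and a leaf for the placeholder
# name mail.example.test, written to directory $1.
make_constructed_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null &&
    chmod 640 "$1/ca.key" "$1/leaf.key"
}

if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d) && make_constructed_pki "$d" &&
        preflight "$d/leaf.key" "$d/leaf.crt" "$d/ca.crt"
fi
```

Comparing public keys rather than RSA moduli keeps the match check valid for EC keys as well.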
  #3 (permalink)  
Old 05-24-2010, 10:38 PM
Loyal Member
 
Posts: 76
Default

Hi Krishopper,

The installation of the key worked beautifully, thanks, but I am now getting the following errors when restarting the service.
Code:
# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt 
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

# su - zimbra

$ zmcontrol stop && sleep 5 && zmcontrol start
Host mail.precognet.com
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping archiving...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping imapproxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping ldap...Done.
Host mail.precognet.com
        Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
        Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled!  failed.
        Starting mailbox...Done.
        Starting antispam...Done.
        Starting antivirus...Done.
        Starting snmp...Done.
        Starting spell...Done.
        Starting mta...Done.
        Starting stats...Done.

I admit I am rushing off to work and did not take the time to check the net for this problem. I will do so this evening unless you have a quick fix to my problem.

Anyway, the cert is installed so I'm one step further. Thanks!
-Ed
  #4 (permalink)  
Old 05-24-2010, 10:45 PM
Outstanding Member
 
Posts: 717
Default

I didn't encounter any such issue, but from a quick search, check the forums for "Enabled services read from cache" and see if you can find some answers.

Quick searching shows that /etc/hosts didn't contain "localhost.localdomain localhost" for 127.0.0.1 in a few cases, possibly an expired certificate, bad DNS?
  #5 (permalink)  
Old 05-25-2010, 08:33 AM
Loyal Member
 
Posts: 76
Default

OK, so I did do some reading and I did find the solution.

First of all, I checked the hosts file to get rid of the error as mentioned here:

Code:
Enabled services read from cache. Service list may be inaccurate.

Now to fix the following error and the error above:

Code:
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

... I did (as root) with zimbra still running:
Code:
# /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /root/certs/commercial.crt

Thanks robmc

I then restarted the zimbra services and shazam, all is working!

Thank you all for your help.
-Ed
  #6 (permalink)  
Old 06-16-2010, 10:51 AM
New Member
 
Posts: 3
Default Installing GoDaddy SSL Certificate on Zimbra versions 5 and 6

Here's a lengthy write up I made using information from several threads:

IT Bang Bang: Installing $12.99 GoDaddy SSL Certificate on Zimbra versions 5 and 6

I hope it helps people get their Certificates properly set up.

Leave me comments if it worked.