A lot of people seem to have trouble with GoDaddy certs, especially when renewing. I did, too--tried to use the Admin GUI, fail. Looked through the forums and tried a few things others suggested, without luck. Finally I combined two ideas I'd seen on the forum and it was easy as pie. So I thought I'd share.
It's all done through the CLI. ZCS in this case is 6.0.6.1.
Step 1: Generate CSR as root.
# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=$country/ST=$state/L=$city/O=$organization/OU=$unit/CN=$FQDN1/CN=$FQDN2"
The $items are for you to fill in, without the dollar signs of course. In this case I had an organizational unit (OU). If you don't have one, leave out the "/OU=$unit". Also the first $FQDN1 is the primary name on the cert; any Subject Alternative Name(s) go in the second $FQDN2 (and any subsequent ones).
The output should look something like this:
Code:
** Generating a server csr for download comm -new -keysize 2048 /C=$country/ST=$state/L=$city/O=$organization/OU=$unit/CN=zimbra.company.com/CN=zimbra.company2.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100605164109
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
If all goes well, the CSR will be in /opt/zimbra/ssl/zimbra/commercial/commercial.csr
Step 2: Submit CSR to GoDaddy and download the cert.
# cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr
Copy & paste the output into the GoDaddy form. For server type, use "Other". Then download the cert zipfile, unzip it, and put the contents somewhere on your zimbra server. E.g. we'll assume they're in /root/certs/ and that the site cert is called zimbra.company.com.crt. The only other cert in the zip is gd_bundle.crt. (I haven't found any need for GoDaddy's intermediate cert bundle, which is apparently included in the downloads for certain servers.)
Step 3: Verify the cert chain.
# cd /root/certs/
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./zimbra.company.com.crt ./gd_bundle.crt
The output should be
Code:
** Verifying ./zimbra.company.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.company.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.company.com.crt: OK
Step 4: Install the cert.
# /opt/zimbra/bin/zmcertmgr deploycrt comm ./zimbra.company.com.crt ./gd_bundle.crt
And the output
Code:
** Verifying ./zimbra.company.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./zimbra.company.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./zimbra.company.com.crt: OK
** Copying ./zimbra.company.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Step 5: Check the cert.
I didn't want to reboot the whole server right away, so I just did
# su zimbra
# zmmailboxdctl restart
Once mailboxd had restarted, I opened the login page with a web browser and inspected the certificate.
Since I'm not sure if other services (such as mta) need to load the cert independently, I scheduled a full restart (zmcontrol stop && zmcontrol start) for later, after notifying the users.
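As an added example (my own script, not part of the original post and not Zimbra's zmcertmgr), here are plain-OpenSSL checks that cover Steps 3 to 5 independently of zmcertmgr: that the key and the site cert belong together, that the site cert chains to a root through the bundle, how long it is still valid, which DNS names it actually covers, and (after the restart) whether the fingerprint served on port 443 matches the file on disk. The function names, the 30-day expiry threshold and the paths in the comments (the post's /root/certs/ layout and the commercial.key path) are my assumptions; the checks themselves work for any CA's bundle, not only GoDaddy's.

```shell
#!/bin/sh
# Added example, not from the original post or from Zimbra. Assumed inputs follow
# the post's layout: /opt/zimbra/ssl/zimbra/commercial/commercial.key,
# /root/certs/zimbra.company.com.crt and /root/certs/gd_bundle.crt.

# 0 if the private key ($1) and the certificate ($2) carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 if the site cert ($1) chains to a trusted root through the bundle ($2);
# this is the relationship zmcertmgr verifycrt reports as "Valid Certificate".
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the cert ($1) is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# DNS names from the Subject Alternative Name extension of $1, one per line,
# so you can confirm every CN you put in the CSR made it onto the issued cert.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# SHA-256 fingerprint of the cert file $1.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the cert a live host ($1) serves on port $2 (default 443).
# Compare with file_fingerprint after the restart in Step 5; needs network access.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Offline checks for key $1, site cert $2, CA bundle $3.
# Prints one line per check; returns 0 only if every check passed.
check_cert_files() {
    rc=0
    if key_matches_cert "$1" "$2"; then echo "key/cert match: OK"
    else echo "key/cert match: FAIL"; rc=1; fi
    if chain_verifies "$2" "$3"; then echo "chain via $3: OK"
    else echo "chain via $3: FAIL"; rc=1; fi
    if cert_valid_for_days "$2" 30; then echo "expiry: more than 30 days left"
    else echo "expiry: WARNING, less than 30 days left or already expired"; rc=1; fi
    echo "DNS names covered:"
    cert_dns_names "$2"
    return $rc
}

# Only run when invoked with the three paths, so the functions can also be sourced.
if [ $# -ge 3 ]; then
    check_cert_files "$@"
fi
```

Usage in the post's setup: `sh certcheck.sh /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/certs/zimbra.company.com.crt /root/certs/gd_bundle.crt` before Step 4, then after the mailboxd restart compare `served_fingerprint zimbra.company.com` with `file_fingerprint /root/certs/zimbra.company.com.crt`; a mismatch means a service is still holding the old cert and the full zmcontrol restart is needed.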
(Here's where I found the answers:
Manual certificate / installation for Godaddy 2048 requirement and
[SOLVED] Renew GoDaddy SSL Cert.)