[SOLVED] Why is installing an SSL cert so hard in 6.0.6?

[supradave]

Release 6.0.6_GA_2330.UBUNTU8 UBUNTU8 FOSS edition.

I have been trying for days now to install a commercial SSL cert. I have followed directions from the manual and all over the web. Nothing works.

For example, these instructions: Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Code:

root@zimbra:~/ssl/comodo# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt 
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
root@zimbra:~/ssl/comodo# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt 
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: ./commercial.crt: OK
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

This is the first time I got through this without the zimbraSSLPrivateKey failing.

Then I go to restart and I get the following:

Code:

	Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
	Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled!  failed.


	Starting mailbox...Done.
	Starting antispam...Done.
	Starting antivirus...Done.
	Starting snmp...Done.
	Starting spell...Done.
	Starting mta...Done.
	Starting stats...Done.

When I go and list the cacerts from the java keytool, the information is already there.

Code:

zmcontrol status
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Host zimbra.domain.com
	antispam                Running
	antivirus               Running
	ldap                    Running
	logger                  Stopped
		zmlogswatchctl is not running
	mailbox                 Stopped
		zmmailboxdctl is not running.
	mta                     Running
	snmp                    Running
	spell                   Running
	stats                   Running

How do you install a commercial certificate? Is it possible? Which instructions should I use? Is there a link? This is very frustrating that this process is so difficult.

[supradave]

I have figured it out.

While digging and digging, a step needs to be added to add your .crt to the Java ca chain by:

Code:

/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt