[SOLVED] Network Solutions Certs - certs do not verify

[tribear]

Folks, I tried to install my Network Solutions Certs with mixed results.

=============

I rechecked the certs and ran into this error:
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
31878:error:0906D066:PEM routines:PEM_read_bio:bad end lineem_lib.c:749:
31878:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:

I is suggested that I add new lines in two of the certs that "AddTrustExternalCARoot.crt" and "NetworkSolutions_CA.crt" files _only_.

How is the best way to make that change? Simply hit return at the end of the file or some other code?

I tried this one other time and must have done something wrong.

Suggestions Please.

Tribear

[tribear]

Hello out there...I guess I am alone on this one...no responses from anyone?

-- It is disappointing that this software is so difficult to work with on such important matters such as security. Installing cerificates from various vendors should be very easy to do. You always seem to have to do some CL magic to get things working. Even then its hit or miss - no clear documentation anywhere.

I have used VM products for years and they all work..... I hope VM can clean up this product so many of us - with start up companies will feel confident in the software when its time to expand and that includes buying Zimbra vs Lotus Notes or others who do a better job.

If I do not get any responses today I will kill off this thread.

Tribear

[tribear]

Ok...

Found some answers that helped.
So far the CAT of certs >> commercial_CA.crt worked out with lines added to certs 1 & 2.
After running the verify on comm certs got the messages I needed to deploy. After running deploy all ran OK until the end.
Creating the pkcs12 file is still an issue.

I need some help on this one... any ideas from anyone would be helpful.

Tribear

[root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm

** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
[root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK

** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file

** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file

** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key
　

[bdial]

maybe try Failed to create jetty.pkcs12 - Zimbra :: Wiki

[tribear]

Ok... After discovering that my commercial.crt also need a CR at the end of the file so the deploy command can properly append the commercial_ca.crt - I reran the verify and deploy commands. Looks good!? - don't be foooled.


On restart the logger gets upset. see below.

bdial - got any other ideas?

[root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
[root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
------------------------------------------------------------
[zimbra@mail1 root]$ zmcontrol start
Host mail1.xxxxxxxxxxx.com
Starting ldap...Done.

Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.

Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target)

Quote:

zimbra logger service is not enabled! failed.

　
Starting mailbox...Done.
Starting memcached...Done.
Starting imapproxy...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.

[bdial]

try the solution in this thread

[SOLVED] GoDaddy + ZCS 6 = FAIL

[alam]

Hi, I'm not sure if I should start a new thread or reply to this one, but I'm having a similar issue with my Network Solutions cert. I'm trying to renew my SSL cert. Everything looked like it validated correctly. I download the .crt files and proceed to install it. When I run

/opt/zimbra/bin/zmcertmgr verifycrt comm


I get

** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.


I'm not sure why it's happening. Everything seems correct. I tried it several times. I successfully did this two years ago so I'm just following the same steps. It's based on these instructions Installing a Network Solutions Certificate on ZCS 5.0.x - Zimbra :: Wiki

Any help is appreciated. I'm stumped at this point. Thank you very much!

[tribear]

Well... after all this messing around... I got tired of the certificate issues and asked Network Solutions to reissue mine.

I will start back at this when they arrive.... tune in later... to be continued.

Tribear

[tribear]

I am back.....Network Solutions sent me some new certificates and I started back from where I left off. I Tried the usual steps posted here and gave up. I said, Hmmmm lets retry the Admin Web UI?
I finally got the certificates to install from the Admin Web UI while on the actual server's console.
I had to rub my eyes to believe it. I choose my MAIL1.xxxxxx.crt , AddTrustExternalCARoot.crt, intermediate crts: - NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt. Hit Enter and closed my eyes.

Checking the /opt/zimbra/ssl/zimbra/commercial/ directory I could see how each file was automatically renamed with the commercial prefix and you see the commercial.crt, commercial_ca.crt are there. I will paste them into a reader later to see how they where CAT'd together and share that with you.

Using /opt/zimbra/bin/zmcertmgr viewdeployedcrt I verified the certs are installed.
Next Step - the big one - zmcontrol stop and start. Cross the fingers here.

Failures occur with LDAP and Logger - here's the complaint:
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.

Now I am searching how to fix this - my server is down.... flat dead.

Help would be appreciated - Tribear

[bdial]

did you read the godaddy thread i posted where the guy is getting the exact same error you are.