[SOLVED] [zmcertmgr] error deploying comm startcom sslcert
Hi there,
I'm running Release 6.0.7_GA_2473 on a Debian Testing.
I tried to install a commercial startcom ssl cert as described in the zimbra wiki and here. Everything went fine until I tried to deploy the cert:
Code:
server:~# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/.ssl/commercial.crt /root/.ssl/commercial_ca.pem
** Verifying /root/.ssl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/.ssl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/.ssl/commercial.crt: OK
** Copying /root/.ssl/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/.ssl/commercial_ca.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate.../opt/zimbra/bin/zmcertmgr: Zeile 210: /bin/su: Die Argumentliste ist zu lang
failed.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key
Apparently, the bash script zmcertmgr tries to pass the ca-bundle (this one) as a string over the command line:
Code:
local content=`cat ${file}`
...
echo -n "** Saving $location config key $key..."
su - zimbra -c "${zimbra_home}/bin/zmprov -m -l -- ${zmprov_opts} ${key} \"$content\" 2> /dev/null"
The bundle's file size is 132903 bytes, probably hitting some limit for command line argument length in my kernel:
Code:
uname -r
2.6.28.7
getconf ARG_MAX
2097152
cat /usr/src/linux/include/linux/binfmts.h | grep MAX_ARG_STRLEN
#define MAX_ARG_STRLEN (PAGE_SIZE * 32)
getconf PAGE_SIZE
4096
Referring to this article
Quote:
And as additional limit, one argument must not be longer than MAX_ARG_STRLEN (131072).
I guess that the maximum length for that particular argument is slightly exceeded, even though the ARG_MAX is big enough.
I'd be happy to get some feedback on that.
Thanks, Hawkeye.
[SOLVED] [zmcertmgr] error deploying comm startcom sslcert
Hi,
Startcom included about 100k CRLs in the ca-bundle. Removing every single
Code:
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
from ca-bundle.pem avoids the problem with the maximum command line argument length.
Additionally, I had to add a <CR> (newline) to the end of my personal certificate to bypass this.
Hawkeye.
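
The workaround from this thread written as a pre-flight check, added here as an example (it is not part of the original posts or of Zimbra's zmcertmgr). The function names, the 1024-byte headroom for the rest of the `su -c` command string, and the dummy bundle are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: check a CA bundle before handing it to zmcertmgr deploycrt.
# Per-argument limit as quoted in the thread: MAX_ARG_STRLEN = PAGE_SIZE * 32.
max_arg_strlen() { echo $(( $(getconf PAGE_SIZE) * 32 )); }

# Print the bundle with every X509 CRL block removed (certificates are kept).
strip_crls() {
    sed '/^-----BEGIN X509 CRL-----/,/^-----END X509 CRL-----/d' "$1"
}

# Succeed if the file, plus headroom for the rest of the command string that
# shares the same argument, stays below the per-argument limit.
# The 1024-byte default headroom is an assumption, not a Zimbra value.
fits_single_arg() {
    local size headroom=${2:-1024}
    size=$(wc -c < "$1")
    [ $(( size + headroom )) -lt "$(max_arg_strlen)" ]
}

# Append a newline if the file does not already end with one.
ensure_trailing_newline() {
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
}

# Constructed sample: one dummy certificate block followed by a dummy CRL
# block as large as the limit itself. The filler is not real CRL data.
# printf is a shell builtin, so the large string never goes through execve().
make_sample_bundle() {
    local filler
    filler=$(head -c "$(max_arg_strlen)" /dev/zero | tr '\0' 'A' | fold -w 64)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' '-----BEGIN X509 CRL-----' "$filler" \
        '-----END X509 CRL-----' > "$1"
}

demo() {
    local dir; dir=$(mktemp -d)
    make_sample_bundle "$dir/ca_bundle.pem"
    fits_single_arg "$dir/ca_bundle.pem" || echo "bundle too large for one argument"
    strip_crls "$dir/ca_bundle.pem" > "$dir/ca_bundle.nocrl.pem"
    ensure_trailing_newline "$dir/ca_bundle.nocrl.pem"
    fits_single_arg "$dir/ca_bundle.nocrl.pem" && echo "stripped bundle fits"
    rm -rf "$dir"
}
demo
```

The size check is deliberately conservative: the certificate content is only part of the single string passed to `su -c`, so the file has to stay below the limit with room to spare.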