Preexisting CA with a self signed root certifcate

[fusillator]

Hi all, we tried the procedure at Preexisting Certifcate Installation for Zimbra 6.0 - Zimbra :: Wiki to use our private ca with selfsigned root certificate:

cd /tmp
cp -a /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts_restored_from_deb /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
cp -a commercial.key /opt/zimbra/ssl/zimbra
cp -a commercial.key /opt/zimbra/ssl/zimbra/commercial
/opt/zimbra/java/bin/keytool -import -alias ams -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/conf/ca/commercial_ca.pem
zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt
zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
su - zimbra -c zmcontrol restart

where commercial.key, commercial.crt, commercial_ca.crt is our renamed server private key and server public certificate, server ca certificate

getting this output:

Considerare attendibile questo certificato? [no]: si
Il certificato è stato aggiunto al keystore
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Host mail-pri.ams-group.it
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
Host mail-pri.ams-group.it
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s))
zimbra logger service is not enabled! failed.


Starting mailbox...Done.
Starting memcached...Done.
Starting imapproxy...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.


Trying to use zmprov we get

# /opt/zimbra/bin/zmprov
INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
INFO: Retrying request
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
# lsof -i :389
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
slapd 1878 zimbra 7u IPv4 703526 TCP mail-pri.ams-group.it:ldap (LISTEN)


Is there any way to deploy our certificate in zimbra collaboration suite 6.0?

Kind regards

[fusillator]

I tried another way to deploy the ca with selft signed certificate:
Before i resetted the enviroment with the advised procedure using zimbra ca:

mail:~# PATH=$PATH:/opt/zimbra/bin;
mail:~# export PATH;
mail:~# cp -a /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts_restored_from_deb /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
mail:~# zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
mail:~# zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100817105358
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100817105358
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
mail:~# zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
mail:~# zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
mail:~# zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
mail:~# zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
** Copying CA to /opt/zimbra/conf/ca...done.


On the basis of the preceding commands i make a new attempt to use my own 'selfsigned' certificate:
A little introduction to understand what are the used files:
/root/tmp/100002-key.pem is my server key,
/root/tmp/100002.pem is my server certificate,
/root/tmp/cacert.pem is my ca self signed certificate
/root/tmp/cakey.pem is my ca key
Here is the new steps:

mail:~# content=`cat /root/tmp/100002-key.pem`
mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- ms mail.ams-group.it zimbraSSLPrivateKey \"$content\""
mail:~# content=`cat /root/tmp/100002.pem`
mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- ms mail.ams-group.it zimbraSSLCertificate \"$content\""
mail:~# content=`cat /root/tmp/cacert.pem`
mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- mcf zimbraCertAuthorityCertSelfSigned \"$content\""
mail:~# content=`cat /root/tmp/cakey.pem`
mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- mcf zimbraCertAuthorityKeySelfSigned \"$content\""
mail:~# cp -a /root/zimbra-core-default/opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
mail:~# cp -a -f /root/tmp/cakey.pem /opt/zimbra/ssl/zimbra/ca/ca.key
mail:~# cp -a -f /root/tmp/cacert.pem /opt/zimbra/ssl/zimbra/ca/ca.pem
mail:~# cp -a -f /root/tmp/cacert.pem /opt/zimbra/ssl/zimbra/ca/ca.pem
mail:~# cp -a -f /root/tmp/100002-key.pem /opt/zimbra/ssl/zimbra/server/server.key
mail:~# cp -a -f /root/tmp/100002-key.pem /opt/zimbra/ssl/zimbra/server.key
mail:~# cp -a -f /root/tmp/100002.pem /opt/zimbra/ssl/zimbra/server/server.crt
mail:~# chmod 644 /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt
mail:~# chmod 640 /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/ssl/zimbra/server.key
mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/ssl/zimbra/server.key
mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/smtpd.crt
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/smtpd.key
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/slapd.crt
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/slapd.key
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/nginx.crt
mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/nginx.key
mail:~# chown zimbra:zimbra /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/smtpd.key /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/slapd.key /opt/zimbra/conf/nginx.crt /opt/zimbra/conf/nginx.key
mail:~# chmod 640 /opt/zimbra/conf/smtpd.key /opt/zimbra/conf/slapd.key /opt/zimbra/conf/nginx.key
mail:~# chmod 644 /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/nginx.crt
mail:~# su - zimbra -c "ln -f -s ca.pem /opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem`.0"
mail:~# cp -f /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/conf/ca/ca.key
mail:~# cp -f /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
mail:~# chown 1001:1000 /opt/zimbra/conf/ca/ca.pem
mail:~# chown 1001:1000 /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key
mail:~# chmod 640 /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key
mail:~# /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass GFi7Wqbo
mail:~# /opt/zimbra/openssl/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/server/server.key -in /opt/zimbra/ssl/zimbra/server/server.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:GFi7Wqbo
mail:~# chmod 640 /opt/zimbra/ssl/zimbra/jetty.pkcs12
mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/jetty.pkcs12
mail:~# /opt/zimbra/java/bin/java -XX:ErrorFile=/opt/zimbra/log -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore GFi7Wqbo GFi7Wqbo
Alias 0: jetty
Adding key for alias jetty
mail:~# chmod 644 /opt/zimbra/mailboxd/etc/keystore
mail:~# /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
Errore keytool: java.lang.Exception: L'alias <my_ca> non esiste
(ok i restored it with the original keystore file at the start)
mail:~# /opt/zimbra/java/bin/keytool -import -noprompt -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/zimbra/ca/ca.pem -alias my_ca -storepass changeit
Il certificato è stato aggiunto al keystore

No error until now, so restarting the service i get the usual error:

mail:~# su - zimbra -c "zmcontrol stop"
Host mail.ams-group.it
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
mail:~# su - zimbra -c "zmcontrol start"
Host mail.ams-group.it
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s))
zimbra logger service is not enabled! failed.


Starting mailbox...Done.
Starting memcached...Done.
Starting imapproxy...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.

I also check the matching between the hostname and the server certificate common name

mail:~# hostname --fqdn
mail.ams-group.it
and with dig the mx query return the address of my zimbra server
mail:~# openssl x509 -in /opt/zimbra/ssl/zimbra/server/server.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1048578 (0x100002)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, ST=Italia, L=Milano, O=Asset Management Service S.p.A., OU=AMS Certificate Authority, CN=AMS Certificate Authority/emailAddress=ca@ams-group.it
Validity
Not Before: Oct 31 14:30:06 2008 GMT
Not After : Oct 31 14:30:06 2013 GMT
Subject: C=IT, ST=Italia, L=Milano, O=Asset Management Service S.p.A., O=21232f297a57a5a743894a0e4a801fc3, OU=CA, CN=mail.ams-group.it/emailAddress=sistemi@ams-group.it
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
[cut off]

So i debug the command zmcontrol, stopping me when i found the following java class:

exec `dirname $0`/zmjava com.zimbra.cs.account.ProvUtil "$@"

the class file com/zimbra/cs/account/ProvUtil.class: is into the jar file: /opt/zimbra/lib/jars/zimbrastore.jar
But i've no clue on java programming...
I suppose the class is useful for insert ldap value, but i don't know if i hit the right source of my problem..

Have you any hints about?

Best regards