
Thread: Preexisting CA with a self-signed root certificate

  1. #1 fusillator, Junior Member (joined Aug 2010)

    Preexisting CA with a self-signed root certificate

    Hi all, we tried the procedure at Preexisting Certifcate Installation for Zimbra 6.0 - Zimbra :: Wiki to use our private CA with a self-signed root certificate:

    cd /tmp
    cp -a /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts_restored_from_deb /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
    cp -a commercial.key /opt/zimbra/ssl/zimbra
    cp -a commercial.key /opt/zimbra/ssl/zimbra/commercial
    /opt/zimbra/java/bin/keytool -import -alias ams -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/conf/ca/commercial_ca.pem
    zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt
    zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    su - zimbra -c zmcontrol restart

    where commercial.key, commercial.crt and commercial_ca.crt are our renamed server private key, server public certificate and CA certificate.

    We get this output:

    Trust this certificate? [no]: yes
    Certificate was added to keystore
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Host mail-pri.ams-group.it
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
    Host mail-pri.ams-group.it
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s))
    zimbra logger service is not enabled! failed.


    Starting mailbox...Done.
    Starting memcached...Done.
    Starting imapproxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.


    Trying to use zmprov, we get:

    # /opt/zimbra/bin/zmprov
    INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
    INFO: Retrying request
    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
    # lsof -i :389
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    slapd 1878 zimbra 7u IPv4 703526 TCP mail-pri.ams-group.it:ldap (LISTEN)


    Is there any way to deploy our certificate in Zimbra Collaboration Suite 6.0?

    Kind regards

  2. #2 fusillator, Junior Member (joined Aug 2010)

    I tried another way to deploy the CA with a self-signed certificate:
    First I reset the environment with the advised procedure, using the Zimbra CA:

    mail:~# PATH=$PATH:/opt/zimbra/bin;
    mail:~# export PATH;
    mail:~# cp -a /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts_restored_from_deb /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
    mail:~# zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    mail:~# zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100817105358
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100817105358
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    mail:~# zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    mail:~# zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    mail:~# zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    mail:~# zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...done.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.


    On the basis of the preceding commands I made a new attempt to use my own 'self-signed' certificate:
    A short introduction to the files used:
    /root/tmp/100002-key.pem is my server key,
    /root/tmp/100002.pem is my server certificate,
    /root/tmp/cacert.pem is my CA self-signed certificate,
    /root/tmp/cakey.pem is my CA key.
    Here are the new steps:

    mail:~# content=`cat /root/tmp/100002-key.pem`
    mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- ms mail.ams-group.it zimbraSSLPrivateKey \"$content\""
    mail:~# content=`cat /root/tmp/100002.pem`
    mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- ms mail.ams-group.it zimbraSSLCertificate \"$content\""
    mail:~# content=`cat /root/tmp/cacert.pem`
    mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- mcf zimbraCertAuthorityCertSelfSigned \"$content\""
    mail:~# content=`cat /root/tmp/cakey.pem`
    mail:~# su - zimbra -c "/opt/zimbra/bin/zmprov -m -l -- mcf zimbraCertAuthorityKeySelfSigned \"$content\""
    mail:~# cp -a /root/zimbra-core-default/opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts /opt/zimbra/jdk1.6.0_16/jre/lib/security/cacerts
    mail:~# cp -a -f /root/tmp/cakey.pem /opt/zimbra/ssl/zimbra/ca/ca.key
    mail:~# cp -a -f /root/tmp/cacert.pem /opt/zimbra/ssl/zimbra/ca/ca.pem
    mail:~# cp -a -f /root/tmp/cacert.pem /opt/zimbra/ssl/zimbra/ca/ca.pem
    mail:~# cp -a -f /root/tmp/100002-key.pem /opt/zimbra/ssl/zimbra/server/server.key
    mail:~# cp -a -f /root/tmp/100002-key.pem /opt/zimbra/ssl/zimbra/server.key
    mail:~# cp -a -f /root/tmp/100002.pem /opt/zimbra/ssl/zimbra/server/server.crt
    mail:~# chmod 644 /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt
    mail:~# chmod 640 /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/ssl/zimbra/server.key
    mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/ssl/zimbra/server.key
    mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/smtpd.crt
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/smtpd.key
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/slapd.crt
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/slapd.key
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.crt /opt/zimbra/conf/nginx.crt
    mail:~# cp -f /opt/zimbra/ssl/zimbra/server/server.key /opt/zimbra/conf/nginx.key
    mail:~# chown zimbra:zimbra /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/smtpd.key /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/slapd.key /opt/zimbra/conf/nginx.crt /opt/zimbra/conf/nginx.key
    mail:~# chmod 640 /opt/zimbra/conf/smtpd.key /opt/zimbra/conf/slapd.key /opt/zimbra/conf/nginx.key
    mail:~# chmod 644 /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/nginx.crt
    mail:~# su - zimbra -c "ln -f -s ca.pem /opt/zimbra/conf/ca/`/opt/zimbra/openssl/bin/openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem`.0"
    mail:~# cp -f /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/conf/ca/ca.key
    mail:~# cp -f /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
    mail:~# chown 1001:1000 /opt/zimbra/conf/ca/ca.pem
    mail:~# chown 1001:1000 /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key
    mail:~# chmod 640 /opt/zimbra/conf/ca/ca.pem /opt/zimbra/conf/ca/ca.key
    mail:~# /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass GFi7Wqbo
    mail:~# /opt/zimbra/openssl/bin/openssl pkcs12 -inkey /opt/zimbra/ssl/zimbra/server/server.key -in /opt/zimbra/ssl/zimbra/server/server.crt -name jetty -export -out /opt/zimbra/ssl/zimbra/jetty.pkcs12 -passout pass:GFi7Wqbo
    mail:~# chmod 640 /opt/zimbra/ssl/zimbra/jetty.pkcs12
    mail:~# chown zimbra:zimbra /opt/zimbra/ssl/zimbra/jetty.pkcs12
    mail:~# /opt/zimbra/java/bin/java -XX:ErrorFile=/opt/zimbra/log -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl/zimbra/jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore GFi7Wqbo GFi7Wqbo
    Alias 0: jetty
    Adding key for alias jetty
    mail:~# chmod 644 /opt/zimbra/mailboxd/etc/keystore
    mail:~# /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    keytool error: java.lang.Exception: Alias <my_ca> does not exist
    (OK, I had restored it with the original keystore file at the start)
    mail:~# /opt/zimbra/java/bin/keytool -import -noprompt -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/zimbra/ca/ca.pem -alias my_ca -storepass changeit
    Certificate was added to keystore

    No errors until now, but restarting the services I get the usual error:

    mail:~# su - zimbra -c "zmcontrol stop"
    Host mail.ams-group.it
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
    mail:~# su - zimbra -c "zmcontrol start"
    Host mail.ams-group.it
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s))
    zimbra logger service is not enabled! failed.


    Starting mailbox...Done.
    Starting memcached...Done.
    Starting imapproxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.

    I also checked that the hostname matches the server certificate common name:

    mail:~# hostname --fqdn
    mail.ams-group.it
    and with dig the MX query returns the address of my Zimbra server.
    mail:~# openssl x509 -in /opt/zimbra/ssl/zimbra/server/server.crt -text
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 1048578 (0x100002)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=IT, ST=Italia, L=Milano, O=Asset Management Service S.p.A., OU=AMS Certificate Authority, CN=AMS Certificate Authority/emailAddress=ca@ams-group.it
    Validity
    Not Before: Oct 31 14:30:06 2008 GMT
    Not After : Oct 31 14:30:06 2013 GMT
    Subject: C=IT, ST=Italia, L=Milano, O=Asset Management Service S.p.A., O=21232f297a57a5a743894a0e4a801fc3, OU=CA, CN=mail.ams-group.it/emailAddress=sistemi@ams-group.it
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    [cut off]

    So I debugged the zmcontrol command, stopping when I found the following Java class:

    exec `dirname $0`/zmjava com.zimbra.cs.account.ProvUtil "$@"

    The class file com/zimbra/cs/account/ProvUtil.class is in the jar file /opt/zimbra/lib/jars/zimbrastore.jar.
    But I have no clue about Java programming...
    I suppose the class is used to insert LDAP values, but I don't know if I have hit the right source of my problem.

    Do you have any hints?

    Best regards
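The failure that survives every deploy attempt in both posts is the same one: `PKIX path validation failed: ... unrecognized critical extension(s)`. That message means a certificate in the chain (typically the CA certificate produced by an OpenSSL CA config) carries an extension marked critical whose OID the Java validator does not implement, so it must reject the chain per RFC 5280. The script below is an added example, not code from this thread or from Zimbra: it walks the DER structure of a certificate with the Python standard library only, lists each extension with its critical flag, and reports the critical ones that fall outside the RFC 5280 set. The OID table, the set treated as "known to a strict PKIX validator" (the exact list a given JDK build accepts is not stated on this page), and the constructed sample certificate (placeholder names, no real keys or signature) are all assumptions made for the example. On a real server you would feed it `pem_to_der(open("/opt/zimbra/ssl/zimbra/ca/ca.pem").read())` and the server certificate the same way.

```python
# Stdlib-only X.509 extension inspector (added example, not Zimbra code).
# Walks a DER certificate, lists every extension with its critical flag and
# reports critical extensions a strict PKIX validator would not understand.
import base64

# ASSUMPTION: a small OID table; RFC 5280 extensions plus two Netscape ones
# that OpenSSL CA configs commonly emit and that RFC 5280 does not define.
OID_NAMES = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.18": "issuerAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.32": "certificatePolicies",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
    "2.16.840.1.113730.1.1": "nsCertType",   # Netscape, not RFC 5280
    "2.16.840.1.113730.1.13": "nsComment",   # Netscape, not RFC 5280
}
# ASSUMPTION: the validator understands exactly the RFC 5280 entries above.
PKIX_KNOWN = {o for o in OID_NAMES if not o.startswith("2.16.840.1.113730")}


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split a constructed value's body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def _oid(body):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the certificate body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def list_extensions(der):
    """Return [(oid, name, critical)] for each extension of a DER certificate."""
    _, cert_body, _ = _tlv(der, 0)                     # Certificate SEQUENCE
    tbs = _children(cert_body)[0][1]                   # tbsCertificate
    tagged = [v for t, v in _children(tbs) if t == 0xA3]  # [3] EXPLICIT Extensions
    if not tagged:
        return []
    _, ext_seq, _ = _tlv(tagged[0], 0)                 # SEQUENCE OF Extension
    result = []
    for _, ext in _children(ext_seq):
        fields = _children(ext)                        # extnID, [critical], extnValue
        oid = _oid(fields[0][1])
        critical = len(fields) == 3 and fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        result.append((oid, OID_NAMES.get(oid, "unknown"), critical))
    return result


def unrecognized_critical(der):
    """OIDs that make a strict PKIX validator reject the certificate."""
    return [o for o, _, crit in list_extensions(der) if crit and o not in PKIX_KNOWN]


# --- constructed sample: DER encoder and a CA-style certificate skeleton -----
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _enc(0x06, bytes(out))


def _ext(oid, critical, value):
    body = _enc_oid(oid) + (_enc(0x01, b"\xff") if critical else b"")
    return _enc(0x30, body + _enc(0x04, value))


def build_sample_cert(critical_nscerttype=True):
    """Syntactically valid Certificate (placeholder names, dummy key/signature)
    whose extension set mimics an OpenSSL CA config; nsCertType optionally critical."""
    exts = _enc(0x30,
                _ext("2.5.29.19", True, b"\x30\x03\x01\x01\xff")          # basicConstraints CA:TRUE
                + _ext("2.5.29.15", True, b"\x03\x02\x01\x06")            # keyUsage keyCertSign,cRLSign
                + _ext("2.16.840.1.113730.1.1", critical_nscerttype, b"\x03\x02\x01\x06"))  # nsCertType sslCA,emailCA
    sig_alg = _enc(0x30, _enc_oid("1.2.840.113549.1.1.5"))                  # sha1WithRSAEncryption
    tbs = _enc(0x30,
               _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sig_alg  # v3, serial 1
               + _enc(0x30, b"")                                              # issuer (empty placeholder)
               + _enc(0x30, _enc(0x17, b"081031143006Z") + _enc(0x17, b"131031143006Z"))
               + _enc(0x30, b"")                                              # subject (empty placeholder)
               + _enc(0x30, _enc(0x30, _enc_oid("1.2.840.113549.1.1.1") + _enc(0x05, b"")) + _enc(0x03, b"\x00"))
               + _enc(0xA3, exts))
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, name, crit in list_extensions(build_sample_cert()):
        print("%-24s %-22s critical=%s" % (oid, name, crit))
    print("rejected by strict PKIX:", unrecognized_critical(build_sample_cert()))
```

The same facts are visible by eye with `openssl x509 -in ca.pem -noout -text`, where each extension line carries the word `critical` when the flag is set; the script is for when you want a machine-checkable answer before re-running `zmcertmgr deploycrt`. If the offending extension is not one RFC 5280 requires to be critical, the fix is on the CA side: re-issue the certificate with that extension non-critical (or dropped) rather than trying to make the Java keystore accept it.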
