Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1
08-22-2010, 01:15 PM
Intermediate Member
Posts: 16
Severe problems when creating self-signed certificate from CLI

Hi, Zimbra 6.0.7 OSE 64 bit, Debian 5.
I need to do it from a script, so I can't use ZWC (where it works flawlessly).
I've been following these instructions:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki
but I got 2 errors when deploying the CA, and then Zimbra becomes severely broken. It is not a problem since it is a test environment in a VM, but I have to find a reliable solution for "the real stuff".
I've googled for many hours and found a couple of semi-functional solutions to the problem, but no idea about how to create the certificate from the CLI without these troubles at all (I repeat, if done from ZWC it works fine, but I need to do it from a script).
Note the 2 "failed" lines at the end:
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
and then I got tons of "(system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)" in the logs.

The sequence I've used, which seems to be the same as the wiki's, is this one (yes, 3650 days = 10 years, but I have the same problems with just 365):
mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
Validation days: 3650
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
mxz:~#

Where am I (or the wiki) wrong?
Thanks a lot!
#2
08-23-2010, 01:50 AM
Junior Member
Posts: 5

After the commands:
zmcertmgr createca -new
zmcertmgr createcrt -new -days 365
zmcertmgr deploycrt self
zmcertmgr deployca

Restart the services:

su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol start"

and reenter the command to deploy the certificate on ldap:

zmcertmgr deploycrt self
zmcertmgr deployca


I'm not sure if the first (failed) deploy commands can be left out at all.
Regards.
#3
08-23-2010, 09:39 AM
Intermediate Member
Posts: 16

Ok, first I've tried avoiding the first, failing, zmcertmgr deployca.
The server failed to restart with an error like this:
Host mxz.mytesthost.it
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
zimbra logger service is not enabled! failed.

Starting mailbox...Done.
etc.

Then I started again from scratch including that command (so with the sequence you suggested) and it worked fine, at least as far as I can tell so far (it seems I have no more errors in the logs).
The "problem" is: ZWC does not restart itself; it tells the admin to do so, so I doubt it will re-deploy the certificate and CA after the manual restart.
So is what you suggested (thanks a lot anyway) a workaround, or the right way to proceed?
In the latter case, someone had better fix the wiki!
I will consider this "solved" after some more investigation.
#4
08-23-2010, 09:49 AM
Junior Member
Posts: 5

It's a workaround... I'm a new user, and I had the same problem as you a week ago.

Best regards
#5
08-27-2010, 03:33 PM
Intermediate Member
Posts: 16

Well, with 6.0.8 things seem to have worsened a little, with random behaviour. Still an error, even if with a different message, but sometimes everything seems OK after a restart, and sometimes everything is blocked due to the wrong certificate.

mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcsr self -new
** Generating a server csr for download self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235107
** Retrieving Commercial CA cert from ldap...done.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
Validation days: 3650
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
19889:error:0906D06C:PEM routines:PEM_read_bio:no start lineem_lib.c:650:Expecting: TRUSTED CERTIFICATE
done.
mxz:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
unable to load certificate
21323:error:0906D06C:PEM routines:PEM_read_bio:no start lineem_lib.c:650:Expecting: TRUSTED CERTIFICATE
#
Hope a kind Zimbra developer is willing to have a look at this mess.
#6
09-10-2010, 08:09 AM
Trained Alumni
Posts: 13

I too am having this problem in 6.0.8 and have filed a support case to try and get it resolved.

Doug
#7
09-11-2010, 10:20 PM
Intermediate Member
Posts: 22

... I had the same problem while migrating from 6.0.8-32bit/debian4 to 6.0.8-64bit/debian5.
After hours (and after repeating, with growing desperation, all the recipes in the wiki) the sequence mentioned by fusillator solved the problem:
zmcertmgr deploycrt self
zmcertmgr deployca

Restart the services:

su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol start"

and reenter the command to deploy the certificate on ldap:

zmcertmgr deploycrt self
zmcertmgr deployca

The good side of it: it was the only problem in the migration process.


anton
#8
09-13-2010, 08:47 AM
Trained Alumni
Posts: 13

Yeah. The workaround does work even though I still get the "Expecting: TRUSTED CERTIFICATE" error message.

Doug
#9
09-21-2010, 08:18 PM
Loyal Member
Posts: 89
scripted work-around

I'll throw my 2 cents in...

I've automated the install and configuration of the zimbra/samba solution. Moving to ZCS6 I've found most everything is the same except ldap and generating a self-signed certificate. Running the same script from ZCS5 on ZCS6: it still works on 5 but does not work on 6. When deploying:

Code:
** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
28551:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
done.
By default the Global zimbraSmtpHostname resolves to:
zimbraSmtpHostname: localhost

The Server zimbraSmtpHostname resolves to:
zimbraSmtpHostname: mail.domain.tld

When making both the Global and Server settings mail.domain.tld there are many problems and ldap will not restart. It wouldn't be a big deal, but the first time I showed it to the client, he a) loved it, and b) clicked on the yellow highlighted button next to SERVER > MTA > Hostname (make same as Global). He didn't even think about it, he just did it.

This is somewhat problematic, after that:
ldap wouldn't restart
when reloading the Admin UI there was an error "Failed to initialize the posix zimlet".

I can imagine the eyes rolling now, but from a design standpoint a user's eye shouldn't be drawn to the only thing on the screen that will cripple the server. And the server shouldn't be so inflexible that it breaks so easily.

Q1: is there a bug for this?

Q2: is there a work-around that can be scripted?

My ZCS5 installs will generate a self-signed cert automatically every year till the drives go out. I can't think of one plausible reason ZCS6 shouldn't be able to do the same thing.

Please throw us a bone. You know how we all get a big rubbery one deploying a server without any cost at all, even certificates.

Thanks in advance,
todd_dsm

Don't forget to Vote for this bug:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

Last edited by todd_dsm; 10-08-2010 at 09:19 AM..
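As an added example (not code from this thread or from Zimbra), a POSIX shell wrapper for the deploy / restart / deploy-again sequence from post #2 that anton and Doug confirmed, with pre-flight checks for the "PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE" failure seen in posts #5, #8 and #9: that OpenSSL error means the file zmcertmgr was given contains no PEM certificate block, so the script refuses to deploy unless ca.pem and server.crt are parseable and the server cert verifies against the CA. Assumptions: the default /opt/zimbra path, that createcrt leaves the signed cert at ssl/zimbra/server/server.crt, and that openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra. Wraps the sequence
# that worked for the posters (deploy, full restart, deploy again) and checks
# the certificate files first, because "PEM_read_bio:no start line ...
# Expecting: TRUSTED CERTIFICATE" means zmcertmgr was handed a file with no
# "-----BEGIN CERTIFICATE-----" block at all.
ZIMBRA_HOME=${ZIMBRA_HOME:-/opt/zimbra}                 # assumption: default path
CA_PEM="$ZIMBRA_HOME/ssl/zimbra/ca/ca.pem"              # written by createca
SERVER_CRT="$ZIMBRA_HOME/ssl/zimbra/server/server.crt"  # assumption: createcrt output

# Returns 0 if the file is non-empty and carries a complete PEM certificate
# block (plain or TRUSTED), which is exactly what the OpenSSL error is about.
pem_has_cert() {
    [ -s "$1" ] || return 1
    grep -Eq '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$1" || return 1
    grep -Eq '^-----END (TRUSTED )?CERTIFICATE-----' "$1"
}

# Returns 0 if the server certificate chains to the CA (needs openssl on PATH).
server_cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

deploy_self_signed() {
    days=${1:-365}
    "$ZIMBRA_HOME/bin/zmcertmgr" createca -new
    "$ZIMBRA_HOME/bin/zmcertmgr" createcrt -new -days "$days"
    pem_has_cert "$CA_PEM" || { echo "$CA_PEM: no PEM certificate" >&2; return 1; }
    pem_has_cert "$SERVER_CRT" || { echo "$SERVER_CRT: no PEM certificate" >&2; return 1; }
    server_cert_signed_by_ca "$CA_PEM" "$SERVER_CRT" \
        || { echo "$SERVER_CRT does not verify against $CA_PEM" >&2; return 1; }
    # First pass: installs the server cert; the global CA keys may still fail.
    "$ZIMBRA_HOME/bin/zmcertmgr" deploycrt self
    "$ZIMBRA_HOME/bin/zmcertmgr" deployca
    # Full restart so LDAP comes up on the new cert, then deploy again so the
    # zimbraCertAuthority*SelfSigned keys are written to a working LDAP.
    su - zimbra -c "zmcontrol stop"
    su - zimbra -c "zmcontrol start"
    "$ZIMBRA_HOME/bin/zmcertmgr" deploycrt self
    "$ZIMBRA_HOME/bin/zmcertmgr" deployca
}

# Only act when invoked as "script run [days]", so sourcing it has no side effects.
if [ "${1:-}" = run ]; then
    deploy_self_signed "${2:-365}"
fi
```

The pre-flight checks are what turn the "unable to load certificate" output into a clean abort before anything is written to LDAP or the keystore.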