Thread: Severe problems when creating self-signed certificate from CLI

  1. #1 mmenaz

    Severe problems when creating self-signed certificate from CLI

    Hi, Zimbra 6.0.7 OSE 64 bit, Debian 5.
    I need to do it from a script, so I can't use ZWC (where it works flawlessly).
    I've been following these instructions:
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    but I got 2 errors when deploying the CA, and then Zimbra becomes severely broken. It's not a problem since it's a test environment in a VM, but I have to find a reliable solution for "the real stuff".
    I've googled for many hours, and found a pair of semi-functional solutions to the problem, but no idea about how to create the certificate from CLI without these troubles at all (I repeat, if done from ZWC it works fine, but I need to do it from a script).
    Note the 2 "failed" lines at the end:
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    and then I got tons of "(system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)" in the logs.

    The sequence I've used, which seems to be the same as the wiki's, is this one (yes, 3650 days = 10 years, but I have the same problems with just 365):
    mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
    Validation days: 3650
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    mxz:~#

    Where am I (or the wiki) wrong?
    Thanks a lot!

  2. #2 fusillator

    After the commands:
    zmcertmgr createca -new
    zmcertmgr createcrt -new -days 365
    zmcertmgr deploycrt self
    zmcertmgr deployca

    Restart the services:

    su - zimbra -c "zmcontrol stop"
    su - zimbra -c "zmcontrol start"

    and re-enter the commands to deploy the certificate on ldap:

    zmcertmgr deploycrt self
    zmcertmgr deployca


    I'm not sure if the first (failed) deploy commands can be left out at all.
    Regards.

  3. #3 mmenaz

    Ok, first I tried avoiding the first, failing, zmcertmgr deployca.
    The server failed to restart with an error like this:
    Host mxz.mytesthost.it
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    zimbra logger service is not enabled! failed.

    Starting mailbox...Done.
    etc.

    Then I started again from scratch including that command (so with the sequence you suggested) and it worked fine, at least as far as I can tell so far (it seems I have no more errors in the logs).
    The "problem" is: ZWC does not restart itself, it tells the admin to do it, so I doubt it will re-deploy the certificate and CA after the manual restart.
    So is what you suggested (thanks a lot anyway) a workaround, or the right way to proceed?
    In the latter case, someone had better fix the wiki!
    I will consider this "solved" after some more investigation.

  4. #4 fusillator

    It's a workaround... I'm a new user, and I had the same problem as you a week ago.

    Best regards

  5. #5 mmenaz

    Well, with 6.0.8 things seem to have worsened a little, with random behaviour. Still an error, even if with a different message, but sometimes everything seems OK after a restart, sometimes everything is blocked due to a wrong certificate.

    mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr createcsr self -new
    ** Generating a server csr for download self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235107
    ** Retrieving Commercial CA cert from ldap...done.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
    Validation days: 3650
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
    19889:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
    done.
    mxz:~# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    unable to load certificate
    21323:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
    #
    I hope a kind Zimbra developer is willing to have a look at this mess.

  6. #6 dgcurtis

    I too am having this problem in 6.0.8 and have filed a support case to try and get it resolved.

    Doug

  7. #7 auanton

    ... I had the same problem while migrating from 6.0.8-32bit/debian4 to 6.0.8-64bit/debian5.
    After hours (and after repeating, with growing desperation, all the recipes in the wiki) the sequence mentioned by fusillator solved the problem:
    zmcertmgr deploycrt self
    zmcertmgr deployca

    Restart the services:

    su - zimbra -c "zmcontrol stop"
    su - zimbra -c "zmcontrol start"

    and re-enter the commands to deploy the certificate on ldap:

    zmcertmgr deploycrt self
    zmcertmgr deployca
    The good side of it: it was the only problem in the migration process.


    anton

  8. #8 dgcurtis

    Yeah. The workaround does work even though I still get the "Expecting: TRUSTED CERTIFICATE" error message.

    Doug

  9. #9 todd_dsm

    scripted work-around

    I'll throw my 2 cents in...

    I've automated the install and configuration of the zimbra/samba solution. Moving to ZCS6 I've found most everything is the same except ldap and generating a self-signed certificate. Running the same script from ZCS5 on ZCS6: it still works on 5, it does not work on 6. When deploying:

    Code:
    ** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
    28551:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
    done.
    By default the Global zimbraSmtpHostname resolves to:
    zimbraSmtpHostname: localhost

    The Server zimbraSmtpHostname resolves to:
    zimbraSmtpHostname: mail.domain.tld

    When making both the Global and Server settings mail.domain.tld there are many problems and ldap will not restart. It wouldn't be a big deal, but the first time I showed it to the client, he a) loved it, and b) clicked on the yellow highlighted button next to SERVER > MTA > Hostname (make same as Global). He didn't even think about it, he just did it.

    This is somewhat problematic, after that:
    ldap wouldn't restart
    when reloading the Admin UI there was an error "Failed to initialize the posix zimlet".

    I can imagine the eyes rolling now, but from a design standpoint a user's eye shouldn't be drawn to the only thing on the screen that will cripple the server. And the server shouldn't be so inflexible that it breaks so easily.

    Q1: is there a bug for this?

    Q2: is there a work-around that can be scripted?

    My ZCS5 installs will generate a self-signed cert automatically every year till the drives go out. I can't think of one plausible reason ZCS6 shouldn't be able to do the same thing.

    Please throw us a bone. You know how we all get a big rubbery one deploying a server without any cost at all, even certificates.

    Thanks in advance,
    todd_dsm

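A scripted form of the deploy, restart, redeploy sequence from fusillator's reply (#2), which is the kind of scriptable workaround todd_dsm asks for in Q2, as an added example that is not from the thread or from Zimbra. It assumes the command paths shown in the thread, that `zmprov gcf` reads back the two global config keys that "failed", and a `--deploy` flag and `VALIDITY_DAYS` variable introduced here; the PEM check reflects the "no start line ... Expecting: TRUSTED CERTIFICATE" messages quoted above, which openssl prints when handed a file with no certificate block.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: fusillator's
# deploy -> restart -> redeploy sequence as a script, with checks around it.
# Paths/commands as shown in the thread; VALIDITY_DAYS and --deploy are introduced here.
ZMCERTMGR=/opt/zimbra/bin/zmcertmgr
ZIMBRA_CA_DIR=/opt/zimbra/conf/ca
VALIDITY_DAYS=${VALIDITY_DAYS:-365}

# 0 when FILE holds a PEM certificate block. "PEM_read_bio:no start line ...
# Expecting: TRUSTED CERTIFICATE" is what openssl prints when given a file
# without one (empty, truncated, or not PEM at all).
pem_has_cert_block() {
    grep -q '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----$' "$1" 2>/dev/null &&
    grep -q '^-----END \(TRUSTED \)\{0,1\}CERTIFICATE-----$' "$1" 2>/dev/null
}

# Reports every .pem in DIR that would trip that error; returns 1 if any does.
check_ca_dir() {
    bad=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        if ! pem_has_cert_block "$f"; then
            echo "no PEM certificate block in: $f" >&2
            bad=1
        fi
    done
    return $bad
}
# Assumption: the two global keys that "failed" in the thread read back with
# zmprov gcf and, once stored, contain the PEM certificate and key markers.
ca_keys_in_ldap() {
    su - zimbra -c "zmprov gcf zimbraCertAuthorityCertSelfSigned" | grep -q 'BEGIN CERTIFICATE' &&
    su - zimbra -c "zmprov gcf zimbraCertAuthorityKeySelfSigned" | grep -q 'PRIVATE KEY'
}

deploy_self_signed() {
    check_ca_dir "$ZIMBRA_CA_DIR" || echo "warning: unparsable files in $ZIMBRA_CA_DIR" >&2
    "$ZMCERTMGR" createca -new
    "$ZMCERTMGR" createcrt -new -days "$VALIDITY_DAYS"
    "$ZMCERTMGR" deploycrt self
    "$ZMCERTMGR" deployca || true   # first pass reports "failed" in the thread
    su - zimbra -c "zmcontrol stop"
    su - zimbra -c "zmcontrol start"
    "$ZMCERTMGR" deploycrt self      # second pass, after the restart
    "$ZMCERTMGR" deployca
    ca_keys_in_ldap || { echo "CA cert/key still not stored in LDAP" >&2; return 1; }
}
# Only deploy when asked; running or sourcing without --deploy just defines the functions.
if [ "${1:-}" = "--deploy" ]; then deploy_self_signed; fi
```

Run it as root with `--deploy`; without the flag it only defines the functions, so `check_ca_dir /opt/zimbra/conf/ca` can be used on its own to find the file behind an "Expecting: TRUSTED CERTIFICATE" message.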
