LinkBack URL
About LinkBacks
Active Member
Thawte SSL123 (Did not Use Admin Panel)
That's right my client went ahead and purchased a Thawte ssl123 cert without consulting me first and did not know about the admin panel and having to use it to create the CSR first. So we have an SSL123 created the standard way from the linux command prompt. Is there any way to get this sucker working in Zimbra?
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition
OpenSource Builder & Moderator
well i've just spent 3 hours wiki'ing, forum'ing and googl'ing and eventually found the answer to this - it's pretty cryptic (no pun intended)
request the cert in tomcat format, download the signed cert in x.509 format (you have to cut and paste into a file, call it commercial.crt).
download the root ca cert from here:
https://search.thawte.com/support/ss...INK&id=AR1470#
again, cut and paste into a file, call it ca.root
download the ssl intermediate bundle cert from here:
https://search.thawte.com/support/ss...LINK&id=AR1372
you'll want to choose the 'Apache, Plesk & CPanel' option 1, ie 'Download the Bundled CA version' - save it to ca.inter
now concatenate the two:
cat ca.root ca.inter >commercial_ca.crt
edit the newly created commercial_ca.crt and make sure that the ---BEGIN and ---END lines are all on their own line, and there are no empty gap lines anywhere.
then verify:
/opt/zimbra/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt
hopefully this goes ok - if you get any wierd errors you either have requested the cert wrong or have not quite got the above steps 100% correct.
then install:
/opt/zimbra/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
then restart zimbra
Active Member
Thanks for your post but I am just so frustrated by this process. I've created a new CSR and got a new SSL123 cert from thawte. Here is what I did:
1. Backup/remove 2009's key/crt/csr in /opt/zimbra/ssl/zimbra/commercial
2. Zimbra Admin panel - generate CSR - verified they created in /opt/zimbra/ssl/zimbra/commercial on server
3. Issued/received new certificate from Thawte with new CSR
4. Uploaded it to /opt/zimbra/ssl/zimbra/commercial.crt
5. Ran /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt thawte-bundle.ca
Error:
I am pretty sure I have the wrong "thawte-bundle". There are like a thousand different bundles on thawte's site I can't figure out what in the world to download for this. Anyone know?Code:** Verifying commercial.crt against commercial.key Certificate (commercial.crt) and private key (commercial.key) match. XXXXX ERROR: Invalid Certificate: commercial.crt: /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA error 2 at 2 depth lookup:unable to get issuer certificate
Also, should I be using the admin panel for this? It asks me for the certificate, the root ca and the intermeidate ca. I don't know what to upload for the root and intermediate.
Could someone please explain what I need to do to renew this certificate? What thawte root CAs I need to download? Should I be using the command line or the admin panel? Please help I am so exhausted from this. Thanks.
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition
OpenSource Builder & Moderator
you've got the wrong ca bundle. i gave you precise links and instructions above to get the right ones!
Active Member
Thank you so much. Those two bundles were my entire problem. There are all kinds of bundles on Thawte's site and how you figured out which ones to use is beyond my mere mortal knowledge. I never could have figured that out on my own. Thankfully we purchased a 2 year cert and I don't have to deal with this crap for a while.
5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition
Junior Member
I did pretty much exactly this but with a GeoTrust DV (not EV "extended verification") cert from Tucows/OpenSRS. This actually works, mind the carriagereturns and no linefeeds in the cert files. You need to download the GeoTrust root (and guess which one of 15 of them is the right one, in this case it's http://www.geotrust.com/resources/ro..._Global_CA.pem )Originally Posted by dijichi2
Cat the cert files together (after editing them to insert newlines, dont mess up any of the alphanum text data in the cert!), save, cat them as per above, verify, and install.
Works fine. So just another confirmation that this works/still works. Am on Zimbra 7.0whatever is current as of July 5 2012.
New Member
Hi, I am having the same problems. I got a GeoTrust DV QuickSSL cert through OpenSRS. I have pasted the CA and intermediate files into one file, but I am still getting:
I chose "other" in the certificate type when I got it, but it came emailed as x.205 with the intermediate so I guess thats fine?Code:# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. XXXXX ERROR: Invalid Certificate: /tmp/commercial.crt: serialNumber = /wJqvrIOj1IlanTxsmgW7M7Z5rdcHpx3, OU = GT24244572, OU = See www.geotrust.com/resources/cps (c)12, OU = Domain Control Validated - QuickSSL(R), CN = mail.tcp.net error 20 at 0 depth lookup:unable to get local issuer certificate
Also I created the CSR through the webUI, but when I try and do this through the browser I get the error:
Anyone have any pointers? I have tried loads of things I found on Google and on here with no luck...Code:Your certificate was not installed due to the following error: system failure: exception executing command: zmcertmgr deploy comm /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt . . .
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
