Page 1 of 2
Results 1 to 10 of 13

Thread: SSL problems

  1. #1 dcm (Member)

    SSL problems

    For a couple of reasons, I decided to use a commercial SSL certificate from godaddy instead of the self-signed certificate that was created during the install.

    I found this page: http://wiki.zimbra.com/index.php?tit...l_Certificates and followed the instructions for the godaddy certificate at the bottom of the page. Everything seemed to be going fine all the way up until I restarted tomcat. I ran 'tomcat restart' and it took a while but didn't give me any errors. 'zmcontrol status', however, is showing that tomcat is down. I tried 'zmcontrol stop' and 'zmcontrol start' and got the same results.

    I copied the old /opt/zimbra/apache-tomcat-5.5.15/conf/keystore back into place and it started back up fine.

    I then found a couple of posts that said that I needed to run this:

    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
    1. Am I supposed to be replacing my_ca with something else? If so, what?
    2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

    Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem? I didn't see anything obvious in /opt/zimbra/tomcat/logs/

    Any help or suggestions would be greatly appreciated.

    dcm

  2. #2 marcmac (Expert Member)

    Quote Originally Posted by dcm
    I then found a couple of posts that said that I needed to run this:

    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
    1. Am I supposed to be replacing my_ca with something else? If so, what?
    2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

    The second command should read
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    but you shouldn't need to run it.

    Quote Originally Posted by dcm
    Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem? I didn't see anything obvious in /opt/zimbra/tomcat/logs/

    /opt/zimbra/tomcat/logs/catalina.out

    Chances are that your keypass or storepass is wrong (both should be zimbra) or your keystore is just fubar - did you import the godaddy cert into the same keystore you used to create the cert request? Did you import the godaddy root and intermediate certs?
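    An added example, not code from this thread or from Zimbra, that works through marcmac's diagnosis with keytool alone: a keystore whose key password differs from its store password (the mistake dcm describes in the next post), the resulting "cannot recover key" failure, the in-place repair with `keytool -keypasswd` (no re-keying needed), and the root/intermediate certificates going into the same keystore as the CSR under their own aliases while "tomcat" stays reserved for the server key. Note the two different stores in marcmac's answer: /opt/zimbra/tomcat/conf/keystore (storepass zimbra) holds the server key, /opt/zimbra/java/jre/lib/security/cacerts (storepass changeit) is the JRE trust store; this script only touches a throwaway keystore in a temp directory. It assumes keytool from a JDK on PATH and forces the JKS store type because a PKCS12 store ignores a separate key password; the file names, the alias gd_root and the password "wrongpass" are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra. Assumes keytool
# (from a JDK) on PATH; file names, the alias gd_root and the password
# "wrongpass" are illustrative.
set -u

# Reproduce a keystore whose key password differs from its store password,
# show the key becoming unrecoverable with the store password, repair it in
# place with -keypasswd, and add a CA certificate under its own alias.
# Prints "ok" on success, "skipped" when keytool is not installed.
demo_keystore_passwords() {
  command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  ks="$work/keystore"

  # Like the install-time keystore (alias tomcat, storepass zimbra) except
  # that the key got a different password, the situation in post #3.
  # JKS is forced: a PKCS12 store ignores a separate -keypass entirely.
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS \
    -keystore "$ks" -storepass zimbra -keypass wrongpass \
    -dname "CN=mail.example.com, O=Example" -validity 30 >/dev/null 2>&1 || return 1

  # Tomcat opens the key with keypass=zimbra; signing a CSR needs the same
  # thing, so this must fail ("Cannot recover key"), which is the kind of
  # error that ends up in catalina.out.
  if keytool -certreq -alias tomcat -keystore "$ks" -storepass zimbra \
       -keypass zimbra -file "$work/bad.csr" >/dev/null 2>&1; then
    echo "unexpected: CSR signed with the wrong key password"; rm -rf "$work"; return 1
  fi

  # Repair after the fact: only the key password changes, nothing is re-keyed.
  keytool -keypasswd -alias tomcat -keystore "$ks" -storepass zimbra \
    -keypass wrongpass -new zimbra >/dev/null 2>&1 || return 1

  # Both passwords are now "zimbra" and the CSR can be produced.
  keytool -certreq -alias tomcat -keystore "$ks" -storepass zimbra \
    -keypass zimbra -file "$work/commercial.csr" >/dev/null 2>&1 || return 1

  # Stand-in for the CA's root cert: a self-signed cert from a second store.
  # Root and intermediate certs each get their own alias in the SAME
  # keystore as the CSR; "tomcat" stays reserved for the server key.
  keytool -genkey -alias root -keyalg RSA -keysize 2048 -storetype JKS \
    -keystore "$work/ca.keystore" -storepass zimbra -keypass zimbra \
    -dname "CN=Example Root CA" -validity 30 >/dev/null 2>&1 || return 1
  keytool -export -alias root -keystore "$work/ca.keystore" -storepass zimbra \
    -rfc -file "$work/root.crt" >/dev/null 2>&1 || return 1
  keytool -import -alias gd_root -trustcacerts -noprompt -file "$work/root.crt" \
    -keystore "$ks" -storepass zimbra >/dev/null 2>&1 || return 1

  # Expect one private-key entry (tomcat) and one trusted-cert entry (gd_root).
  listing=$(keytool -list -keystore "$ks" -storepass zimbra 2>/dev/null)
  rm -rf "$work"
  case "$listing" in
    *tomcat*PrivateKeyEntry*|*tomcat*keyEntry*) ;;   # JDK 6+ / JDK 5 wording
    *) echo "no private key entry for tomcat"; return 1 ;;
  esac
  case "$listing" in
    *gd_root*trustedCertEntry*) echo ok ;;
    *) echo "no trusted entry for gd_root"; return 1 ;;
  esac
}

# Run directly with:  sh demo.sh run
if [ "${1:-}" = run ]; then demo_keystore_passwords; fi
```

    The `keytool -list` check at the end is the quickest way to tell the two failure modes apart on a real server: if the tomcat alias is missing or shows up as a trustedCertEntry rather than a PrivateKeyEntry, the keystore itself is wrong; if it is a PrivateKeyEntry but Tomcat still logs a key-recovery error in catalina.out, the passwords disagree and `-keypasswd` fixes it without going back to the CA.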

  3. #3 dcm (Member)

    OK, I see an error in catalina.out. It does look like it is a password problem. When I was going through the steps to create the csr, etc., I did use a different password. Does that mean that I have to go back and have godaddy reissue the certificate or can I change that stuff after the fact?

    Thanks,

    dcm

  4. #4 kechols (Senior Member)

    I think I'm going to have the same problem, I generated my ssl cert with

    openssl req -new -newkey rsa:1024 -nodes -subj '/CN=myhost.domain.com/O=My Company/C=US/ST=Alabama/L=Birmingham' -keyout webmail1.pem -out webmail1.pem

    If this is going to cause a problem, is there a way to fix this so that I can use the already generated (and submitted) certificate?

    Thanks,
    Kyle

  5. #5 dcm (Member)

    I re-keyed mine and everything is fine now.

    dcm

  6. #6 kechols (Senior Member)

    Will I need to run
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    before generating my new certificate? I get
    keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists

    When I try to generate it without running that, I just want to be sure I'm not going to break the existing self-signed ssl cert.

    Thanks,
    kyle
    Last edited by kechols; 09-13-2006 at 12:58 PM. Reason: had the wrong command in my clipboard Ooops ! :D

  7. #7 dcm (Member)

    I think I just renamed my current commercial.csr and commercial.keystore files and my .crt file and then started over.

    dcm

  8. #8 merrill (Junior Member, Columbus, OH)

    I'm trying to get a GeoTrust certificate installed onto my Zimbra server.

    In my haste to acquire the cert, I generated the CSR using openssl, rather than keytool, as kechols seems to have done. I have now a CSR, key, and certificate.

    I backed up and then deleted tomcat/conf/keystore. I successfully executed:
    Code:
    keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file my.crt -storepass zimbra
    `tomcat restart` does not produce any errors, but HTTPS communication to the Zimbra server is not functional.

    I tried using the java tool provided in this thread to generate a new keystore, but I got the following error:
    [root@mail zimbra]# ./java/bin/java -cp /opt/zimbra/java/lib/tools.jar:. AddCertToKeystore
    Exception in thread "main" java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1275)
        at java.security.KeyStore.load(KeyStore.java:1150)
        at AddCertToKeystore.main(AddCertToKeystore.java:18)
    Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
        at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
        at com.sun.crypto.provider.SunJCE_ac.b(DashoA12275)
        at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40.engineDoFinal(DashoA12275)
        at javax.crypto.Cipher.doFinal(DashoA12275)
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1272)
        ... 2 more
    How can I make use of the certificate we have purchased?
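    An added example for the situation in this post; it is not code from the thread, from Zimbra, from GeoTrust, or from the AddCertToKeystore tool. When the key and CSR come from openssl rather than keytool, `keytool -import` of the returned certificate creates a trusted-certificate entry, not a key entry, so Tomcat starts cleanly but has no private key to serve HTTPS with. The usual route is an openssl PKCS#12 bundle of key plus certificate (plus the CA chain via -certfile) with friendly name tomcat, then `keytool -importkeystore` into the JKS keystore. A PKCS#12 file opened with a password other than the one it was exported with fails its integrity check; from Java that typically surfaces as exactly the "failed to decrypt safe contents entry ... BadPaddingException" trace quoted above, so the first thing to compare is the export password against the one the tool uses. The script assumes openssl and a JDK 6 or later keytool on PATH (for -importkeystore); the self-signed certificate stands in for the CA-issued one, and the file names and the bundle password "zimbra" are illustrative.

```shell
#!/bin/sh
# Added example for post #8; not code from the thread, from Zimbra, or from
# the AddCertToKeystore tool. Assumes openssl and a JDK 6+ keytool on PATH.
# The self-signed cert stands in for the CA-issued one; file names and the
# bundle password "zimbra" are illustrative.
set -u

# Show that `keytool -import` of a certificate alone yields a trusted-cert
# entry (no private key), that a PKCS#12 bundle carries key + cert into the
# tomcat alias, and that the bundle refuses a wrong password.
# Prints "ok" on success, "skipped" when the tools are not installed.
demo_openssl_key_into_keystore() {
  command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1 \
    || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1

  # Key and certificate as openssl produces them (self-signed here so the
  # example runs offline; a CA-issued my.crt would be used the same way).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=mail.example.com/O=Example" \
    -keyout "$work/my.key" -out "$work/my.crt" >/dev/null 2>&1 || return 1

  # The mistake: the certificate goes in as a *trusted* entry. Tomcat starts,
  # but the keystore holds no private key for the tomcat alias.
  keytool -import -alias tomcat -trustcacerts -noprompt -file "$work/my.crt" \
    -keystore "$work/wrong.keystore" -storetype JKS -storepass zimbra \
    >/dev/null 2>&1 || return 1
  case "$(keytool -list -keystore "$work/wrong.keystore" -storepass zimbra 2>/dev/null)" in
    *tomcat*trustedCertEntry*) ;;
    *) echo "expected a trustedCertEntry"; return 1 ;;
  esac

  # The fix: bundle key + cert (add the CA chain with -certfile chain.pem)
  # as PKCS#12 with friendly name "tomcat". PBE-SHA1-3DES and a sha1 MAC are
  # chosen only because every JDK can read that classic format.
  openssl pkcs12 -export -name tomcat -inkey "$work/my.key" -in "$work/my.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -out "$work/tomcat.p12" -passout pass:zimbra >/dev/null 2>&1 || return 1

  # A different password fails the bundle's integrity check. Loaded from Java
  # this is the "failed to decrypt safe contents entry ... BadPaddingException"
  # trace in post #8.
  if openssl pkcs12 -in "$work/tomcat.p12" -info -noout -passin pass:changeit \
       >/dev/null 2>&1; then
    echo "unexpected: wrong bundle password accepted"; return 1
  fi

  # Move the key entry into a JKS keystore under alias tomcat, keypass zimbra.
  keytool -importkeystore -noprompt \
    -srckeystore "$work/tomcat.p12" -srcstoretype PKCS12 -srcstorepass zimbra \
    -srcalias tomcat -destkeystore "$work/keystore" -deststoretype JKS \
    -deststorepass zimbra -destalias tomcat -destkeypass zimbra \
    >/dev/null 2>&1 || return 1

  listing=$(keytool -list -keystore "$work/keystore" -storepass zimbra 2>/dev/null)
  rm -rf "$work"
  case "$listing" in
    *tomcat*PrivateKeyEntry*) echo ok ;;
    *) echo "expected a PrivateKeyEntry for tomcat"; return 1 ;;
  esac
}

# Run directly with:  sh demo.sh run
if [ "${1:-}" = run ]; then demo_openssl_key_into_keystore; fi
```

    Tomcat can also read the .p12 directly (keystoreType="PKCS12" on the SSL Connector) instead of converting it to JKS, but keeping the tomcat/conf/keystore layout the installer expects is the less surprising choice on a Zimbra box. Either way, the state to verify is a PrivateKeyEntry named tomcat whose key password matches the store password.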

  9. #9 jholder (Former Zimbran, Thatcher, AZ)

    Take a look at this thread:
    SSL Certificate Problems - ZimbraWiki

    and see if that helps.

  10. #10 merrill (Junior Member, Columbus, OH)

    Thanks for the link, jholder. Unfortunately, none of the information in that wiki page is relevant to the problem I described. I'm not using a self-signed certificate.
