SSL problems

[dcm]

For a couple of reasons, I decided to use a commercial SSL certificate from godaddy instead of the self-signed certificate that was created during the install.

I found this page: http://wiki.zimbra.com/index.php?tit...l_Certificates and followed the instructions for godaddy certificate at the bottom of the page. Everything seemed to be going fine all the way up until I restarted tomcat. I ran 'tomcat restart' and it took awhile but didn't give me any errors. 'zmcontrol status', however, is showing that tomcat is down. I tried 'zmcontrol stop' and 'zmcontrol start' and got the same results.

I copied the old /opt/zimbra/apache-tomcat-5.5.15/conf/keystore back into place and it started back up fine.

I then found a couple of posts that said that I needed to run this:

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
1. Am I supposed to be replacing my_ca with something else? If so, what?
2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem. I didn't see anything obvious in /opt/zimbra/tomcat/logs/

Any help or suggestions would be greatly appreciated.

dcm

[marcmac]

I then found a couple of posts that said that I needed to run this:

keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
1. Am I supposed to be replacing my_ca with something else? If so, what?
2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

The second command should read
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

but you shouldn't need to run it.

Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem. I didn't see anything obvious in /opt/zimbra/tomcat/logs/

Any help or suggestions would be greatly appreciated.

dcm

/opt/zimbra/tomcat/logs/catalina.out

Chances are that your keypass or storepass is wrong (both should be zimbra) or your keystore is just fubar - did you import the godaddy cert into the same keystore you used to create the cert request? DId you import the godaddy root and intermediate certs?

[dcm]

OK, I see an error in catalina.out. It does look like it is a password problem. When I was going through the steps to create the csr, etc., I did use a different password. Does that mean that I have to go back and have godaddy reisue the certificate or can I change that stuff after the fact?

Thanks,

dcm

[kechols]

I think I'm going to have the same problem, I generated my ssl cert with

openssl req -new -newkey rsa:1024 -nodes -subj '/CN=myhost.domain.com/O=My Company/C=US/ST=Alabama/L=Birmingham' -keyout webmail1.pem -out webmail1.pem

If this is going to cause a problem, is there a way to fix this so that I can use the already generated (and submitted) certificate?

Thanks,
Kyle

[dcm]

I re-keyed mine and everything is fine now.

dcm

[kechols]

Will I need to run
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

before generating my new certificate? I get
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists

When I try to generate it without running that, I just want to be sure I'm not going to break the existing self-signed ssl cert.

Thanks,
kyle

[dcm]

I think I just renamed my current commercial.csr and commercial.keystore files and my .crt file and then stated over.

dcm

[merrill]

I'm trying to get a GeoTrust certificate installed onto my Zimbra server.

In my haste to acquire the cert, I generated the CSR using openssl, rather than keytool, as kechols seems to have done. I have now a CSR, key, and certificate.

I backed up and then deleted tomcat/conf/keystore. I successfully executed:

Code:

keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -trustcacerts -file my.crt -storepass zimbra

`tomcat restart` does not produce any errors, but HTTPS communication to the Zimbra server is not functional.

I tried using the java tool provided in this thread to generate a new keystore, but I got the following error:

[root@mail zimbra]# ./java/bin/java -cp /opt/zimbra/java/lib/tools.jar:. AddCertToKeystore
Exception in thread "main" java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engine Load(PKCS12KeyStore.java:1275)
at java.security.KeyStore.load(KeyStore.java:1150)
at AddCertToKeystore.main(AddCertToKeystore.java:18)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
at com.sun.crypto.provider.SunJCE_ac.b(DashoA12275)
at com.sun.crypto.provider.PKCS12PBECipherCore$PBEWit hSHA1AndRC2_40.engineDoFinal(DashoA12275)
at javax.crypto.Cipher.doFinal(DashoA12275)
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engine Load(PKCS12KeyStore.java:1272)
... 2 more

How can I make use of the certificate we have purchased?

[jholder]

Take a look at this thread:
SSL Certificate Problems - ZimbraWiki

and see if that helps.

[merrill]

Thanks for the link, jholder. Unfortunately, none of the information in that wiki page is relevant to the problem I described. I'm not using a self-signed certificate.