  #1 (permalink)  
Old 12-14-2010, 05:56 PM
Junior Member
 
Posts: 5
SSL cert install fails (ver 6)

I am at the end of my rope here.

I just purchased a new cert from Godaddy and I am completely unable to install it on my server.

I have followed every piece of advice/recommendation I found in the wiki and the forums, but nothing has worked.

I get the following error:
Quote:
Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.
Quote:
Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair. Error code: ZaCertWizard.prototype.in...
I have re-keyed the cert so many times by now that I wouldn't be surprised if GoDaddy calls me to laugh at me.

A little background:
- I changed the hostname of the server (could this affect the commercial.key?)
- I had a self signed cert there for the previous name.
- I generated a request from the GUI
- I got a standard SSL cert from Godaddy
- downloaded it as Apache, Tomcat, Other
- I tried using the gui to upload the crt (got the errors above)
- I tried all the tricks here: Installing_a_GoDaddy_Commercial_Certificate_on_ZCS_5.0.x, 21659-solved-godaddy-certificate.html and many more like this; none of them works.


I am open to ANY advice.

Is there a way to totally remove the requests that are pending in Zimbra?
Right now I have so many folders under /opt/zimbra/ssl/ from all the attempts that, if I could just format the box and restart from scratch, I would be tempted, but I have 8 mailboxes for people who would hate to lose their stuff.

Thoughts?
Reply With Quote
  #2 (permalink)  
Old 12-17-2010, 07:28 AM
Beginner Member
 
Posts: 1

I've struggled with the same problem. My suggestion is to try installing the cert using the CLI command zmcertmgr. I installed my commercial cert from Verisign. I think it should be a similar procedure for Godaddy.
1. Backup commercial.csr and commercial.key.
2. Stop zimbra
3. Remove all from /opt/zimbra/ssl/zimbra/ca/* and /opt/zimbra/ssl/zimbra/commercial/*
4. Copy the backed-up commercial.csr and commercial.key to /opt/zimbra/ssl/zimbra/commercial/
5. Copy the cert you've downloaded from Godaddy to /tmp
$ cp godaddy_cert.crt /tmp/commercial.crt
6. Download the root cert (CA) and intermediate cert from Godaddy (I found a bunch of the certs on Verisign; I hope Godaddy has the same)
7. Copy the root CA and intermediate cert to /tmp as one file:
$ cat ca_root.crt ca_intermediate.crt > /tmp/ca_chain.crt
8. Verify the cert chain:
$ sudo /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
If the chain is OK, you'll get a message like:
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /tmp/commercial.crt: OK

If you have error messages, it means the certificate path or chain is broken and you are missing certificate files. In most cases the intermediate cert is the path or chain that is affected. For more info on certificate path verification, please take a look at Cryptography Tutorials - Herong's Tutorial Notes - OpenSSL - Certification Path and Validation
9. Create Self-Sign CA files
$ sudo /opt/zimbra/bin/zmcertmgr createca
New files ca.pem, ca.key, zmssl.cnf will be created in /opt/zimbra/ssl/zimbra/ca/ folder
10. Install the commercial certificate with the command
$ sudo /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
11. Verify the certificate was deployed
$ sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
12. Fix /opt/zimbra permissions
$ sudo /opt/zimbra/libexec/zmfixperms
13. Start Zimbra
Reply With Quote
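
The "Unmatching certificate ... and private key" error in post #1 can be checked independently of Zimbra by comparing the public key inside the certificate with the public key derived from each candidate private key. This is an added example, not code from either poster or from Zimbra: the function names are made up for illustration, and it assumes unencrypted PEM files and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: find out which private key (if any) belongs to a certificate
# after several CSR/re-key attempts have left many *.key files on disk.

# pubkey_fp TYPE FILE -> SHA-256 fingerprint of the public key in FILE.
# TYPE is cert (X.509 certificate), key (private key) or csr (signing request).
pubkey_fp() {
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    # Hash the DER form so the result does not depend on PEM line wrapping.
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# find_matching_key CERT DIR -> prints every *.key under DIR whose public key
# equals the one in CERT. Returns 1 if none match, 2 if CERT is unreadable.
find_matching_key() {
    want=$(pubkey_fp cert "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    matches=$(find "$2" -type f -name '*.key' | while IFS= read -r k; do
        if [ "$(pubkey_fp key "$k")" = "$want" ]; then
            printf '%s\n' "$k"
        fi
    done)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
}

# Usage: sh thisfile.sh /tmp/commercial.crt /opt/zimbra/ssl
if [ "$#" -eq 2 ]; then
    find_matching_key "$1" "$2" || echo "no private key under $2 matches $1" >&2
fi
```

If no key matches, the certificate was issued for a CSR whose private key is no longer on the server; `pubkey_fp csr` on a saved commercial.csr shows which request the CA actually signed.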