Page 1 of 2
Results 1 to 10 of 15

Thread: [SOLVED] Zimbra Certificates have expired and I'm having difficulty regenerating them

  1. #1
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4

    [SOLVED] Zimbra Certificates have expired and I'm having difficulty regenerating them

    Hi all,

    I've posted this in an existing thread, but didn't see the messages show up, so I thought I'd report here (apologies in advance - I know it's probably not considered the "thing to do").

    First, the build info:

    Code:
    [zimbra@rose andy]$ zmcontrol -v
    Release 6.0.3_GA_1915.F11_20091118105056 F11 FOSS edition.
    [zimbra@rose andy]$
    Now, zmcontrol start yields:

    Code:
    [zimbra@rose andy]$ zmcontrol start
    Host xxx.xxx.xxx.xxx
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    [zimbra@rose andy]$
    Now, I've eventually tracked this down to a problem with the certificates having expired yesterday. So I tried regenerating these using the recommended procedure with the following result (errors highlighted in red):

    Code:
    [root@rose bin]# ./zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    [root@rose bin]# ./zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220141501
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220141501
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    [root@rose bin]# ./zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# ./zmcertmgr deployca self
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    I'm hoping someone can point me in the right direction to get the certificates regenerated, as my users are beating down my door...

    Thanks in advance!

    Andy

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56


    Follow the instructions from this wiki article: Administration Console and CLI Certificate Tools - Zimbra :: Wiki - post back with your results.
    Regards


    Bill

  3. #3
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4


    Thanks Bill,

    The third codebox had the results of this procedure, but I've executed it again just in case I missed something. Results below:
    Code:
    
    [root@rose bin]# ./zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    [root@rose bin]# ./zmcertmgr  createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220203916
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220203916
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    [root@rose bin]# ./zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# ./zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# ./zmcertmgr viewdeployedcrt
    ::service mta::
    notBefore=Dec 20 09:39:22 2010 GMT
    notAfter=Dec 20 09:39:22 2011 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    SubjectAltName=
    ::service proxy::
    notBefore=Dec 20 09:39:22 2010 GMT
    notAfter=Dec 20 09:39:22 2011 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Dec 20 09:39:22 2010 GMT
    notAfter=Dec 20 09:39:22 2011 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    SubjectAltName=
    ::service ldap::
    notBefore=Dec 20 09:39:22 2010 GMT
    notAfter=Dec 20 09:39:22 2011 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
    SubjectAltName=
    [root@rose bin]#
    Thanks Bill!

    Andy
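
The `viewdeployedcrt` output above is the quickest place to see which of the four service certificates (mta, proxy, mailboxd, ldap) has actually run out. The following is an added example, not code from this thread or from Zimbra: it parses that output format and reports, per service, the whole days remaining, whether the certificate is expired or not yet valid, whether the subject CN matches the expected host, and whether a SubjectAltName is present at all (every certificate in the thread prints an empty `SubjectAltName=`). The sample input is constructed: the mta block is copied from the post above, the ldap block is invented with a `notAfter` one day in the past to show the expired case, and the host name `host.domain.com` and the audit clock of 2010-12-20 12:00 UTC are assumptions. It also handles the `ST=N/A` value that zmcertmgr emits by default, which breaks a naive split of the DN on `/`.

```python
"""Audit `zmcertmgr viewdeployedcrt` output for expired or weak certificates.

Added example, not code from the Zimbra forum thread or from Zimbra itself.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the mta block is copied from the thread; the ldap block
# is invented so that one certificate is already expired at SAMPLE_NOW.
SAMPLE_OUTPUT = """\
::service mta::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
::service ldap::
notBefore=Dec 19 12:00:00 2009 GMT
notAfter=Dec 19 12:00:00 2010 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
"""

# Assumed "current time" for the audit (the thread was posted on 2010-12-20).
SAMPLE_NOW = datetime(2010, 12, 20, 12, 0, tzinfo=timezone.utc)


def parse_openssl_time(value: str) -> datetime:
    """Parse OpenSSL's 'Dec 20 09:39:22 2010 GMT' (day may be space-padded)."""
    parts = value.split()
    if parts and parts[-1] in ("GMT", "UTC"):
        parts = parts[:-1]
    naive = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    """Split a one-line OpenSSL DN into attributes.

    Only split on a '/' that starts a new KEY= pair, so a value such as
    ST=N/A (zmcertmgr's default) survives intact.
    """
    attrs = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip()):
        if "=" in part:
            key, _, val = part.partition("=")
            attrs[key] = val
    return attrs


def parse_viewdeployedcrt(text: str) -> dict:
    """Return {service: {field: value}} from viewdeployedcrt output."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"::service (\S+)::", line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return services


def audit(text: str, expected_host: str, now: datetime, warn_days: int = 30) -> dict:
    """Evaluate each deployed certificate against `now` (aware UTC datetime)."""
    report = {}
    for service, fields in parse_viewdeployedcrt(text).items():
        not_before = parse_openssl_time(fields["notBefore"])
        not_after = parse_openssl_time(fields["notAfter"])
        subject = parse_dn(fields.get("subject", ""))
        days_left = (not_after - now) // timedelta(days=1)  # negative once expired
        problems = []
        if now < not_before:
            problems.append("not yet valid")
        if now >= not_after:
            problems.append("expired")
        elif days_left < warn_days:
            problems.append(f"expires in {days_left} days")
        if subject.get("CN") != expected_host:
            problems.append(f"CN {subject.get('CN')!r} != {expected_host!r}")
        if not fields.get("SubjectAltName"):
            problems.append("no SubjectAltName")
        report[service] = {"cn": subject.get("CN"), "days_left": days_left, "problems": problems}
    return report


if __name__ == "__main__":
    for svc, r in audit(SAMPLE_OUTPUT, "host.domain.com", SAMPLE_NOW).items():
        status = "OK" if not r["problems"] else "; ".join(r["problems"])
        print(f"{svc:9s} days_left={r['days_left']:5d}  {status}")
```

Run it as `zmcertmgr viewdeployedcrt | python3 audit.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`, and use the real host name and `datetime.now(timezone.utc)`. A `days_left` of zero or less on any service is the condition the thread starter hit; the empty SubjectAltName is worth fixing at the same time, since current browsers and mail clients no longer accept a certificate that names the host only in the CN.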

  4. #4
    tdslot is offline Active Member
    Join Date
    May 2010
    Posts
    46
    Rep Power
    4


    Hi,

    Here is my solution for regenerating certs.
    Code:
    ################################################################################################################
    # Regenerate SSL Cert
    ################################################################################################################
    # Stop every Zimbra service first; the certificates are regenerated with the stack down.
    su - zimbra -c 'zmcontrol stop'
    # Remove the old CA, server key/cert and OpenSSL seed file; zmcertmgr recreates the directories.
    rm -rf /opt/zimbra/ssl/*
    rm -rf /opt/zimbra/ssl/.rnd
    # Remove the old CA from the Java cacerts store (default store password "changeit")
    # and the old "jetty" key from the mailboxd keystore (password read from local config).
    /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    nano /opt/zimbra/bin/zmcertmgr
    
    # Find the line
    # SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
    # and change the O/OU values to your company name.
    # Then find validation_days=365 and change it to the validity you want, e.g. validation_days=3650.
    # Save /opt/zimbra/bin/zmcertmgr.
    
    # Create the new CA and import it locally only (LDAP is stopped, so nothing is saved to config yet).
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    # Create and deploy the server certificate signed by the new CA.
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    su - zimbra -c 'zmcontrol start'
    
    # With LDAP running, deploy again so the zimbraSSL* server keys and the
    # zimbraCertAuthority* global keys can be saved.
    /opt/zimbra/bin/zmcertmgr deploycrt self
    /opt/zimbra/bin/zmcertmgr deployca
    
    # Refresh /opt/zimbra/.ssh/authorized_keys and check what is now deployed.
    su - zimbra -c 'zmupdateauthkeys'
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    
    ################################################################################################################

  5. #5
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4


    Thanks for that,

    Unfortunately I get very similar results with this set of operations:

    Code:
    [root@rose bin]# su - zimbra -c 'zmcontrol stop'
    Host host.domain.com
            Stopping stats...Done.
            Stopping mta...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping ldap...Done.
    [root@rose bin]# rm -rf /opt/zimbra/ssl/*
    [root@rose bin]# rm -rf /opt/zimbra/ssl/.rnd
    [root@rose bin]# /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    [root@rose bin]# /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    vi /opt/zimbra/bin/zmcertmgr
    [root@rose bin]# ./zmcertmgr createca -new
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    [root@rose bin]# ./zmcertmgr deployca -localonly
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# ./zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220224046
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Generating a server csr for download self -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220224059
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    [root@rose bin]# ./zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# su - zimbra -c 'zmcontrol start'
    Host rose.davison-family.com
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    
    [root@rose bin]# ./zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# ./zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@rose bin]# su - zimbra -c 'zmupdateauthkeys'
    ERROR: service.FAILURE (system failure: unable to list all servers) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
    Updating /opt/zimbra/.ssh/authorized_keys
    
    [root@rose bin]# ./zmcertmgr viewdeployedcrt
    ::service mta::
    notBefore=Dec 20 11:41:07 2010 GMT
    notAfter=Dec 17 11:41:07 2020 GMT
    subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
    SubjectAltName=
    ::service proxy::
    notBefore=Dec 20 11:41:07 2010 GMT
    notAfter=Dec 17 11:41:07 2020 GMT
    subject= /C=US/ST=N/A/O=My Family/OU=MyFamily/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Dec 20 11:41:07 2010 GMT
    notAfter=Dec 17 11:41:07 2020 GMT
    subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
    SubjectAltName=
    ::service ldap::
    notBefore=Dec 20 11:41:07 2010 GMT
    notAfter=Dec 17 11:41:07 2020 GMT
    subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
    issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
    SubjectAltName=
    [root@rose bin]#
    Last edited by adavison17; 12-20-2010 at 06:57 AM.

  6. #6
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4


    Does anyone have any ideas on this one? It seems like it's a simple one to fix, but I'll be damned if I can figure out how...

    Andy

  7. #7
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4

    Maybe this won't be fixed...

    At the moment I've appeased my users by putting up a new instance of Zimbra, but now I need to pull their user data from the broken installation, without being able to start up the service.

    Does anyone have a method of extracting mailboxes from a server that's down and not coming back up?

    Thanks,

    Andy

  8. #8
    adavison17 is offline Junior Member
    Join Date
    Dec 2010
    Posts
    8
    Rep Power
    4

    Fixed at last

    Ok. For anyone who may have caught onto this thread because of the certificate problem, the solution is to simply re-install the same version of Zimbra over the top of the existing one. This recreates the certificates appropriately and gets everything working (more or less ... a couple of services have stopped unexpectedly, like spam filtering).

    Take a backup of your zimbra folder first (just copy it somewhere else on the machine) and then run the install.sh script from the distribution you originally used.

    Don't worry about your existing users data - it will all be intact!

    Thanks to everyone for their advice to date.

    Regards,

    Andy

  9. #9
    farrukhndm is offline Special Member
    Join Date
    Aug 2008
    Location
    Pakistan
    Posts
    100
    Rep Power
    6

    Resolved by changing the following parameters.

    Code:
    ################################################################################################################
    # Regenerate SSL Cert
    ################################################################################################################
    su - zimbra -c 'zmcontrol stop'
    rm -rf /opt/zimbra/ssl/*
    rm -rf /opt/zimbra/ssl/.rnd
    /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    vi /opt/zimbra/bin/zmcertmgr
    
    # Find the line
    # SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
    # and change the O/OU values to your company name.
    
    # Then find validation_days=365 and change it to the validity you want, e.g. validation_days=3650.
    # Save /opt/zimbra/bin/zmcertmgr.
    
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    su - zimbra -c 'zmcontrol start'
    
    /opt/zimbra/bin/zmcertmgr deploycrt self
    /opt/zimbra/bin/zmcertmgr deployca
    
    su - zimbra -c 'zmupdateauthkeys'
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    
    ################################################################################################################

  10. #10
    Join Date
    Mar 2011
    Posts
    1
    Rep Power
    0


    Thanks farrukhndm, that worked a treat!

    However, how would this work with commercial certificates?

    Can you post an alternate version outlining what I need to do _please_

    Many thanks
