[SOLVED] StartSSL Certificate deployment problem

[frankchavez]

I'm in the middle of trying to deploy a StartSSL free certificate.
I'm following the instructions from StartSSL (Startcom) SSL Certificates with Zimbra 6.x | Linux tips collection

Everything went fine until I got to the deploycrt (step 8)

Code:

[root@mail ~]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt /opt/zimbra/certs/commercial_ca.crt
** Verifying /opt/zimbra/certs/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/certs/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/certs/commercial.crt: OK
** Copying /opt/zimbra/certs/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/certs/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate.../opt/zimbra/bin/zmcertmgr: line 211: /bin/su: Argument list too long
failed.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail ~]#

This is the line that has me worried:

Code:

** Saving server config key zimbraSSLCertificate.../opt/zimbra/bin/zmcertmgr: line 211: /bin/su: Argument list too long
failed.

Is everything fine or is there something I have to do to fix this?
I've searched with google and couldn't find any other people who got that error with 'su' on zmcertmgr

I haven't restarted the services yet.

Any help appreciated.

[frankchavez]

I took the same files I was using and put them into the admin console's certificate install and it worked without any errors.
Not sure what exactly was going on with commands I was typing, but as long as it's working I'm happy.

[antolungo]

Hi all,
I have problem with ZCS version open source edition 6.03.
I have multiple server installation.
- zimbramail the first server I have following services: antivirus, ldap, logger, mailbox, mta, snmp, spell, stats.
- zimbraproxy the second server I have proxy, mta, memcache. This is NAT with public IP

A public server mail do relay vs zimbraproxy and i use public smtp to send email.

My issues is about Zimbra SSL Certificate. The certificate on the first server was out of date and I have replace it with a new valid certificate. I follow this guide for regenerating certificate:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki

This operation seems works fine. When I made the same operation on the second server (the proxy zimbra server) when I try to start the services (zmcontrol start) I have this error:Host zimbraproxy.XXXX.XXX Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
I have tryed to make a new certificate by using GUI of admin console but the problem still stand.
I have tryed to make a fresh re - install of the proxy server but with no results.
Now I have only the zimbramail in function because I can't stop email services in my firm and I have NAT to public IP my zimbramail.

I would like to restore my previous configuration but zimbryproxy still don't work.

I need information about Installing Certificates on my zimbraproxy

Any ideas? Thanks in advance.

Antolungo

[antolungo]

I have a multiply server installation! The problem in on zimbraproxy! My zimbramail works fine.
I solve my problem with installation of StartSSL certificate?
Why my post is in SOLVED!!!!
Please help me with areally solution to my problem

Best regards
Antolungo

[phoenix]

Quote:

Originally Posted by antolungo

Why my post is in SOLVED!!!!

The thread is marked as Solved because the original poster has marked it as solved, he's fixed his problem - see post #2.

[antolungo]

This is not a solution!

[phoenix]

Quote:

Originally Posted by antolungo

This is not a solution!

It is if the original poster thinks it is, it's his thread and his 'solution'.

[bradn]

I had this exact same problem as the thread owner frankchavez including error message, symptoms etc on ZCS 7.1.1 with a StartCom class 1 cert. As was pointed out elsewhere the root of the problem was adding the CA bundle to the java key store. In my case none of the instructions worked, including frankchavez's above. The only thing that did was manually adding the root and intermediate certs to the java key store using instructions I found outside of the forum.

Some quick advice for other StartCom cert owners:

1) none of the instructions in the forum worked for me, including Bill's adding the cert through ZCS admin portal. Even though

Quote:

zmcertmgr verifycrt

worked, the certificate is NOT installed properly.

2) These 2 external links provided the right results for my StartCom cert:

StartSSL with ZCS 6.0 step by step

HOWTO: Java keytool with the StartCom Certificate process

3) DO NOT restart ZCS until you are certain everything associated with your SSL cert has been installed properly. You *will not* be able to restart it until everything is fixed - you will see the dreaded zmcontrol ldap startup errors mentioning that services could not be determined:

Quote:

Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.

root cause is exactly as described by cpiess here but the solution is StartCom specific per (2) above

Hope this saves other StartCom / StartSSL users some grief.