01-23-2011, 12:07 PM
[SOLVED] HELP PLEASE: Frustrations with StartSSL Installation

I successfully installed a cert from StartSSL on my old Zimbra 6 server last September so I can't figure out why I can't get this right again. I just replaced the old server with a brand new install on new hardware and I can't get this working properly.

I followed the below instructions as best as I could understand from this link:

https://www.linuxnet.ch/groups/linuxnet/wiki/f8fce/

What I am not clear on is what the "private key" is. Everyone talks about it in the instructions as if it is plain to all. But I'm not sure what that is. I 'thought' that when I created the request, maybe that was considered the key. I also 'thought' that Zimbra automatically put it in /opt/zimbra/ssl/zimbra/commercial/commercial.key since it was there with the time stamp from when I generated the CSR.

Quote:
1. At this point, the csr and the private key should have been created by Zimbra in /opt/zimbra/ssl/zimbra/commercial directory and name them: commercial.csr and commercial.key.
2. Make sure the permissions are set to 740 root:root (you can skip this step, I did)
3. Make a new directory, ex: /root/certs
4. Place the signed cert and the bundle cert in /root/certs (these are the files you downloaded from your CA)
5. Verify that the cert and the key match via this command run As ROOT
# cd /root/certs
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./host.yourdomain.com.crt ./bundle.crt
6. If the output looks good, you can deploy the certificate via this command:
# /opt/zimbra/bin/zmcertmgr deploycrt comm ./your.hostname.com.crt ./bundle.crt
7. The final step would be to restart the zimbra services for the change to take effect (see the end of this post)

If step 7 gives you errors such as "logger service cannot start" or "ldap service can't start", then you need to do the following:

The commercial certs were deployed fine. However you must also as ROOT run:

/opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
At first I got ldap and logger errors when restarting Zimbra, but I followed the instructions at the bottom and another restart got rid of the errors.

Now, I get this e-mail from StartSSL and when I connect via a browser I get a warning message:

From StartSSL:

Quote:
It seems, that the installation of your server certificate with serial number xxxxxx for mymail.mydomain.com is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at StartSSL™ Certificates & Public Key Infrastructure on how to do that. The missing CA certificate sub.class1.server.ca.pem can be obtained from Index of /certs
Firefox Error:

Quote:
Unable to identify the identity of mymail.mydomain.com as a trusted site.
Also, if I run the following command from this post:

http://www.zimbra.com/forums/install...ficates-2.html

Quote:
/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
I get:

Quote:
keytool error: java.lang.Exception: Certificate not imported, alias <new> already exists
So it seems I did that already.

I also scoured the forums and the wiki regarding this problem and I can't seem to get any of these instructions to work properly for me. Any help would be appreciated.

Thanks,

Kazoo
01-23-2011, 01:24 PM
Self Solved

I spent hours before posting. I hate it when I post and someone points me to a place I should have found that actually fixes it. Anyway, in this case, I just re-did a lot of what I tried already, and sure enough, it's fixed.

This link fixed the problem ultimately: http://www.zimbra.com/forums/install...html#post75164

As I was retrying, I got this common error:

Quote:
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key
I added another blank line at the TOP of my certificate and then the error went away when re-deploying. A restart of Zimbra and voila! I'm authentic again.

kazoo
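Added example, not code from the thread, the linked wiki or Zimbra: plain-openssl checks that cover what both posts above ran into before touching `zmcertmgr`: whether the private key in commercial.key actually belongs to the downloaded cert (the "No certificate matches private key" failure), whether the cert chains through the intermediate bundle that StartSSL's e-mail said was missing, and whether the PEM file is intact. The paths in the trailing usage comments are the thread's own; the function names, their output strings and the optional trust-anchor argument are assumptions.

```shell
# Added example (not from the thread, the wiki or Zimbra): pre-flight
# checks with plain openssl before `zmcertmgr verifycrt`/`deploycrt`.

# Print "match" if the private key belongs to the certificate, else "mismatch".
# Compares the public key derived from each side, so it works for RSA and EC keys.
key_matches_cert() {
    key="$1"; cert="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "mismatch"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "mismatch"; return 1; }
    if [ "$cert_pub" = "$key_pub" ]; then echo "match"; return 0; fi
    echo "mismatch"; return 1
}

# Print "complete" if the server cert chains to a trust anchor through the
# bundle (the intermediate CA file the CA's e-mail says is missing), else
# "incomplete". Optional third argument: an explicit trust-anchor file;
# without it the system CA store is used, as a browser would.
chain_is_complete() {
    cert="$1"; bundle="$2"; anchor="${3:-}"
    if [ -n "$anchor" ]; then
        out=$(openssl verify -CAfile "$anchor" -untrusted "$bundle" "$cert" 2>&1) || true
    else
        out=$(openssl verify -untrusted "$bundle" "$cert" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo "complete"; return 0 ;;
        *) echo "incomplete"; return 1 ;;
    esac
}

# Print "ok" when the PEM file parses as a certificate, carries an END
# marker and ends with a newline; a missing final newline is a common
# cause of the jetty.pkcs12 / "No certificate matches private key" error
# once the cert is concatenated with the bundle.
pem_is_well_formed() {
    f="$1"
    openssl x509 -in "$f" -noout 2>/dev/null || { echo "bad"; return 1; }
    grep -q '^-----END ' "$f" || { echo "bad"; return 1; }
    [ -z "$(tail -c1 "$f")" ] || { echo "bad"; return 1; }
    echo "ok"
}

# Usage with the thread's own paths (run as root on the Zimbra host):
# key_matches_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/certs/host.yourdomain.com.crt
# chain_is_complete /root/certs/host.yourdomain.com.crt /root/certs/bundle.crt
# pem_is_well_formed /root/certs/host.yourdomain.com.crt
```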