Thread: [SOLVED] HELP PLEASE: Frustrations with StartSSL Installation

  1. #1
    kazooless

    [SOLVED] HELP PLEASE: Frustrations with StartSSL Installation

    I successfully installed a cert from StartSSL on my old Zimbra 6 server last September so I can't figure out why I can't get this right again. I just replaced the old server with a brand new install on new hardware and I can't get this working properly.

    I followed the below instructions as best as I could understand from this link:

    https://www.linuxnet.ch/groups/linuxnet/wiki/f8fce/

    What I am not clear on is what is the "private key?" Everyone talks about it in the instructions as if it is plain to all. But I'm not sure what that is. I 'thought' that when I created the request, maybe that was considered the key. I also 'thought' that Zimbra automatically put it in /opt/zimbra/ssl/zimbra/commercial/commercial.key since it was there with the time stamp from when I generated the CSR.

    1. At this point, the csr and the private key should have been created by Zimbra in /opt/zimbra/ssl/zimbra/commercial directory and name them: commercial.csr and commercial.key.
    2. Make sure the permissions are set to 740 root:root (you can skip this step, I did)
    3. Make a new directory, ex: /root/certs
    4. Place the signed cert and the bundle cert in /root/certs (these are the files you downloaded from your CA)
    5. Verify that the cert and the key match via this command run As ROOT
    # cd /root/certs
    # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./host.yourdomain.com.crt ./bundle.crt
    6. If the output looks good, you can deploy the certificate via this command:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm ./your.hostname.com.crt ./bundle.crt
    7. The final step would be to restart the zimbra services for the change to take effect (see the end of this post)

    IF step 7 gives you errors such as "logger service cannot start" or "ldap service" can't start.

    Then you need to do the following:

    The commercial certs were deployed fine. However you must also as ROOT run:

    /opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt

    At first I got ldap and logger errors when restarting Zimbra, but I followed the instructions at the bottom and another restart got rid of the errors.

    Now, I get this e-mail from StartSSL and when I connect via a browser I get a warning message:

    From StartSSL:

    It seems, that the installation of your server certificate with serial number xxxxxx for mymail.mydomain.com is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at StartSSL™ Certificates & Public Key Infrastructure on how to do that. The missing CA certificate sub.class1.server.ca.pem can be obtained from Index of /certs

    Firefox Error:

    Unable to identify the identity of mymail.mydomain.com as a trusted site.

    Also, if I run the following command from this post:

    http://www.zimbra.com/forums/install...ficates-2.html

    /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

    I get:

    keytool error: java.lang.Exception: Certificate not imported, alias <new> already exists

    So it seems I did that already.

    I also scoured the forums and the wiki regarding this problem and I can't seem to get any of these instructions to work properly for me. Any help would be appreciated.

    Thanks,

    Kazoo

  2. #2
    kazooless

    Self Solved

    I spent hours before posting. I hate it when I post and someone points me to a place I should have found that actually fixes it. Anyway, in this case, I just re-did a lot of what I tried already, and sure enough, it's fixed.

    This link fixed the problem ultimately: http://www.zimbra.com/forums/install...html#post75164

    As I was retrying, I got this common error:

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    I added another blank line at the TOP of my certificate and then the error went away when re-deploying. A restart of Zimbra and voila! I'm authentic again.

    kazoo
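
The two failures in this thread (a certificate that does not belong to the private key, and a chain served without its intermediate) can be checked with plain openssl before deploying; the script below is an added example, not from the thread or Zimbra's tooling. It assumes openssl is installed and builds a throwaway root, intermediate and server certificate with made-up names, reusing the thread's commercial.key/commercial.crt file names only for familiarity.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server PKI; every name is constructed.

make_demo_pki() {   # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
    # The CSR step is what creates the private key; only the CSR goes to the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/commercial.crt" 2>/dev/null
}

# SHA-256 of the public key embedded in a certificate / derived from a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# True only when the certificate ($2) was issued for this private key ($1).
key_matches_cert() { [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]; }

# True only when the server cert ($2) chains to the root ($1); $3 = optional intermediate bundle.
chain_is_complete() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
key_matches_cert "$demo/commercial.key" "$demo/commercial.crt" && echo "key matches certificate"
key_matches_cert "$demo/sub.key" "$demo/commercial.crt" || echo "mismatch: wrong key for this certificate"
chain_is_complete "$demo/root.crt" "$demo/commercial.crt" || echo "incomplete: intermediate missing"
chain_is_complete "$demo/root.crt" "$demo/commercial.crt" "$demo/sub.crt" && echo "chain complete with bundle"
rm -rf "$demo"
```

Against real files, a chain that fails without the CA's bundle and passes with it is the condition the StartSSL e-mail describes.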
