  #1 (permalink)  
Old 04-06-2011, 03:39 AM
Senior Member
 
Posts: 63
[SOLVED] Deploy Zimbra Certificate error

Hi all !

I'm trying to deploy a "commercial" certificate in Zimbra, but with no success.

I've used Zimbra Administration Console to generate the server CSR.
After sending it to the authority, they've sent the certificate.
Until here, no problem.

The problem is, the authority is not a commercial one per se...

My email server is inside a private network and these guys are the responsible entity for the private network. If I want to have a server visible in the outside world, they must create the certificate and then I deploy it in the server I want.

I've generated the CSR and sent it to them.

They sent me two files - the CER file of my Zimbra server (the one generated against my CSR file) and another one from them, as an authority.

How do I deploy them in Zimbra?

Every time I go to the Zimbra administration console and try to deploy the certificate, this is how I do it:

Install Certificate -> Select Server -> Install the Commercially Signed Certificate -> (I review the CSR) ->
Now, I have 3 options:
The Certificate
The Root CA
Intermediate CA

I try to use the certificate with the one sent to me, but I don't have anything like Root CA and Intermediate CA.

The Intermediate CA, I remove it because I don't think I need it.
I use their certificate as the Root CA and press NEXT and I get the following error:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: Invalid Certificate Chain:

Am I missing the root CA or am I doing something wrong?

They have an ISA server and probably they think we have Exchange server...

How can I solve this?

Cheers,

Bruno Santos
  #2 (permalink)  
Old 04-15-2011, 04:13 AM
Senior Member
 
Posts: 63

No answer?

Well, I'm doing this over CLI now.

I've made some progress, but now I have Zimbra complaining about the commercial_ca.crt file.

I don't have this one... I only have a .cer file given to me by the authority who created my certificate. This is the output of zmcertmgr:

Code:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/<my_certificate_after_sent_to_authority>.cer 
** Verifying /root/<my_certificate_after_sent_to_authority>.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/<my_certificate_after_sent_to_authority>.cer) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
25681:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt','r')
25681:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
25681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
    sslclient     SSL client
    sslserver     SSL server
    nssslserver    Netscape SSL server
    smimesign     S/MIME signing
    smimeencrypt    S/MIME encryption
    crlsign       CRL signing
    any           Any Purpose
    ocsphelper    OCSP helper
XXXXX ERROR: Invalid Certificate:

How can I convert my .cer file from my authority into the .crt file requested by Zimbra?

I know that cer and crt are interchangeable, but this cer file is binary....should it be?
  #3 (permalink)  
Old 04-21-2011, 02:42 AM
Senior Member
 
Posts: 63

Well, I solved it!

I've converted the authority .cer file to PEM using openssl:
Code:
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

In /opt/zimbra/ssl/zimbra/commercial I've renamed the .pem to commercial_ca.crt and executed the following commands:

Code:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/<my_certificate_signed_by_authority>.cer

They matched and next I deployed it:
Code:
/opt/zimbra/bin/zmcertmgr deploycrt comm /root/<my_certificate_signed_by_authority>.cer /root/<the_authority_certificate_in_pem_format>.pem

Restarted mailboxd (as zimbra user).

Working fine !

Cheers,

Hope it helps someone

I've used this page in the Zimbra wiki as reference
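
The checks from this thread collected into one pre-flight script, as an added example that is not part of the original posts: it tells a DER (binary) certificate from a PEM one, converts it, confirms the private key matches the server certificate, and confirms the server certificate chains to the authority's certificate. The function names and the throwaway demo CA are assumptions constructed for illustration, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example: checks to run before `zmcertmgr deploycrt comm`.
# Function names and demo file names are hypothetical.

cert_format() {                     # prints pem, der or unknown
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem
    elif openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1; then echo der
    else echo unknown; fi
}

to_pem() {                          # to_pem IN OUT: normalise either encoding to PEM
    case "$(cert_format "$1")" in
        pem) openssl x509 -in "$1" -out "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "not an X.509 certificate: $1" >&2; return 1 ;;
    esac
}

key_matches() {                     # key_matches KEY CERT_PEM: compare public keys
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

chain_ok() {                        # chain_ok CA_PEM CERT_PEM: trust only the given CA
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

preflight() {                       # preflight KEY SERVER_CERT CA_CERT WORKDIR
    to_pem "$2" "$4/server_check.pem" || return 1
    to_pem "$3" "$4/ca_check.pem" || return 1
    key_matches "$1" "$4/server_check.pem" || { echo "key mismatch" >&2; return 2; }
    chain_ok "$4/ca_check.pem" "$4/server_check.pem" || { echo "bad chain" >&2; return 3; }
    echo "$4/ca_check.pem"          # PEM CA file, usable as commercial_ca.crt
}

make_demo_pki() {                   # constructed test data: throwaway CA + server cert
    (cd "$1" &&
     openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
         -keyout ca.key -out ca.pem &&
     openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
         -keyout commercial.key -out server.csr &&
     openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
         -days 1 -out server.pem &&
     openssl x509 -in ca.pem -outform der -out authority.cer) >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" &&
    echo "authority.cer is $(cert_format "$demo_dir/authority.cer")" &&
    preflight "$demo_dir/commercial.key" "$demo_dir/server.pem" "$demo_dir/authority.cer" "$demo_dir"
```

`preflight` returns 2 when the key and certificate do not belong together and 3 when the chain does not verify, which separates a wrong-file mistake from a missing or wrong CA certificate.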