Thread: Certificate Mismatch - generated new self-signed cert

  1. #1
    jdell, Project Contributor (Reno, NV, USA; joined Jul 2006)

    Certificate Mismatch - generated new self-signed cert

    Hi,

    I'm trying to work through creating a new self-signed cert that lasts longer than the default 365 days. In the process, I'm now having trouble with Zimbra Mobile. After mucking around quite a bit, I've found a problem that may be causing it:

    So, I've followed the instructions here to rebuild SSL CA/Certs: http://wiki.zimbra.com/index.php?tit...icate_Problems

    But I've found that when I run the following to check LDAP stored values:
    zmprov gcf zimbraCertAuthorityKeySelfSigned
    zmprov gcf zimbraCertAuthorityCertSelfSigned

    I get the old certificates rather than the new ones (as compared with /opt/zimbra/ssl/ssl/ca/ca.key and ca.pem). I've restarted Zimbra and rebooted, just to make sure zimbra config didn't need to do something, but that wasn't it.

    I'm trying to use zmprov to 'fix' the values in LDAP to match my new certs, but I can't seem to get the right syntax. According to help, this *should* work, but it isn't:

    zmprov -d -f /opt/zimbra/ssl/ssl/ca/ca.key mcf zimbraCertAuthorityKeySelfSigned

    Here is the output; any help appreciated!

    Thanks,
    John

    zimbra@zimbra->zmprov -d -f /opt/zimbra/ssl/ssl/ca/ca.key mcf zimbraCertAuthorityKeySelfSigned
    ========== SOAP SEND ==========
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <context xmlns="urn:zimbra"/>
    </soap:Header>
    <soap:Body>
    <AuthRequest xmlns="urn:zimbraAdmin">
    <name>zimbra</name>
    <password>*removed*</password>
    </AuthRequest>
    </soap:Body>
    </soap:Envelope>
    ===============================
    ======== SOAP RECEIVE =========
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
    <context xmlns="urn:zimbra">
    <sessionId type="admin" id="10">10</sessionId>
    </context>
    </soap:Header>
    <soap:Body>
    <AuthResponse xmlns="urn:zimbraAdmin">
    <authToken>0_715119902cb65b457bf46532feaafa6e4578f d3b_69643d33363a65306661666438392d313336302d313164 392d383636312d3030306139356439386566323b6578703d31 333a313136333637323432393532333b61646d696e3d313a31 3b</authToken>
    <lifetime>43200000</lifetime>
    <a n="zimbraIsDomainAdminAccount">false</a>
    <sessionId type="admin" id="10">10</sessionId>
    </AuthResponse>
    </soap:Body>
    </soap:Envelope>
    =============================== (364 msecs)
    usage: modifyConfig(mcf) attr1 value1 [attr2 value2...]

    zmprov [args] [cmd] [cmd-args ...]

    -h/--help display usage
    -f/--file use file as input stream
    -s/--server {host}[:{port}] server hostname and optional port
    -l/--ldap provision via LDAP instead of SOAP
    -a/--account {name} account name to auth as
    -p/--password {pass} password for account
    -P/--passfile {file} read password from file
    -z/--zadmin use zimbra admin name/password from localconfig for admin/password
    -v/--verbose verbose mode (dumps full exception stack trace)
    -d/--debug debug mode (dumps SOAP messages)

    zmprov is used for provisioning. Try:

    zmprov help account help on account-related commands
    zmprov help calendar help on calendar resource-related commands
    zmprov help commands help on all commands
    zmprov help config help on config-related commands
    zmprov help cos help on COS-related commands
    zmprov help domain help on domain-related commands
    zmprov help list help on distribution list-related commands
    zmprov help misc help on misc commands
    zmprov help notebook help on notebook-related commands
    zmprov help search help on search-related commands
    zmprov help server help on server-related commands

  2. #2
    jdell, Project Contributor (Reno, NV, USA; joined Jul 2006)

    Ok, well, I don't know if that needed to be fixed, but I did find my problem...

    So, I looked through the zmsetup.log in /tmp and saw how the installer did it: by quoting the full ca.key or ca.pem string, e.g.

    zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
    my key stuff
    -----END RSA PRIVATE KEY-----"

    Paste this into the console and run it as the zimbra user.

    By fixing this setting, I now have matching keys between LDAP and /opt/zimbra/ssl/, for whatever that is worth, but I still have the main problem with Zimbra Mobile.

    So, the problem was with Zimbra Mobile on my Nokia E62. I loaded the latest Mail for Exchange (v 1.3.1), etc. I did the prerequisite hoop-jumping to get the CA installed on the E62. Google was handy here:

    Basically, take /opt/zimbra/ssl/ssl/ca/ca.pem and convert it to DER format:
    openssl x509 -outform der -in ca.pem -out ca.der

    Then copy the ca.der file to a web server and set the MIME type so Apache serves it properly:
    AddType application/x-x509-ca-cert .der

    Then, using the Nokia E62, browse to the page and download the file. It will prompt to install the cert.

    BTW, when I tried to beam the file via Bluetooth, I always got 'invalid file format'.

    Now, run the Mail for Exchange sync on the E62 and observe the same problem; finally read /opt/zimbra/log/sync.log and realize my user account doesn't have Zimbra Mobile enabled in my COS, pound forehead on desk, change the setting, and observe that it works exactly as it should....
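Putting the LDAP fix from this thread into a repeatable form: an added shell example (not the poster's or Zimbra's own code) that pushes ca.key and ca.pem into the two zimbraCertAuthority*SelfSigned attributes with the quoting trick found in zmsetup.log, and then checks that what `zmprov gcf` hands back is the same PEM the files hold. It assumes `zmprov gcf <attr>` prints its value as `attr: <value>`; the ZMPROV and CA_DIR variables are my additions so the comparison can be exercised off a Zimbra host.

```sh
#!/bin/sh
# Added example: sync the self-signed CA key/cert files into LDAP the way the
# installer does (full PEM text as one quoted argument) and verify the result.
# ZMPROV and CA_DIR are overridable (assumption, not Zimbra settings) so the
# comparison logic can be run on a machine without zmprov.
ZMPROV="${ZMPROV:-zmprov}"
CA_DIR="${CA_DIR:-/opt/zimbra/ssl/ssl/ca}"

# Normalise PEM text: drop trailing whitespace and blank lines so a stray newline
# does not register as a mismatch. Reads the files given, or stdin when none.
pem_norm() {
  sed -e 's/[[:space:]]*$//' -e '/^$/d' "$@"
}

# pem_matches FILE GCF_OUTPUT
# Assumes 'zmprov gcf <attr>' prints "attr: <value>" with the PEM starting on
# the first line; the "attr: " prefix is stripped before comparing.
pem_matches() {
  want=$(pem_norm "$1")
  got=$(printf '%s\n' "$2" | sed -e '1s/^[A-Za-z0-9]*: *//' | pem_norm)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# push_attr ATTR FILE: the quoting trick from zmsetup.log; -l writes via LDAP.
push_attr() {
  "$ZMPROV" -l mcf "$1" "$(cat "$2")"
}

# verify_attr ATTR FILE: returns 0 when LDAP and the file agree, 1 otherwise.
verify_attr() {
  out=$("$ZMPROV" gcf "$1") || return 1
  if pem_matches "$2" "$out"; then
    echo "$1: matches $2"
  else
    echo "$1: MISMATCH with $2" >&2
    return 1
  fi
}

case "${1:-}" in
  push)
    push_attr zimbraCertAuthorityKeySelfSigned "$CA_DIR/ca.key"
    push_attr zimbraCertAuthorityCertSelfSigned "$CA_DIR/ca.pem" ;;
  verify)
    verify_attr zimbraCertAuthorityKeySelfSigned "$CA_DIR/ca.key" &&
    verify_attr zimbraCertAuthorityCertSelfSigned "$CA_DIR/ca.pem" ;;
esac
```

Run `sh sync-ca.sh push` as the zimbra user after regenerating the CA, then `sh sync-ca.sh verify`; a non-zero exit means LDAP still carries the old material.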
