#1, 11-15-2006, 03:23 PM
Project Contributor (Posts: 203)
Certificate Mismatch - generated new self-signed cert

Hi,

I'm trying to work through creating a new self-signed cert that lasts longer than the default 365 days. In the process, I'm now having trouble with Zimbra Mobile. After mucking around quite a bit, I've found a problem that may be causing it:

So, I've followed the instructions here to rebuild SSL CA/Certs: http://wiki.zimbra.com/index.php?tit...icate_Problems

But I've found that when I run the following to check LDAP stored values:
zmprov gcf zimbraCertAuthorityKeySelfSigned
zmprov gcf zimbraCertAuthorityCertSelfSigned

I get old certificates rather than the new certificates (as compared to /opt/zimbra/ssl/ssl/ca/ca.key and ca.pem). I've restarted zimbra, and rebooted just to make sure zimbra config didn't need to do something, but that wasn't it.

I'm trying to use zmprov to 'fix' the values in LDAP to match my new certs but I can't seem to get the right syntax. According to help, this *should* work, but it isn't working:

zmprov -d -f /opt/zimbra/ssl/ssl/ca/ca.key mcf zimbraCertAuthorityKeySelfSigned

Here is output, any help appreciated!

Thanks,
John

zimbra@zimbra->zmprov -d -f /opt/zimbra/ssl/ssl/ca/ca.key mcf zimbraCertAuthorityKeySelfSigned
========== SOAP SEND ==========
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra"/>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="urn:zimbraAdmin">
<name>zimbra</name>
<password>*removed*</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
===============================
======== SOAP RECEIVE =========
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<sessionId type="admin" id="10">10</sessionId>
</context>
</soap:Header>
<soap:Body>
<AuthResponse xmlns="urn:zimbraAdmin">
<authToken>0_715119902cb65b457bf46532feaafa6e4578fd3b_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313136333637323432393532333b61646d696e3d313a313b</authToken>
<lifetime>43200000</lifetime>
<a n="zimbraIsDomainAdminAccount">false</a>
<sessionId type="admin" id="10">10</sessionId>
</AuthResponse>
</soap:Body>
</soap:Envelope>
=============================== (364 msecs)
usage: modifyConfig(mcf) attr1 value1 [attr2 value2...]

zmprov [args] [cmd] [cmd-args ...]

-h/--help display usage
-f/--file use file as input stream
-s/--server {host}[:{port}] server hostname and optional port
-l/--ldap provision via LDAP instead of SOAP
-a/--account {name} account name to auth as
-p/--password {pass} password for account
-P/--passfile {file} read password from file
-z/--zadmin use zimbra admin name/password from localconfig for admin/password
-v/--verbose verbose mode (dumps full exception stack trace)
-d/--debug debug mode (dumps SOAP messages)

zmprov is used for provisioning. Try:

zmprov help account help on account-related commands
zmprov help calendar help on calendar resource-related commands
zmprov help commands help on all commands
zmprov help config help on config-related commands
zmprov help cos help on COS-related commands
zmprov help domain help on domain-related commands
zmprov help list help on distribution list-related commands
zmprov help misc help on misc commands
zmprov help notebook help on notebook-related commands
zmprov help search help on search-related commands
zmprov help server help on server-related commands
#2, 11-15-2006, 04:29 PM
Project Contributor (Posts: 203)
Ok, well I don't know if that needed to be fixed, but I did find my problem...

So, I looked through the zmsetup.log in /tmp and saw how the installer did it, by quoting the full ca.key or ca.pem string, e.g.

zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----
my key stuff
-----END RSA PRIVATE KEY-----"

Paste this into console and run as zimbra user.

By fixing this setting, I now have matching keys between LDAP and /opt/zimbra/ssl/ for whatever that is worth, but I still have the main problem with Zimbra Mobile.

So, the problem was with Zimbra Mobile on my Nokia E62. Loaded the latest Mail for Exchange (v 1.3.1), etc. I did the prerequisite hoop-jumping to get the CA installed on the E62. Google was handy here:

Basically, take /opt/zimbra/ssl/ssl/ca/ca.pem and convert it to DER format:
openssl x509 -outform der -in ca.pem -out ca.der

Then copy the ca.der file to a webserver and set the MIME type so apache serves it properly:
AddType application/x-x509-ca-cert .der

Then using the Nokia E62, browse to the page and download the file. It will prompt to install the cert.

BTW, when I tried to beam the file via Bluetooth, I always got an invalid file format error.

Now, run the Mail for Exchange sync on the E62 and observe the same problem; finally read /opt/zimbra/log/sync.log and realize my user account doesn't have Zimbra Mobile enabled in my COS; pound forehead on desk, change the setting, and observe that it works exactly as it should....
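A check for the LDAP-versus-disk mismatch John describes in both posts, added here as an example; it is not part of Zimbra and not code from the posts above. It assumes, as the thread does, that `zmprov gcf ATTR` prints the value as `ATTR: <PEM>` and that the on-disk CA is /opt/zimbra/ssl/ssl/ca/ca.pem. `push_to_ldap` is the same `zmprov -l mcf` fix from post #2, with the multi-line PEM passed as one argument instead of pasted into the console, and `sample_pem` builds a constructed X.509 skeleton (empty names, no key, no signature) purely so the parser can be exercised offline. Fingerprints and notAfter are read from the DER with the standard library only, so the report also shows whether the copy in LDAP is still the one-year certificate.

```python
"""Added example (not Zimbra's code): check that the self-signed CA Zimbra keeps in LDAP
matches the one on disk, and push the file copy if not. Assumes `zmprov gcf ATTR` prints
"ATTR: <value>" with the PEM in the value, and the CA path used in the thread. Stdlib only."""
import hashlib
import re
import ssl
import subprocess
from datetime import datetime, timezone

CERT_ATTR = "zimbraCertAuthorityCertSelfSigned"
CA_PEM = "/opt/zimbra/ssl/ssl/ca/ca.pem"
HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def extract_pem(text):
    """First certificate in zmprov output (or a file), re-wrapped at 64 columns.
    Whitespace inside the base64 is dropped, so stray spaces from a console paste are harmless."""
    start = text.find(HEADER)
    end = text.find(FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    b64 = re.sub(r"\s+", "", text[start + len(HEADER):end])
    return "\n".join([HEADER, *(b64[i:i + 64] for i in range(0, len(b64), 64)), FOOTER]) + "\n"

def fingerprint(pem, algo="sha256"):
    """Digest of the DER, i.e. what `openssl x509 -fingerprint -sha256` prints without colons."""
    return hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()

def _tlv(buf, pos):
    """Decode one DER tag and length at `pos`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Iterate (tag, value_start, value_end) over the elements of a constructed value."""
    while start < end:
        item = _tlv(buf, start)
        yield item
        start = item[2]

def not_after(der):
    """notAfter of a DER X.509 certificate as a UTC datetime, walking the structure by hand:
    Certificate = SEQ { tbs = SEQ { [0] version?, serial, sigalg, issuer, validity, ... }, ... }"""
    _, tbs_start, tbs_end = next(_children(der, *_tlv(der, 0)[1:]))
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    tag, t_start, t_end = list(_children(der, *fields[3][1:]))[1]   # validity -> notAfter
    text = der[t_start:t_end].decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50..99 => 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                       # 0x18 = GeneralizedTime, already four-digit year
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def compare(ldap_text, disk_text):
    """Fingerprint and expiry of each copy plus whether they are the same certificate."""
    report = {}
    for side, text in (("ldap", ldap_text), ("disk", disk_text)):
        pem = extract_pem(text)
        report[side] = (fingerprint(pem), not_after(ssl.PEM_cert_to_DER_cert(pem)))
    report["match"] = report["ldap"][0] == report["disk"][0]
    return report

def push_to_ldap(attr, pem):
    """The fix from post #2 without pasting: the multi-line PEM travels as one argv element."""
    subprocess.run(["zmprov", "-l", "mcf", attr, pem.rstrip("\n")], check=True)

def _der(tag, content):
    """Short-form DER encoder (content < 128 bytes), used only to build the sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def sample_pem(not_before, not_after_utc):
    """Constructed stand-in: correct X.509 skeleton with empty names, no key and no signature.
    It exercises the parser above; it is NOT a usable certificate. Times are UTCTime strings."""
    utc = lambda s: _der(0x17, s.encode("ascii"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),    # [0] version = v3
        _der(0x02, b"\x01"),                # serialNumber = 1
        _der(0x30, b""), _der(0x30, b""),   # signature algorithm, issuer (empty placeholders)
        _der(0x30, utc(not_before) + utc(not_after_utc)),
        _der(0x30, b""), _der(0x30, b""),   # subject, subjectPublicKeyInfo (empty placeholders)
    ]))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")))

def main():
    """Live check on the mail server: LDAP copy via zmprov versus the file on disk."""
    out = subprocess.run(["zmprov", "gcf", CERT_ATTR], check=True, capture_output=True, text=True).stdout
    with open(CA_PEM) as f:
        report = compare(out, f.read())
    for side in ("ldap", "disk"):
        print("%-4s %s  expires %s" % (side, report[side][0], report[side][1].date()))
    print("match" if report["match"] else "MISMATCH: LDAP still holds a different CA")

if __name__ == "__main__":
    main()
```

Run it as the zimbra user on the mail server. `ssl.PEM_cert_to_DER_cert(pem)` is the same DER that the `openssl x509 -outform der` step in post #2 writes, so saving those bytes to ca.der gives the file the E62 needs; and `-l` in `push_to_ldap` writes through LDAP directly rather than over SOAP, matching the command John found in zmsetup.log.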