
Thread: LDAP certificate error

  1. #1 hellspawn (Member)

    Installing self-signed cert from Admin web page breaks server

    I'm running Zimbra 8.0.4 Open Source Edition on CentOS 6.4, and when I login to the Zimbra Administration web page and tell it to create a new self-signed certificate, I get this error:

    Code:
    Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr deploycrt self with {RemoteManager: [domain]->zimbra@[domain]:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr deploycrt self with {RemoteManager: [domain]->zimbra@[domain]:22}
    When I SSH into the server and run the command manually, this is what I get:

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    
    XXXXX ERROR: failed to create jetty.pkcs12
    unable to load certificates
    The next time I reboot the server, ldap fails to start with this message:

    Code:
    Host [hostname]
            Starting ldap...Done.
    Failed.
    Failed to start slapd.  Attempting debug start to determine error.
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:703
    TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
    51c3b682 main: TLS init def ctx failed: -1
    After a bit of digging, I came across the following procedure, which seems to have fixed my problem of zimbra not starting:

    Code:
    Source (forum post): http://www.zimbra.com/forums/administrators/23065-solved-problem-install-self-signed-certificate-zimbra-5-0-10_ga_2638-rh.html#post111124
    Source (forum post info was based on): http://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate
    
    As Root:
    rm -rf /opt/zimbra/ssl
    mkdir /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
    chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
    
    As zimbra:
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass $(zmlocalconfig -s -m nokey mailboxd_keystore_password)
    
    As root:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    As zimbra:
    zmcontrol start
    But if I try to create a self-signed certificate from the Admin page again, the same thing happens.

    Has anyone else experienced the same problem?
    Last edited by hellspawn; 06-24-2013 at 04:13 PM.
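The failure at "Creating pkcs12 file ... failed / unable to load certificates" and the later slapd error "PEM_read_bio:no start line" are both OpenSSL refusing to parse a certificate file (the second message means it found no -----BEGIN block at all in the file slapd was told to load). As an added example, not Zimbra's code and not taken from this thread, the script below runs the same three checks on a certificate and key before they are handed to zmcertmgr: both files parse as PEM, the key belongs to the certificate, and a PKCS#12 bundle can be built from them. It runs on constructed test material in a temp directory; the check_cert_pair function, the file names, the throwaway PKCS#12 password and the use of an unencrypted RSA key are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Zimbra's own code: pre-flight checks on a certificate
# and key before they are handed to zmcertmgr, so that an unreadable PEM is
# caught here rather than at "Creating pkcs12 file ... failed" or at the
# next slapd start. Assumes an unencrypted RSA key and the openssl CLI.
set -eu

# check_cert_pair CERT KEY: return 0 when both files parse as PEM, the key
# matches the certificate, and a PKCS#12 bundle can be built from them
# (the same kind of bundle as /opt/zimbra/ssl/zimbra/jetty.pkcs12).
# Diagnostics go to stderr.
check_cert_pair() {
    cert=$1
    key=$2
    # openssl reports "PEM_read_bio:no start line" for a file with no
    # -----BEGIN block (empty or truncated); that is the slapd error above.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    fi
    if ! openssl rsa -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a readable (unencrypted) RSA private key" >&2
        return 1
    fi
    # A key that parses but belongs to a different certificate is the other
    # common cause of a failed PKCS#12 export; compare the RSA moduli.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus)
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi
    # Dry-run the export into a throwaway file with a throwaway password.
    p12=$(mktemp)
    if ! openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" \
            -passout pass:constructed-test-password 2>/dev/null; then
        rm -f "$p12"
        echo "FAIL: PKCS#12 export from $cert and $key failed" >&2
        return 1
    fi
    rm -f "$p12"
    echo "OK: $cert and $key are consistent and export to PKCS#12"
}

# Constructed test material in a temp directory: a self-signed certificate
# with its key, an unrelated key, and an empty certificate file.
make_fixtures() {
    WORK=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$WORK/good.key" -out "$WORK/good.crt" 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    : > "$WORK/empty.crt"
}

main() {
    make_fixtures
    check_cert_pair "$WORK/good.crt" "$WORK/good.key"
    check_cert_pair "$WORK/empty.crt" "$WORK/good.key" || echo "(expected: empty PEM rejected)"
    check_cert_pair "$WORK/good.crt" "$WORK/other.key" || echo "(expected: mismatched key rejected)"
    rm -rf "$WORK"
}
main
```

The checks stop at a passphrase prompt if the key is encrypted (as `openssl genrsa -aes256` produces), which is the same obstacle an unattended service restart runs into, so run them against the key file the service will actually load.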

  2. #2 hellspawn (Member)

    Any ideas?

  3. #3 quanah (Zimbra Employee)

    You fail to note the version of Zimbra you are using, which is generally important information to provide.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  4. #4 hellspawn (Member)

    Quote Originally Posted by quanah:
    You fail to note the version of Zimbra you are using, which is generally important information to provide.
    Fixed. Thanks

    As an alternative to having the Admin web page generate the self-signed certificate, I had it generated on another system following this procedure (from http://www.akadia.com/services/ssh_t...rtificate.html):

    Code:
    openssl genrsa -aes256 -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    at which point I copied both the server.key and server.crt to zimbra's:

    Code:
    /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    /opt/zimbra/ssl/zimbra/commercial/commercial.key
    The problem here is that this procedure also required a /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt, which I didn't have, so all I did was copy commercial.crt to commercial_ca.crt, and ran:

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt
    which seems to have worked. Are there any problems doing it this way? Do I need to generate an actual commercial_ca.crt with openssl or is this fine?

  5. #5 quanah (Zimbra Employee)

    I would just go with what you did via the command line. It sounds like there is a bug in the admin console generating and deploying self-signed certs that needs to be filed and fixed. I will contact the responsible individuals and let them know.

  6. #6 hellspawn (Member)

    Quote Originally Posted by quanah:
    I would just go with what you did via the command line. It sounds like there is a bug in the admin console generating and deploying self-signed certs that needs to be filed and fixed. I will contact the responsible individuals and let them know.
    Awesome

    I'm happy with the command line solution, as long as someone can confirm that the commercial_ca.crt file can just be a copy of the commercial.crt file. Can anyone confirm this please?

  7. #7 quanah (Zimbra Employee)

    I meant using zmcertmgr to create the self-signed certs and install them. You shouldn't be trying to install self-signed certs as a commercial cert.

    --Quanah

  8. #8 hellspawn (Member)

    Quote Originally Posted by hellspawn:
    Awesome

    I'm happy with the command line solution, as long as someone can confirm that the commercial_ca.crt file can just be a copy of the commercial.crt file. Can anyone confirm this please?
    After a ton of digging, it looks like commercial_ca.crt is just a list of certificates of the intermediate CAs that signed the commercial.crt - at least that's how I understand it. In my case, the only thing that signed my certificate is itself, so a copy of the certificate is fine. If it wasn't fine, zimbra would have complained, as I have witnessed while experimenting with it.

    Quote Originally Posted by quanah:
    I meant using zmcertmgr to create the self-signed certs and install them. You shouldn't be trying to install self-signed certs as a commercial cert.
    Is there a technical problem doing that (it seemed to work just fine when I did it), or is it just bad because it doesn't follow conventions?

    Also, since yesterday, I bought and installed an actual certificate from a real CA, and it seems to be working great.
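The reading above (commercial_ca.crt is the list of CA certificates that signed commercial.crt, so for a self-signed certificate a copy of the certificate is a complete chain) can be checked with `openssl verify`. As an added example, not Zimbra's code and not taken from this thread, the script below builds a throwaway root -> intermediate -> leaf PKI plus a separate self-signed server certificate made the same way as in post #4, then verifies the leaf against several candidate chain files. It goes beyond the thread's self-signed case to the CA-issued case, where the chain file must carry the intermediate. The chain_completes and signer_kind functions, the file names and the subject names are assumptions of the example; whether zmcertmgr's own verification behaves exactly like `openssl verify` is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not Zimbra's own code: shows with constructed certificates
# what a chain file such as commercial_ca.crt must contain for "openssl verify"
# to accept the server certificate. Assumes the openssl CLI.
set -eu

# chain_completes LEAF CHAIN: return 0 when CHAIN holds every issuer needed to
# validate LEAF up to a self-signed root (a copy of LEAF itself suffices only
# when LEAF is self-signed).
chain_completes() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# signer_kind CERT: print "self-signed" when issuer and subject are the same
# name, otherwise "ca-signed".
signer_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Build a throwaway root -> intermediate -> leaf PKI plus a separate
# self-signed leaf in a temp directory (constructed test material).
build_pki() {
    WORK=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    # Root CA: CSR self-signed with -signkey, plus explicit CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
    # Server certificate, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
    # What a CA hands out as the chain: the intermediate(s), then the root.
    cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
    # A self-signed server certificate made the same way as in the thread.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=selfsigned.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/self.csr" -signkey "$WORK/self.key" \
        -out "$WORK/self.crt" 2>/dev/null
}

# report LEAF CHAIN LABEL: one line of OK/FAIL for a candidate chain file.
report() {
    if chain_completes "$1" "$2"; then echo "OK   : $3"; else echo "FAIL : $3"; fi
}

main() {
    build_pki
    echo "self.crt is $(signer_kind "$WORK/self.crt"); leaf.crt is $(signer_kind "$WORK/leaf.crt")"
    report "$WORK/self.crt" "$WORK/self.crt" "self-signed leaf, chain file = copy of the leaf"
    report "$WORK/leaf.crt" "$WORK/chain.crt" "CA-issued leaf, chain file = intermediate + root"
    report "$WORK/leaf.crt" "$WORK/root.crt" "CA-issued leaf, chain file = root only (intermediate missing)"
    report "$WORK/leaf.crt" "$WORK/leaf.crt" "CA-issued leaf, chain file = copy of the leaf"
    rm -rf "$WORK"
}
main
```

The first two candidate chain files verify and the last two do not: a copy of the leaf is only a valid chain file when the leaf is its own issuer. Note that `-CAfile` treats everything in the file as trusted; a stricter check that trusts only the root is `openssl verify -untrusted int.crt -CAfile root.crt leaf.crt`.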

  9. #9 quanah (Zimbra Employee)

    zmcertmgr does different bits with self signed certs vs commercial certs in how it stores them on disk, so it is better to do it right. Now that you have actual commercial certs it doesn't matter anymore.

  10. #10 hellspawn (Member)

    Cool. Thanks for clearing that up.
