I feel really stupid having to ask this question, but I've spent too long beating my head against this brick-wall
I've installed the 4.5.0 VMware (beta, I guess) trial thingy, and I'm trying to replace the self-signed SSL server certificate with one issued by my own CA.
I've created a Java keystore that contains the private key and certificate chain (alias=tomcat, passwords=zimbra), and dropped that in place of /opt/zimbra/tomcat/conf/keystore (also dropped a copy at /opt/zimbra/ssl/ssl/commercial.keystore incase that matters), and I've imported the CA certs into /opt/zimbra/java/jre/lib/security/cacerts
Using 'openssl s_client -connect myserver:7071", I see the correct CA chain, and clients connecting to services do too.
I cannot for the life of me, though, get zmprov to trust this new cert chain - it won't do anything other than complain:
Code:
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
I've read the wiki pages and the forum posts, and tried everything I can think of, but nothing is making zmprov happy.
Can anyone tell me:
1) What does zmprov connect to? I'm guessing port 7071 - can anyone confirm / correct?
2) What does zmprov use as its "trust store" when verifying the SSL server cert of whatever it's connecting to?
3) What am I missing???
~D..
Bugzilla
Wiki
Source
zmprov certificate chain trust 
Linear Mode
