I feel really stupid having to ask this question, but I've spent too long beating my head against this brick-wall!
I've installed the 4.5.0 VMware (beta, I guess) trial thingy, and I'm trying to replace the self-signed SSL server certificate with one issued by my own CA.
I've created a Java keystore that contains the private key and certificate chain (alias=tomcat, passwords=zimbra), and dropped that in place of /opt/zimbra/tomcat/conf/keystore (also dropped a copy at /opt/zimbra/ssl/ssl/commercial.keystore in case that matters), and I've imported the CA certs into /opt/zimbra/java/jre/lib/security/cacerts.
Using 'openssl s_client -connect myserver:7071', I see the correct CA chain, and clients connecting to services do too.
I cannot for the life of me, though, get zmprov to trust this new cert chain - it won't do anything other than complain:
Code:
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
I've read the wiki pages and the forum posts, and tried everything I can think of, but nothing is making zmprov happy.
Can anyone tell me:
1) What does zmprov connect to? I'm guessing port 7071 - can anyone confirm / correct?
2) What does zmprov use as its "trust store" when verifying the SSL server cert of whatever it's connecting to?
3) What am I missing???
~D..



