Thread: Re-keyed SSL Certificate successfully installed but not working

  1. #1
    garg65 (Member)

    A re-keyed SSL certificate installs correctly (the following is a reinstall just to verify that it's working; that's why the cp warning shows up):

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    Next, I restart the services with zmcontrol restart and zmmailboxdctl restart.

    When I viewinstalledcerts, I get the correct certificates and issue and expiration dates. When I view the web GUI certificates page, I see the correct certificate information with the valid issue and expiration dates. However, when I go to my webmail using Google Chrome, I see the OLD certificate information. Firefox doesn't even let me in any more and gives (Error code: sec_error_revoked_certificate). I have cleared my cache and all sessions.

    Everything looks like it installed properly, but it does not get applied. I am using Zimbra 8.0.6 with the Heartbleed fix applied, using a GoDaddy wildcard cert.

    Please assist.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Try removing the certificate in Chrome, then connect to the Web UI again; this is not a ZCS problem.
    Regards
    Bill

  3. #3
    garg65 (Member)

    I'm also seeing the following in /opt/zimbra/log/mailbox.log:

    2014-04-14 08:29:53,831 ERROR [ImapSSLServer-0] [ip=IP ADDRESS;] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLException: Received fatal alert: certificate_revoked

    And I tried a different browser on a different system and I got the same certificate revoked issue. It's quite confusing.

  4. #4
    garg65 (Member)

    How can I remove a certificate in Chrome? I don't see an option for removing a certificate, only to import a new one.

  5. #5
    garg65 (Member)

    The keystore (/opt/zimbra/mailboxd/etc/keystore) somehow had two entries in it. When using viewinstalledcerts, it would show the certificate with the label jetty, and everything looked good. However, Zimbra was using the first entry in the keystore instead of the entry labeled jetty.

    Clearing the keystore manually using keytools, and then rerunning zmcertmgr resolved the issue.
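
The failure mode from post #5, as an added example that is not part of the original thread: a shell check that reads `keytool -list` output and passes only when the keystore holds a single private-key entry, aliased `jetty`, carrying the newly deployed certificate. The sample listing, the `oldcert` alias and both fingerprints are constructed, and the SHA1 listing layout (as printed by JDK 7 era `keytool`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Sample listing and fingerprints are constructed.
SAMPLE_NEW_FP='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

oldcert, Jan 10, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
jetty, Apr 14, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# stdin: `keytool -list` output. stdout: "alias<TAB>fingerprint" per private-key entry.
list_key_entries() {
    awk '
        /, *PrivateKeyEntry,/ { alias = $0; sub(/,.*/, "", alias); pending = 1; next }
        pending && /^Certificate fingerprint/ {
            fp = $0; sub(/^[^:]*: */, "", fp); sub(/[ \t\r]+$/, "", fp)
            print alias "\t" fp; pending = 0
        }'
}

# audit_keystore EXPECTED_FP < listing
# Returns 0 only if the keystore holds exactly one private-key entry, aliased
# "jetty", whose fingerprint equals EXPECTED_FP; otherwise reports and returns 1.
audit_keystore() {
    list_key_entries | awk -F '\t' -v want="$1" '
        { n++
          printf "%d: alias=%s %s\n", n, $1, ($2 == want ? "current" : "STALE")
          if ($1 == "jetty" && $2 == want) ok = 1 }
        END { if (n == 1 && ok) exit 0
              print "FAIL: " (n + 0) " key entries; clear the keystore, rerun zmcertmgr deploycrt"
              exit 1 }'
}

# Live inputs (need openssl and network access; not called by the demo below).
cert_fp()   { openssl x509 -noout -fingerprint -sha1 -in "$1" | cut -d= -f2; }
served_fp() { openssl s_client -connect "$1" </dev/null 2>/dev/null |
              openssl x509 -noout -fingerprint -sha1 | cut -d= -f2; }
# On the server (keytool prompts for the keystore password):
#   keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore |
#     audit_keystore "$(cert_fp /opt/zimbra/ssl/zimbra/commercial/commercial.crt)"

# Demo on the constructed listing: reports oldcert as STALE and fails the audit.
printf '%s\n' "$SAMPLE_LISTING" | audit_keystore "$SAMPLE_NEW_FP" || echo "keystore needs cleanup"
```

Comparing `served_fp host:port` with `cert_fp` on the deployed file shows from the outside whether the service is still presenting the old, revoked certificate after a restart.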
