Thread: zmprov ERROR: zclient.IO_ERROR

  1. #1 DVan

    zmprov ERROR: zclient.IO_ERROR

    I was using a free commercial certificate without issue. Now I purchased a real commercial cert and zmprov now cannot run.

    zmprov
    ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

    I really need it to run as I have a domain catchall for another domain that I need to migrate off of the zimbra server and cannot remove this as zmprov cannot run.

    All of my clients, browsers, Outlooks, Mobile phones, etc. work with the new cert, but poor little zmprov fails to work.

    Using Network edition version 4.5.3 on Ubuntu.

    Any help is certainly appreciated. I have tried multiple imports and keystores thinking I have installed my cert wrong, but nothing seems to work. The cert chain looks intact and correct using either openssl or keytool.

  2. #2 jholder

    http://wiki.zimbra.com/index.php?tit...l_Certificates

    You need to import ALL of the certs that come with it. Not just the ones listed in the wiki.

    The names won't matter.

    keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file gd_intermediate.crt

    For example, you can change the alias to intermed2 if you have more than one intermediary.
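    Importing the whole chain as advised above, written out as an added shell example that is not from the thread: it splits a CA-supplied PEM bundle into single certificates and imports each one under its own alias (intermed, intermed2, ...). The keystore path is the one from the command above; the bundle file name and the two sample certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Imports every certificate of a
# CA-supplied PEM bundle (assumed name: gd_bundle.crt) into the keystore
# under its own alias: intermed, intermed2, intermed3, ...
KEYSTORE="${KEYSTORE:-/opt/zimbra/ssl/ssl/commercial.keystore}"

# split_bundle BUNDLE OUTDIR: write one file per certificate
# (OUTDIR/cert-1.pem, cert-2.pem, ...) and print how many were found.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# import_chain BUNDLE: trust every certificate in BUNDLE, so the keystore
# holds the whole chain rather than only the single intermediate.
import_chain() {
    tmp=$(mktemp -d)
    count=$(split_bundle "$1" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        alias="intermed"
        [ "$i" -gt 1 ] && alias="intermed$i"
        keytool -import -noprompt -alias "$alias" -keystore "$KEYSTORE" \
            -trustcacerts -file "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# make_sample_bundle FILE: constructed two-certificate bundle with
# placeholder bodies, used only to exercise split_bundle offline.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
FIRSTCERT-placeholder-not-real-base64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SECONDCERT-placeholder-not-real-base64
-----END CERTIFICATE-----
EOF
}
# Usage: . ./import_chain.sh; import_chain /path/to/gd_bundle.crt
```

    Afterwards, keytool -list on the keystore should show one trustedCertEntry per certificate in the bundle, not just one intermediate.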

  3. #3 DVan

    I appreciate the help.

    That would make sense, but even after adding the single intermediate using the command you suggest zmprov still has the same error.

    Now in my keytool I have:

    the certificate root
    the certificate intermediate
    Both listed as trustedCertEntry

    and in between those I have tomcat, which is listed as keyEntry, and that is a certificate chain with a length of 3, starting with my CN, then intermediate, then root.

    Unfortunately I'm stuck with the same zmprov error though.

    Any other ideas?

  4. #4 DVan

    Even using simple ldap commands to remove the catchall would be appreciated.

    Unfortunately, I cannot use the standard ldap-utils due to incompatibilities between them and the Zimbra libraries, and the slapcat installed by Zimbra isn't actually installed; it just has an invalid symlink.

  5. #5 jholder

    Have you tried starting from scratch?
    When I first did this, it took me generating my CSR 12 times before I figured it out.

    Once you start importing into the keystore, it can be difficult keeping track of what you did, and did not do.

  6. #6 DVan

    I have tried building the keystore from scratch multiple times.

    Unfortunately, I'm having to do it from a private key and CSR that were generated from openssl, which convolutes the matter even more. Luckily there is at least the post here in the forums regarding using a pkcs12 import for this process, but I'm also worried that is causing some of the issues.

    I'm also waiting on my SSL provider, in hopes they can reissue my cert with a new CSR directly from a new keystore in Zimbra, but that will probably take a while. Perhaps they may also have some other information on using their certificates properly in tomcat, but again I'm still waiting on them. It is still bizarre since the original free certificate went in without an issue or problem, when it wasn't even trusted by tomcat, nor had a root installed in the keystore.

    I now know more than I wanted to know about openssl, and java's keytool. As mentioned everything checks out with those tools, and all of the clients, which makes this all the more frustrating as the last thing I want to do is break the clients in order to get the admin tool working.

    I just wish the only admin option for zimbra wasn't this seemingly fragile tool (at least as far as certificates go). I have to admit I haven't completely rebooted the server yet to avoid unscheduled downtime, could it possibly be caching the old cert for some reason?

    Would an upgrade to 4.5.4 help? And more importantly, is there a way to not have Zimbra lite, and get Zimbra full, which includes the actual ldap utilities like ldapmodify, slapcat, etc.?

  7. #7 DVan

    So I started from scratch with a new keystore, a new generated key for the tomcat alias, and a new csr from the tomcat alias. I then got a whole new cert from Verisign, installed their root and intermediate, and then imported the Verisign cert. At the end of the process I received a nice satisfactory:

    Certificate reply was installed in keystore

    Letting me know everything was done correctly.

    So I replaced the /opt/zimbra/apache-tomcat-5.5.15/conf/keystore with the new one and restarted Zimbra via zmcontrol, all of the clients worked, but when I run zmprov, I still get:

    ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

    So what's the deal with zmprov? How can I reset the cert it seems to be expecting?

  8. #8 DVan

    So I ended up finding the config option to disable the broken java portion of zmprov.

    The command I ran was:

    zmlocalconfig -e zimbra_zmprov_default_to_ldap=true

    This at least works around the problem.

  9. #9 DVan

    So it turns out zmprov has many Java/SOAP-only commands, which means this breaks all of those SOAP-only commands. Even though I've rebooted and reinstalled the server and upgraded it, I still have the same error.

    Anybody have a working commercial cert that zmprov trusts?

    What does your keytool output look like?

    keytool -list -keystore /opt/zimbra/apache-tomcat-5.5.15/conf/keystore

    Any difference between yours and mine (fingerprints removed for security reasons)?

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 3 entries

    root, Apr 18, 2007, trustedCertEntry,
    Certificate fingerprint (MD5):
    tomcat, Apr 13, 2007, keyEntry,
    Certificate fingerprint (MD5):
    intermed, Apr 18, 2007, trustedCertEntry,
    Certificate fingerprint (MD5):
