
Thread: SSL Problem - No common encryption algorithm

  1. #1
    Daryl Jones is offline Member
    Join Date
    Nov 2005
    Posts
    13
    Rep Power
    9

    Default SSL Problem - No common encryption algorithm

    I've been unsuccessfully trying to get a real SSL certificate to work with Zimbra and decided to go back to a self-signed certificate set, however I've apparently broken something so that even the self-signed cert will no longer work.

    zmcreatecert
    zmcertinstall mailbox
    zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
    zmtlsctl mixed
    tomcat restart

    These commands complete without error and show what I would expect them to show. I tried deleting the tomcat keystore file and letting it be recreated.

    Firefox displays the following message when trying to connect to port 7071. "Firefox and xxx.xxx.com cannot communicate securely because they have no common encryption algorithms."

    Ideas?

  2. #2
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    Default new ca

    Try recreating the CA before the cert creation and install:
    zmcreateca

    Out of curiosity, what happened with the commercial cert install?

  3. #3
    Daryl Jones is offline Member
    Join Date
    Nov 2005
    Posts
    13
    Rep Power
    9

    Default

    Still doesn't work. zmcreateca creates a ca and puts it in '/opt/zimbra/ssl/ssl/ca/ca.key'. zmcreatecert fails the first time after running zmcreateca, but it seems to run without errors if I immediately run it again.

    Here's what happens when I run zmcreatecert the first time.

    Code:
    [zimbra@z1 ~]$ zmcreatecert
    expr: non-numeric argument
    /opt/zimbra/bin/zmcreatecert: line 58: [: -lt: unary operator expected
    ** Importing CA
    
    keytool error: java.lang.Exception: Certificate not imported, alias  already exists
    ** Creating keystore
    
    ** Creating server cert request
    
    Generating a 1024 bit RSA private key
    ...................++++++
    ........++++++
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request
    
    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    unable to load number from /opt/zimbra/ssl/ssl/ca/ca.srl
    error while loading serial number
    4182:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=z1.sfo2.smrn.com
    Getting CA Private Key
    unable to load serial number from /opt/zimbra/ssl/ssl/ca/ca.srl
    4183:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

    I got similar results when trying to install the real certificate.
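
    The "unable to load number from /opt/zimbra/ssl/ssl/ca/ca.srl ... short line" output above is what OpenSSL prints when the CA serial file holds no readable serial; the `-CAserial` format is one line with an even number of hex digits. The following check is an added example, not part of the original posts or of Zimbra; `check_srl` is a hypothetical helper name and the sample files are constructed.

```shell
#!/bin/sh
# Classify the state of an OpenSSL CA serial file such as ca.srl.
# Expected format: one line containing an even number of hex digits.
# check_srl is a hypothetical helper, not a Zimbra or OpenSSL command.
check_srl() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # Look at the first line only; drop CR and stray whitespace.
    line=$(head -n 1 "$f" | tr -d '\r \t')
    [ -n "$line" ] || { echo empty; return 0; }
    case $line in
        *[!0-9A-Fa-f]*) echo non-hex; return 0 ;;
    esac
    if [ $(( ${#line} % 2 )) -ne 0 ]; then
        echo odd-length
    else
        echo ok
    fi
}

# Constructed sample files (not taken from the thread) covering each state.
srl_demo() {
    d=$(mktemp -d)
    : > "$d/empty.srl"                 # zero-length file: nothing to parse
    printf '01\n' > "$d/good.srl"      # valid: two hex digits
    printf 'ABC\n' > "$d/odd.srl"      # hex, but an odd number of digits
    printf 'serial\n' > "$d/text.srl"  # not hex at all
    for n in empty good odd text absent; do
        printf '%s: %s\n' "$n" "$(check_srl "$d/$n.srl")"
    done
    rm -rf "$d"
}
srl_demo
```

    Pointing `check_srl` at the real ca.srl before re-running the signing step shows whether the serial file is the part that needs recreating.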

  4. #4
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    Default errors

    Ok, let's clean up the certs and start again:

    as root:
    rm -rf /opt/zimbra/ssl
    mkdir /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/ssl

    su - zimbra
    (all one line here: )
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
    (again, all one line: )
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra

    zmcreateca
    zmcreatecert
    zmcertinstall mailbox
    zmcertinstall mta ...

  5. #5
    altimage is offline Active Member
    Join Date
    Nov 2005
    Location
    Daytona Beach, FL
    Posts
    39
    Rep Power
    9

    Default

    Quote Originally Posted by Daryl Jones
    I've been unsuccessfully trying to get a real SSL certificate to work with Zimbra and decided to go back to a self-signed certificate set, however I've apparently broken something so that even the self-signed cert will no longer work.
    ....
    Ideas?

    I have a real cert successfully set up from instantSSL. I just edited the main.cf file in postfix. There are 2 lines that point to your ssl files. That doesn't make the cert work with webmail over https (which I'm not using) and the zimbra admin still gets a warning (which I can live with), but pop clients won't see any issues that way.

    altimage

  6. #6
    Daryl Jones is offline Member
    Join Date
    Nov 2005
    Posts
    13
    Rep Power
    9

    Default

    Thanks for the info on deleting the items from the keystore. I will try this on my test machine later today.

    How do I deal with an intermediate certificate when using zmcertinstall?

    Thanks for the tip on manually configuring postfix main.cf. I came to the same conclusion and was able to successfully make postfix smtpd work with the real certificate by doing what you suggested. Unfortunately, this doesn't address the problem with POP3 or IMAP since postfix doesn't handle these services.

  7. #7
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    Default intermediate certs

    For intermediate certs, you'll have to install them by hand:

    su - zimbra
    keytool -import -alias <alias> -trustcacerts -file <certificate file> -storepass zimbra

  8. #8
    mrichman is offline Junior Member
    Join Date
    Jan 2006
    Posts
    5
    Rep Power
    9

    Default keytool password?

    su - zimbra
    (all one line here: )
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
    (again, all one line: )
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra

    zmcreateca
    zmcreatecert
    zmcertinstall mailbox
    zmcertinstall mta ...

    I have this same issue and as I am following these instructions it asks for a password. Did this happen during install?

    Thank You,
    Michael

  9. #9
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    Default cert creation

    At what point does it ask for a password? As which user are you running the commands? Which build are you running?

  10. #10
    mrichman is offline Junior Member
    Join Date
    Jan 2006
    Posts
    5
    Rep Power
    9

    Default Keystore Password

    Quote Originally Posted by marcmac
    At what point does it ask for a password? As which user are you running the commands? Which build are you running?

    I am running M3_436

    as Zimbra user I get:

    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
    Enter keystore password:

    I get the same for the next command:
    [root@mail ~]# su zimbra
    [zimbra@mail root]$ keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
    Enter keystore password:
