#1 - 12-15-2005, 06:34 PM - Member (Posts: 13)
Zimbra on Debian - keytool issues

I am trying to build Zimbra on Debian (sarge/sid). I run on an AMD64 machine. I use Zimbra CVS.

I installed basic Debian, with no server application. Then before going to build ThirdParty tools, I did the following:
Code:
# DEBIAN
#========
# get for Debian:
# ant ant-optional
# libxml2 libxml2-dev
# libcurl3-openssl-dev
#
# Links:
# ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.5 
# ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.5
# ln -s /usr/lib/libpcre.so.3.12.0 /usr/lib/libpcre.so.0
I also upgraded MySQL version to 4.1.15, and fooled Zimbra to think I am on BUILD_PLATFORM:=DEBIAN3.1 - with this, the ThirdParty builds went on quite well.

In the CVS there is a mismatch regarding the Postfix version: 2.2.3 (old) or 2.2.5 - I resolved it to 2.2.5 in all relevant files.

Also, after managing version numbers, ZimbraBuild also went quite well. The "make dev-install" Makefiles are very fragile. Here are some points:
* You better replace all instances of "ln -s" with "ln -s -i" (or something similar) so failing makes won't force you to restart everything. Currently, whenever the Makefile encounters an already existing link, it quits. One has to manually remove all links (or allclean).
* On some occasions, when you copy whole directories (like to /opt/zimbra/bin), the Makefile fails because it tries to copy the "CVS" directory.
* There is a wrong source file for $(ZIMBRA_BIN_DIR)/../../conf/zmlogrotate

... Now come the problems

Following a tip I got from Marc, I am trying to create authentications (before running zmmyinit and zmldapinit). It always fails. It used to fail in the same way when I was trying to build on FC4 (same AMD64 machine). Needless to say that zmldapinit also fails afterwards.

Here is the output:
Code:
shohaml@aio:/opt/zimbra$ ./bin/zmcreateca
** Creating CA private key

Generating a 1024 bit RSA private key
...................................++++++
..........................................................++++++
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
-----
** Creating CA cert

Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
Getting Private key

================

shohaml@aio:/opt/zimbra$ ./bin/zmcreatecert
** Importing CA

keytool error: java.lang.Exception: Certificate not imported, alias  already exists
** Creating keystore

** Creating server cert request

Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request

Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Dec 16 01:05:56 2005 GMT
            Not After : Dec 16 01:05:56 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = N/A
            organizationName          = Zimbra Collaboration Suite
            commonName                = aio.shoham.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                82:F2:5B:C5:FC:2A:C8:0F:18:24:CA:03:2C:D7:C9:37:FD:20:5D:79
            X509v3 Authority Key Identifier:
                DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
                serial:80:91:0E:F8:5F:3D:8E:CE

Certificate is to be certified until Dec 16 01:05:56 2006 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=aio.shoham.com
Getting CA Private Key

================

shohaml@aio:/opt/zimbra$ ./bin/zmcertinstall mailbox
./bin/zmcertinstall: line 57: /opt/zimbra/bin/get_plat_tag.sh: No such file or directory
** Importing server cert

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
What can I do to fix the keytool problems?
#2 - 12-16-2005, 08:41 AM - Zimbra Employee (Posts: 2,103)
keytool error

SSL Problem - No common encryption algorithm
#3 - 12-16-2005, 10:09 AM - Member (Posts: 13)
Doesn't work.

Hi.

I tried everything that you said. I did it as my user (this is dev install), and also as the zimbra user.
First of all, the keytool requires that the user invoking the commands has write permissions to:
keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
Why is it so - that I need write permissions in the JAVA library?
Code:
zimbra@aio:~$ ./bin/zmcreatecert
** Importing CA

Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
** Creating keystore

** Creating server cert request
...
Then I keep getting the error:
Code:
zimbra@aio:~$ ./bin/zmcertinstall mailbox
** Importing server cert

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
#4 - 12-16-2005, 10:17 AM - Zimbra Employee (Posts: 2,103)
Creating a CA

You need write access in order to install the CA in the java library's CA file. Change permissions on the file, and it should work.
#5 - 12-16-2005, 11:08 AM - Member (Posts: 13)
Trying to understand keytool

I figured out, and changed, the write access on the file "java/jre/lib/security/cacerts". I am still not sure why Zimbra's scripts point to the Java release, and don't create a separate "cacerts", but I am not a keytool expert, so I don't mind.

I still get the error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match". I tried to google this error, but there is no relevant data available. Am I the only one with keytool problems?

I thought it had something to do with AMD64, but I can't find any reference to that either. Maybe it is something in the way I work?
* as root: "make dev-install"
* as root: chown -R shohaml:shohaml /opt/zimbra
* as root: chown shohaml:shohaml java/jre/lib/security/cacerts
* as root: chmod 544 java/jre/lib/security/cacerts (in the clean Java installation it is 444)
* as shohaml: bin/zmcreateca (OK)
* as shohaml: bin/zmcreatecert (OK)
* as shohaml: bin/zmcertinstall mailbox (keys don't match)

Any idea?
#6 - 12-16-2005, 11:32 AM - Zimbra Employee (Posts: 2,103)
keytool error

Clean up the my_ca alias from cacerts again, and also delete tomcat/conf/keystore - that may be the problem.
#7 - 12-16-2005, 12:50 PM - Member (Posts: 13)

It worked, thanks!

I am not sure why, but after numerous reinstallations of the certificates - it worked.

Thanks for your help - I will see if everything else works now on Debian.
#8 - 12-18-2005, 09:08 AM - Member (Posts: 13)
...I was too soon to be happy.

I think I have found some bugs/issues in the source setup (from CVS) and in the certificating process.

point 1
In the script "zmcreatecert" you generate the tomcat alias (in function createKeyStore). You later create a certificate for that alias, which you import back into the Tomcat keystore - in the certinstall script (function importCert). It is always in that stage that I get the error: "Public keys in reply and keystore don't match".

I don't really care about that error, because I can easily remove the tomcat alias "keytool -delete", and manually re-add it as certified. But isn't there a security problem in the flow to begin with? The purpose of certificates is to get a 3rd party approval - and your script's flow simply "self-approves" itself. I don't know if this should cause issues to others, because I am not that proficient in keytool and certificates, but maybe this is what was causing my problems to start with?

point 2
In dev-install you miss copying a script:
cp ZimbraBuild/rpmconf/Build/get_plat_tag.sh /opt/zimbra/bin
This script is needed for other Zimbra scripts.

point 3
When I finally run LDAP (zmldapinit) - it fails to find the database:
bdb(): /opt/zimbra/openldap-data/__db.001: No such file or directory
Of course, I don't have this directory. I fail to find the DB initialization script in the CVS tree. How should I initialize the LDAP database?

Thanks,
Shoham.
#9 - 12-18-2005, 09:15 AM - Zimbra Employee (Posts: 2,103)
self signed certificate
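The "Public keys in reply and keystore don't match" error discussed above means the signed certificate was issued for a key pair that is no longer the one sitting in the keystore. The following added example (not one of Zimbra's scripts, written here for illustration) reproduces that condition with plain openssl and shows the public-key comparison to run before importing a cert reply; it assumes openssl is on PATH, and every subject and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not one of Zimbra's scripts. It reproduces with plain openssl the
# condition behind keytool's "Public keys in reply and keystore don't match" and
# shows the check to run before importing a signed cert. Assumes openssl on PATH;
# all subjects and file names are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, the role zmcreateca plays.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/O=Example CA/CN=example-ca" -days 365 >/dev/null 2>&1

# Fresh server key pair plus CSR (the keystore's "tomcat" entry in the thread).
make_csr() {  # $1 = base name for the key and CSR files
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/O=Example/CN=mail.example.test" >/dev/null 2>&1
}
make_csr server
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/server.crt" -days 365 >/dev/null 2>&1

# The check keytool performs on import: the certificate's public key must equal
# the public half of the private key it is about to be paired with.
# Returns 0 on match, 1 on mismatch.
pubkey_matches() {  # $1 = private key file, $2 = certificate file
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Correct flow: the signed cert belongs to the key that produced the CSR.
pubkey_matches "$WORK/server.key" "$WORK/server.crt" && echo "server.crt matches server.key"

# The thread's failure: the key pair is regenerated (a re-run of createKeyStore) after
# the cert was signed, so the stale cert no longer matches and the import must fail.
make_csr server
if ! pubkey_matches "$WORK/server.key" "$WORK/server.crt"; then
  echo "mismatch: regenerate the CSR from the current key and re-sign before importing"
fi
```

Running the same comparison against the key inside tomcat/conf/keystore (exported with keytool) tells you before the import step whether deleting the keystore and regenerating, as post #6 advises, is what is needed.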

Quote:
Originally Posted by shohamlevy
I think I have found some bugs/issues in the source setup (from CVS) and in the certificating process.

point 1
In the script "zmcreatecert" you generate the tomcat alias (in function createKeyStore). You later create a certificate for that alias, which you import back into the Tomcat keystore - in the certinstall script (function importCert). It is always in that stage that I get the error: "Public keys in reply and keystore don't match".

I don't really care about that error, because I can easily remove the tomcat alias "keytool -delete", and manually re-add it as certified. But isn't there a security problem in the flow to begin with? The purpose of certificates is to get a 3rd party approval - and your script's flow simply "self-approves" itself. I don't know if this should cause issues to others, because I am not that proficient in keytool and certificates, but maybe this is what was causing my problems to start with?
The whole point of the createcert script is to create a self-signed certificate, to make it easier to get zimbra up and running with ssl - we don't cover 3rdparty certs.

Self signed certs work fine, though they will generate a warning to clients.

Quote:
Originally Posted by shohamlevy
point 2
In dev-install you miss copying a script:
cp ZimbraBuild/rpmconf/Build/get_plat_tag.sh /opt/zimbra/bin
This script is needed for other Zimbra scripts.
I'll take a look at this.

Quote:
Originally Posted by shohamlevy
point 3
When I finally run LDAP (zmldapinit) - it fails to find the database:
bdb(): /opt/zimbra/openldap-data/__db.001: No such file or directory
Of course, I don't have this directory. I fail to find the DB initialization script in the CVS tree. How should I initialize the LDAP database?

Thanks,
Shoham.
Initialize the db with zmldapinit - if it's failing with that error, you'll need to pre-create the openldap-data directory before running it.
#10 - 12-19-2005, 10:59 AM - Member (Posts: 13)
openldap-data - now OK

The LDAP DB is created successfully when the "/opt/zimbra/open-ldap" directory is manually created. Can you modify the zmldapinit script to also create the directory, or at least warn if it does not exist?