  #11 (permalink)  
Old 01-05-2008, 11:24 AM
Outstanding Member
 
Posts: 708

I don't understand why copying the appropriate cert (thawte.pem in my case) into the ca directory and running c_rehash doesn't fix it.

The "fix" for comment #10 is to set start_tls = no and chattr +i /opt/zimbra/conf/ldap*, so that zmmtainit can't rewrite those files. You'll get errors from postfix/zmcontrol start, but it runs.
Reply With Quote
  #12 (permalink)  
Old 01-06-2008, 04:00 PM
Starter Member
 
Posts: 1

Good PM, I encountered the same problem, but it was fixed by the workaround you guys posted. (Thank you so much for that!) I did the certificate installation manually. Just wanted to ask if I will encounter the same problem once my certificate has expired? Or can I manually set the certificate expiration to a longer number of days, let's say 5 yrs at least...

Thanks guys! Kudos.
Reply With Quote
  #13 (permalink)  
Old 01-15-2008, 08:01 PM
Outstanding Member
 
Posts: 708

Still broken for me with 5.0.1 NE.

Cert works for all purposes except postfix.

Code:
# /opt/zimbra/bin/zmcertmgr deploycrt comm
** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/ST=Minnesota/L=Northfield/O=Carleton College/OU=Information Technology Services/CN=mail.carleton.edu
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.

strace ldapsearch -Z fails searching for /opt/zimbra/conf/ca/c33a80d4.0, which does not correspond to the CA hash. I would guess that I somehow got two different keypairs for different services, but openssl s_client -connect mail:443 returns exactly the same cert as /opt/zimbra/conf/slapd.crt.
Reply With Quote
  #14 (permalink)  
Old 01-15-2008, 08:35 PM
Outstanding Member
 
Posts: 708

DOH! Resolved. Thawte has several CA certs, and I had the wrong one. All hail The Google for telling me what hashes to c33a80d4.0.
Reply With Quote
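
The mismatch resolved in posts #13 and #14, as an added example that is not part of the thread: OpenSSL looks up an issuer in a CA directory under a file name derived from a hash of the issuer's name, so comparing a certificate's issuer hash with each candidate CA's subject hash shows which CA file it actually needs. The function names are hypothetical and the certificates are constructed test material generated by make_demo.

```shell
#!/bin/sh
# Added example, not code from the thread. All names and paths are constructed.

# OpenSSL looks up an issuer in a CA directory as <hash-of-issuer-name>.0
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Print every candidate CA file whose subject name is the certificate's issuer.
# Returns 0 if at least one matches, 1 if none do, 2 if the cert is unreadable.
find_issuer() {
    cert=$1; shift
    want=$(issuer_hash "$cert") || return 2
    rc=1
    for ca in "$@"; do
        if [ "$(subject_hash "$ca" 2>/dev/null)" = "$want" ]; then
            echo "$ca"; rc=0
        fi
    done
    return $rc
}

# Link a CA file into directory $2 under the name a hash lookup opens,
# which is what c_rehash does for every certificate in a directory.
install_ca() {
    ln -sf "$1" "$2/$(subject_hash "$1").0"
}

# Build constructed test material in directory $1: two CAs from the same
# organisation with different names, and a leaf certificate signed by the second.
make_demo() {
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example CA/CN=Example Root $n" \
            -keyout "$1/$n.key" -out "$1/ca_$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca_b.pem" -CAkey "$1/b.key" \
        -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Usage: sh find_issuer.sh server.crt candidate-ca.pem [...]
if [ $# -ge 2 ]; then
    find_issuer "$@"
fi
```

OpenSSL 1.0.0 and later compute this hash differently from the 0.9.8 releases; on a newer openssl, `-issuer_hash_old` and `-subject_hash_old` print the older value.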