
Thread: [SOLVED] Argh Commercial Certificates after a 4.10 > 5.0 FOSS upgrade!

  1. #11
    Rich Graves

    I don't understand why copying the appropriate cert (thawte.pem in my case) into the ca directory and running c_rehash doesn't fix it.

    The "fix" for comment #10 is to set start_tls = no and chattr +i /opt/zimbra/conf/ldap*, so that zmmtainit can't rewrite those files. You'll get errors from postfix/zmcontrol start, but it runs.

  2. #12
    pmiranda

    Good pm, I encountered the same problem, but it was fixed by the workaround you guys posted. (Thank you so much for that!) I manually did the certificate installation. Just wanted to ask if I will encounter the same problem once my certificate is expired? Or can I manually set the certificate expiration to a longer number of dates, let's say 5 yrs at least...

    Thanks guys! Kudos.

  3. #13
    Rich Graves

    Still broken for me with 5.0.1 NE.

    Cert works for all purposes except postfix.

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm
    ** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/ST=Minnesota/L=Northfield/O=Carleton College/OU=Information Technology Services/CN=mail.carleton.edu
    error 20 at 0 depth lookup:unable to get local issuer certificate
    XXXXX ERROR: provided cert isn't valid.

    strace ldapsearch -Z fails searching for /opt/zimbra/conf/ca/c33a80d4.0, which does not correspond to the CA hash. I would guess that I somehow got two different keypairs for different services, but openssl s_client -connect mail:443 returns exactly the same cert as /opt/zimbra/conf/slapd.crt.

  4. #14
    Rich Graves

    DOH! Resolved. Thawte has several CA certs, and I had the wrong one. All hail The Google for telling me what hashes to c33a80d4.0.
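
The failure in posts #13 and #14, reproduced as an added example that is not part of the original thread: a hashed CA directory is searched by the hash of the certificate's issuer name, so installing a different CA from the same vendor leaves the expected `<hash>.0` file missing and verification stops with error 20. The function names, the two test CAs and the `mail.example.test` leaf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# File name OpenSSL looks up in a hashed CA directory when verifying CERT:
# the hash of CERT's *issuer* name plus ".0".
ca_lookup_name() {   # ca_lookup_name CERT
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1")"
}

# Install a CA cert under its *subject* hash. c_rehash creates this name as
# a symlink; a copy behaves the same for lookup.
install_ca() {   # install_ca CA_PEM CADIR
    cp "$1" "$2/$(openssl x509 -noout -subject_hash -in "$1").0"
}

# Return 0 only if CADIR holds the issuer of CERT and the chain verifies.
check_ca_dir() {   # check_ca_dir CERT CADIR
    want=$(ca_lookup_name "$1")
    if [ ! -e "$2/$want" ]; then
        echo "no $2/$want: issuer CA missing, or a different CA installed" >&2
        return 1
    fi
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Constructed sample data: two unrelated test CAs, one leaf signed by "right".
make_samples() {   # make_samples WORKDIR
    w=$1
    for ca in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Example/CN=$ca test CA" \
            -keyout "$w/$ca.key" -out "$w/$ca.pem" 2>/dev/null
        mkdir -p "$w/ca-$ca"
        install_ca "$w/$ca.pem" "$w/ca-$ca"
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/right.pem" \
        -CAkey "$w/right.key" -CAcreateserial -days 1 \
        -out "$w/leaf.pem" 2>/dev/null
}

# Run "sh thisfile demo" to see both outcomes on the constructed certs.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d) && make_samples "$t"
    check_ca_dir "$t/leaf.pem" "$t/ca-right" && echo "ca-right: OK"
    check_ca_dir "$t/leaf.pem" "$t/ca-wrong" || echo "ca-wrong: fails"
    rm -rf "$t"
fi
```

On a host like the one in the thread the call would be `check_ca_dir /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/ca`. A hash file name generated before OpenSSL 1.0.0 uses the older name-hash algorithm; `-issuer_hash_old` and `-subject_hash_old` print that form.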
