Cannon install commercial ssl cert after upgrade via admin web gui.

[jonl]

Quote:

Originally Posted by brian

Jonl:

The current openssl policy doesn't support changing the Locale, City, ST when generating a self-signed cert. This has been fixed for 5.0.2.

webaj:

This means the cert you are trying to install doesn't match the private key? Did you generate the csr from the zimbra wizard? If not you'll need to install the private key from where ever you generated the csr to send to your commercial cert provider.

Brian:

Thanks for the reply. I will look forward to version 5.0.2 for the self-signed cert...

I had tried a certificate with cacert.org utilizing the web interface for everything. I will look over this thread again and your replies to webaj to see if that will solve my problems on that end. Thanks again.

[webaj]

Quote:

Originally Posted by brian

Jonl:

The current openssl policy doesn't support changing the Locale, City, ST when generating a self-signed cert. This has been fixed for 5.0.2.

webaj:

This means the cert you are trying to install doesn't match the private key? Did you generate the csr from the zimbra wizard? If not you'll need to install the private key from where ever you generated the csr to send to your commercial cert provider.

I generated a new key with the csr from the zimbra wizard and it still does not work.

How do I install the private key?

[Offermann]

Hello,
I tried to install a certificate from StartSSL using the admin interface. I got the same problem. I think StartSSL changes organization and organization unit for the issued certificate. Is that the cause for the problem? Will this be fixed in 5.0.2?
Thanks, regards,
Philipp

[Offermann]

The error in the admin interface when trying to install the certificate let to a break down of the SSL parts of the system. I noticed that only very late because it became apparent only after a Zimbra restart. I managed to get the system back running by installing a new self-signed certificate. In the course of doing so I noticed that SSL Certificate Problems - Zimbra :: Wiki is horribly outdated and the certificate installation program is not documented in the official documentation. So fixing the system was more or less guess work. Not very reassuring!

[mjeanson]

I had the same problem installing a DigiCert chained certificate with the manual procedure that endend with the error :

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

Turns out my certificate files were missing newline character on the last line which caused openssl to not recognise the concatenated file that contained the certificate and the CA.

Hope it helps.

[awbecker]

Quote:

Originally Posted by mjeanson

Turns out my certificate files were missing newline character on the last line which caused openssl to not recognise the concatenated file that contained the certificate and the CA.

If you'll allow me to translate (because it took me an hour to figure out exactly what this comment meant):

Behind the scenes, the process that the admin tool uses to import your certificates is the same as the suggested manual procedure: it puts files into magic places under the webapps directory, then runs zmcertmgr to deploy the certificate.

However, that tool concatenates together whatever your supplied for commercial.crt and whatever you supplied for ca.crt. If there aren't linefeeds at either the end of commercial.crt or the beginning of ca.crt, then the process that makes jetty's pkcs12 file doesn't recognize the merged certs as being valid. So you have to make sure those files that you're uploading do have some extra linefeeds at the top and bottom.

It seems to me that zmcertmgr and/or the admin tool could do this for you. Barring that, there could at least have been a straight answer somewhere on the wiki, or the forums, or in the documentation. I just spent two damned hours fixing this problem.

[tenikiwon]

Upon following the suggesting to ad lines to the top/bottom of the .crt files the Admin UI said the certificate was installed correctly. I can connect and login although the webbrowser appears to be still getting the old, self signed cert. Also, all services appear to be up however I can't send mail. I get either a message that the server is busy/slow or an error message. I'm going to go back and install another self signed and see what happens.

Error Message:

Quote:

A network service error has occurred.
msg: system failure: MessaginException
code: service.FAILURE
method: SendMsgRequest
detail: soap:Receiver

[awbecker]

Quote:

Originally Posted by tenikiwon

Upon following the suggesting to ad lines to the top/bottom of the .crt files the Admin UI said the certificate was installed correctly. I can connect and login although the webbrowser appears to be still getting the old, self signed cert. Also, all services appear to be up however I can't send mail. I get either a message that the server is busy/slow or an error message. I'm going to go back and install another self signed and see what happens.

If you can't send mail, the cert is probably not installed correctly, no matter what message you might have been given.

Looking in /var/log/zimbra.log, /opt/zimbra/log/mailbox.log, and the Admin UI's list of installed certificates are all good sources of info for figuring out what's going on with cert issues.

[brian]

If the Admin console and WebUI are still using a self signed cert you most likely still have a copy of the old cert in the java keystore

This will display the contents of the keystore and delete any unnecessary entries. The 5.0.2 upgrade will also automatically correct this bug.

Code:

keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

[dehylus]

The; keytool -delete -alias tomcat /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password` ;no work.

keytool error: java.lang.RuntimeException: Usage error, /opt/zimbra/mailboxd/etc/keystore is not a legal command

My version as 5.0.2. Any idea???, thanks.-