Cannon install commercial ssl cert after upgrade via admin web gui.

[webaj]

I upgraded to 5 today and was very happy to see a gui for installing ssl certs.

I already have a wild card cert from digicert so I went to the wizard.

No problems until the very end after selecting finish i get the following.

Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12

[jholder]

Out of curiosity, are you not in the US?

[jholder]

We suggest waiting until 5.0.1 is out for Commercial Cert use/installation. There are several fixes for Commercial Certs that you'll need.

[webaj]

Quote:

Originally Posted by jholder

Out of curiosity, are you not in the US?

Out of curiosity, why do you ask?

Anyway I am in the US.

[jholder]

Quote:

Originally Posted by webaj

Out of curiosity, why do you ask?

Anyway I am in the US.

There was a separate issue I thought you might be hitting. Turns out that's not it.

[webaj]

Quote:

Originally Posted by jholder

We suggest waiting until 5.0.1 is out for Commercial Cert use/installation. There are several fixes for Commercial Certs that you'll need.

I upgraded the server today and still get the following problem.

Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12

[brian]

Try installing with the command line interface and post the full error message. As zimbra

Code:

sudo zmcertmgr deploycrt comm  

If your cert authority has a root ca plus intermediaries you'll need to concatenate them into one file.

[webaj]

Quote:

Originally Posted by brian

Try installing with the command line interface and post the full error message. As zimbra

Code:

sudo zmcertmgr deploycrt comm  

If your cert authority has a root ca plus intermediaries you'll need to concatenate them into one file.

zimbra@abby:/opt/key> sudo zmcertmgr deploycrt comm /opt/key/star_example_org.crt /opt/key/DigiCertCA.crt
** Verifying /opt/key/star_example_org.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/opt/key/star_example_org.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

or


zimbra@abby:/opt/key> sudo zmcertmgr deploycrt comm
** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: OK
** Copying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080114092253
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

[jonl]

This is my first post so hope I am doing things correctly.

Anyway, fwiw I am having the same problem when installing commercial certificates. I tried using the web interface and using the command line with the same results as the last poster.

It errors the same way via the web interface when I try to create a self-signed certificate while renaming the Location, Organization, Department, etc.

After receiving the error with the self-signed certificate and not reinstalling the original certificate the web interface will disappear after a system restart. This does not happen after the error if I try to install a commercial certificate.

[brian]

Jonl:

The current openssl policy doesn't support changing the Locale, City, ST when generating a self-signed cert. This has been fixed for 5.0.2.

webaj:

This means the cert you are trying to install doesn't match the private key? Did you generate the csr from the zimbra wizard? If not you'll need to install the private key from where ever you generated the csr to send to your commercial cert provider.