[SOLVED] 5.0.2NE and commercial cert install

[tecnalb]

I am running 5.0.2 and used the GUI tool to generate a csr for my Digicert wildcard certificate. I received my cert and when I tried to install I get this

Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12 Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: failed to create jetty.pkcs12

[phoenix]

Have you followed this procedure: How to manually install your commercial certificate in 5.x - Zimbra :: Wiki

[Klug]

I had the same problem setting up a cert from GoDaddy : impossible to install it through the GUI, same error ("failed to create jetty.pkcs12").

I deleted the empty jetty.pkcs12 file on the server and installed the cert with the CLI, it worked flawlessly.
I used this : How to manually install your commercial certificate in 5.x - Zimbra :: Wiki

[tecnalb]

Quote:

Originally Posted by phoenix

Have you followed this procedure: How to manually install your commercial certificate in 5.x - Zimbra :: Wiki

yes and below is the resultt: One thing, I noticed that there is a 0 byte file timestamped to my attempt called pksc12 with root ownership. Located in /opt/zimbra/ssl/zimbra


[zimbra@zagnut certs]$ sudo zmcertmgr deploycrt comm star_storeitoffsite_com.crt comb.crt
** Verifying star_storeitoffsite_com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (star_storeitoffsite_com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: star_storeitoffsite_com.crt: OK
** Copying star_storeitoffsite_com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain comb.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080208073824
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

[zimbra@zagnut certs]$

[tecnalb]

bump


Anyone installed a DigiCert wildcard certificate into Zimbra 5.02? I'm having no luck...

[tecnalb]

I found the problem. While using the CLI install routine I would get the below. As you can see the private key and cert are verified correct, yet at the end it would fail.

[root@zagnut commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/certs/star_domain_com.crt /opt/zimbra/certs/root.crt
** Verifying /opt/zimbra/certs/star_domain_com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/certs/star_domain_com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/certs/star_domain_com.crt: OK
** Copying /opt/zimbra/certs/star_domain_com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/certs/root.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080209170438
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key


I found that during this routine, the domain certificate and root certificate are combined together. The issue is (I guess) that when this happens they there is a carriage return left out which produces this:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

instead of this:

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

What I did was edit my DigiCert star_domain_com.crt and add a return to the end. This produced the correct results and the cert installed correctly and I'm flying high!!

[stiller]

This still happens in 6.0.7 for my rapidSSL cert and adding a return still helps.

[Sir_Yaro]

Same here. Anyone ?

[mek1]

For ZCS 7.1 NE admins - I had to add a carriage return to the SSL certificate otherwise we would get the above mentioned

Code:

system failure: XXXXX ERROR: failed to create jetty.pkcs12

Just a heads up.

[adalle]

I'm running ZCS 7.1.1 and went round and around until I found this thread.

Carriage return saves the day. I hope they fix this bug, particularly since LDAP fails to start with a broken certificate install. That is fixed by running "zmcertmgr deploycrt" to re-deploy the self-signed cert.