Thread: [SOLVED] self-signed cert in 5.02_GA failed

  1. #1
    jimbo (Special Member)

    I upgraded from 5.0 to 5.02 over the weekend and all went well. I tried generating a new self-signed certificate using the Admin wizard but it failed.

    This morning, I am no longer able to access the client or the admin. It seems to be receiving mail OK.

    I suspect the problem cropped up now as last night was the first backup of the system since the upgrade which required downing Zimbra and then bringing it back up following the backup.

    When I try to log into the Zimbra client with Firefox I get the following alert:

    Code:
    Firefox can't connect securely to mail.mydomain.com because the site uses a security protocol which isn't enabled

    How do I go about generating a new cert using the backend? I've done this before in 4.5 but not in 5.0.

  2. #2
    mmorse (Moderator)

    zmcertmgr
    like:
    zmcertmgr deploycrt self -new

  3. #3
    jimbo (Special Member)

    Thanks for the quick reply!

    I tried that and got the following output:

    Code:
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080212093124 
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...failed.
    
    Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (N/A) and the request (WA)
    
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    So obviously more than just the cert got hosed. How do I resolve? Are there instructions somewhere? I looked in the Wiki but only found entries for 4.5x.

    Thanks so much for your help!

  4. #4
    mmorse (Moderator)

    Do a:
    zmcertmgr createca -new
    zmcertmgr deploycrt self -new

  5. #5
    jimbo (Special Member)

    OK,

    Code:
    ./zmcertmgr createca -new
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

    But still when I do:

    Code:
    ./zmcertmgr deploycrt self -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080212094352 
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...failed.
    
    Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (N/A) and the request (WA)
    
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    So it looks like it is trying to match something up with some of the data I had entered in the GUI the other day as it's picking up that the stateOrProvinceName field contains "WA" for "Washington". So there seems to be something lingering here. Do I need to blow anything away like I used to do with the cert and the key in 4.5?

    Thanks again for the help Mike, I sure do appreciate you guys!

  6. #6
    mmorse (Moderator)

    Possibly a leftover /opt/zimbra/ssl/zimbra/ca/zmssl.cnf or /opt/zimbra/conf/zmssl.conf from the 5.0 that's restricting the locale to match the CA - check the /opt/zimbra/conf/zmssl.conf.in - see if you can find where it's getting it from, then rerun the 2 commands.

    You could manually set it (zmcertmgr deploycrt self -new SUBJECT='...') but the default should be N/A already: "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=server.domain.com"
    Last edited by mmorse; 02-12-2008 at 11:16 AM.

  7. #7
    jimbo (Special Member)

    BINGO!

    That was it! The key was the line in my output:

    Code:
    Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf

    I deleted that file and then re-ran the two commands you had indicated and this time it worked!

    Again, thanks Mike for the excellent support!

    jimbo
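
The signing failure in this thread comes from a CA policy that requires a subject field in the request to equal the same field in the CA certificate. As an added example (not part of the original posts and not Zimbra's code), the script below compares two subjects in the slash form quoted above before signing is attempted. The function names, the request subject and the field list "C ST O" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for "The ... field needed to be the same in
# the CA certificate (...) and the request (...)".
# Subjects are expected in slash form, e.g. as printed by
#   openssl x509 -noout -subject -nameopt compat -in ca.pem
#   openssl req  -noout -subject -nameopt compat -in server.csr
# Values that themselves contain "/" are not handled.

# subject_field SUBJECT FIELD -> prints the value of FIELD (e.g. ST), empty if absent
subject_field() {
    printf '%s\n' "$1" | sed -e 's|^[^/]*||' | tr '/' '\n' |
        awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# policy_mismatches CA_SUBJECT REQ_SUBJECT [FIELDS]
# Prints one line per field that differs and returns 1 if any differ.
# FIELDS defaults to "ST", the field named in the thread's error; pass the
# fields your own policy section marks as "match".
policy_mismatches() {
    ca=$1 req=$2 fields=${3:-ST} rc=0
    for f in $fields; do
        a=$(subject_field "$ca" "$f")
        b=$(subject_field "$req" "$f")
        if [ "$a" != "$b" ]; then
            printf '%s: CA certificate (%s) vs request (%s)\n' "$f" "$a" "$b"
            rc=1
        fi
    done
    return $rc
}

# CA subject: the default quoted in the thread.
CA_SUBJ='subject= /C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=server.domain.com'
# Request subject: constructed sample carrying the stale ST=WA value.
REQ_SUBJ='subject= /C=US/ST=WA/L=Seattle/O=Example/CN=mail.mydomain.com'

policy_mismatches "$CA_SUBJ" "$REQ_SUBJ" "C ST O" ||
    echo "request would be rejected by a match policy; look for a stale config"
```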
