  #1 (permalink)  
Old 02-12-2008, 09:09 AM
Special Member
 
Posts: 108
[SOLVED] self-signed cert in 5.02_GA failed

I upgraded from 5.0 to 5.02 over the weekend and all went well. I tried generating a new self-signed certificate using the Admin wizard but it failed.

This morning, I am no longer able to access the client or the admin. It seems to be receiving mail OK.

I suspect the problem cropped up now as last night was the first backup of the system since the upgrade which required downing Zimbra and then bringing it back up following the backup.

When I try to log into the Zimbra client with Firefox I get the following alert:

Code:
Firefox can't connect securely to mail.mydomain.com because the site uses a security protocol which isn't enabled

How do I go about generating a new cert using the backend? I've done this before in 4.5 but not in 5.0.
  #2 (permalink)  
Old 02-12-2008, 09:27 AM
Moderator
 
Posts: 6,237

zmcertmgr
like:
zmcertmgr deploycrt self -new
  #3 (permalink)  
Old 02-12-2008, 09:33 AM
Special Member
 
Posts: 108

Thanks for the quick reply!

I tried that and got the following output:

Code:
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080212093124 
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...failed.

Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (N/A) and the request (WA)

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

So obviously more than just the cert got hosed. How do I resolve? Are there instructions somewhere? I looked in the Wiki but only found entries for 4.5x

Thanks so much for your help!
  #4 (permalink)  
Old 02-12-2008, 09:39 AM
Moderator
 
Posts: 6,237

Do a:
zmcertmgr createca -new
zmcertmgr deploycrt self -new
  #5 (permalink)  
Old 02-12-2008, 09:48 AM
Special Member
 
Posts: 108

OK,

Code:
./zmcertmgr createca -new
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

But still when I do:

Code:
./zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080212094352 
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...failed.

Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (N/A) and the request (WA)

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

So it looks like it is trying to match something up with some of the data I had entered in the GUI the other day as it's picking up that the stateOrProvinceName field contains "WA" for "Washington". So there seems to be something lingering here. Do I need to blow anything away like I used to do with the cert and the key in 4.5?

Thanks again for the help Mike, I sure do appreciate you guys!
  #6 (permalink)  
Old 02-12-2008, 09:55 AM
Moderator
 
Posts: 6,237

Possibly a leftover /opt/zimbra/ssl/zimbra/ca/zmssl.cnf or /opt/zimbra/conf/zmssl.conf from the 5.0 that's restricting the locale to match the CA - check the /opt/zimbra/conf/zmssl.conf.in - see if you can find where it's getting it from, then rerun the 2 commands.

You could manually set it (zmcertmgr deploycrt self -new SUBJECT='...') but the default should be N/A already: "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=server.domain.com"

Last edited by mmorse; 02-12-2008 at 10:16 AM..
  #7 (permalink)  
Old 02-12-2008, 10:43 AM
Special Member
 
Posts: 108

BINGO!

That was it! The key was the line in my output:

Code:
Using configuration from /opt/zimbra/ssl/zimbra/ca/zmssl.cnf

I deleted that file and then re-ran the two commands you had indicated and this time it worked!

Again, thanks Mike for the excellent support!

jimbo
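
The signing failure in this thread, modelled as an added example (not part of the original posts and not Zimbra's code): an OpenSSL CA policy section that marks a subject field as `match` rejects any request whose value differs from the CA certificate's. The config text is a constructed stand-in, since the contents of the stale zmssl.cnf are not shown in the thread; the CA subject is the default quoted in post #6 and the request subject is constructed to differ only in ST=WA.

```python
import configparser

# Constructed stand-in for the stale CA config; the real file is not shown in the thread.
STALE_CNF = """
[ca]
default_ca = CA_default
[CA_default]
policy = policy_match
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
"""
CA_DN = "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=server.domain.com"
REQ_DN = "/C=US/ST=WA/L=N_A/O=Zimbra Collaboration Suite/CN=server.domain.com"  # constructed

SHORT = {"C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
         "O": "organizationName", "OU": "organizationalUnitName", "CN": "commonName"}

def parse_dn(dn):
    """Turn '/C=US/ST=WA/CN=host' into {'countryName': 'US', ...}."""
    fields = {}
    for part in filter(None, dn.split("/")):
        key, _, value = part.partition("=")
        fields[SHORT.get(key, key)] = value
    return fields

def load_policy(cnf_text):
    """Follow [ca] default_ca -> policy and return {field: rule}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # OpenSSL field names are case-sensitive
    cp.read_string(cnf_text)
    ca_section = cp["ca"]["default_ca"]
    return dict(cp[cp[ca_section]["policy"]])

def policy_violations(cnf_text, ca_dn, req_dn):
    """List the subject fields the CA policy would refuse to sign."""
    ca, req = parse_dn(ca_dn), parse_dn(req_dn)
    problems = []
    for field, rule in load_policy(cnf_text).items():
        if rule == "match" and ca.get(field) != req.get(field):
            problems.append(f"{field}: CA={ca.get(field)!r} request={req.get(field)!r}")
        elif rule == "supplied" and field not in req:
            problems.append(f"{field}: missing from request")
    return problems

if __name__ == "__main__":
    for line in policy_violations(STALE_CNF, CA_DN, REQ_DN):
        print("rejected by CA policy ->", line)
```
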