  #1 (permalink)  
Old 02-16-2008, 12:13 PM
Senior Member
 
Posts: 74
[SOLVED] Trouble installing commercial certificates on Zimbra

Hi,

I am using Zimbra FOSS 5.02. We purchased a commercial certificate from Digicert and wanted to install that onto Zimbra. I received 3 crt files:
1/ TrustedRoot.crt
2/ DigiCertCA.crt
3/ mail_westerlike_com.crt

I added 3/ as Certificate:, 1/ as Root CA: and 2/ as Intermediate. When I click install I get the following error:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12


If I only add 3/ and 1/ I get the error:
Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=hu/ST=Csongrad/L=Szeged/O=Westerlike Informatikai \xE9s Kereskedelmi Kft./OU=Westerlike/CN=mail.westerlike.com

If I add 3/ and 2/ I get the error:
Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12

What is wrong? Can someone help me?
  #2 (permalink)  
Old 02-16-2008, 12:19 PM
Moderator
 
Posts: 451

Give this a quick look...

Failed Commercial Cert Migration
__________________
http://perceiva.com
  #3 (permalink)  
Old 02-16-2008, 12:35 PM
Senior Member
 
Posts: 74

Previously I was running 5.02 as well, so no upgrade. The previous SSL certificate was self-signed. I tried downloading the ExportPriv and running it, but I couldn't find the commercial.keystore.

root@mail:~/certs# java ExportPriv commercial.keystore tomcat zimbra >commercial.key
Exception in thread "main" java.io.FileNotFoundException: commercial.keystore (No such file or directory)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:106)
at ExportPriv.doit(ExportPriv.java:36)
at ExportPriv.main(ExportPriv.java:24)
root@mail:~/certs# find /opt/zimbra -name commercial.keystore -print
root@mail:~/certs#

Which is the key file? I am new to SSL so I have no idea as to how to proceed. All I know is that we paid money for the certificate which I cannot install and it's getting to be a little frustrating. We wanted to try out the new certificate before migrating over to the Network Edition next week.

Which files from 1/ 2/ 3/ would I copy to the locations:
-From the link you posted-:
1. Extract my cert and private key from the old Java keystore.
2. Download my ca's root cert.
3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm
------
I'm guessing commercial_ca.crt is the DigiCertCA.crt or the TrustedRoot.crt. Which is the commercial.key?

Please help.
  #4 (permalink)  
Old 02-16-2008, 02:06 PM
Senior Member
 
Posts: 74

Here's what I did. I reissued a new CSR without the accented characters. I requested the certificates from Digicert. I received the 3 files again.

I copied the DigiCertCA.crt to commercial_ca.crt under /opt/zimbra/ssl/commercial

I copied mail_westerlike_com.crt to commercial.crt under
/opt/zimbra/ssl/commercial

I copied DigiCertCA.crt to current_chain.crt under
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp

I copied mail_westerlike_com.crt to current.crt under
/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp

I then ran:
/opt/zimbra/bin/zmcertmgr deploycrt comm

And I got:

** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: OK
** Copying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080216220025
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

What am I doing wrong? It says that the certificate and the private key match in the above lines. Then later it states that there is no certificate that matches the private key?

Last edited by Miklos Kalman : 02-16-2008 at 02:09 PM.
  #5 (permalink)  
Old 02-16-2008, 03:01 PM
Senior Member
 
Posts: 74

I found the solution (after searching more and finding that my case wasn't unique for Digicert).

I created a /opt/zimbra/certs
I then concatenated DigiCertCA and TrustedRoots into root.crt
and put an Enter at the end of my certificate file
and then issued:
/opt/zimbra/bin/zmcertmgr /opt/zimbra/certs/certificate.crt /opt/zimbra/certs/root.crt

And it worked. I now have a signed SSL file.
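An added example, not part of the thread and not Zimbra's code: it shows why a certificate file saved without a final newline breaks when a chain is appended to it, and a newline-safe way to build root.crt and the combined file. It assumes the "Appending ca chain" step in the zmcertmgr output above is a plain concatenation; the helper names (ends_with_newline, pem_join, count_fused, count_certs) are hypothetical and the PEM bodies are constructed dummy text.

```shell
#!/bin/sh
# Added example. The PEM bodies below are constructed dummy text, not real certificates.
BEGIN='-----BEGIN CERTIFICATE-----'
END='-----END CERTIFICATE-----'

# Exit 0 if the last byte of FILE is a newline ($(...) strips it, leaving "").
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# pem_join OUT IN...: concatenate PEM files, adding a newline where one is missing.
pem_join() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        ends_with_newline "$f" || printf '\n' >> "$out"
    done
}

# Number of lines where an END marker runs straight into the next BEGIN marker.
count_fused() {
    grep -c -F -e "${END}${BEGIN}" "$1" || true
}

# Number of blocks whose BEGIN and END markers each sit on a line of their own.
count_certs() {
    awk -v b="$BEGIN" -v e="$END" '
        $0 == b { inblk = 1; next }
        $0 == e && inblk { n++; inblk = 0 }
        END { print n + 0 }' "$1"
}

demo_dir=$(mktemp -d)
# Leaf certificate saved WITHOUT a trailing newline; the two CA files have one.
printf '%s\n%s\n%s'   "$BEGIN" 'U0VSVkVS'         "$END" > "$demo_dir/certificate.crt"
printf '%s\n%s\n%s\n' "$BEGIN" 'SU5URVJNRURJQVRF' "$END" > "$demo_dir/DigiCertCA.crt"
printf '%s\n%s\n%s\n' "$BEGIN" 'Uk9PVA=='         "$END" > "$demo_dir/TrustedRoot.crt"

# Plain append of the chain onto the leaf: the boundary markers fuse on one line.
cat "$demo_dir/certificate.crt" "$demo_dir/DigiCertCA.crt" > "$demo_dir/naive.crt"
# Newline-safe builds: the CA bundle (root.crt), then leaf + bundle.
pem_join "$demo_dir/root.crt"  "$demo_dir/DigiCertCA.crt" "$demo_dir/TrustedRoot.crt"
pem_join "$demo_dir/fixed.crt" "$demo_dir/certificate.crt" "$demo_dir/root.crt"

for name in naive fixed; do
    echo "$name.crt: fused=$(count_fused "$demo_dir/$name.crt") blocks=$(count_certs "$demo_dir/$name.crt")"
done
```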
  #6 (permalink)  
Old 05-21-2008, 02:11 PM
Junior Member
 
Posts: 8
Help

This post was a simple fix for the following issue:
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

Cannot install commercial ssl cert after upgrade via admin web gui.

Last edited by Todd B : 05-21-2008 at 02:42 PM.