  #1 (permalink)  
Old 04-22-2008, 05:12 PM
Outstanding Member
 
Posts: 684
Default [SOLVED] Certificate install in IE after upgrade 5.0.4 > 5.0.5

After upgrading to 5.0.5, my certificate will no longer install in IE's certificate store. It says the issuer is Zimbra Collaboration Suite. In the past, I believe the Issuer was the web site itself. I did not have this problem with 5.0.2 or 5.0.4.
Reply With Quote
  #2 (permalink)  
Old 04-22-2008, 08:29 PM
Outstanding Member
 
Posts: 684
Default

Every account I host now where the user uses Internet Explorer can no longer install the certificate. Before, installing it once into the trusted root store would stop the certificate error message when the site was accessed. Now the certificate won't install in the trusted root store, and if you install it in any other store, IE says there is not enough info to verify the certificate.

This is the case with both of my servers after upgrading to 5.0.5.

I guess the next step is to try and create another certificate where the issuer and the issued to are both the mail server FQDN. This is the way all previous versions of Zimbra created certificates until 5.0.5.
Reply With Quote
  #3 (permalink)  
Old 04-23-2008, 09:02 AM
Outstanding Member
 
Posts: 684
Default

It appears Zimbra has changed or limited the scope of the certificate and this is why IE will not install it into the root store any more.

Is this the case? Am I wasting my breath here?
Reply With Quote
  #4 (permalink)  
Old 04-23-2008, 03:45 PM
Zimbra Employee
 
Posts: 601
Default

First of all, upgrades should preserve all certs as long as they are not expired. So if the cert was regenerated during upgrade between 5.0.4 and 5.0.5 that would be considered a bug unless you manually regenerated the cert.

The second part of this is that nothing changed with the scope in zmssl.cnf between 5.0.4 and 5.0.5, so the certs should be created and signed in the same fashion with the same settings. Can you paste the exact IE error you are seeing as well as the output of

sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt

thanks
__________________
Bugzilla - Wiki - Downloads - Before posting... Search!
Reply With Quote
  #5 (permalink)  
Old 04-23-2008, 05:09 PM
Outstanding Member
 
Posts: 684
Default

When I get back to the office tomorrow I will post the output you asked for.

I can tell you that the issuer is Zimbra on the one that worked and Zimbra Collaboration Suite on the one that is showing up now.

There is no error message from IE. The certificate simply won't show up in the root store after I install it. If I install it to any other store it tells me "The issuer of this certificate could not be found." Of course that is because when I install it to the root store it says it is installed but doesn't show up.

I run two Zimbra stand alone servers and this is the case when accessing either server - after the upgrade but not before. Since the certificate from 5.0.4 was installed and worked, I know the certificate had to change because IE only started warning after the upgrade.

I have always simply installed the cert into the root store and IE would then go to the site without warning again. This has been the case since version 4.x.x.
Reply With Quote
  #6 (permalink)  
Old 04-24-2008, 05:24 AM
Outstanding Member
 
Posts: 684
Default

First off, thank you for replying Brian.

I plan on installing an earlier version of ZCS on my test box, pull a certificate, then upgrade to 5.0.5 and pull another certificate. I will send you both plus the output from the command you asked me to run.

There are definitely different fields in the two versions of certs plus different parameters in like fields. This is the first time in years of installing certs into IE that I've had one that wouldn't show up in the root store after specifically being installed there. Firefox has no problem. But then it doesn't force you to have a cert from the issuer in the root store either to consider the certificate valid.

If it were up to me I would just quit using IE but some of my hosted users do not share my feelings. :-)
Reply With Quote
  #7 (permalink)  
Old 04-24-2008, 02:37 PM
Outstanding Member
 
Posts: 684
Default

lin2nowork.txt
lin2works.txt

These need to be renamed to .cer. But lin2work is from 4.5.11. Lin2nowork is after upgrade to 5.0.5. Lin2work will import into IE's root store, Lin2nowork will not.

You can see the content of the certs are different. The issuer and the subject are identical on the one that works. Of course a self-signed cert should be so. The one that doesn't work has the issuer and subject being somewhat different. They need to be identical for a self-signed cert to be proper.

How can I change the zmssl.cnf file to make both identical?

I think this is a bug but would like your opinion.
Reply With Quote
  #8 (permalink)  
Old 04-24-2008, 10:04 PM
Zimbra Employee
 
Posts: 601
Default

Well going from 4.5.x to 5.0.5 the certs could definitely be different. Starting in 5.0.5 we loosened the restrictions on cert signing in zmssl.cnf.

If IE is requiring a valid cert path you have 2 choices. You can create the cert with the same subject as the CA, using the Admin Console Certificate extension or via the CLI zmcertmgr, or you can import the public cert from the CA as well as the cert.

To create a cert with a matching subject use:

zmcertmgr createcrt -new -days 365 -subject "SUBJECT"

where subject fields match those of the self CA.
Reply With Quote
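
The two certificate shapes discussed in posts #7 and #8, as an added example that is not part of the original thread and is not Zimbra's own tooling: it builds a self-signed certificate and a CA-signed one whose issuer carries an extra L= field, then checks which trust anchor each needs. All names and subjects are constructed placeholders, and `openssl verify` is used here as a stand-in for a client's path validation.

```shell
#!/bin/sh
# Added example; every subject and file name below is a constructed placeholder.

# Build throwaway certs in $1: self.pem (issuer == subject), ca.pem (local CA
# with an extra L= field), leaf.pem (signed by ca.pem, so issuer != subject).
make_demo_certs() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ca_ext' '[dn]' 'CN = unused' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -subj "/O=Example Org/CN=mail.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -subj "/L=Example City/O=Example Org/CN=mail.example.test" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/O=Example Org/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Print "yes" if certificate $1 validates with $2 supplied as the trusted CA file.
chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$' && echo yes || echo no
}

# Print "self-signed" when the issuer and subject names match and the
# certificate verifies under its own key, otherwise "ca-issued".
cert_kind() {
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    if [ "$s" = "$i" ] && [ "$(chains_to "$1" "$1")" = yes ]; then
        echo self-signed
    else
        echo ca-issued
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_certs "$tmp"
openssl x509 -in "$tmp/leaf.pem" -noout -subject -issuer
echo "self.pem: $(cert_kind "$tmp/self.pem")"
echo "leaf.pem: $(cert_kind "$tmp/leaf.pem")"
echo "leaf.pem trusted on its own:  $(chains_to "$tmp/leaf.pem" "$tmp/leaf.pem")"
echo "leaf.pem trusted with ca.pem: $(chains_to "$tmp/leaf.pem" "$tmp/ca.pem")"
```

Running the same `-subject -issuer` query against a deployed certificate shows which of the two cases applies before choosing between reissuing and importing the CA certificate.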
  #9 (permalink)  
Old 04-24-2008, 10:57 PM
Outstanding Member
 
Posts: 684
Default

I tried that. There is a "Location" object in the "Issuer" field that is not in the subject field. It's impossible to make them identical. I guess I have to figure out where that is happening in the zmssl.cnf file.

Bottom line is the cert generated by the Zimbra install won't go to the root store in IE.
Reply With Quote
  #10 (permalink)  
Old 04-26-2008, 07:53 AM
Outstanding Member
 
Posts: 684
Default

OK. Guess I'm on my own on this one.
Reply With Quote