Zimbra

Priyantha Bleeker · #1 (**permalink**) 05-07-2008, 05:58 AM

Hi folks,

I am trying to install a QuickSSL certificate on a Zimbra 5.0.5 OSS Edition installation, installed on CentOS 4.5.

With the GUI I am getting the following error message:

Code:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=NL/O=mail.domainname.tld/OU=GT17839061/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.domainname.tld

When I try it on the console I get the following error:

Code:

sudo zmcertmgr deploycrt comm

** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=NL/O=mail.domainname.tld/OU=GT17839061/OU=See www.geotrust.com/resources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.domainname.tld
error 20 at 0 depth lookup:unable to get local issuer certificate
XXXXX ERROR: provided cert isn't valid.

PS. I changed the real hostname in 'mail.domainname.tld' in the errors above here.

I have downloaded the certificates statet here:
SSL Certificate, SSL, Server Certificates, Web Server Certificates
Without any luck.
Maybe some of the zimbra dev's or somebody else with the right knowledge may help me with this case ?

Thanks in advance

Priyantha Bleeker · #2 (**permalink**) 05-09-2008, 12:49 AM

Somebody who may help me and maybe others with the same problems ?

Priyantha Bleeker · #3 (**permalink**) 05-13-2008, 12:25 AM

Well, let's try it again...
It can't be true that I am the only one with this problem, isn't it ?

visualsoftspace · #4 (**permalink**) 05-16-2008, 11:32 AM

I have had the same problems in my attempts to load a commercial certificate. There are some comments on a couple of posts in the wiki about how to load the certs, and modify the zmcertmgr file. Check out this link in the wiki:

Commercial Certificate in 5.x - Zimbra :: Wiki

I attempted the install earlier in the week and it screwed up startup of Zimbra because of certificate failures when LDAP tried to load. I was able to correct the error by creating new certs and deploying them via the CLI.

This Saturday I will attempt to more closely follow the wiki link, and start over. If I am successful, then I will post my notes for you. In the meantime, if you figure it out first, please post your success.

Thanks...and goodluck.

Priyantha Bleeker · #5 (**permalink**) 05-19-2008, 12:23 AM

Nope I didn't succeed

I did try to follow the howto but didn't worked out.

visualsoftspace · #6 (**permalink**) 05-19-2008, 09:00 AM

I did my best to follow the wiki over the weekend, and I could not get the certs to install. I don't know if this is a bug in the 5.05 that I am running or something else, but it failed on attempts to install either Verisign trial cert or FreeSSL trial cert.

I will try to do some more research this week and let you know if I come up with a working solution.

warmbowski · #7 (**permalink**) 05-19-2008, 03:13 PM

I got the 'Invalid Certificate Chain' error as well when using the certificate wizard in the admin interface to install a commercial cert from godaddy.com. I followed the wiki instructions to no avail.

Code:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

These are the files that I tried uploading via the certificate wizard after sending the generated csr to godaddy. I had to download these files from here: https://certs.godaddy.com/Repository.go, except for the server cert which was copied and pasted from my godaddy cert account into a text file (named with extention .cer via the godaddy instructions). I was forced to do the manual downloads because our spam filter service blocked the email with the attached certificate files.

Certificate: my_server.cer (from my account)
Root CA: gd-class2-root.crt (from the godaddy repository)
Intermediate CA: gd_intermediate.crt (from the godaddy repository)
Intermediate CA: gd_cross_intermediate.crt (from the godaddy repository)

--ZCS OSS 5.0.4 on CentOS 5--

Any help would be appreciated.

-Paul

warmbowski · #8 (**permalink**) 05-21-2008, 04:43 PM

Well I got the godaddy cert installed without the 'invalid cert chain' error (with the help of this thread). It turns out that I WAS installing the incorrect intermediate cert thus the cert chain wasn't going back to the CA. So this is officially what I uploaded in the web interface:

Certificate: my_server.crt (copy/paste from my account)
Root CA: gd-class2-root.crt (from the godaddy repository)
Intermediate CA: gd_intermediate_bundle.crt (from the godaddy repository)

the differences being that: 1. I changed the file extension of my server cert from cer to crt, and 2. that the gd_intermediate_bundle.crt is a concantination of the gd_intermediate.crt, gd_cross_intermediate.crt, and a third cert that matches no other cert that I had come across.

If you want, you can go to the repository, download them and compare yourselves. Anyway, hope that helps a little for the original poster and the QuickSSL problem.