Problem installing commercial certificate

[cwagner]

I am trying to install a commercial certificate from Network Solutions and I am having problems. I have generated the CSR using the admin panel and have received the certificate from Network Solutions. When I go to install the certificate I get the following error:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate:

When I generated the csr, it did not ask for the businesses physical address. When I told Net Sol. to make the ticket it made me enter in a street address. I don't know if this matters???? What else could I be missing? I have tried the guide that is on the wiki for installing the network solutions certificate and I get the following when verifying the certificate:

** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
10774:error:0906D066:PEM routines:PEM_read_bio:bad end lineem_lib.c:746:
10774:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper
XXXXX ERROR: Invalid Certificate:

Any help is greatly appreciated.

[mmorse]

What version are you running? http://www.zimbra.com/forums/announc...html#post62754

Not entirely sure, but it kinda looks like the one everyone's hitting lately Bug 28085 – zmcertmgr doesn't break down the concatenated commercial cert from Ldap (fixed in 5.0.9)
The workaround is to select "--- All Servers ---" as the target server when installing the commercial cert from the admin console.

[cwagner]

I am not sure what you mean by selecting all servers. I only have one server listed. I am using the following version:

Client Version: 5.0.7_GA_2450.UBUNTU6_64
Client Release: 20080630192957
Build Date: 20080630-1939

I don't know if this matters but the server name is webmail.business.net and certificate is for the address of webmail.business.com Thanks

[uxbod]

It common name should be the FQDN of the server.

[cwagner]

I changed the fqdn of the server to webmail.business.com however the zimbra server is still webmail.business.net

[dwmtractor]

I changed the fqdn of the server to webmail.business.com however the zimbra server is still webmail.business.net

I'm pretty sure the CSR from your Zimbra box will include what it believes to be the fully-qualified hostname, and if that doesn't match the FQDN as you have it in your routing, one or both of two things will happen (1) the certificate won't match the CSR and will refuse to load, and/or (2) if you ever do get it loaded nobody's browser will accept it since the hostname and FQDN don't match. That is a prescription for failure. Gotta choose one (.net or .com) and use it in both places.

If what you are trying to do is have .net mail forward to .com (or vice versa) you can always set up a second domain or an alternate MX record, but your server and its cert have got to agree with each other on who they are.

[cwagner]

Thanks for your reply. The problem started because originally our domain was a .net domain. We then decided to go with .com. Meanwhile the server name has been setup as webmail.business.net. i Have added the domain for the business.com and this is our primary domain. Im sure this problem would have been avoided if the host name was originally setup as the .com Should I change the server hostname to .com? I have seen the instructions on here and it seems fairly easy, the only problem is it seems like some people have had major problems after switching it. Unfortunately we can't afford to have any problems.

[dwmtractor]

Thanks for your reply. The problem started because originally our domain was a .net domain. We then decided to go with .com. Meanwhile the server name has been setup as webmail.business.net. i Have added the domain for the business.com and this is our primary domain. Im sure this problem would have been avoided if the host name was originally setup as the .com Should I change the server hostname to .com? I have seen the instructions on here and it seems fairly easy, the only problem is it seems like some people have had major problems after switching it. Unfortunately we can't afford to have any problems.

I'll have to leave it to others smarter than I as to whether you should change your hostname or just re-map your .com domain to the .net server. I'm guessing, though, that in the long run having the hostname be what you are really using is probably a good idea.

But I'm a lot more sure that you can't issue a cert. based on a CSR for one domain (e.g. whatever.net), but choose the cert. to be on whatever.com, and have that work. So EITHER you have to change the domain of your server, OR you have to issue the cert for the .net version.

[cwagner]

If I manually change the hostname using the steps found on this page:

ZmSetServerName - Zimbra :: Wiki

Do I need to complete step 4 with this version of the software?

[dwmtractor]

I've not done a name change myself, but step 4 specifically says "for versions earlier than 4.5.7"