
Thread: Problem installing commercial certificate

  1. #1
    cwagner (Intermediate Member)

    I am trying to install a commercial certificate from Network Solutions and I am having problems. I have generated the CSR using the admin panel and have received the certificate from Network Solutions. When I go to install the certificate I get the following error:

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate:

    When I generated the CSR, it did not ask for the business's physical address. When I told Net Sol. to make the ticket it made me enter in a street address. I don't know if this matters? What else could I be missing? I have tried the guide that is on the wiki for installing the Network Solutions certificate and I get the following when verifying the certificate:

    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    10774:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:
    10774:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
    recognized usages:
    sslclient SSL client
    sslserver SSL server
    nssslserver Netscape SSL server
    smimesign S/MIME signing
    smimeencrypt S/MIME encryption
    crlsign CRL signing
    any Any Purpose
    ocsphelper OCSP helper
    XXXXX ERROR: Invalid Certificate:

    Any help is greatly appreciated.

  2. #2
    mmorse (Moderator)

    What version are you running? http://www.zimbra.com/forums/announc...html#post62754

    Not entirely sure, but it kinda looks like the one everyone's hitting lately: Bug 28085 – zmcertmgr doesn't break down the concatenated commercial cert from Ldap (fixed in 5.0.9).
    The workaround is to select "--- All Servers ---" as the target server when installing the commercial cert from the admin console.
    Last edited by mmorse; 07-17-2008 at 09:08 PM.
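
    Added example (not part of any post in this thread, and not Zimbra's own tooling): the "bad end line" error in the first post is raised while OpenSSL reads commercial_ca.crt, so a structural check of that bundle is a reasonable first step. The `pem_lint` helper and the sample data are constructed for illustration.

```shell
#!/bin/sh
# pem_lint FILE: structural check of a PEM bundle (hypothetical helper).
# Prints one finding per line; returns 0 if clean, 1 otherwise.
pem_lint() {
    awk '
    { sub(/[ \t\r]+$/, "") }    # tolerate trailing whitespace and CRLF
    /-----(BEGIN|END) / {
        # A marker must be the only thing on its line.
        if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/) {
            printf "line %d: malformed marker line\n", NR; bad = 1; next
        }
        lbl = $0; sub(/^-----(BEGIN|END) /, "", lbl); sub(/-----$/, "", lbl)
        if ($0 ~ /^-----BEGIN /) {
            if (inside) { printf "line %d: BEGIN before previous END\n", NR; bad = 1 }
            inside = 1; want = lbl
        } else {
            if (!inside) {
                printf "line %d: END without BEGIN\n", NR; bad = 1
            } else if (lbl != want) {
                printf "line %d: END label differs from BEGIN\n", NR; bad = 1
            } else {
                blocks++
            }
            inside = 0
        }
        next
    }
    inside && $0 !~ /^[A-Za-z0-9+\/=]+$/ {
        printf "line %d: non-base64 text inside block\n", NR; bad = 1
    }
    END {
        if (inside) { print "end of file: missing END line"; bad = 1 }
        if (!blocks) { print "no complete PEM block found"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample (placeholder base64, not real certificates): two blocks
# pasted together with no newline between the END and BEGIN markers.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0g=' \
    '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' \
    'SUpLTE1OT1A=' '-----END CERTIFICATE-----' > "$sample"
pem_lint "$sample" || echo "bundle needs fixing before it is installed"
rm -f "$sample"
```

    Run it as `pem_lint /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt`; it checks structure only, not signatures or chain order.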

  3. #3
    cwagner (Intermediate Member)

    I am not sure what you mean by selecting all servers. I only have one server listed. I am using the following version:

    Client Version: 5.0.7_GA_2450.UBUNTU6_64
    Client Release: 20080630192957
    Build Date: 20080630-1939

    I don't know if this matters, but the server name is webmail.business.net and the certificate is for the address of webmail.business.com. Thanks

  4. #4
    uxbod (Moderator)

    Its common name should be the FQDN of the server.

  5. #5
    cwagner (Intermediate Member)

    I changed the FQDN of the server to webmail.business.com; however, the Zimbra server is still webmail.business.net.

  6. #6
    dwmtractor (Moderator)

    Quote (originally posted by cwagner):
        I changed the FQDN of the server to webmail.business.com; however, the Zimbra server is still webmail.business.net.

    I'm pretty sure the CSR from your Zimbra box will include what it believes to be the fully-qualified hostname, and if that doesn't match the FQDN as you have it in your routing, one or both of two things will happen: (1) the certificate won't match the CSR and will refuse to load, and/or (2) if you ever do get it loaded, nobody's browser will accept it since the hostname and FQDN don't match. That is a prescription for failure. Gotta choose one (.net or .com) and use it in both places.

    If what you are trying to do is have .net mail forward to .com (or vice versa) you can always set up a second domain or an alternate MX record, but your server and its cert have got to agree with each other on who they are.
    Cheers,

    Dan

  7. #7
    cwagner (Intermediate Member)

    Thanks for your reply. The problem started because originally our domain was a .net domain. We then decided to go with .com. Meanwhile the server name has been set up as webmail.business.net. I have added the domain for the business.com and this is our primary domain. I'm sure this problem would have been avoided if the host name was originally set up as the .com. Should I change the server hostname to .com? I have seen the instructions on here and it seems fairly easy; the only problem is it seems like some people have had major problems after switching it. Unfortunately we can't afford to have any problems.
    Server: Dell 2850, Dual Xeon Dual Core 3.0ghz CPUs, 16gb Ram, 4 x 750gb 15k Hard drives

  8. #8
    dwmtractor (Moderator)

    Quote (originally posted by cwagner):
        Thanks for your reply. The problem started because originally our domain was a .net domain. We then decided to go with .com. Meanwhile the server name has been set up as webmail.business.net. I have added the domain for the business.com and this is our primary domain. I'm sure this problem would have been avoided if the host name was originally set up as the .com. Should I change the server hostname to .com? I have seen the instructions on here and it seems fairly easy; the only problem is it seems like some people have had major problems after switching it. Unfortunately we can't afford to have any problems.

    I'll have to leave it to others smarter than I as to whether you should change your hostname or just re-map your .com domain to the .net server. I'm guessing, though, that in the long run having the hostname be what you are really using is probably a good idea.

    But I'm a lot more sure that you can't issue a cert. based on a CSR for one domain (e.g. whatever.net), but choose the cert. to be on whatever.com, and have that work. So EITHER you have to change the domain of your server, OR you have to issue the cert for the .net version.
    Cheers,

    Dan

  9. #9
    cwagner (Intermediate Member)

    If I manually change the hostname using the steps found on this page:

    ZmSetServerName - Zimbra :: Wiki

    Do I need to complete step 4 with this version of the software?
    Server: Dell 2850, Dual Xeon Dual Core 3.0ghz CPUs, 16gb Ram, 4 x 750gb 15k Hard drives

  10. #10
    dwmtractor (Moderator)

    I've not done a name change myself, but step 4 specifically says "for versions earlier than 4.5.7".
    Cheers,

    Dan
