  #1 (permalink)  
Old 08-12-2008, 01:34 AM
New Member
 
Posts: 4
Zimbra 5.08 SSL Certificate Installation

The certificate verification goes ok:
Code:
root@zimbra:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key  zimbra_amazis_pl.crt commercial.crt
** Verifying zimbra_amazis_pl.crt against commercial.key
Certificate (zimbra_amazis_pl.crt) and private key (commercial.key) match.
Valid Certificate: zimbra_amazis_pl.crt: OK
But when I try to load the certificate, it fails:

Code:
root@zimbra:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.key  zimbra_amazis_pl.crt commercial.crt
** Verifying commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
26328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
unable to load certificate
26332:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
Thanks for any help with this
- Andrew
  #2 (permalink)  
Old 08-16-2008, 03:02 PM
Partner (VAR/HSP)
 
Posts: 184
I had problems too using the Zimbra SSL Wizard - but found a solution

IMHO the instructions in the Zimbra Wiki are WRONG and need to be updated.

I found a solution by searching the forums & trial / error. Wasted two hours on this one, this should have been a simple process. I expect that the error in the Zimbra SSL Wizard was caused by either permissions or a failed file copy (i.e. Zimbra does not copy the CA file correctly). So I've included our solution below at the bottom of this page.

THE PROBLEM
I have found that using the Zimbra SSL Wizard or the command-line steps from Commercial Certificate in 5.x - Zimbra :: Wiki to install SSL certs DOES NOT WORK (ZCS 5.0.8), see below:

Code:
root@mail:~# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ~/commercial.crt  ~/commercial_ca.crt
** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/commercial.crt: OK
root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm ~/commercial.crt  ~/commercial_ca.crt
** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/commercial.crt: OK
** Copying /root/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
 
XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key
 
root@mail:~#                     
zimbra@mail:~$ zmcontrol start
Host mail.zimbra.net
        Starting ldap...Done.
FAILED
Failed to start slapd.  Attempting debug start to determine error.
TLS: error:0906D066:PEM routines:PEM_read_bio:bad end line pem_lib.c:746
TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
main: TLS init def ctx failed: -1
THE SOLUTION
Based on [SOLVED] Trouble installing commercial certificates on Zimbra

I found the solution to be the following steps:
1. As root, creating /opt/zimbra/certs directory
2. Copying the certificate and root certificate into /opt/zimbra/certs directory
3. Changing ownership of /opt/zimbra/certs to zimbra:zimbra
4. Adding an extra line at the end of the signed certificate
5. As root execute:
Code:
zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt  /opt/zimbra/certs/commercial_ca.crt
6. Certificates should install OK now
7. Start Zimbra

This even worked with RapidSSL certificates - the real cheap'n nasty ones

Woo hoo!
  #3 (permalink)  
Old 01-10-2009, 08:23 PM
Intermediate Member
 
Posts: 20

I am going to add to this, hoping to help with the searching.

I upgraded from an earlier release to 5.0.11 and it broke my commercial SSL certs. The quick fix was to use zmcertmgr to re-issue some self-signed certs; this allowed me to get e-mail flow working. Otherwise I was having zmmailboxdctl die on me with something about ldap, startssl and dict lookups.

When I tried to re-install the commercial SSL, I was getting -

Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

The problem was as stated above: it was missing a blank line at the end of the issued cert. I didn't have to do all the other steps to install the comm cert, just had to open the file, add a blank line and then re-install with Zimbra Certificates Manager.

I was using CACert (cacert.org) as my CA. I will try to add this to the wiki page to help see if this catches it.
Reply With Quote
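Added example, not part of any post in this thread and not Zimbra's own code: a pre-deployment check for the condition posts #2 and #3 describe, a signed certificate with no final newline that then has a CA chain appended to it. The function names and the sample files are constructed for illustration, and linking the fused marker line to the "bad end line" error in post #2 is an assumption.

```shell
#!/bin/sh
# Added example: check PEM files for a missing final newline before a
# certificate and its CA chain are concatenated into one file.

# Exit 0 if FILE is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Exit 0 if an END marker is glued to the next BEGIN marker on one line.
# Assumption: this is the malformed PEM behind the "bad end line" error.
has_fused_boundary() {
    grep -q -e '-----END [A-Z ]*----------BEGIN ' "$1"
}

# Concatenate CERT and CA into OUT, adding a newline wherever one is missing.
safe_chain() {
    : > "$3"
    for f in "$1" "$2"; do
        cat "$f" >> "$3"
        ends_with_newline "$f" || printf '\n' >> "$3"
    done
}

# Constructed sample files: placeholder bodies, not real certificates.
work=$(mktemp -d)
begin='-----BEGIN CERTIFICATE-----'
end='-----END CERTIFICATE-----'
printf '%s\n%s\n%s' "$begin" 'Q09OU1RSVUNURUQ=' "$end" > "$work/commercial.crt"       # no final newline
printf '%s\n%s\n%s\n' "$begin" 'Q09OU1RSVUNURUQ=' "$end" > "$work/commercial_ca.crt"

# Naive append, like the "Appending ca chain" step in the deploy output.
cat "$work/commercial.crt" "$work/commercial_ca.crt" > "$work/naive.crt"
safe_chain "$work/commercial.crt" "$work/commercial_ca.crt" "$work/safe.crt"

for f in naive.crt safe.crt; do
    if has_fused_boundary "$work/$f"; then
        echo "$f: END/BEGIN markers fused on one line"
    else
        echo "$f: marker boundaries OK"
    fi
done
```

Running `ends_with_newline` against the issued certificate before calling `zmcertmgr deploycrt` catches the problem without editing the file by hand.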