Commercial SSL Cert

[alexz]

Quote:

Originally Posted by phoenix

I don't take your reply as being rude, I just don't understand why you didn't bother following any of the links that I provided. They were specific to your question and covered the reason why you got that error message. The point about following the wiki instructions is not to get to a point where there's an error and say 'I 've got this error, how do I fix it?', surely the point is to do some investigation as to why you've got the error and try to fix it yourself. Well, you asked the question and I pointed you to possible solutions but you seem to want someone to lead you by the hand through the problem, that's not my style and I'm sorry if that seems to offend you.

If, after doing your own investigation, you're stumped then by all means ask a question and detail what you've done to get to that stage and people will be willing to help.

Bill,

Perhaps I wasn't clear. I did do my own investigation and looked at the very same pages that you proposed prior to posing the question. I'm also a proponent of doing research and searching the web before posting. I posted the question after I exhausted my resources.

[alexz]

Are there any diagnostic commands I can run to see if the root and intermediary were properly imported or any other keytool commands that I can run to help narrow down this problem?

[bobby]

that wiki page is actually in the middle of some improvement. installing commercial certs on a zimbra server can be somewhat complicated because there are multiple components that may make use of the certs and because different certificate authorities have different procedures.

you're right that you don't need to edit server.xml. if you didn't get any errors returned from adding the ca certs, i would imagine they're ok. can you post the statement you're using to import the server cert? also, you can check what's in the keystore like this:

keytool --list -keystore PATH/TO/KEYSTORE

[phoenix]

Quote:

Originally Posted by alexz

Bill,

Perhaps I wasn't clear.

You not only wasn't that clear, you didn't even mention what you had done to research the problem.

Quote:

Originally Posted by alexz

I did do my own investigation and looked at the very same pages that you proposed prior to posing the question. I'm also a proponent of doing research and searching the web before posting. I posted the question after I exhausted my resources.

Then why, in heavens name, didn't you say that in the first place. It would help everyone if we knew what you were doing and what you had done.

[alexz]

Quote:

Originally Posted by bobby

that wiki page is actually in the middle of some improvement. installing commercial certs on a zimbra server can be somewhat complicated because there are multiple components that may make use of the certs and because different certificate authorities have different procedures.

you're right that you don't need to edit server.xml. if you didn't get any errors returned from adding the ca certs, i would imagine they're ok. can you post the statement you're using to import the server cert? also, you can check what's in the keystore like this:

keytool --list -keystore PATH/TO/KEYSTORE

Bobby - Here you go:
[zimbra@zimbra ssl]$ pwd
/opt/zimbra/ssl/ssl
[zimbra@zimbra ssl]$ keytool --list -keystore /opt/zimbra/ssl/ssl/commercial.keystore
Enter keystore password: zimbra

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Apr 15, 2006, keyEntry,
Certificate fingerprint (MD5): E9:C5:8A:11:3A:A2:7B:47:E4:4F:E9:8D:7B:6B:CD:C2

[alexz]

Quote:

Originally Posted by phoenix

You not only wasn't that clear, you didn't even mention what you had done to research the problem.


Then why, in heavens name, didn't you say that in the first place. It would help everyone if we knew what you were doing and what you had done.

Bill - I was hoping that someone would see the exact error message and know what is causing it. I see it happen all the time and several times I have posted message and people knew right away how to fix a problem. I think everyone should do some level of cursory research as I have but generally to look around for hours on end until posting a question is not practical.

If you can think of anything that I am missing or can be of help in solving this problem I would appreciate it.

[jholder]

alexz,
Sorry, I've been away for Easter.

Where are we now? Did Bobby's soluton work for you, or when you use the keytool, do you get the same error?

Note to all: Keep in mind that forums are difficult because it's rough to convey announciation. I know that when I post, I often will leave out words or details. Just remember that we are all here to help, and appreciate everything you do to make Zimrba better for all.

[alexz]

Quote:

Originally Posted by wannabetenor

alexz,
Sorry, I've been away for Easter.

Where are we now? Did Bobby's soluton work for you, or when you use the keytool, do you get the same error?

Note to all: Keep in mind that forums are difficult because it's rough to convey announciation. I know that when I post, I often will leave out words or details. Just remember that we are all here to help, and appreciate everything you do to make Zimrba better for all.

Hey, everyone needs SOME time off. It IS the weekend, after all (well, what's left of it, anyway).

I posted the info that Bobby requested in this thread so I'm just waiting to see if the info I posted sheds any light on how to solve this problem.

[alexz]

Ok, I finally figured it out and posted it to the Wiki:

http://wiki.zimbra.com/index.php?tit...y_Instructions

The key thing to remember is that when following instructions provided by the commercial cert vendor they often use "tomcat.keystore" in their keytool commands. All certificates (root, intermed, and your domain cert) have to go into the same keystore file and then copied to Zimbra's Tomcat directory.

Here are the instructions posted in the Wiki:

(You will be prompted for passwords. In this example all passwords are zimbra)

1. Create keystore:

su - zimbra keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

2. Create CSR (you are creating the commercial.csr file):

keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

3. Open the contents of the commecial.csr file and copy and paste into GoDaddy's CSR submission form.

4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

5. Import intermediate and root certs from GoDaddy. The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

To import root cert: keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

To import intermediate cert: keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file sf_issuing.crt

6. Import digital cert into keystore:

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra

7. Copy the keystore to zimbra Tomcat keystore:

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

8. Tomcat restart

9. To turn on HTTPS you must use the zmtlsctl https to allow http and https logins OR zmtlsctl mixed to force https logins but all other traffic will be http.

[kechols]

Not Godaddy specifically but, for thawte certs the keytool command should be done as

Code:

keytool -import -alias tomcat -trustcacerts -file foo.crt -keystore /opt/zimbra/ssl/ssl/commercial.keystore

instead of

Code:

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file foo.crt

running the first says my certificate expired less than 1month after installing it.
This is of course according to thawte. I will be testing this tonight and see how it does. If anyone has run into this problem and can confirm it for me I'd appreciate it.

Thanks,
Kyle