
Thread: Commercial SSL Cert

  1. #11
    alexz is offline Active Member

    Quote Originally Posted by phoenix
    I don't take your reply as being rude, I just don't understand why you didn't bother following any of the links that I provided. They were specific to your question and covered the reason why you got that error message. The point about following the wiki instructions is not to get to a point where there's an error and say 'I've got this error, how do I fix it?', surely the point is to do some investigation as to why you've got the error and try to fix it yourself. Well, you asked the question and I pointed you to possible solutions but you seem to want someone to lead you by the hand through the problem, that's not my style and I'm sorry if that seems to offend you.

    If, after doing your own investigation, you're stumped then by all means ask a question and detail what you've done to get to that stage and people will be willing to help.
    Bill,

    Perhaps I wasn't clear. I did do my own investigation and looked at the very same pages that you proposed prior to posing the question. I'm also a proponent of doing research and searching the web before posting. I posted the question after I exhausted my resources.
    Sincerely,

    Alex

  2. #12
    alexz is offline Active Member

    Are there any diagnostic commands I can run to see if the root and intermediary were properly imported or any other keytool commands that I can run to help narrow down this problem?
    Sincerely,

    Alex

  3. #13
    bobby is offline Zimbra Employee

    that wiki page is actually in the middle of some improvement. installing commercial certs on a zimbra server can be somewhat complicated because there are multiple components that may make use of the certs and because different certificate authorities have different procedures.

    you're right that you don't need to edit server.xml. if you didn't get any errors returned from adding the ca certs, i would imagine they're ok. can you post the statement you're using to import the server cert? also, you can check what's in the keystore like this:

    keytool --list -keystore PATH/TO/KEYSTORE

  4. #14
    phoenix is offline Zimbra Consultant & Moderator

    Quote Originally Posted by alexz
    Bill,

    Perhaps I wasn't clear.
    You not only weren't that clear, you didn't even mention what you had done to research the problem.

    Quote Originally Posted by alexz
    I did do my own investigation and looked at the very same pages that you proposed prior to posing the question. I'm also a proponent of doing research and searching the web before posting. I posted the question after I exhausted my resources.
    Then why, in heaven's name, didn't you say that in the first place? It would help everyone if we knew what you were doing and what you had done.
    Regards


    Bill



  5. #15
    alexz is offline Active Member

    Quote Originally Posted by bobby
    that wiki page is actually in the middle of some improvement. installing commercial certs on a zimbra server can be somewhat complicated because there are multiple components that may make use of the certs and because different certificate authorities have different procedures.

    you're right that you don't need to edit server.xml. if you didn't get any errors returned from adding the ca certs, i would imagine they're ok. can you post the statement you're using to import the server cert? also, you can check what's in the keystore like this:

    keytool --list -keystore PATH/TO/KEYSTORE
    Bobby - Here you go:
    [zimbra@zimbra ssl]$ pwd
    /opt/zimbra/ssl/ssl
    [zimbra@zimbra ssl]$ keytool --list -keystore /opt/zimbra/ssl/ssl/commercial.keystore
    Enter keystore password: zimbra

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, Apr 15, 2006, keyEntry,
    Certificate fingerprint (MD5): E9:C5:8A:11:3A:A2:7B:47:E4:4F:E9:8D:7B:6B:CD:C2
    Sincerely,

    Alex

  6. #16
    alexz is offline Active Member

    Quote Originally Posted by phoenix
    You not only weren't that clear, you didn't even mention what you had done to research the problem.

    Then why, in heaven's name, didn't you say that in the first place? It would help everyone if we knew what you were doing and what you had done.
    Bill - I was hoping that someone would see the exact error message and know what is causing it. I see it happen all the time and several times I have posted a message and people knew right away how to fix a problem. I think everyone should do some level of cursory research as I have but generally to look around for hours on end until posting a question is not practical.

    If you can think of anything that I am missing or can be of help in solving this problem I would appreciate it.
    Sincerely,

    Alex

  7. #17
    jholder is offline Former Zimbran

    alexz,
    Sorry, I've been away for Easter.

    Where are we now? Did Bobby's solution work for you, or when you use the keytool, do you get the same error?

    Note to all: Keep in mind that forums are difficult because it's rough to convey announciation. I know that when I post, I often will leave out words or details. Just remember that we are all here to help, and appreciate everything you do to make Zimbra better for all.

  8. #18
    alexz is offline Active Member

    Quote Originally Posted by wannabetenor
    alexz,
    Sorry, I've been away for Easter.

    Where are we now? Did Bobby's solution work for you, or when you use the keytool, do you get the same error?

    Note to all: Keep in mind that forums are difficult because it's rough to convey announciation. I know that when I post, I often will leave out words or details. Just remember that we are all here to help, and appreciate everything you do to make Zimbra better for all.
    Hey, everyone needs SOME time off. It IS the weekend, after all (well, what's left of it, anyway).

    I posted the info that Bobby requested in this thread so I'm just waiting to see if the info I posted sheds any light on how to solve this problem.
    Sincerely,

    Alex

  9. #19
    alexz is offline Active Member

    Ok, I finally figured it out and posted it to the Wiki:

    http://wiki.zimbra.com/index.php?tit...y_Instructions

    The key thing to remember is that when following instructions provided by the commercial cert vendor they often use "tomcat.keystore" in their keytool commands. All certificates (root, intermed, and your domain cert) have to go into the same keystore file and then be copied to Zimbra's Tomcat directory.

    Here are the instructions posted in the Wiki:

    (You will be prompted for passwords. In this example all passwords are zimbra)

    1. Create keystore:

    su - zimbra
    keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore

    2. Create CSR (you are creating the commercial.csr file):

    keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore

    3. Open the contents of the commercial.csr file and copy and paste into GoDaddy's CSR submission form.

    4. Receive digital cert from GoDaddy as a zip file. Unzip and copy the cert and intermediate cert to a directory on the server. For simplicity, complete the commands below from that directory.

    5. Import intermediate and root certs from GoDaddy.
    The intermediate cert is included in the zip file. The root cert is not. Download the root cert for GoDaddy from: https://certificates.starfieldtech.com/Repository.go

    To import root cert:

    keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

    To import intermediate cert:

    keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file sf_issuing.crt

    6. Import digital cert into keystore:

    keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass zimbra

    7. Copy the keystore to zimbra Tomcat keystore:


    cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore

    8. Tomcat restart

    9. To turn on HTTPS you must use the zmtlsctl https to allow http and https logins OR zmtlsctl mixed to force https logins but all other traffic will be http.
    Last edited by alexz; 04-20-2006 at 07:54 PM.
    Sincerely,

    Alex
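
An added example, not part of alexz's post or the Zimbra wiki: a shell check for the question in post #12, which parses `keytool -list` output and confirms that the `root`, `intermed` and `tomcat` aliases from the steps above are all in the one keystore. The function and sample names are hypothetical, and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example: verify that a `keytool -list` listing holds the three aliases
# used in the steps above (root, intermed, tomcat).

# Reads `keytool -list` output on stdin, prints one line per problem,
# returns 0 when the listing is complete and 1 otherwise.
check_keystore_listing() {
    awk -F', *' '
        # Entry lines look like: tomcat, Apr 15, 2006, keyEntry,
        { for (i = 2; i <= NF; i++) if ($i ~ /Entry$/) { kind[$1] = $i; break } }
        END {
            bad = 0
            # The server alias must hold the private key made in step 1
            # (newer JDKs print PrivateKeyEntry instead of keyEntry).
            if (!("tomcat" in kind)) { print "missing: tomcat"; bad = 1 }
            else if (kind["tomcat"] !~ /^(keyEntry|PrivateKeyEntry)$/) {
                print "wrong type: tomcat is " kind["tomcat"]; bad = 1
            }
            # CA certificates must be trusted-certificate entries.
            n = split("root intermed", ca, " ")
            for (j = 1; j <= n; j++) {
                if (!(ca[j] in kind)) { print "missing: " ca[j]; bad = 1 }
                else if (kind[ca[j]] != "trustedCertEntry") {
                    print "wrong type: " ca[j] " is " kind[ca[j]]; bad = 1
                }
            }
            exit bad
        }'
}

# Listing from post #15 (fingerprint line omitted): only the key entry.
sample_incomplete() {
    printf '%s\n' 'Keystore type: jks' 'Keystore provider: SUN' '' \
        'Your keystore contains 1 entry' '' 'tomcat, Apr 15, 2006, keyEntry,'
}

# Constructed listing of a keystore after steps 5 and 6 (dates are made up).
sample_complete() {
    printf '%s\n' 'Your keystore contains 3 entries' '' \
        'root, Apr 20, 2006, trustedCertEntry,' \
        'intermed, Apr 20, 2006, trustedCertEntry,' \
        'tomcat, Apr 20, 2006, keyEntry,'
}

# Real use (prompts for the keystore password):
#   keytool -list -keystore /opt/zimbra/ssl/ssl/commercial.keystore | check_keystore_listing
sample_incomplete | check_keystore_listing || echo "keystore incomplete"
```

Run it against the keystore before step 7, so that an incomplete file is not copied over Tomcat's keystore.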

  10. #20
    kechols is offline Senior Member

    Not GoDaddy specifically, but for Thawte certs the keytool command should be done as
    Code:
    keytool -import -alias tomcat -trustcacerts -file foo.crt -keystore /opt/zimbra/ssl/ssl/commercial.keystore
    instead of
    Code:
    keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file foo.crt
    Running the first says my certificate expired less than 1 month after installing it.
    This is of course according to Thawte. I will be testing this tonight and see how it does. If anyone has run into this problem and can confirm it for me I'd appreciate it.

    Thanks,
    Kyle
