
Thread: Problem: successfully installing a commercial SSL cert breaks Zimbra NE LDAP access

  #1 deltatango (Active Member, joined Jul 2007)

    I just tried to deploy our commercial wildcard SSL cert from DigiCert. I followed this: "Installing a Network Solutions Certificate on ZCS 5.0.x - Zimbra :: Wiki" and adapted it slightly:

    1. I created a CSR via Zimbra Web interface

    2. requested an additional Tomcat SSL cert on the DigiCert website (already using one for Apache on several websites)

    3. Got files: commercial.csr and commercial.key (created by Zimbra); downloaded: DigiCertCA.crt (intermediate cert), TrustedRoot.crt (root cert), star_example.com.p7b, star_example.com.crt.

    4. as root: "cat DigiCertCA.crt TrustedRoot.crt >/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt"

    5. checked the certfiles: "/opt/zimbra/bin/zmcertmgr verifycrt comm":
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

    6. deployed it: "/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt":
    mail:/opt/zimbra/ssl/zimbra/commercial root# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: /opt/zimbra/ssl/zimbra/commercial/commercial.crt and commercial.crt are identical (not copied).
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt and commercial_ca.crt are identical (not copied).
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    7. restarted Zimbra as user zimbra: "zmcontrol stop;zmcontrol start", but then I get the dreaded error:
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.

    After cleaning out /opt/zimbra/log/ I get this:
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.

    I just wanted to get fresh log files to make diagnosing the problem easier, but now I don't get any log messages at all ...
    so it appears as if some components cannot access the LDAP store any longer.

    How can that happen and what do I do now?

  #2 brian (Project Contributor, joined Jul 2006)

    Your failure started at step 4. Don't use /opt/zimbra/ssl/zimbra/ as the working directory; use a temporary directory.

  #3 deltatango (Active Member)

    Thanks, Brian, I now moved commercial.crt and commercial_ca.crt away and tried to re-deploy the cert:
    mail:/opt/zimbra/temp root# ../bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    mail:/opt/zimbra/temp root# su -l zimbra
    mail:~ zimbra$ zmcontrol start
    Host mail.proximic.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    mail:~ zimbra$

    The re-deployment didn't help at all and the installation is still not working. Luckily this is a test installation, thus no production is affected. Will re-install Zimbra and start anew.

  #4 deltatango (Active Member)

    And the Wiki howto is then completely wrong?
    -> Installing a Network Solutions Certificate on ZCS 5.0.x - Zimbra :: Wiki

  #5 deltatango (Active Member)

    This is becoming ridiculous: I restored the /opt/zimbra tree from a backup I took before I touched any ssl stuff. Then I tried to install the commercial cert again:

    1. created csr via web admin (I failed at several attempts to install the cert via web admin, thus I went back to command line tools for further steps) which left both the csr and key in /opt/zimbra/ssl/zimbra/commercial/

    2. had my cert created by Digicert (luckily one can create additional certs for free once one has purchased a wild card cert) and downloaded

    3. Instead of the Wiki document I mentioned in my previous post, I now followed this: Administration Console and CLI Certificate Tools - Zimbra :: Wiki, which also claims to be certified, thus is expected to be somewhat trustworthy.

    4. as I already had a commercial.key and commercial.csr (created by the web admin) I started with "cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt"

    5. Then I wanted to verify cert and key:
    /opt/zimbra/bin/zmcertmgr verifycrt comm \
    /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt

    This failed until I temporarily copied /tmp/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt, then it worked:

    mail:/opt/zimbra/backup root# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt
    ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/commercial.crt: OK

    Now is the time to deploy it. I removed commercial_ca.crt from /opt/zimbra/ssl/zimbra/commercial and deployed:

    mail:/opt/zimbra/backup root# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
    ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /tmp/commercial.crt: OK
    ** Copying /tmp/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /tmp/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    mail:/opt/zimbra/backup root#

    Looks good, doesn't it?
    Now I switched to user zimbra for restarting all the services: "zmcontrol stop", then:

    mail:~ zimbra$ zmcontrol start
    Host mail.example.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.

    What the hell am I doing wrong here?

  #6 quanah (Zimbra Employee, joined May 2007)

    Try the following:

    cd /opt/zimbra/conf/ca
    rm *
    cd /opt/zimbra/ssl/
    mv zimbra zimbra.dead

    Then re-run the cert deployment pieces.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  #7 digicert (Starter Member, joined Oct 2009)

    We've had another customer experience this error before. They said it was resolved by re-installing the certificate and rebooting the server before running the zmcontrol commands. Specifically they said they followed these instructions:

    "1. You must use the web UI admin console to generate the CSR file. You must choose "all server". Do not choose your domain.
    2. After generating the CSR file, open it and generate the cert on the DigiCert website. Choose "Other" as the web server type.
    3. Download the three files domain.crt, DigicertCa.crt and Trustedroot.crt into /opt/zimbra/ssl/zimbra/commercial/ with the root account.
    4. Cat the three files into commercial_ca.crt (3 files: domain.crt, DigicertCa.crt and Trustedroot.crt, not 2 files: DigicertCa.crt and Trustedroot.crt) and rename domain.crt to commercial.crt.
    5. Verify this crt with the root command:
    cd /opt/zimbra/ssl/zimbra/commercial/
    /opt/zimbra/bin/zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
    6. Add CA cert: /opt/zimbra/bin/zmcertmgr addcacert ./commercial.crt
    /opt/zimbra/bin/zmcertmgr addcacert ./commercial_ca.crt
    7. Deploy:
    /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
    8. After it says all is done, reboot this server. Don't stop and start with zmcontrol, just reboot. I don't know why, but it was successful. After the reboot you can start and stop with zmcontrol and you always get the correct message."

    You can check if it is installed correctly at SSL Certificate Tester - Check Certificates (you can check LDAP by including :636 after the hostname)

    If that still doesn't work, please give us a call (+1 800-896-7973) and we'll see if there is anything else we can try.

    Dan
    DigiCert Support

  #8 steeef (Intermediate Member, joined Oct 2009)

    I'm having this same issue with a certificate issued by GoDaddy. I also tried removing the files in ca and moving the zimbra directory to zimbra.dead, but it still complains about reading service info from cache. Also, all services are unresponsive (https, imaps), and I can't seem to get more log info.

  #9 steeef (Intermediate Member)

    Also tried restarting without stopping/starting Insight, no change.

    I'm forced to use the command line to create the csr, since GoDaddy requires a key length of at least 2048 bytes.

  #10 steeef (Intermediate Member)

    I think I found the solution. Run this as root:

    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

    Credit goes to cpiess: ZCS Network Install: Was working, now possibly broken due to SSL?
