New ipsCA will not install

[Mistoffeles]

Zimbra is not accepting the new ipsCA cert, even though I used the *same* cert request file that I used for the old cert.

The error is:

Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/aimbraAdmin/tmp/current_comm.key) pair.

I am about ready to take this whole package and throw it out, I am so sick of it all. If it's not one thing, it's another going wrong with Zimbra.

[Rich Graves]

I could still swear that I submitted the right CSR for a cert I recently got from startssl (in favor of which we dumped ipsCA for class 1 certs).

But I clearly didn't. It matched the key for a completely different server that I'd submitted around the same time.

Use the command line ~zimbra/bin/zmcertmgr verifycrt to match keys, certs, and trust chains, and zmcertmgr deploycrt to install.

By the way, neither ipsCA nor startssl is going to be trusted by many cell phones. If that's important to you, GoDaddy's class 1 certs seem to be as low-end as you can go. They're not the $0 that ipsCA charges .edu's, but they're very inexpensive, especially if you do a web search for discount codes.

[Mistoffeles]

Unfortunately this cert is a replaceemnt for an existing cert that is paid for two years in advance. To change now would not receive easy approval with management.

[Mistoffeles]

I am getting a strange error now, is Zimbra not compatible with the new ipsCA certificates? I made a whole new certificate request this time.

Here is the error:

Zimbra Administration

Your certificate was not installed due to the error: system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=ES/ST=MADRID/L=MADRID/O=ips Certification Authority/OU=Certificationes/CN=ipsCA Level 1 CA/emailAddress=ipscalevel1@ipsca.com

I can understand where Zimbra would not like something I did, but rejecting a new Level 1 certificate that is working for many other people is something I do not understand.

[vbn]

So I am assuming (since you have not mentioned) the following :

- You have generated a new key and csr
- Using the above you have requested a new crt (for extension)
- You are installing using text-mode for installation on Zimbra

The above steps would be a good way to get a new crt installed. The first error is certainly a mismatch between your key and crt files. You can always generate a new set of key/csr and request your crt to be re-keyed. Then install all three using the text-mode way.

You can refer my older post here for console installation > Installing an existing commercial wildcard SSL certificate

[Mistoffeles]

I can generate a new key, or I must generate a new key?

The first time I tried this, ipsCA said I could jsut submit my original CSR, so I did that, sent it to ipsCA, got a new cert, and it did not work.

The second time, I generated a new CSR, submitted it to ipsCA, got a new cert, and it does not work.

This is command line or GUI, and I include the new ipsCA Level 1 and Intermediate certificates as well (of course).