Zimbra :: Forums > Zimbra Collaboration Suite > Installation

#1
03-15-2010, 08:13 AM
Intermediate Member, Posts: 15
Can't install ca_cert certificates

This is on a fresh install.
Running zcs-6.0.5_GA_2213.DEBIAN5_64.20100131185825
Have registered domain of form myname.us
local dns maps myname.us to 192.168.10.3
fresh install, using myname.us as fully qualified name, myname as machine name

attempts to use admin web interface to install key result in key mismatch
attempts to install via CLI results in broken system.
cert and cert chain verified before deploy

logger and mailbox fail to start

Error for logger is:
$ zmlogswatchctl start
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.
#2
03-16-2010, 09:33 AM
Intermediate Member, Posts: 15
still working on it

1) don't use Ajcody's cli recipe for cacert. It's not for zimbra 6 and will always leave a system broken and having to have certs wiped and a new self signed one installed.
Ajcody-Notes-SSLCerts - Zimbra :: Wiki

2) use cacert's cacert-bundle, not just their root cert.
attachment:cacert-boundle.crt of FAQ - CAcert Wiki
and the cert will install from the gui. don't use an intermediate

I got it to install from the gui but still had a broken system afterwards.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.

next I'm going to try to 'install all servers', not just myname.us.

Or am I wasting my time? Are signed certs broken in the GA 6.x release?
#3
03-16-2010, 09:35 AM
Intermediate Member, Posts: 15

since some of the servers fail to start, zimbra seems to use the certs for its own use.
Perhaps I need to install a fresher root cert in /etc/ssl/certs/cacert.org.pem ?
#4
03-16-2010, 10:39 AM
Intermediate Member, Posts: 15

root certs in /usr/share/ca-certificates/cacert.org match those from cacert
#5
03-16-2010, 08:56 PM
Intermediate Member, Posts: 15

another fresh install

followed instructions from this link exactly:
Administration Console and CLI Certificate Tools - Zimbra :: Wiki

Yet another trashed system.
$ zmcontrol start
Host thefelsons.us
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.
...

Is it because I use domain/hostname of myname.us instead of machine.myname.us?
Is it time to file a bug, that zimbra 6.0.5 is incompatible with certs created with cacert?
#6
03-17-2010, 06:54 PM
Intermediate Member, Posts: 15
I give up

another fresh install
hostname mail.myname.us
local dns returns 192.168.10.3
ajcody page was adamant about time being accurate. It is, but shells reflected UTC. Tried setting TZ on root and zimbra user for local timezone
got CSR, went to cacert to get CRT, installed it
broken system.

Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.


I think I'm finished with zimbra. back to postfix/dovecot/openldap.
I hate .0 releases. They're always buggy garbage. I'd consider 5.x but it never got past .0
either.

I really liked the ajax webmail, but I don't need it. Fat clients like thunderbird are fine.
#7
03-19-2010, 01:40 AM
Zimbra Consultant & Moderator, Posts: 19,653

Quote:
Originally Posted by adamf663
I think I'm finished with zimbra. back to postfix/dovecot/openldap.
I hate .0 releases. They're always buggy garbage. I'd consider 5.x but it never got past .0
either.
Both of those statements are nonsense.

Let's start from the beginning. What exactly are you trying to do, install a commercial certificate (if so, who supplied it)? Post the output of the following commands (run on the zimbra server):

Code:
cat /etc/hosts
cat /etc/resolv.conf
dig yourdomain.com any
dig yourdomain.com mx
host `hostname`  <- use that exact command with backticks not single quotes
Regards
Bill

#8
03-19-2010, 01:55 AM
Intermediate Member, Posts: 15

Code:
> cat /etc/hosts
192.168.10.3 mail.thefelsons.us mail
127.0.0.1 localhost.localdomain localhost
Code:
> cat /etc/resolv.conf
domain thefelsons.us
nameserver 127.0.0.1
Code:
> dig yourdomain.com any
bash: dig: command not found
but elsewhere I have it installed.
Code:
$ dig mail.thefelsons.us

; <<>> DiG 9.4.3-P4 <<>> mail.thefelsons.us
;; global options:  printcmd               
;; Got answer:                             
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37699
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;mail.thefelsons.us.            IN      A

;; ANSWER SECTION:
mail.thefelsons.us.     600     IN      A       68.2.93.108

;; AUTHORITY SECTION:
thefelsons.us.          900     IN      NS      ns3.mydyndns.org.
thefelsons.us.          900     IN      NS      ns1.mydyndns.org.
thefelsons.us.          900     IN      NS      ns2.mydyndns.org.
thefelsons.us.          900     IN      NS      ns5.mydyndns.org.
thefelsons.us.          900     IN      NS      ns4.mydyndns.org.

;; ADDITIONAL SECTION:
ns1.mydyndns.org.       319     IN      A       204.13.248.76
ns2.mydyndns.org.       89      IN      A       204.13.249.76
ns3.mydyndns.org.       89      IN      A       208.78.69.76
ns4.mydyndns.org.       89      IN      A       91.198.22.76
ns5.mydyndns.org.       89      IN      A       203.62.195.76

;; Query time: 86 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Mar 19 00:51:50 2010
;; MSG SIZE  rcvd: 234

NOTE: I'm using a mail service of dyndns. They pick up mail on their port 25, buffer and do some despamming and deliver to my router's port 24 which forwards to zimbra port 25. It works fine.


Code:
>dig yourdomain.com mx
$ dig mail.thefelsons.us mx

; <<>> DiG 9.4.3-P4 <<>> mail.thefelsons.us mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18450
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.thefelsons.us.            IN      MX

;; AUTHORITY SECTION:
thefelsons.us.          900     IN      SOA     ns1.mydyndns.org. zone-admin.dyndns.com. 2010030124 10800 1800 604800 1800

;; Query time: 123 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Fri Mar 19 00:53:12 2010
;; MSG SIZE  rcvd: 109
Code:
> host `hostname`  <- use that exact command with backticks not single quotes

host `hostname`
bash: host: command not found
root@mail:/# hostname
mail
root@mail:/# ping mail
PING mail.thefelsons.us (192.168.10.3) 56(84) bytes of data.
64 bytes from mail.thefelsons.us (192.168.10.3): icmp_seq=1 ttl=64 time=0.046 ms

Does that tell you what you wanted w/ the host command?

cert is from cacert. csr is from zimbra's gui, or instructions given on official zimbra site. both break system and cause the logger error I reported.

Last edited by phoenix; 03-19-2010 at 06:08 AM..
#9
03-19-2010, 11:21 AM
New Member, Posts: 3

hi,

same issue here. I'm trying to install StartSSL.com free Class1 Certificate. CSR is created with the zimbra gui. StartSSL has a root ca and an intermediate ca. My zimbra is: Release 6.0.5_GA_2213.RHEL5_20100202211341 CentOS5 NETWORK edition.
It's all in one installation.

After installation of certificates finishes and reboot is done
mailbox service doesn't start anymore.

Code:
[root@mx2 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
85.182.255.142	mx2.silpion.it	mx2
Code:
[root@mx2 ~]# cat /etc/resolv.conf
nameserver 85.182.255.129
search localdomain
Code:
[root@mx2 ~]# hostname -f
mx2.silpion.it
Code:
[root@mx2 ~]# host -t a silpion.it
silpion.it has address 195.68.236.54
Code:
[root@mx2 ~]# host -t mx silpion.it
silpion.it mail is handled by 10 mx2.silpion.it.
Code:
[root@mx2 ~]# host -t a mx2.silpion.it
mx2.silpion.it has address 85.182.255.142
#10
03-19-2010, 12:12 PM
New Member, Posts: 3

I gave it a try on the console:

1. copy a private key to
/opt/zimbra/ssl/zimbra/commercial/commercial.key
2. deploy ca bundle
/opt/zimbra/bin/zmcertmgr deployca /path-to-ca-bundle/commercial_ca.crt
3. copy a ca bundle to:
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
4. verify key and cert
/opt/zimbra/bin/zmcertmgr verifycrt comm /yourpath/commercial.key /yourpath/commercial.crt
5. deploy cert
/opt/zimbra/bin/zmcertmgr deploycrt comm /yourpath/commercial.crt /yourpath/commercial_ca.crt
6. restart zimbra
/etc/init.d/zimbra stop
/etc/init.d/zimbra start

All above actions finished ok.

now it still doesn't start correctly.

Code:
Mar 19 19:03:01 mx2 zimbramon[31570]: 31570:info: zmmtaconfig: gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
Mar 19 19:03:04 mx2 zimbramon[31570]: 31570:info: zmmtaconfig: Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
All other errors are complaining: "system failure: ZimbraLdapContext"
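The zmcertmgr steps in the post above check the key against the certificate once, but every failure in this thread is the same PKIX error: the Java mailbox and logger processes cannot build a path from the deployed certificate to a trusted root. As an added example (not Zimbra's tooling and not code from any poster), the POSIX shell function below runs the checks a practitioner would make before deploycrt: key matches cert, leaf chains to a root using only the bundle (so a root-only file, the first mistake in post #2, is rejected), and the cert was issued to the server's FQDN. It assumes only the openssl CLI; check_cert, make_test_pki and the mail.example.test root/intermediate/leaf PKI are constructed for this example so it runs offline.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a commercial certificate,
# covering what zmcertmgr verifycrt does plus chain and hostname checks.
# Needs only the openssl CLI; this is not Zimbra's own code.

# check_cert KEY CRT CA_BUNDLE HOSTNAME
#   0 = ok, 1 = key does not match cert, 2 = chain or hostname fails
check_cert() {
  key=$1; crt=$2; ca=$3; host=$4
  # 1. the private key must belong to the certificate (the admin
  #    console's "key mismatch"): compare hashes of both public keys
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  certpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ -z "$keypub" ] || [ "$keypub" != "$certpub" ]; then
    echo "FAIL: private key does not match $crt" >&2; return 1
  fi
  # 2. the leaf must chain to a self-signed root using only the bundle
  #    (root AND intermediate); this is the PKIX path the Java mailbox
  #    and logger processes build when they connect to ldap over TLS.
  #    -verify_hostname also rejects a cert issued to the wrong name.
  if ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" \
       >/dev/null 2>&1; then
    echo "FAIL: $crt does not chain to $ca for $host" >&2; return 2
  fi
  echo "OK: $crt verified for $host"
}

# make_test_pki DIR: constructed root -> intermediate -> leaf PKI for the
# hypothetical host mail.example.test, so the check can run offline
make_test_pki() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  printf 'subjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
  # the "bundle" a CA hands out: intermediate plus root in one file
  cat "$d/int.crt" "$d/root.crt" > "$d/bundle.crt"
}
```

If these checks pass and the services still fail with the same PKIX error, the certificate file is not the problem; the Java "unable to find valid certification path" message means the trust store that the Java services read does not contain the chain.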