
Thread: Can't install ca_cert certificates

  1. #1 adamf663 (Intermediate Member, Scottsdale, AZ)

    Can't install ca_cert certificates

    This is on a fresh install.
    Running zcs-6.0.5_GA_2213.DEBIAN5_64.20100131185825
    Have registered domain of form myname.us
    local dns maps myname.us to 192.168.10.3
    fresh install, using myname.us as fully qualified name, myname as machine name

    Attempts to use the admin web interface to install the key result in a key mismatch.
    Attempts to install via the CLI result in a broken system.
    The cert and cert chain were verified before deploy.

    logger and mailbox fail to start

    Error for logger is:
    Code:
    $ zmlogswatchctl start
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.

  2. #2 adamf663 (Intermediate Member, Scottsdale, AZ)

    still working on it

    1) Don't use Ajcody's CLI recipe for CAcert. It's not for Zimbra 6 and will always leave a system broken, with the certs having to be wiped and a new self-signed one installed.
    Ajcody-Notes-SSLCerts - Zimbra :: Wiki

    2) Use CAcert's cacert-bundle, not just their root cert.
    attachment:cacert-boundle.crt of FAQ - CAcert Wiki
    Then the cert will install from the GUI. Don't use an intermediate.

    I got it to install from the GUI but still had a broken system afterwards.
    Code:
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.

    next I'm going to try to 'install all servers', not just myname.us.

    Or am I wasting my time? Are signed certs broken in the GA 6.x release?

  3. #3 adamf663 (Intermediate Member, Scottsdale, AZ)

    Since some of the servers fail to start, Zimbra seems to use the certs for its own use.
    Perhaps I need to install a fresher root cert in /etc/ssl/certs/cacert.org.pem?

  4. #4 adamf663 (Intermediate Member, Scottsdale, AZ)

    The root certs in /usr/share/ca-certificates/cacert.org match those from CAcert.

  5. #5 adamf663 (Intermediate Member, Scottsdale, AZ)

    Another fresh install.

    Followed the instructions from this link exactly:
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    Yet another trashed system.
    Code:
    $ zmcontrol start
    Host thefelsons.us
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.
    ...

    Is it because I use a domain/hostname of myname.us instead of machine.myname.us?
    Is it time to file a bug, that Zimbra 6.0.5 is incompatible with certs created with CAcert?

  6. #6 adamf663 (Intermediate Member, Scottsdale, AZ)

    I give up

    Another fresh install.
    Hostname mail.myname.us.
    Local DNS returns 192.168.10.3.
    The ajcody page was adamant about the time being accurate. It is, but shells reflected UTC. Tried setting TZ on the root and zimbra users for the local timezone.
    Got the CSR, went to CAcert to get the CRT, installed it.
    Broken system.

    Code:
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.


    I think I'm finished with Zimbra. Back to postfix/dovecot/openldap.
    I hate .0 releases. They're always buggy garbage. I'd consider 5.x but it never got past .0 either.

    I really liked the ajax webmail, but I don't need it. Fat clients like thunderbird are fine.

  7. #7 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (originally posted by adamf663):
        I think I'm finished with Zimbra. Back to postfix/dovecot/openldap.
        I hate .0 releases. They're always buggy garbage. I'd consider 5.x but it never got past .0 either.
    Both of those statements are nonsense.

    Let's start from the beginning. What exactly are you trying to do, install a commercial certificate (if so, who supplied it)? Post the output of the following commands (run on the zimbra server):

    Code:
    cat /etc/hosts
    cat /etc/resolv.conf
    dig yourdomain.com any
    dig yourdomain.com mx
    host `hostname`  <- use that exact command with backticks not single quotes
    Regards
    Bill

  8. #8 adamf663 (Intermediate Member, Scottsdale, AZ)

    Code:
    > cat /etc/hosts
    192.168.10.3 mail.thefelsons.us mail
    127.0.0.1 localhost.localdomain localhost
    Code:
    > cat /etc/resolv.conf
    domain thefelsons.us
    nameserver 127.0.0.1
    Code:
    > dig yourdomain.com any
    bash: dig: command not found

    But elsewhere I have it installed:
    Code:
    $ dig mail.thefelsons.us
    
    ; <<>> DiG 9.4.3-P4 <<>> mail.thefelsons.us
    ;; global options:  printcmd               
    ;; Got answer:                             
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37699
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
    
    ;; QUESTION SECTION:
    ;mail.thefelsons.us.            IN      A
    
    ;; ANSWER SECTION:
    mail.thefelsons.us.     600     IN      A       68.2.93.108
    
    ;; AUTHORITY SECTION:
    thefelsons.us.          900     IN      NS      ns3.mydyndns.org.
    thefelsons.us.          900     IN      NS      ns1.mydyndns.org.
    thefelsons.us.          900     IN      NS      ns2.mydyndns.org.
    thefelsons.us.          900     IN      NS      ns5.mydyndns.org.
    thefelsons.us.          900     IN      NS      ns4.mydyndns.org.
    
    ;; ADDITIONAL SECTION:
    ns1.mydyndns.org.       319     IN      A       204.13.248.76
    ns2.mydyndns.org.       89      IN      A       204.13.249.76
    ns3.mydyndns.org.       89      IN      A       208.78.69.76
    ns4.mydyndns.org.       89      IN      A       91.198.22.76
    ns5.mydyndns.org.       89      IN      A       203.62.195.76
    
    ;; Query time: 86 msec
    ;; SERVER: 192.168.10.1#53(192.168.10.1)
    ;; WHEN: Fri Mar 19 00:51:50 2010
    ;; MSG SIZE  rcvd: 234

    NOTE: I'm using a mail service from DynDNS. They pick up mail on their port 25, buffer it, do some despamming, and deliver to my router's port 24, which forwards to Zimbra's port 25. It works fine.


    Code:
    >dig yourdomain.com mx
    $ dig mail.thefelsons.us mx
    
    ; <<>> DiG 9.4.3-P4 <<>> mail.thefelsons.us mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18450
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;mail.thefelsons.us.            IN      MX
    
    ;; AUTHORITY SECTION:
    thefelsons.us.          900     IN      SOA     ns1.mydyndns.org. zone-admin.dyndns.com. 2010030124 10800 1800 604800 1800
    
    ;; Query time: 123 msec
    ;; SERVER: 192.168.10.1#53(192.168.10.1)
    ;; WHEN: Fri Mar 19 00:53:12 2010
    ;; MSG SIZE  rcvd: 109
    Code:
    > host `hostname`  <- use that exact command with backticks not single quotes
    
    host `hostname`
    bash: host: command not found
    root@mail:/# hostname
    mail
    root@mail:/# ping mail
    PING mail.thefelsons.us (192.168.10.3) 56(84) bytes of data.
    64 bytes from mail.thefelsons.us (192.168.10.3): icmp_seq=1 ttl=64 time=0.046 ms
    
    Does that tell you what you wanted with the host command?

    The cert is from CAcert. The CSR is from Zimbra's GUI, or from the instructions given on the official Zimbra site. Both break the system and cause the logger error I reported.
    Last edited by phoenix; 03-19-2010 at 05:08 AM.

  9. #9 jzdrzalek (New Member)

    Hi,

    Same issue here. I'm trying to install a StartSSL.com free Class 1 certificate. The CSR is created with the Zimbra GUI. StartSSL has a root CA and an intermediate CA. My Zimbra is: Release 6.0.5_GA_2213.RHEL5_20100202211341, CentOS 5, NETWORK edition.
    It's an all-in-one installation.

    After the installation of the certificates finishes and a reboot is done,
    the mailbox service doesn't start anymore.

    Code:
    [root@mx2 ~]# cat /etc/hosts
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1		localhost.localdomain localhost
    ::1		localhost6.localdomain6 localhost6
    85.182.255.142	mx2.silpion.it	mx2
    Code:
    [root@mx2 ~]# cat /etc/resolv.conf
    nameserver 85.182.255.129
    search localdomain
    Code:
    [root@mx2 ~]# hostname -f
    mx2.silpion.it
    Code:
    [root@mx2 ~]# host -t a silpion.it
    silpion.it has address 195.68.236.54
    Code:
    [root@mx2 ~]# host -t mx silpion.it
    silpion.it mail is handled by 10 mx2.silpion.it.
    Code:
    [root@mx2 ~]# host -t a mx2.silpion.it
    mx2.silpion.it has address 85.182.255.142

  10. #10 jzdrzalek (New Member)

    I gave it a try on the console:

    1. Copy the private key to:
       /opt/zimbra/ssl/zimbra/commercial/commercial.key
    2. Deploy the CA bundle:
       /opt/zimbra/bin/zmcertmgr deployca /path-to-ca-bundle/commercial_ca.crt
    3. Copy the CA bundle to:
       /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    4. Verify the key and cert:
       /opt/zimbra/bin/zmcertmgr verifycrt comm /yourpath/commercial.key /yourpath/commercial.crt
    5. Deploy the cert:
       /opt/zimbra/bin/zmcertmgr deploycrt comm /yourpath/commercial.crt /yourpath/commercial_ca.crt
    6. Restart Zimbra:
       /etc/init.d/zimbra stop
       /etc/init.d/zimbra start

    All of the above actions finished OK.

    It still doesn't start correctly.

    Code:
    Mar 19 19:03:01 mx2 zimbramon[31570]: 31570:info: zmmtaconfig: gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    Mar 19 19:03:04 mx2 zimbramon[31570]: 31570:info: zmmtaconfig: Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    All other errors are complaining: "system failure: ZimbraLdapContext"
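Added example, not code from the thread, from Zimbra or from any CA: both posters hit the same Java error, "PKIX path building failed ... unable to find valid certification path to requested target", which is the JRE's way of saying the client could not build a chain from the presented certificate to a trust anchor it holds. Post #2's advice (install the CA's bundle, not just its root) and step 4 of post #10 (verify that key and cert belong together) are the two pre-deploy checks that catch the common causes, so this script builds a constructed three-tier PKI (root CA, intermediate CA, server cert; all names such as mail.example.test are made up) with openssl and shows, with plain `openssl verify`, that the leaf only validates against a bundle that contains the intermediate, and shows a key/cert mismatch being caught by comparing public keys. The `verify_chain` and `key_matches_cert` functions are this example's own; they are not zmcertmgr.

```shell
#!/bin/sh
# Constructed PKI + the two checks worth running before deploying a commercial
# cert into any mail/LDAP stack. Everything here is generated on the fly;
# no real CA, hostname or key is involved.
set -eu

WORK=$(mktemp -d)

# --- root CA (self-signed, CA:TRUE) -------------------------------------------
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Constructed Root CA" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

# --- intermediate CA, signed by the root --------------------------------------
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" >/dev/null 2>&1

# --- server (leaf) cert, signed by the intermediate ---------------------------
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=mail.example.test" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/server.pem" >/dev/null 2>&1

# An unrelated key, to show what a key/cert mismatch looks like.
openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1

# A CA "bundle" is intermediate + root concatenated; root.pem alone is the
# "just the root cert" case that post #2 warns against.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"

# verify_chain CAFILE CERT: succeeds only if CERT chains to a trust anchor in
# CAFILE. "unable to get local issuer certificate" here corresponds to Java's
# "unable to find valid certification path to requested target".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds only if the public key embedded in CERT
# is the one derived from KEY (the check a verifycrt-style step should make).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Readable report when the script is run directly.
report() {
    if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi
}
report verify_chain "$WORK/root.pem" "$WORK/server.pem"       # FAIL: intermediate missing
report verify_chain "$WORK/bundle.pem" "$WORK/server.pem"     # OK
report key_matches_cert "$WORK/server.key" "$WORK/server.pem" # OK
report key_matches_cert "$WORK/other.key" "$WORK/server.pem"  # FAIL: wrong key
```

The first check is the one that maps onto the thread's symptom: a leaf issued by an intermediate fails to verify against a file holding only the root, and passes once the intermediate is in the bundle. With Java components the same rule applies to whichever trust store the JVM consults (the standard `keytool -list` command shows what a given keystore contains); if the issuing chain is not reachable from that store, every TLS client inside the JVM, LDAP included, reports the PKIX error quoted above regardless of what `openssl verify` says on the command line.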
