  #1 (permalink)  
Old 05-11-2010, 09:29 PM
Member
 
Posts: 13
Post GoDaddy Cert Problem

Hello,

I am attempting to install a GoDaddy cert with my (otherwise wonderful) Zimbra setup.


First I am generating a csr and key with openssl -

Code:
[root@cloud3:~/certs ] #:openssl genrsa -des3 -out cloud3.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for cloud3.key:
6293:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for cloud3.key:
6293:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for cloud3.key:
Verifying - Enter pass phrase for cloud3.key:

Code:
[root@cloud3:~/certs ] #:openssl req -new -key cloud3.key -out cloud3.csr 
Enter pass phrase for cloud3.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NJ
Locality Name (eg, city) []:Summit
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Jiffy Cloud!
Organizational Unit Name (eg, section) []:Zimbra
Common Name (eg, YOUR name) []:cloud3.jiffycloud.com
Email Address []:bluethundr@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

All pretty standard.

Then I verify the cert with the appropriate zimbra command:

Code:
[root@cloud3:~/certs ] #:/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/cloud3.key ./cloud3.newdom.com.crt ./gd_bundle.crt
** Verifying ./cloud3.newdom.com.crt against /opt/zimbra/ssl/zimbra/commercial/cloud3.key
Enter pass phrase for /opt/zimbra/ssl/zimbra/commercial/cloud3.key:
Certificate (./cloud3.newdom.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/cloud3.key) match.
Valid Certificate: ./cloud3.newdom.com.crt: OK

But when I try to deploy the cert I get this error:

Code:
[root@cloud3:~/certs ] #:/opt/zimbra/bin/zmcertmgr deploycrt comm ./cloud3.newdom.crt ./gd_bundle.crt
** Verifying ./cloud3.newdom.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Can't find private key  /opt/zimbra/ssl/zimbra/commercial/commercial.key  
XXXXX ERROR: provided cert isn't valid.
I made sure to key the cloud3.crt file with the CSR generated above.

It appears to be looking for commercial.key when I need to be using cloud3.key

Suggestions?
  #2 (permalink)  
Old 05-12-2010, 12:12 AM
Trained Alumni
 
Posts: 25

Have a look at this wiki. It suggests a "Zimbra way" to generate the CSR.

Administration Console and CLI Certificate Tools - Zimbra :: Wiki
  #3 (permalink)  
Old 05-12-2010, 06:41 AM
Moderator
 
Posts: 1,209

FWIW, we use GoDaddy certs a fair amount but frequently have problems.

The "BFI" method we use is essentially to wipe everything, start fresh, and then use a blend of the commandline tools and the Admin Console. Doing this however requires some downtime.

First, back up your ssl directory!

Then, get the system to a good clean state before doing the commercial ssl work:

  1. Using the commandline tools, regenerate and deploy a new Zimbra CA.
  2. Using the Admin Console, create and deploy a self-signed SSL cert.
  3. Confirm at this point that the system works OK, and then back up the ssl directory once again.
  4. Use the Admin Console to create a CSR for GoDaddy. One cert per server; domain wildcard and multi-server certs have for us never worked.
  5. Go back to the commandline to fetch the newly created CSR; too often the Admin Console functionality to display/retrieve the CSR we find doesn't work.
  6. Submit the CSR to GoDaddy and get your ssl cert, plus the GoDaddy root and bundle certs.
  7. Use the Admin Console to deploy the certs, using the bundle cert as the Intermediate cert.

Hope that helps,
Mark

P.S. ("BFI" = Brute Force and Ignorance...)
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
  #4 (permalink)  
Old 05-17-2010, 09:39 AM
Active Member
 
Posts: 45

We have found that GoDaddy certs rarely work from the Admin Console. The following are the steps that work reliably; as root, do the following:

1) mkdir /root/certs and place the cert files in there

2) cat gd_bundle.crt gd-class2-root.crt >> commercial_ca.crt

2.1) cp /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra

chmod 740 /opt/zimbra/ssl/zimbra/commercial.key

3) verify the certificate
cd /root/certs
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key ./commercial.crt ./commercial_ca.crt

4) deploy the cert
cd /root/certs
/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt

5) restart the zimbra services
su - zimbra
zmcontrol stop
zmcontrol start
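The key-match and chain checks that the verify step above relies on, written with stock openssl so they can be run on the files before deploycrt. This is an added example, not part of the post or of Zimbra's zmcertmgr; the function names, return codes and the example.test fixture are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Return codes are this script's own:
# 0 ok, 1 key/cert mismatch, 2 chain fails, 3 key world-readable, 4 bad input
preflight() {   # usage: preflight KEY CERT CA_BUNDLE
    key=$1 cert=$2 ca=$3
    for f in "$key" "$cert" "$ca"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 4; }
    done

    # A private key readable by "other" is exposed to every local account.
    if [ -n "$(find "$key" -prune -perm -004 2>/dev/null)" ]; then
        echo "$key is world-readable; tighten its mode first" >&2
        return 3
    fi

    # Match on the public key itself, not on file names. An encrypted key
    # makes openssl prompt for its pass phrase at this point.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate was not issued for this key" >&2
        return 1
    fi

    # CA_BUNDLE (intermediates plus root in one PEM file) must let openssl
    # build a complete path from CERT up to a self-signed root.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain in $ca does not verify $cert" >&2
        return 2
    fi
    echo "ok: key matches certificate, chain verifies"
}

# Constructed fixture for trying the checks offline: a throwaway self-signed
# certificate and unencrypted key named NAME.crt / NAME.key in DIR.
make_fixture() {   # usage: make_fixture NAME DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1.example.test" \
        -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1 &&
        chmod 600 "$2/$1.key"
}

# Stand-alone use: sh preflight.sh KEY CERT CA_BUNDLE
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

A return code of 1 means the certificate was issued for a different key than the one supplied, whatever the files are named.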
  #5 (permalink)  
Old 11-30-2010, 10:26 AM
Intermediate Member
 
Posts: 16

I am trying to use a GoDaddy UCS cert. I don't have a gd-class2-root.crt file; mine came with the following:
gd_bundle.crt
gd_cross_intermediate.crt
gd_intermediate.crt
mail.domain.com.crt

Trying to use the directions above but not sure exactly what to do.
  #6 (permalink)  
Old 11-30-2010, 12:00 PM
Moderator
 
Posts: 1,432

This may help, although it's focused on renewal of a UCC cert: http://www.zimbra.com/forums/install...t-renewal.html
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
  #7 (permalink)  
Old 11-30-2010, 12:10 PM
Intermediate Member
 
Posts: 16

Thanks, I was able to get it working through the GUI by choosing gd_bundle.crt for the root, mail.domain.crt for the cert and gd_intermediate.crt for the intermediate. Bookmarked your link for the future though. Thanks!