Results 1 to 2 of 2

Thread: certificate renew on multi server installation on production

  1. 06-11-2012, 01:37 AM #1
    gullio
    gullio is offline Junior Member
    Join Date
    May 2011
    Posts
    8
    Rep Power
    3

    Default certificate renew on multi server installation on production

    hi guys, i hope that someone can help me with this issue:

    i have multiple zcs 7.1 server installation(1 server mailbox,ldap;1 server mta spam, proxy)

    today the servers certificate has been expired..then i follow the istruction on Administration Console and CLI Certificate Tools and i was able to resolve the problem in the mailbox server but not in the mta server. here the output of the deploycrt:

    Code:
    root@zmailbox:/opt/zimbra/ssl/zimbra/ca# /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
** Saving global config key zimbraSSLCertificate...done.
** Saving global config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
STARTCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver

** Retrieving global config key zimbraSSLCertificate...failed.
** Retrieving global config key zimbraSSLPrivateKey...failed.
ENDCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver

STARTCMD: mta.amapspa.it sudo /opt/zimbra/bin/zmcertmgr deploycrt self

** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/mta.gullio.it.pkcs12...failed.

XXXXX ERROR: failed to create mta.gullio.it.pkcs12
unable to load private key
140504767506088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY

ENDCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr deploycrt self
    on the mta server when i try to verify the certs it show this output:

    Code:
    root@mta:/opt/zimbra# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
::service mta::
unable to load certificate
140718467270312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
unable to load certificate
139883959674536:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
SubjectAltName=
::service proxy::
unable to load certificate
140275570091688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140074771527336:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
SubjectAltName=
::service mailboxd::
XXXXX ERROR: failed to export /opt/zimbra/mailboxd/etc/mailboxd.pem from keystore.

keytool error: java.lang.RuntimeException: Usage error, /opt/zimbra/conf/keystore is not a legal command

XXXXX ERROR: /opt/zimbra/mailboxd/etc/mailboxd.pem does not exist
::service ldap::
unable to load certificate
140146101458600:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
unable to load certificate
139950821123752:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
SubjectAltName=
    can someone suggest me how i can solve the problem, it is very urgent pls

    thanks
    Giulio
    Reply With Quote Reply With Quote
  2. 06-11-2012, 04:23 AM #2
    gullio
    gullio is offline Junior Member
    Join Date
    May 2011
    Posts
    8
    Rep Power
    3

    Default

    hi guys i was able to resolve the issue alone with all those steps:

    on all hosts i have deleted
    Code:
    /opt/zimbra/ssl
    directory(i have done a backup 1st) then issue this commands:

    Code:
    /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
 
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    (the last only on mailboxd)

    next i have created the ca with self certificate and after that i have issued those commands on mailboxd:

    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
    that operation fill the ssl directory on all servers, then i have run an scp to Mta and copied the ca.pem and ca.key from mailboxd server in
    Code:
    /opt/zimbra/conf/ca
    and run only on mta:
    Code:
    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
    after that i run:
    Code:
    zmupdateauthkeys
    and at the end restart zimbra services with zmcontrol.

    hope that help someone with the same problem
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. multi-node commercial certificate installation?
    By tiger2000 in forum Administrators
    Replies: 3
    Last Post: 01-06-2013, 07:12 PM
  2. Zimbra 4.55 Self-Signed SSL Certificate ERROR on Production server
    By Newuser in forum Administrators
    Replies: 3
    Last Post: 06-01-2010, 04:33 AM
  3. Renew a certificate
    By Billy in forum Administrators
    Replies: 3
    Last Post: 09-07-2009, 02:20 AM
  4. Renew of GoDaddy SSL Certificate
    By phatbyte in forum Administrators
    Replies: 4
    Last Post: 10-07-2008, 09:15 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules