I have set up a test environment of a multi-server Zimbra, looking like this:
Zimbra 8.0.0/Open Source, CentOS 6.3
1 x LDAP
2 x MTA/Proxy
2 x Mail store
One DNS alias resolving to the two IP addresses of the MTA/Proxy machines (i.e. DNS round-robin). The name is mail.example.com and this name is to be used by end-users.
Everything was working as expected until I tried to install a Commercial Certificate...
I followed this wiki: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
(and my own notes of previous, successful installations in 7.x/NE/single-server).
The wiki does not show the procedure for Multi-server + Commercial cert, but I did like this:
Code:
# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject '/C=COM/ST=Example/L=Someware/O=Some Site/OU=IT/CN=mail.example.com' -subjectAltNames 'z-ldap1.example.com, z-gw.1.exampl.com, ...'
(all server names as AltNames)
# openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr
(Looking good. Got it signed.)
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/SSL/cert.crt /root/SSL/chain.crt
(Looking good. After signing.)
# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
The last step started the installation on all machines in the system, but failed big time... see below:
Did I guess wrong on how to do this for multi-server + comm cert?
I ran this on one of the mail stores (the wiki does not specify this). Was this correct?
Output:
Code:
# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
** Verifying /root/SSL/mail.example.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/root/SSL/mail.example.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /root/SSL/mail.example.com.crt: OK
** Copying /root/SSL/mail.example.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain /root/SSL/chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving global config key zimbraSSLCertificate...done.
** Saving global config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Warning: Permanently added 'z-gw-1.example.com,192.168.18.188' (RSA) to the list of known hosts.
STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
Warning: Permanently added 'z-gw-2.example.com,192.168.18.189' (RSA) to the list of known hosts.
STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
Warning: Permanently added 'z-ldap1.example.com,192.168.18.187' (RSA) to the list of known hosts.
STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
Warning: Permanently added 'z-store2.example.com,192.168.18.186' (RSA) to the list of known hosts.
STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
** Retrieving global config key zimbraSSLCertificate...done.
** Retrieving global config key zimbraSSLPrivateKey...done.
ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
** Retrieving server config key zimbraSSLCertificate...done.
** Retrieving server config key zimbraSSLPrivateKey...done.
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
XXXXX ERROR: Invalid Certificate:
XXXXX ERROR: provided cert isn't valid.
ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
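The remote hosts above all pass the key/certificate match step and then fail at "Error loading file .../commercial_ca.crt", i.e. the chain file is unreadable on those hosts when verification runs. The following script, added here as an illustration and not part of the original post or of Zimbra's zmcertmgr, reproduces that per-host pre-flight check with plain openssl: every input file must be readable, the private key's public half must equal the certificate's, and the certificate must verify against the chain for TLS server use. It builds a throwaway CA and a leaf certificate for mail.example.com (with the gateway hostnames as SANs) so it runs offline; the function names, the demo config, the temporary paths and the constructed PKI are all assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight check for a commercial certificate bundle before deploying it.
# Added example; not Zimbra code. Function names, the throwaway PKI and all
# paths below are assumptions made for this demo.
set -u

# write_demo_config DIR: minimal openssl config so the demo does not depend on
# the system openssl.cnf (constructed for this example)
write_demo_config() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.com,DNS:z-gw-1.example.com,DNS:z-gw-2.example.com
EOF
}

# make_test_pki DIR: throwaway CA + leaf cert for mail.example.com, plus an
# unrelated key used to simulate a key/cert mismatch (constructed, 1-day validity)
make_test_pki() {
    dir="$1"
    write_demo_config "$dir"
    openssl req -x509 -config "$dir/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
    openssl req -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/mail.key" -out "$dir/mail.csr" -subj "/CN=mail.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$dir/mail.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/demo.cnf" -extensions v3_leaf -out "$dir/mail.crt" -days 1 >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
}

# check_cert_bundle KEY CERT CHAIN
# Returns 0 only if every file is readable, KEY's public key equals CERT's,
# and CERT verifies against CHAIN for TLS server use. Returns 1 otherwise.
check_cert_bundle() {
    key="$1"; crt="$2"; chain="$3"
    for f in "$key" "$crt" "$chain"; do
        if [ ! -r "$f" ]; then
            echo "ERROR: cannot read $f (was it copied to this host?)" >&2
            return 1
        fi
    done
    # Compare PEM public keys rather than RSA modulus hashes so any key type works
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "ERROR: private key $key does not match certificate $crt" >&2
        return 1
    fi
    # Same check the deploy step performs: build a path from CERT to a root in CHAIN
    if ! openssl verify -CAfile "$chain" -purpose sslserver "$crt" >/dev/null 2>&1; then
        echo "ERROR: $crt does not verify against chain $chain" >&2
        return 1
    fi
    echo "OK: $crt matches $key and verifies against $chain"
    return 0
}

# Demo run over the constructed PKI: a good bundle, a mismatched key, and a
# chain file that is missing on this host (the symptom seen on the remote nodes).
WORK="${TMPDIR:-/tmp}/certcheck.$$"
mkdir -p "$WORK"
make_test_pki "$WORK"
check_cert_bundle "$WORK/mail.key" "$WORK/mail.crt" "$WORK/ca.crt"
check_cert_bundle "$WORK/other.key" "$WORK/mail.crt" "$WORK/ca.crt"
check_cert_bundle "$WORK/mail.key" "$WORK/mail.crt" "$WORK/missing_chain.crt"
rm -rf "$WORK"
```

Run it on each node before the deploy step, pointing check_cert_bundle at the real key, certificate and chain paths on that host; a non-zero exit on any node means the deploy would fail there in the same way, and the stderr line names which of the three preconditions was not met.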