#1
01-06-2007, 02:11 PM
Junior Member
Posts: 5
zmprov zclient.IO_ERROR Untrusted Server Certificate Chain

I am trying to provision a number of accounts using zmprov, and I continue to get this error:
Code:
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
We have changed our certificate to be a commercial (GoDaddy) cert via the steps on http://wiki.zimbra.com/index.php?tit...l_Certificates and imported the root and intermediate certs to the keystore. We've linked the certs and keys (for smtpd, slapd, and perdition) to the correct items (per the same page) and the mail clients and browsers are happy, but zmprov isn't. It won't work.

I've found other pages (Certificate problem following 3.1.0 -> 4.0 upgrade or http://wiki.zimbra.com/index.php?tit...certificate%29 as examples) that say to use the certinstall, which is just a batch copying of the files, like our links. So it's not that.

How can I get zmprov to recognize that the cert is valid? Or how can I tell it to ignore the mismatch? Or what else should I consider?

Thanks!

-Matthew
#2
01-06-2007, 10:55 PM
Zimbra Employee
Posts: 55

You want to look at this link since you are using a commercial certificate
http://wiki.zimbra.com/index.php?tit...rt_the_new_CRT

You need to add the cert to the java trustedcerts.

keytool -import -alias aliasname -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /path/to/cert/file -trustcacerts -storepass changeit

Notes:
Replace the aliasname with the alias you chose when you imported your cert into the commercial.keystore.
For OS X, the path to java trustedcerts is different.

I hope this helps.
#3
01-07-2007, 10:41 AM
Junior Member
Posts: 5
Not quite yet... did I miss something?

So I tried the line you suggested:
Code:
keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -file ./my.decrypted.crt -trustcacerts -storepass changeit
and restarted Tomcat. No luck.

We were using the wiki page (from my first post and your post) as the guideline, and we are indeed using Mac OS X, so the path looks kind of different.

We did, from the GoDaddy section:
Code:
# To import root cert:
keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

# To import intermediate cert:
keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file sf_issuing.crt

keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass 

cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
The thing I'm noticing is that all of the paths (and where we're targeting) show /opt/zimbra/tomcat/conf/keystore as the path... but if it is different in OSX, I'm not finding an alternate location. It's certainly not at /opt/zimbra/java/jre/lib/security/cacerts which doesn't exist. Should I be looking somewhere else? Is there a way to show what keystore is in use?
#4
01-07-2007, 12:05 PM
Zimbra Employee
Posts: 55

The path to java trustedcerts in os x is
/System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts
#5
01-07-2007, 03:15 PM
Junior Member
Posts: 5
We have a winner!

So having that path instead was the trick. What ended up working was:
Code:
keytool -import -alias tomcat -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -trustcacerts -file /opt/zimbra/ssl/<your ssl root_keys path>/valicert_class2_root.crt -storepass changeit
which now lets me use zmprov with no issue!

Thanks... and I'll add a note in the Wiki so future OS X users aren't caught...
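
One way to answer the question from post #3 ("Is there a way to show what keystore is in use?"), as an added example that is not part of the original thread or of Zimbra's tooling: it resolves the truststore a JVM reads by default (the file zmprov's Java client validates against, as opposed to the Tomcat keystore holding the server's own certificate) and checks it for an alias. The function names and the STOREPASS variable are hypothetical; the candidate Java homes, the alias and the default password are the ones quoted in the thread.

```shell
# Added example, not from the thread. Resolves the default JSSE truststore
# for a Java home, then checks whether an alias is in it.

# jvm_truststore JAVA_HOME: print the truststore that JVM uses by default
# (no -Djavax.net.ssl.trustStore set). JSSE prefers jssecacerts over
# cacerts, so an import into cacerts is ignored when jssecacerts exists.
jvm_truststore() {
    home=$1
    # A JDK (version 8 and earlier) keeps its runtime under jre/; a bare JRE
    # or the OS X "Home" directory has lib/security directly.
    if [ -d "$home/jre/lib/security" ]; then
        secdir="$home/jre/lib/security"
    else
        secdir="$home/lib/security"
    fi
    for name in jssecacerts cacerts; do
        if [ -f "$secdir/$name" ]; then
            printf '%s\n' "$secdir/$name"
            return 0
        fi
    done
    return 1
}

# first_truststore HOME...: first truststore found among candidate homes.
first_truststore() {
    for h in "$@"; do
        jvm_truststore "$h" && return 0
    done
    return 1
}

# has_alias STORE ALIAS: true when keytool finds ALIAS in STORE.
# STOREPASS is an assumed variable name; "changeit" is the value in the thread.
has_alias() {
    keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" \
        -alias "$2" >/dev/null 2>&1
}

# Candidate homes: the two Java locations named in the thread.
store=$(first_truststore /opt/zimbra/java \
    /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home) || store=
if [ -n "$store" ]; then
    echo "JVM truststore: $store"
    has_alias "$store" tomcat && echo "alias tomcat: present" \
        || echo "alias tomcat: missing"
else
    echo "no truststore under the candidate Java homes"
fi
```
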