
Thread: zmprov zclient.IO_ERROR Untrusted Server Certificate Chain

  1. #1
    msmyth, Junior Member (joined Dec 2006)

    I am trying to provision a number of accounts using zmprov, and I continue to get this error:
    Code:
    ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)
    We have changed our certificate to be a commercial (GoDaddy) cert via the steps on http://wiki.zimbra.com/index.php?tit...l_Certificates and imported the root and intermediate certs to the keystore. We've linked the certs and keys (for smtpd, slapd, and perdition) to the correct items (per the same page) and the mail clients and browsers are happy, but zmprov isn't. It won't work.

    I've found other pages (Certificate problem following 3.1.0 -> 4.0 upgrade or http://wiki.zimbra.com/index.php?tit...certificate%29 as examples) that say to use the certinstall, which just is a batch copying the files like our links. So it's not that.

    How can I get zmprov to recognize that the cert is valid? Or how can I tell it to ignore the mismatch? Or what else should I consider?

    Thanks!

    -Matthew

  2. #2
    Ramadan Mansoura, Former Zimbran (joined Oct 2006)

    You want to look at this link since you are using a commercial certificate
    http://wiki.zimbra.com/index.php?tit...rt_the_new_CRT

    You need to add the cert to the java trustedcerts.

    keytool -import -alias aliasname -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /path/to/cert/file -trustcacerts -storepass changeit

    Notes:
    Replace the aliasname with the alias you chose when you imported your cert into the commercial.keystore.
    For OS X, the path to the Java trustedcerts is different.

    I hope this helps

  3. #3
    msmyth, Junior Member (joined Dec 2006)

    Not quite yet... did I miss something?

    So I tried the line you suggested:
    Code:
    keytool -import -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -file ./my.decrypted.crt -trustcacerts -storepass changeit
    and restarted Tomcat. No luck.

    We were using the wiki page (from my first post and your post) as the guideline, and we are indeed using Mac OSX, so the path looks kind of different.

    We did, from the GoDaddy section:
    Code:
    # To import root cert:
    keytool -import -alias root -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file valicert_class2_root.crt

    # To import intermediate cert:
    keytool -import -alias intermed -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file sf_issuing.crt

    keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file [FileNameofCert] -storepass 

    cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
    The thing I'm noticing is that all of the paths (and where we're targeting) show /opt/zimbra/tomcat/conf/keystore as the path... but if it is different in OSX, I'm not finding an alternate location. It's certainly not at /opt/zimbra/java/jre/lib/security/cacerts which doesn't exist. Should I be looking somewhere else? Is there a way to show what keystore is in use?

  4. #4
    Ramadan Mansoura, Former Zimbran (joined Oct 2006)

    The path to Java trustedcerts in OS X is
    /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts

  5. #5
    msmyth, Junior Member (joined Dec 2006)

    We have a winner!

    So having that path instead was the trick. What ended up working was:
    Code:
    keytool -import -alias tomcat -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -trustcacerts -file /opt/zimbra/ssl/<your ssl root_keys path>/valicert_class2_root.crt -storepass changeit
    which now lets me use zmprov with no issue!

    Thanks... and I'll add a note in the Wiki so future OS X users aren't caught...
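
Post #3 asks how to tell which keystore is in use. As an added example (not part of the thread and not Zimbra's own tooling), this script resolves the trust store a JVM consults by default and checks, by SHA1 fingerprint, whether a CA certificate is already in it. The function names and the `TRUSTSTORE_OVERRIDE` and `STOREPASS` variables are hypothetical; `changeit` is the store password used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function and variable names are hypothetical.

# Print the trust store a JVM consults by default. JSSE lookup order:
# the javax.net.ssl.trustStore property (passed here as optional $2), then
# lib/security/jssecacerts, then lib/security/cacerts under java.home.
# Assumption: $1 may also be a JDK root that nests its JRE under jre/.
resolve_truststore() {
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; return 0; fi
    for base in "$1/lib/security" "$1/jre/lib/security"; do
        for name in jssecacerts cacerts; do
            if [ -f "$base/$name" ]; then printf '%s\n' "$base/$name"; return 0; fi
        done
    done
    return 1
}

# Read `keytool -printcert` or `keytool -list -v` output on stdin and print
# each SHA1 fingerprint as bare upper-case hex, one per line.
sha1_fingerprints() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Succeed if fingerprint $1 appears in the keystore listing on stdin.
# An empty fingerprint is rejected so a failed -printcert never "matches".
listing_has_fingerprint() {
    want=$(printf 'SHA1: %s\n' "$1" | sha1_fingerprints)
    [ -n "$want" ] || return 2
    sha1_fingerprints | grep -qx "$want"
}

# Check whether the single CA certificate in file $2 is in the trust store
# of the JVM whose home is $1.
ca_is_trusted() {
    store=$(resolve_truststore "$1" "${TRUSTSTORE_OVERRIDE:-}") || return 2
    fp=$(keytool -printcert -file "$2" | sha1_fingerprints)
    keytool -list -v -keystore "$store" -storepass "${STOREPASS:-changeit}" |
        listing_has_fingerprint "$fp"
}

# Run as: sh check_trust.sh <java-home> <ca-cert-file>
if [ "$#" -eq 2 ]; then
    if ca_is_trusted "$1" "$2"; then
        echo "CA is in the JVM trust store"
    else
        echo "CA is NOT in the JVM trust store"
    fi
fi
```

Importing a CA into the JVM-wide cacerts makes every Java program on that JVM trust it, so compare the certificate's fingerprint with the value the CA publishes before importing.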
