
Thread: Certificate question

  1. #1
    easyrider is offline Junior Member

    Certificate question

    Zimbra beta on RHEL4. The install went extremely well. Very impressive.

    Everything seems to be working OK except that I am getting complaints about:

    Nov 16 12:14:16 newmail postfix/smtpd[19821]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt

    The file is indeed not there. Tried the create certificate tool but apparently that's for a different cert. This isn't causing any problems but it's generating a lot of error messages. What needs to be done to create this crt file?

    TIA!

  2. #2
    marcmac is offline Expert Member

    cert install

    after zmcreatecert

    zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/ssl/ssl/smtpd.key

    postfix stop
    postfix start

  3. #3
    easyrider is offline Junior Member

    I believe zmcreatecert ran during the install but I ran it again anyway:
    zmcertinstall failed. The default shell for the zimbra account is bash

    [zimbra@newmail ~]$ zmcreatecert
    ** Importing CA

    keytool error: java.lang.Exception: Certificate not imported, alias already exists
    ** Creating keystore

    ** Creating server cert request

    Generating a 1024 bit RSA private key
    ......++++++
    .........++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request

    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 8 (0x8)
    Validity
    Not Before: Nov 16 19:23:31 2005 GMT
    Not After : Nov 16 19:23:31 2006 GMT
    Subject:
    countryName = US
    stateOrProvinceName = N/A
    organizationName = Zimbra Collaboration Suite
    commonName = newmail.designtechnica.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    AB:57:91:DB:FE:DE:D4:0F:D4:86:8F:1B:5C:D3:A2:D1:69:8F:61:E7
    X509v3 Authority Key Identifier:
    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=newmail.designtechnica.com
    serial:00

    Certificate is to be certified until Nov 16 19:23:31 2006 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=newmail.designtechnica.com
    Getting CA Private Key
    unable to write 'random state'
    [zimbra@newmail ~]$ zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/ssl/ssl/smtpd.key
    /opt/zimbra/bin/zmcertinstall: line 47: print: command not found
    [zimbra@newmail ~]$

  4. #4
    marcmac is offline Expert Member

    bug

    Sorry, that one slipped by. It's not finding the cert file you specified.

    And the syntax I gave you was wrong:

    should be
    zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key

  5. #5
    easyrider is offline Junior Member

    Same failure

    [root@plain log]# su - zimbra
    [zimbra@newmail ~]$ zmcertinstall mta mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key
    /opt/zimbra/bin/zmcertinstall: line 47: print: command not found
    [zimbra@newmail ~]$

  6. #6
    marcmac is offline Expert Member

    file not found

    Does /opt/zimbra/ssl/ssl/server/smtpd.crt exist? (Are you running M2?)

  7. #7
    easyrider is offline Junior Member

    I'm running the latest release of the "build it yourself" version downloaded from your site yesterday. Ran install.sh, answered a couple of questions and boom, everything worked.

    smtpd.crt does not exist anywhere on the system. I have:

    /opt/zimbra/ssl/ssl/server/tomcat.crt
    /opt/zimbra/ssl/ssl/server/server.crt
    /opt/zimbra/conf/slapd.crt

  8. #8
    marcmac is offline Expert Member

    no cert

    Well, that's strange - I'll try to duplicate that, but for now:

    as root:
    cd ~zimbra
    mv ssl foo
    mkdir ssl
    chown zimbra ssl

    as zimbra:
    zmcreateca
    zmcreatecert

    find ssl/

    Should have:
    ssl/
    ssl/ssl
    ssl/ssl/ca
    ssl/ssl/ca/ca.pem
    ssl/ssl/ca/ca.srl.old
    ssl/ssl/ca/ca.key
    ssl/ssl/ca/ca.csr
    ssl/ssl/ca/ca.srl
    ssl/ssl/zmssl.cnf
    ssl/ssl/cert
    ssl/ssl/server
    ssl/ssl/server/tomcat.crt
    ssl/ssl/server/server.csr
    ssl/ssl/server/tomcat.csr
    ssl/ssl/server/server.key
    ssl/ssl/server/server.crt
    ssl/ssl/newCA
    ssl/ssl/newCA/index.txt
    ssl/ssl/newCA/newcerts
    ssl/ssl/newCA/newcerts/02.pem
    ssl/ssl/newCA/index.txt.old

    zmcertinstall mailbox
    zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key

  9. #9
    easyrider is offline Junior Member

    I think that may have fixed it. I'll know for sure in a few minutes.

    FYI, /opt/zimbra had root/root ownership and a 755 mask.

    I had to change it to root/zimbra (chgrp) and give group write access. I'm wondering if this is why install.sh failed to create this stuff when I built it...

  10. #10
    easyrider is offline Junior Member

    A related problem (I think..)

    I think this happened after changing the hostname from the generic name that the ISP used when building the server. Everything seems to be working ok though.

    The key does exist:
    [root@plain named]# ls -l /opt/zimbra/conf/smtpd.key
    -rw-rw-r-- 1 zimbra zimbra 887 Nov 16 15:21 /opt/zimbra/conf/smtpd.key
    [root@plain named]#

    Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: TLS library problem: 18752:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
    Nov 20 22:52:45 plain postfix/smtpd[18752]: warning: 209.190.15.3: hostname mx1.reg4you.com verification failed: Name or service not known
    Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: TLS library problem: 19114:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
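
Added example, not part of the thread or of Zimbra's tooling: the `key values mismatch` warning in post #10 means the public key inside the certificate does not correspond to the private key Postfix was given. This script compares the two with `openssl` and also flags a key file that has group or world access bits set, as in the `-rw-rw-r--` listing above; it assumes PEM files and an unencrypted key.

```shell
#!/bin/sh
# Added example (not part of Zimbra): check that a PEM certificate and an
# unencrypted PEM private key belong together, and that the key file is
# private to its owner. Usage:
#   sh check_pair.sh /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/smtpd.key

# check_pair CERT KEY -> 0 match, 1 mismatch, 2 unreadable input
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $1"; return 2; }
    # -passin pass: keeps openssl from prompting if the key is encrypted
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot read private key: $2"; return 2; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $1 was not issued for the key in $2"
        return 1
    fi
    echo "OK: certificate and key share the same public key"
}

# key_mode_ok KEY -> 0 if group and others have no access bits set
key_mode_ok() {
    bits=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# Run both checks when called with a certificate path and a key path.
if [ "$#" -eq 2 ]; then
    key_mode_ok "$2" || echo "WARNING: $2 is accessible beyond its owner"
    check_pair "$1" "$2"
fi
```

Running it before restarting Postfix shows whether the installed certificate and key belong to the same pair without waiting for the warning to appear in the mail log.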
