Certificate question

[easyrider]

Zimbra beta on RHEL4. The install went extremely well. Very impressive.

Everything seems to be working OK except that I am getting complaints about:

Nov 16 12:14:16 newmail postfix/smtpd[19821]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt

The file is indeed not there. Tried the create certificate tool but apparently that's for a different cert. This isn't causing any problems but it's generating a lot of error messages. What needs to be done to create this crt file?

TIA!

[marcmac]

after zmcreatecert

zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/ssl/ssl/smtpd.key

postfix stop
postfix start

[easyrider]

I believe zmcreatecert ran during the install but I ran it again anyway:
zmcertinstall failed. The default shell for the zimbra account is bash

[zimbra@newmail ~]$ zmcreatecert
** Importing CA

keytool error: java.lang.Exception: Certificate not imported, alias already exists
** Creating keystore

** Creating server cert request

Generating a 1024 bit RSA private key
......++++++
.........++++++
unable to write 'random state'
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request

Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 8 (0x8)
Validity
Not Before: Nov 16 19:23:31 2005 GMT
Not After : Nov 16 19:23:31 2006 GMT
Subject:
countryName = US
stateOrProvinceName = N/A
organizationName = Zimbra Collaboration Suite
commonName = newmail.designtechnica.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AB:57:91:DB:FE:DE:D4:0F:D4:86:8F:1B:5C:D3:A2:D1:69 :8F:61:E7
X509v3 Authority Key Identifier:
DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=newmail.d
esigntechnica.com
serial:00

Certificate is to be certified until Nov 16 19:23:31 2006 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
unable to write 'random state'
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=newmail.designtechnica.com
Getting CA Private Key
unable to write 'random state'
[zimbra@newmail ~]$ zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/
ssl/ssl/smtpd.key
/opt/zimbra/bin/zmcertinstall: line 47: print: command not found
[zimbra@newmail ~]$

[marcmac]

Sorry, that one slipped by. It's not finding the cert file you specified.

And the syntax I gave you was wrong:

should be
zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key

[easyrider]

Same failure

[root@plain log]# su - zimbra
[zimbra@newmail ~]$ zmcertinstall mta mta /opt/zimbra/ssl/ssl/server/smtpd.crt /
opt/zimbra/ssl/ssl/ca/ca.key
/opt/zimbra/bin/zmcertinstall: line 47: print: command not found
[zimbra@newmail ~]$

[marcmac]

Does /opt/zimbra/ssl/ssl/server/smtpd.crt exist? (Are you running M2?)

[easyrider]

I'm running the latest release of the "build it yourself" version downloaded from your site yesterday. Ran install.sh, answered a couple of questions and boom, everything worked.

smtpd.crt does not exist anywhere on the system. I have:

/opt/zimbra/ssl/ssl/server/tomcat.crt
/opt/zimbra/ssl/ssl/server/server.crt
/opt/zimbra/conf/slapd.crt

[marcmac]

Well, that's strange - I'll try to duplicate that, but for now:

as root:
cd ~zimbra
mv ssl foo
mkdir ssl
chown zimbra ssl

as zimbra:
zmcreateca
zmcreatecert

find ssl/

Should have:
ssl/
ssl/ssl
ssl/ssl/ca
ssl/ssl/ca/ca.pem
ssl/ssl/ca/ca.srl.old
ssl/ssl/ca/ca.key
ssl/ssl/ca/ca.csr
ssl/ssl/ca/ca.srl
ssl/ssl/zmssl.cnf
ssl/ssl/cert
ssl/ssl/server
ssl/ssl/server/tomcat.crt
ssl/ssl/server/server.csr
ssl/ssl/server/tomcat.csr
ssl/ssl/server/server.key
ssl/ssl/server/server.crt
ssl/ssl/newCA
ssl/ssl/newCA/index.txt
ssl/ssl/newCA/newcerts
ssl/ssl/newCA/newcerts/02.pem
ssl/ssl/newCA/index.txt.old

zmcertinstall mailbox
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key

[easyrider]

I think that may have fixed it. I'll know for sure in a few minutes.

FYI, /opt/zimbra had root/root ownership and a 755 mask.

I had to change it to root/zimbra (chgrp) and give group write access. I'm wondering if this is why install.sh failed to create this stuff when I built it...

[easyrider]

A related problem (I think..)

I think this happened after changing the hostname from the generic name that the ISP used when building the server. Everything seems to be working ok though.

The key does exist:
[root@plain named]# ls -l /opt/zimbra/conf/smtpd.key
-rw-rw-r-- 1 zimbra zimbra 887 Nov 16 15:21 /opt/zimbra/conf/smtpd.key
[root@plain named]#

Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: TLS library problem: 18752:
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
Nov 20 22:52:45 plain postfix/smtpd[18752]: warning: 209.190.15.3: hostname mx1.reg4you.com verification failed: Name or service not known
Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: TLS library problem: 19114:
error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389: