Certificate problem following 3.1.0 -> 4.0 upgrade

[simonellistonball]

I'm having a problem with security certificates following an upgrade to 4.0.

zmprov no longer works, it would seem to be something to do with a trust issue.

Code:

[zimbra@zs1 ~]$ zmprov 
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Jul 09 14:50:44 BST 2006
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

I attempted to recreate the certificate with little luck.

Code:

[root@zs1 zimbra]# zmcreatecert 
** Importing CA

keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists
** Creating keystore

** Creating server cert request

Generating a 1024 bit RSA private key
........++++++
...........++++++
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request

Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 7 (0x7)
        Validity
            Not Before: Aug 21 10:43:39 2006 GMT
            Not After : Aug 21 10:43:39 2007 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = N/A
            organizationName          = Zimbra Collaboration Suite
            commonName                = zs1.cromwells.co.uk
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                00:6C:C7:C4:3F:84:DD:38:E1:EE:75:FC:20:88:37:51:AE:48:8C:8F
            X509v3 Authority Key Identifier: 
                DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite
                serial:A5:C8:2E:FF:BD:0D:9B:23

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Aug 21 10:43:39 2007 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zs1.cromwells.co.uk
Getting CA Private Key
[root@zs1 zimbra]# zmcertinstall 
** Importing server cert

/opt/zimbra/bin/zmcertinstall: line 81: [: =: unary operator expected
cp: missing destination file operand after `/opt/zimbra/conf/smtpd.key'
Try `cp --help' for more information.
[root@zs1 zimbra]# zmcertinstall mailbox
** Importing server cert

keytool error: java.lang.Exception: Failed to establish chain from reply
[root@zs1 zimbra]#

Any pointers?

[claros]

Have a look to this:

http://wiki.zimbra.com/index.php?tit...certificate%29

Seem you simply have to delete the alias...

Ciao

[phoenix]

Seem you simply have to delete the alias...

Not quite, the instructions are for deleting and creating a new certificate - but you are correct, that's all that's needed to resolve this problem.

[mijit]

i have the same problem with an expired certificate after upgrade, but i am unable to to delete it:

Code:

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password>
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

i tried an administrator password, but i do not recall any other password i set at the time of install. is there any way for me to continue?

[phoenix]

have you checked that you're allowed to delete that file? Did you follow these instructions ?

[mijit]

yes, i followed those directions. however, i did not use the word "changeit" because i assumed the instructions were telling me to "change it" to my own password. that turns out to have been wrong - using the word "changeit" verbatim allowed the operation to proceed.

i did also get this error:

Code:

keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)

which had to do with the lack of write privileges on the cacerts file, fixed by:

Code:

chmod 644 /opt/zimbra/java/jre/lib/security/cacerts