
Thread: Certificate problem following 3.1.0 -> 4.0 upgrade

  1. #1
    simonellistonball (Intermediate Member)

    I'm having a problem with security certificates following an upgrade to 4.0.

    zmprov no longer works; it would seem to be something to do with a trust issue.

    Code:
    [zimbra@zs1 ~]$ zmprov 
    [] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Jul 09 14:50:44 BST 2006
    ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

    I attempted to recreate the certificate with little luck.

    Code:
    [root@zs1 zimbra]# zmcreatecert 
    ** Importing CA
    
    keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists
    ** Creating keystore
    
    ** Creating server cert request
    
    Generating a 1024 bit RSA private key
    ........++++++
    ...........++++++
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request
    
    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 7 (0x7)
            Validity
                Not Before: Aug 21 10:43:39 2006 GMT
                Not After : Aug 21 10:43:39 2007 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = N/A
                organizationName          = Zimbra Collaboration Suite
                commonName                = zs1.cromwells.co.uk
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    00:6C:C7:C4:3F:84:DD:38:E1:EE:75:FC:20:88:37:51:AE:48:8C:8F
                X509v3 Authority Key Identifier: 
                    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite
                    serial:A5:C8:2E:FF:BD:0D:9B:23
    
                X509v3 Key Usage: 
                    Digital Signature, Non Repudiation, Key Encipherment
    Certificate is to be certified until Aug 21 10:43:39 2007 GMT (365 days)
    
    Write out database with 1 new entries
    Data Base Updated
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zs1.cromwells.co.uk
    Getting CA Private Key
    [root@zs1 zimbra]# zmcertinstall 
    ** Importing server cert
    
    /opt/zimbra/bin/zmcertinstall: line 81: [: =: unary operator expected
    cp: missing destination file operand after `/opt/zimbra/conf/smtpd.key'
    Try `cp --help' for more information.
    [root@zs1 zimbra]# zmcertinstall mailbox
    ** Importing server cert
    
    keytool error: java.lang.Exception: Failed to establish chain from reply
    [root@zs1 zimbra]#

    Any pointers?

  2. #2
    claros (Project Contributor)

    Have a look at this:

    http://wiki.zimbra.com/index.php?tit...certificate%29

    Seems you simply have to delete the alias...

    Ciao

  3. #3
    phoenix (Zimbra Consultant & Moderator)

    Quote, originally posted by claros:
        Seems you simply have to delete the alias...

    Not quite, the instructions are for deleting and creating a new certificate - but you are correct, that's all that's needed to resolve this problem.

    Regards
    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    mijit (New Member)

    I have the same problem with an expired certificate after upgrade, but I am unable to delete it:

    Code:
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password>
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

    I tried an administrator password, but I do not recall any other password I set at the time of install. Is there any way for me to continue?

  5. #5
    phoenix (Zimbra Consultant & Moderator)

    Have you checked that you're allowed to delete that file? Did you follow these instructions?

    Regards
    Bill

  6. #6
    mijit (New Member)

    Yes, I followed those directions. However, I did not use the word "changeit" because I assumed the instructions were telling me to "change it" to my own password. That turns out to have been wrong - using the word "changeit" verbatim allowed the operation to proceed.

    I did also get this error:

    Code:
    keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)

    which had to do with the lack of write privileges on the cacerts file, fixed by:

    Code:
    chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
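
Added example, not part of the original thread or of Zimbra's tooling: the failure in the first post comes from an expired entry in the Java trust store, so this script lists every alias whose certificate has expired, reading the text that `keytool -list -v` prints. The function names and the sample listing are constructed for illustration, and the "Valid from: ... until: ..." line layout is an assumption about keytool's output.

```shell
#!/bin/sh
# Added example (not from the thread): report keystore aliases whose
# certificate has expired, from the text printed by `keytool -list -v`.

# expired_aliases TODAY   (TODAY = YYYYMMDD); keytool listing on stdin.
# Prints each alias that has a certificate with an "until:" date before TODAY.
expired_aliases() {
  awk -v today="$1" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    /^Alias name: / { alias = substr($0, 13) }
    /until: / {
      # e.g. "Valid from: ... until: Sun Jul 09 14:50:44 BST 2006"
      s = $0; sub(/.*until: /, "", s)
      k = split(s, f, " ")
      if (k < 6 || !(f[2] in mon)) next   # unrecognised date layout: skip
      notafter = sprintf("%04d%02d%02d", f[6], mon[f[2]], f[3])
      if (alias != "" && notafter < today) { print alias; alias = "" }
    }'
}

# Constructed sample of `keytool -list -v` output. The my_ca expiry is the
# NotAfter date from the first post; every other value is made up.
sample_listing() {
  cat <<'EOF'
Alias name: my_ca
Entry type: trustedCertEntry
Owner: O=Zimbra Collaboration Suite, C=US
Valid from: Sat Jul 09 14:50:44 BST 2005 until: Sun Jul 09 14:50:44 BST 2006

Alias name: example_root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Valid from: Mon Jan 01 00:00:00 GMT 2001 until: Tue Jan 01 00:00:00 GMT 2030
EOF
}

sample_listing | expired_aliases 20060821    # day of the zmcreatecert run

# Against the live trust store from the thread:
# keytool -list -v -keystore /opt/zimbra/java/jre/lib/security/cacerts \
#   -storepass changeit | expired_aliases "$(date +%Y%m%d)"
```

Any alias it reports is a candidate for the delete-and-recreate procedure the replies point to.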
