Old 08-21-2006, 04:59 AM
Intermediate Member
 
Posts: 20
Certificate problem following 3.1.0 -> 4.0 upgrade

I'm having a problem with security certificates following an upgrade to 4.0.

zmprov no longer works; it would seem to be something to do with a trust issue.

Code:
[zimbra@zs1 ~]$ zmprov 
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Jul 09 14:50:44 BST 2006
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) (cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)

I attempted to recreate the certificate with little luck.

Code:
[root@zs1 zimbra]# zmcreatecert 
** Importing CA

keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists
** Creating keystore

** Creating server cert request

Generating a 1024 bit RSA private key
........++++++
...........++++++
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request

Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 7 (0x7)
        Validity
            Not Before: Aug 21 10:43:39 2006 GMT
            Not After : Aug 21 10:43:39 2007 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = N/A
            organizationName          = Zimbra Collaboration Suite
            commonName                = zs1.cromwells.co.uk
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                00:6C:C7:C4:3F:84:DD:38:E1:EE:75:FC:20:88:37:51:AE:48:8C:8F
            X509v3 Authority Key Identifier: 
                DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite
                serial:A5:C8:2E:FF:BD:0D:9B:23

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Aug 21 10:43:39 2007 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=zs1.cromwells.co.uk
Getting CA Private Key
[root@zs1 zimbra]# zmcertinstall 
** Importing server cert

/opt/zimbra/bin/zmcertinstall: line 81: [: =: unary operator expected
cp: missing destination file operand after `/opt/zimbra/conf/smtpd.key'
Try `cp --help' for more information.
[root@zs1 zimbra]# zmcertinstall mailbox
** Importing server cert

keytool error: java.lang.Exception: Failed to establish chain from reply
[root@zs1 zimbra]#

Any pointers?
  #2 (permalink)  
Old 08-22-2006, 06:04 AM
Project Contributor
 
Posts: 58

Have a look at this:

http://wiki.zimbra.com/index.php?tit...certificate%29

Seems you simply have to delete the alias...

Ciao
  #3 (permalink)  
Old 08-22-2006, 06:10 AM
Zimbra Consultant & Moderator
 
Posts: 11,517

Quote:
Originally Posted by claros
Seems you simply have to delete the alias...

Not quite, the instructions are for deleting and creating a new certificate - but you are correct, that's all that's needed to resolve this problem.
__________________
Regards


Bill
  #4 (permalink)  
Old 09-26-2006, 02:26 PM
New Member
 
Posts: 3

I have the same problem with an expired certificate after upgrade, but I am unable to delete it:

Code:
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass <password>
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

I tried an administrator password, but I do not recall any other password I set at the time of install. Is there any way for me to continue?
  #5 (permalink)  
Old 09-26-2006, 02:40 PM
Zimbra Consultant & Moderator
 
Posts: 11,517

Have you checked that you're allowed to delete that file? Did you follow these instructions?
__________________
Regards


Bill
  #6 (permalink)  
Old 09-26-2006, 02:56 PM
New Member
 
Posts: 3

Yes, I followed those directions. However, I did not use the word "changeit" because I assumed the instructions were telling me to "change it" to my own password. That turns out to have been wrong - using the word "changeit" verbatim allowed the operation to proceed.

I did also get this error:

Code:
keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)

which had to do with the lack of write privileges on the cacerts file, fixed by:

Code:
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
Reply With Quote
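
Added example (not part of the thread, and not Zimbra's own tooling): the root cause above is an expired CA certificate still sitting in the Java trust store under the alias my_ca, so this sketch parses `keytool -list -v` output and reports which aliases have passed their "until" date. The sample listing and the alias example_root are constructed; the zone abbreviation is dropped when parsing, so a result can be off by up to a day around the expiry time.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output; not from a real keystore.
SAMPLE_LISTING = """\
Alias name: my_ca
Creation date: Jul 9, 2005
Entry type: trustedCertEntry

Owner: O=Zimbra Collaboration Suite, L=N/A, ST=N/A, C=US
Valid from: Sat Jul 09 14:50:44 BST 2005 until: Sun Jul 09 14:50:44 BST 2006

Alias name: example_root
Creation date: Aug 21, 2006
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Valid from: Mon Aug 21 10:43:39 GMT 2006 until: Sun Aug 21 10:43:39 GMT 2016
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+)$")
# keytool prints dates as "Sun Jul 09 14:50:44 BST 2006". The weekday and the
# zone token are skipped: abbreviations such as BST are ambiguous to parse.
UNTIL_RE = re.compile(r"until:\s*\w{3} (\w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})")


def parse_entries(listing):
    """Return [(alias, not_after)] with not_after as a naive datetime."""
    entries, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.search(line)
        if m and alias is not None:
            stamp = f"{m.group(1)} {m.group(2)}"
            entries.append((alias, datetime.strptime(stamp, "%b %d %H:%M:%S %Y")))
            alias = None  # keep only the first certificate listed per alias
    return entries


def expired_aliases(listing, now):
    """Aliases whose certificate validity ended at or before `now`."""
    return [a for a, not_after in parse_entries(listing) if not_after <= now]


if __name__ == "__main__":
    # Date of the first post in the thread, used as the reference time.
    for name in expired_aliases(SAMPLE_LISTING, datetime(2006, 8, 21, 4, 59)):
        print("expired:", name)
```

To check a real trust store, pass in the text produced by `keytool -list -v -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit` instead of the sample.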