#1
02-01-2012, 05:35 AM
Active Member
Posts: 26
installed a new ssl cert but activesync won't use it

I installed a new SSL cert (because the old one expired.) All the standard zimbra services work fine, and all use the new cert, but activesync continues to use the old one. Of course, now that it's expired, devices refuse to connect.

What do I need to do to update the SSL cert for activesync?

Andy
__________________
---
Release 7.1.1_GA_3196.UBUNTU8_64
UBUNTU8_64 NETWORK edition.
#2
02-01-2012, 06:18 AM
Advanced Member
Posts: 213

Dunno...
- does the sync.log show anything about this?
- What is the output of
/opt/zimbra/bin/zmcertmgr viewdeployedcrt mailboxd
- typically the mailboxd (which I think handles activesync as well?? could be wrong) stores its keystore at /opt/zimbra/conf/keystore... however, I have seen where it can be used/located at /opt/zimbra/mailboxd/etc/keystore. See if you have that, maybe even compare?
#3
02-01-2012, 01:54 PM
Active Member
Posts: 26

Hey thanks Greg :-)

Turns out, /opt/zimbra/conf/domaincerts did have the old crt/key files in it. I've backed them up and replaced them with the new stuff. Good thinking.

Andy
#4
02-01-2012, 02:55 PM
Active Member
Posts: 26

So, /opt/zimbra/bin/zmcertmgr viewdeployedcrt returns the correct certs, and it doesn't make any reference to the cert that activesync is using.

Still stumped.
#5
02-02-2012, 06:08 AM
Active Member
Posts: 26

We solved this problem. Here is how:

Our next step was to try another device. I had a colleague with an Android device try to add an activesync account. He got an error, but in this case his device showed the proper (new) certificate, so we suspected that the problem was device related. Further reading suggested that the primary domain on the certificate must match the access URL (which in this case it did not - a wildcard cert has *.domain.com as its primary name).

We bought a dedicated, for the purpose, single domain certificate, deployed that, and the problem went away.

I suspected that the device was caching the old certificate, but I couldn't figure out why it would use it. Now, knowing that it didn't like the new one, I can almost understand. Bottom line here is that the wildcard certificate simply would not work for activesync.
__________________
---
Release 7.1.1_GA_3196.UBUNTU8_64
UBUNTU8_64 NETWORK edition.
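
Added example, not part of the thread: the resolution in post #5 comes down to how a client compares the access hostname with the names on the certificate. The sketch below contrasts standard wildcard matching with a literal primary-name comparison; the strict policy is an assumption that models the device behaviour reported above, and the example.com names are constructed placeholders.

```python
"""Hostname-vs-certificate name check, run on constructed names (no network)."""


def wildcard_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may stand for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        # '*.example.com' never covers 'example.com' or 'a.b.example.com'
        return False
    if p[0] == "*":
        # refuse over-broad patterns such as '*.com'
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # no wildcard: every label must be identical


def standard_client_accepts(subject_cn, san_dns, host):
    """Mainstream TLS clients: any SAN dNSName may match; CN only if no SANs."""
    names = san_dns if san_dns else [subject_cn]
    return any(wildcard_match(n, host) for n in names)


def strict_client_accepts(subject_cn, san_dns, host):
    """ASSUMPTION: models the device behaviour reported in the thread, where
    the certificate's primary name must equal the access host literally."""
    return subject_cn.lower() == host.lower()


def diagnose(subject_cn, san_dns, host):
    """Return a per-policy verdict for one access hostname."""
    return {
        "standard": standard_client_accepts(subject_cn, san_dns, host),
        "strict_primary_name": strict_client_accepts(subject_cn, san_dns, host),
    }


# Constructed sample data: placeholder names, not taken from the thread.
WILDCARD_CERT = ("*.example.com", ["*.example.com", "example.com"])
SINGLE_CERT = ("mail.example.com", ["mail.example.com"])

if __name__ == "__main__":
    for label, (cn, sans) in (("wildcard", WILDCARD_CERT),
                              ("single-name", SINGLE_CERT)):
        print(label, diagnose(cn, sans, "mail.example.com"))
```

A result of standard=True with strict_primary_name=False reproduces the symptom in the thread: the certificate is valid for the host, yet a client that insists on a literal primary-name match still rejects it.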