Thread: [SOLVED] Tomcat ignoring new SSL cert?

  #1

    [SOLVED] Tomcat ignoring new SSL cert?

    I'm desperately trying to get Zimbra up and running again after our old cert expired, and the new cert doesn't seem to be taking hold.

    I swear I've replaced every single SSL cert and keystore I can find, and Tomcat still dies claiming the certificate expired yesterday.

    I've followed the instructions here (Commercial Certificates - ZimbraWiki) to the letter.

    I've replaced the following with my new cert and key:

    /opt/zimbra/conf/smtpd.crt
    /opt/zimbra/conf/smtpd.key
    /opt/zimbra/conf/slapd.crt
    /opt/zimbra/conf/slapd.key
    /opt/zimbra/conf/perdition.pem
    /opt/zimbra/conf/perdition.key
    /opt/zimbra/ssl/ssl/server/tomcat.crt
    /opt/zimbra/ssl/ssl/server/tomcat.key
    /opt/zimbra/ssl/ssl/server/server.crt
    /opt/zimbra/ssl/ssl/server/server.key

    I've generated a new keystore from my cert and key, and replaced /opt/zimbra/tomcat/conf/keystore with it.

    If I go to the admin console (https://servername:7071), and have firefox show me the certificate information, the expiration date is in 2008, like it should be.

    I can log in to the admin console.

    Users cannot log in to the web interface, IMAP(S), or POP3(S) at all. Postfix fails LMTP deliveries. Basically, any network connection to anything that runs in tomcat still dies, with the root error (in mailbox.log) being:

    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 06 16:59:59 PDT 2007

    Checking the certificate file I used for everything (with "openssl x509 -in cert.pem -text"), I get:

            Validity
                Not Before: Aug 13 00:00:00 2007 GMT
                Not After : Sep  9 23:59:59 2008 GMT

    What am I missing? Where the hell is tomcat getting the old cert from?

  #2

    External LDAP Auth cert!

    Always remember to check that the services on other systems which you might be depending on are also running properly.

    All the problems turned out to be due to new certs being installed on our LDAP servers, which we're having Zimbra use as an external authentication source, but the LDAP server processes were never restarted to pick up the new certs.

    So, all our problems, really, were due to authentication, because our external LDAP servers were running with stale certificates.

    It'd be really nice if Zimbra could fail more gracefully in this situation.
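The two posts above together make one point: the certificate files on the mailbox host were fine (post #1 even verified the on-disk file with `openssl x509`), but the process that mattered was a dependency on another system still serving its old certificate (post #2). The check a practitioner wants is therefore not "what is in the file" but "what does each TLS endpoint actually present during a handshake". The script below is an added example, not code from the original thread or from Zimbra; it probes each dependency with a fully validated handshake, which is what a Java/Tomcat client would do, and reports expired, expiring or failing certificates. The hostnames in `ENDPOINTS` are constructed placeholders, and `to_epoch`, `days_remaining`, `classify` and `check_endpoint` are names chosen here, not Zimbra APIs.

```python
"""Report the certificate each dependency is actually serving (not the file on disk).

Added example, not from the original thread or from Zimbra. Hostnames are
constructed placeholders; adjust the inventory for your environment.
"""
import socket
import ssl
import time

# Constructed inventory of endpoints a Zimbra mailbox server depends on.
# The last entry is the kind of dependency that bit the poster: an external
# LDAP server used for authentication, reachable over LDAPS.
ENDPOINTS = [
    ("mail.example.invalid", 7071, "admin console"),
    ("mail.example.invalid", 443, "web client"),
    ("mail.example.invalid", 993, "IMAPS"),
    ("mail.example.invalid", 995, "POP3S"),
    ("ldap.example.invalid", 636, "external LDAP auth (LDAPS)"),
]


def to_epoch(not_after):
    """Convert an OpenSSL-style 'Not After' string ('Sep  9 23:59:59 2008 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def days_remaining(not_after, now=None):
    """Days until not_after as a float; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (to_epoch(not_after) - now) / 86400.0


def classify(not_after, now=None, warn_days=14):
    """Return 'expired', 'expiring' (inside the warning window) or 'ok'."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "expiring"
    return "ok"


def check_endpoint(host, port, timeout=5.0, now=None):
    """Handshake with full validation and report what a strict client would see.

    Returns {'status': ..., 'detail': ...} where status is one of
    'ok', 'expiring', 'expired', 'handshake_failed' or 'unreachable'.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # getpeercert() is only populated because validation succeeded
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. 'certificate has expired': exactly what a daemon still holding
        # its pre-rotation certificate in memory produces.
        return {"status": "handshake_failed", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"status": "unreachable", "detail": str(exc)}

    not_after = cert["notAfter"]
    return {
        "status": classify(not_after, now),
        "detail": f"notAfter={not_after} ({days_remaining(not_after, now):.1f} days left)",
    }


if __name__ == "__main__":
    for host, port, role in ENDPOINTS:
        result = check_endpoint(host, port)
        print(f"{host}:{port:<5} {role:<28} {result['status']:<17} {result['detail']}")
```

Run it from the mailbox host after rotating certificates. A `handshake_failed` result with detail `certificate has expired` on an endpoint whose files you have already replaced is the signature of the situation in post #2: the daemon behind that port has not been restarted and is still presenting the old certificate from memory. The report is deliberately driven by the live handshake rather than by reading certificate files, because a file on disk tells you nothing about what a running process loaded.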
