Thread: zmcertmgr gencsr ignores subject parameter

  1. #1

    I am running Zimbra 5.0.0 GA on Ubuntu on a single server behind a NAT router. The server's FQDN is of the form myhost.mydomain.com (this is the output of the hostname command, and is the Zimbra server name). However I will use the URL mydomain.com to access the server, which will connect through the router (this is the Zimbra domain).

    The self-signed SSL certificate that was generated by Zimbra is for myhost.mydomain.com rather than mydomain.com. I am trying to run zmcertmgr gencsr in order to create a certificate with a CN of mydomain.com, but it is ignoring the subject parameter that I am passing to it. Here is the command I am using:
    Code:
    sudo /opt/zimbra/bin/zmcertmgr gencsr self -new "/C=US/ST=MyStateName/L=MyCityName/O=MyName/CN=mydomain.com"
    However it simply re-creates the certificate with an organization name of "Zimbra Collaboration Suite", a state and location of "N/A", and a CN of myhost.mydomain.com.

    I have tried the following procedure:
    • completely deleting everything in /opt/zimbra/ssl
    • deleting zimbraCertAuthorityCertSelfSigned and zimbraCertAuthorityKeySelfSigned in LDAP
    • hard-coding my desired values in /opt/zimbra/conf/zmssl.cnf.in
    • using the hostname command to temporarily change the FQDN of the server to the domain name alone
    • creating the certificate authority with zmcertmgr createca
    • deploying the certificate authority with zmcertmgr deployca
    • generating the certificate request with the command shown earlier
    • restarting Zimbra

    ...but the generated certificate still contains the wrong parameters.

    In a separate issue, the "Configuration > Servers" and "Tools > Certificates" sections in the administrative UI do not seem to be working at all for me either, even after a clean re-install of Zimbra 5.0.0 GA, so I can't see any settings in there. FYI, here is what I am getting when I try to click them (substituting myhost.mydomain.com where appropriate):
    Code:
    Message: system failure: exception during auth {RemoteManager: myhost.mydomain.com->zimbra@myhost.mydomain.com:22} Error code: service.FAILURE Method: ZmCsfeCommand.prototype.invoke Details:soap:Receiver

  2. #2

    I've just noticed this too. Looking at the zmcertmgr script it doesn't appear that the -subject argument is handled at all.

    Am I missing something here? How are other people managing to generate the csr?

  3. #3

    Looking a bit closer it seems that the script won't handle the -days and -subject arguments (as documented). I'll file a bug when I get a chance.

  4. #4

    Hi,

    It looks to me like 5.0.18 suffers from the same issue. Now I'm trying with the zmcertmgr, but startssl.com requires 2048 bit and I seem to have a 1024 bit. So now I'm trying cacert, but the zmcert deploy hogs CPU like an idiot for like 5 minutes and freezes. The admin panel shows no cert for the specific domain/server.
    Any clues if this is a glitch in the 5.0.18 GA? OS: Ubuntu 606 LTS
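
Added example (not part of any post in this thread, and not Zimbra's code): both symptoms reported above, a CSR with the wrong CN and a key smaller than the CA accepts, can be caught by inspecting the CSR before submitting it. The sketch uses plain `openssl` rather than zmcertmgr; the function names are hypothetical, and the subject values are the placeholders from the first post.

```shell
#!/bin/sh
# Added example: confirm a CSR carries the CN and key size that were requested.
# Function names are hypothetical; subject values are the thread's placeholders.

# Print the CN of a CSR. RFC2253 output is comma-separated and stable across
# OpenSSL versions (values containing escaped commas are not handled here).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the public key size in bits, taken from the text dump of the CSR.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 only if the CSR's CN equals $2 and its key has at least $3 bits.
csr_check() {
    cn=$(csr_cn "$1")
    bits=$(csr_bits "$1")
    [ "$cn" = "$2" ] || {
        echo "CN mismatch: got '$cn', want '$2'" >&2
        return 1
    }
    [ "${bits:-0}" -ge "$3" ] || {
        echo "key too small: ${bits:-unknown} bits, want >= $3" >&2
        return 1
    }
    echo "ok: CN=$cn, $bits-bit key"
}

# Build a constructed demo CSR with a throwaway key, using openssl directly.
make_demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/C=US/ST=MyStateName/L=MyCityName/O=MyName/CN=mydomain.com" \
        2>/dev/null
}

# Demo: generate the constructed CSR, then verify what it actually contains.
demo_dir=$(mktemp -d)
make_demo_csr "$demo_dir/demo" && csr_check "$demo_dir/demo.csr" mydomain.com 2048
rm -rf "$demo_dir"
```

Pointing `csr_check` at the CSR file that a tool wrote shows whether the subject and key size made it into the request, independent of what the tool's options claim to do.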
