
Thread: Failed Commercial Cert Migration

  1. #1

    When I upgraded from 4.5.9 to 5.0.1, the commercial cert migration failed. While the cert for tomcat/jetty moved over successfully, it did not move over the cert for postfix/ldap/etc.

    After installing, mail stopped working, so I went ahead and installed a self-signed cert (http://www.zimbra.com/forums/70910-post26.html) just so I could get something up and running.

    I still have a Java keystore file with my commercial cert. What is the procedure for installing this cert in 5.0? Commercial Certificates - Zimbra :: Wiki doesn't seem quite up to date (it doesn't mention zmcertmgr). Not sure what format it expects, etc.

  2. #2

    Out of curiosity, does your cert name match your Zimbra host name? I ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, because the hostname of the Zimbra server did not match the certificate name. The quick workaround was to modify the zmmtainit to turn off TLS; once that was done everything worked fine.

    My understanding is that bug 23922 is tracking this issue and it appears there is at least a workaround done.

  3. #3

    Yes, the cert does match the hostname of the machine.

  4. #4

    Quote Originally Posted by gmsmith:
    Out of curiosity, does your cert name match your Zimbra host name? I ran into a similar problem myself. The guys in support (kudos to Brian, Mike and Ramadan) were able to get the issue resolved. During the initial upgrade, the tomcat cert migrated over, but nothing else was maintained. When re-installing the commercial cert with zmcertmgr, it halted mail delivery. It was traced down to the TLS communication between postfix and ldap, because the hostname of the Zimbra server did not match the certificate name. The quick workaround was to modify the zmmtainit to turn off TLS; once that was done everything worked fine.

    My understanding is that bug 23922 is tracking this issue and it appears there is at least a workaround done.

    Exactly the problem I had going from 5.0.0 to 5.0.1 (and by the sounds of things resolved with exactly the same fix).

  5. #5

  6. #6

    So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

    1. Extract my cert and private key from the old Java keystore.
    2. Download my CA's root cert.
    3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
    4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
    5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm

  7. #7

    Quote Originally Posted by solarsail:
    So, since this doesn't seem to be documented anywhere, this is what I ended up doing to migrate my keys:

    1. Extract my cert and private key from the old Java keystore.
    2. Download my CA's root cert.
    3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
    4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
    5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm

    What steps did you use to extract your cert and private key from the keystore?

  8. #8

    Quote Originally Posted by gmsmith:
    What steps did you use to extract your cert and private key from the keystore?

    To extract the cert:
    Code:
    keytool -keystore commercial.keystore -export -alias tomcat -file exported.crt
    openssl x509 -out commercial.crt -outform pem -text -in exported.crt -inform der
    To extract the key (you want to use the old version of ExportPriv.java; the new one doesn't wrap the base64 in a way zmcertmgr can handle):
    Code:
    curl http://mark.foster.cc/pub/java/ExportPriv.old.java > ExportPriv.java
    javac ExportPriv.java
    java ExportPriv commercial.keystore tomcat zimbra >commercial.key
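The checks below are an added example (not the thread's or Zimbra's own tooling) covering solarsail's migration steps in #6 and the key extraction in #8: they validate the extracted cert and key against the hostname and CA bundle before anything is copied under /opt/zimbra/ssl, which is the mismatch gmsmith describes in #2 and would have surfaced it without turning off TLS between postfix and ldap. Assumptions: the keytool -importkeystore route needs a Java 6 or later keytool and is offered as an alternative to ExportPriv.java; keystore path, alias, store password and hostname are arguments, not Zimbra defaults.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): pre-flight checks on a
# commercial cert/key pair before running "zmcertmgr deploycrt comm". They target
# the two things that went wrong in this thread: a cert name that does not match
# the Zimbra hostname (which broke postfix<->ldap TLS) and a key file whose PEM
# wrapping zmcertmgr could not parse. All paths and the hostname are arguments.

# Assumed alternative to ExportPriv.java: a Java 6+ keytool can convert the JKS
# entry to PKCS#12, which openssl then unwraps. $1 keystore, $2 alias,
# $3 store password, $4 output key path (a .p12 file is left beside it).
extract_key_from_jks() {
    keytool -importkeystore -srckeystore "$1" -srcalias "$2" -srcstorepass "$3" \
        -destkeystore "$4.p12" -deststoretype PKCS12 -deststorepass "$3" -noprompt &&
    openssl pkcs12 -in "$4.p12" -passin "pass:$3" -nocerts -nodes -out "$4"
}

# Re-emit a key as canonical PEM (64-column base64, no "Bag Attributes" lines
# left over from pkcs12); fails if openssl cannot parse the input. $1 in, $2 out.
normalize_key() { openssl rsa -in "$1" -out "$2" >/dev/null 2>&1; }

# 0 when the private key's modulus equals the certificate's. $1 cert, $2 key.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the cert's CN or a DNS SAN covers the hostname. $1 cert, $2 hostname.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 when the leaf chains to the bundle that will become commercial_ca.crt. $1 CA, $2 cert.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run every check; prints the first failure and returns non-zero.
# $1 cert, $2 key, $3 CA bundle, $4 hostname (what `zmhostname` reports).
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert"; return 1; }
    cert_matches_host "$1" "$4" || { echo "cert does not cover $4"; return 1; }
    chain_verifies "$3" "$1" || { echo "cert does not chain to CA bundle"; return 1; }
    echo "ok: safe to copy into /opt/zimbra/ssl/zimbra/commercial/ and deploy"
}
```

Run preflight with the three files from step 3 of #6 and the server's hostname; a "does not cover" failure is the condition that halted mail delivery in #2.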

  9. #9

    Thank you SolarSail. Without your documentation, I don't think I would have ever figured that out!

    -Nutz

  10. #10

    Seconded -- I couldn't figure anything else out after the 5.0.4->5.0.5 upgrade overwrote my commercial cert with a new self-signed one. Thank you so much!
