
Thread: https login and zmcertinstall


  1. #1
    https login and zmcertinstall

    Hello all,

    In attempting to get my self-signed SSL certs functional for mail clients, I tried to recreate the certs using the instructions from this thread.

    http://www.zimbra.com/forums/showthr...=zmcertinstall

    I've gone through and tried to reset my cert numerous times, but I still am unable to log in via https. Below are the error messages from zimbra.log.

    2006-02-22 18:30:40,282 FATAL [ImapSSLServer] [] TcpServer/993 - accept loop failed
    javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
    at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
    at com.zimbra.cs.tcpserver.TcpServer.run(TcpServer.java:185)
    at java.lang.Thread.run(Thread.java:595)

    Can anyone be of assistance to get my https logins working again? Thank you.

  2. #2

    Here's the entry from the Wiki:

    http://wiki.zimbra.com/index.php?tit...icate_Problems

    Have all these commands run without error?

    If so have you restarted zimbra?
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    Additional data suggestions for wiki article

    Could you provide a list of approved SSL certificate vendors in the wiki article, and instructions for installing commercial certs provided by these vendors?

    I wouldn't mind if you only had one or two official cert vendors, but some concrete guides on what type of cert to buy, and the process of adding the certs to both tomcat and the MTAs, would be very useful.

    The place where this comes up is IMAP clients, like Thunderbird, which get the certificate warning and are forced to accept the self-signed certificate that zimbra defaults to.

    From a user training perspective, I'd rather not get the users used to hitting the accept button when those types of messages pop up.

    Right now I ordered a cert for zimbra.mycompany.com from GeoTrust. It's a basic SSL webserver certificate. Installing on the MTA worked fine, but when trying to do the install to tomcat (zmcertinstall mailbox) things went very very wrong, and I got the dreaded "firefox cannot communicate with zimbra.mycompany.com because we share no common encryption algorithms" message on the client side.

  4. #4

    Quote Originally Posted by jonnyRo
    Could you provide a list of approved SSL certificate vendors in the wiki article, and instructions for installing commercial certs provided by these vendors?
    No - we'd have to worry about keeping the docs up to date for each vendor, we'd have to (in some fashion) approve or certify the vendors, etc., and that's not what we do for a living.
    I wouldn't mind if you only had one or two official cert vendors, but some concrete guides on what type of cert to buy, and the process of adding the certs to both tomcat and the MTAs, would be very useful.
    The problem is that SSL certs are complicated - everyone has different needs, different systems, different requirements. So complicated, that many books have been written, and a huge industry exists to service this stuff.

    Even if we were inclined to try to enter that space as a "simplified" cert training provider, or something along those lines - I'm not sure we'd do anything but further muddy the waters.

    The place where this comes up is IMAP clients, like Thunderbird, which get the certificate warning and are forced to accept the self-signed certificate that zimbra defaults to.

    From a user training perspective, I'd rather not get the users used to hitting the accept button when those types of messages pop up.

    Right now I ordered a cert for zimbra.mycompany.com from GeoTrust. It's a basic SSL webserver certificate. Installing on the MTA worked fine, but when trying to do the install to tomcat (zmcertinstall mailbox) things went very very wrong, and I got the dreaded "firefox cannot communicate with zimbra.mycompany.com because we share no common encryption algorithms" message on the client side.
    Did GeoTrust have information on how to generate a CSR for tomcat? What errors did you get when you installed it?

  5. #5

    I did add a basic how-to for removing the self-signed cert and adding your new one. As Marc says you'll need to figure out on your own how to get it into the right format as each vendor is different.

  6. #6
    Been reading...

    I continued on my path last night and was able to recreate the self-signed cert and get https access back up and working. I followed the steps posted in these forums for recreating all the certs from scratch. Thank you Kevin for the new post and steps. I am almost back. I have full functionality from the webmail, i.e. I can log in, send and receive from my domain via https.

    However, from my IMAP client, I am unable to send. I was able to send successfully from the client prior to my recreating my SSL certs. The error I'm getting is "TLS not available due to local problem". I've continued reading and searching in the forums, and think my issue lies with the saslauthd processes.

    zimbra@dmrmail01:~/conf> zmcontrol stop
    Host dmrmail01.dmrcom.com
    Stopping antispam...Done
    Stopping antivirus...Done
    Stopping ldap...Done
    Stopping logger...Done
    Stopping mailbox...Done
    Stopping mta...FAILED
    /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd: no process killed

    Stopping snmp...Done
    Stopping spell...Done
    zimbra@dmrmail01:~/conf> zmcontrol start
    Host dmrmail01.dmrcom.com
    Starting ldap...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting mta...Done.
    Starting snmp...Done.
    Starting spell...Done.
    zimbra@dmrmail01:~/conf> zmcontrol status
    Host dmrmail01.dmrcom.com
    antispam Running
    antivirus Running
    ldap Running
    logger Running
    mailbox Running
    mta Running
    snmp Running
    spell Running

    I've checked the saslauthd.conf and saslauthd.conf.in files and restarted the service. Additionally, I've restarted Postfix.

    dmrmail01:/ # cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf.in
    zimbra_url: https://dmrmail01.dmrcom.com:443/service/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off
    dmrmail01:/ # cat /opt/zimbra/cyrus-sasl/etc/saslauthd.conf
    zimbra_url: https://dmrmail01.dmrcom.com:443/service/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off

    Thank you for any assistance.

  7. #7

    What do you get from:
    zmprov gs SERVERNAME | grep zimbraMtaAuthHost
    and
    zmprov gs SERVERNAME | grep zimbraMailMode

    If mail mode is not mixed or https, then reset the auth host to its current value (workaround for a known bug):
    zmprov ms SERVERNAME zimbraMtaAuthHost CURRENTVALUE

    Then, restart sasl
    zmsaslauthdctl stop
    zmsaslauthdctl start

  8. #8

    zimbra@dmrmail01:~/log> zmprov gs SERVERNAME | grep zimbraMtaAuthHost
    ERROR: account.NO_SUCH_SERVER (no such server: SERVERNAME)
    zimbra@dmrmail01:~/log> zmprov gs SERVERNAME | grep zimbraMailMode
    ERROR: account.NO_SUCH_SERVER (no such server: SERVERNAME)

    My mail mode is https - so i'll wait for some advice. Thank you.

  9. #9

    Replace SERVERNAME with the name of your server. zmprov gas will return the full list.

  10. #10

    zimbra@dmrmail01:~/log> zmprov gas
    dmrmail01.dmrcom.com
    zimbra@dmrmail01:~/log> zmprov ms dmrmail01.dmrcom.com zimbraMtaAuthHost CURRENTVALUE
    ERROR: service.INVALID_REQUEST (invalid request: specified zimbraMtaAuthHost does not correspond to a valid service hostname: CURRENTVALUE)
    zimbra@dmrmail01:~/log> zmsaslauthdctl stop
    zimbra@dmrmail01:~/log> zmsaslauthdctl start

    Thanks Marc.
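A small script, added here and not taken from the thread, that automates the check-and-reset procedure Marc gives in post #7 (read zimbraMailMode and zimbraMtaAuthHost, re-apply the auth host, restart saslauthd) while reading the real server name and current value from zmprov instead of the literal SERVERNAME and CURRENTVALUE placeholders that post #10 shows zmprov rejecting. The `# name` header line and the `attr: value` layout of the constructed sample listing are assumptions about `zmprov gs` output.

```shell
# Added example (not from the thread): apply post #7's zimbraMtaAuthHost
# workaround from the live value, never from a hand-typed placeholder.
# attr_value NAME: read a `zmprov gs` listing on stdin, print NAME's value
attr_value() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}
# needs_authhost_reset MODE: per post #7 the reset applies only when the
# mail mode is neither "mixed" nor "https" (exit 0 = reset, 1 = leave alone)
needs_authhost_reset() {
    case "$1" in
        mixed|https) return 1 ;;
        *)           return 0 ;;
    esac
}
# reset_cmd SERVER: read the listing on stdin and print the exact zmprov
# command to run (nothing when no reset is needed); refuses a placeholder
reset_cmd() {
    server=$1
    case "$server" in
        SERVERNAME|"") echo "reset_cmd: use a real host from 'zmprov gas'" >&2; return 1 ;;
    esac
    listing=$(cat)
    mode=$(printf '%s\n' "$listing" | attr_value zimbraMailMode)
    authhost=$(printf '%s\n' "$listing" | attr_value zimbraMtaAuthHost)
    if [ -z "$authhost" ]; then
        echo "reset_cmd: $server has no zimbraMtaAuthHost set" >&2; return 1
    fi
    if needs_authhost_reset "$mode"; then
        printf 'zmprov ms %s zimbraMtaAuthHost %s\n' "$server" "$authhost"
    fi
}
# Constructed sample listing (assumed zmprov gs layout) for an offline dry run
SAMPLE_LISTING='# name dmrmail01.dmrcom.com
zimbraMailMode: http
zimbraMtaAuthHost: dmrmail01.dmrcom.com
zimbraServiceHostname: dmrmail01.dmrcom.com'
printf '%s\n' "$SAMPLE_LISTING" | reset_cmd dmrmail01.dmrcom.com
# Live run only where zmprov exists; then bounce saslauthd as post #7 says
if command -v zmprov >/dev/null 2>&1; then
    for server in $(zmprov gas); do
        cmd=$(zmprov gs "$server" | reset_cmd "$server") || exit 1
        if [ -n "$cmd" ]; then
            sh -c "$cmd" && zmsaslauthdctl stop && zmsaslauthdctl start
        fi
    done
fi
```

On a host without zmprov the script only performs the dry run against the constructed listing and prints the command it would have run.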
