Thread: [SOLVED] Generating CSR from Admin Wizard=Domain Mismatch

  1. #1

    Certificate Signing Request generates a domain mismatch.

    Recent upgrade to 5.0.8, which uses a new "Certificates" wizard in the Admin UI. Our current certificate is set to expire on the 8th of August. We're switching commercial certificate providers, so I'm in the process of generating CSRs for both servers in our cluster. When using the wizard in the Admin UI, I was able to generate, download and submit the CSR to Network Solutions. This was not a problem for the first server.

    Server 2, however, is proving to be more difficult. Generating the second CSR for the second server appears to work; however, when submitting the CSR to Network Solutions there's a domain mismatch. I have no way of deciphering the CSR (to my knowledge), and obviously the wizard isn't doing the job. I think I may have to use zmcertmgr from the CLI.

    I'm tempted to use these instructions (How to create new CA on Zimbra 5.0 -- STORY of AODDY); however, I'm concerned about time constraints (Aug 8th) and how long it'll take me to figure this out using the CLI.

    Strange, because it appears to work, but Network Solutions won't accept the CSR. Any instructional help for zmcertmgr would be greatly appreciated.

  2. #2

    Every once in a great while you have an "Ah ha!" moment. Unfortunately, sometimes it takes posting in a public support forum to get your brain to think about your problem in a different light.

    I logged into the Admin UI from the second server and attempted generating the CSR from there. After downloading and submitting to Network Solutions, it appears to have accepted it for verification.

    Thus, if you use more than one server in your Zimbra environment and are attempting to generate certificate signing requests for each of them AND you suck at life because you're afraid of using the provided CLI tools on a production server - be sure to log in to the Admin UI of each server before generating individual CSRs.
    Last edited by AdrianR; 08-08-2008 at 01:22 PM.

  3. #3

    I suppose you're using a "multi-server cluster", not an "HA cluster"?

    Oops, got my answer: you're running ZCS on OSX.

  4. #4

    Now that I have my signed certificates I'm having some trouble installing them. This is not a new install, just a change of certificate providers. I've downloaded the signed certificates from Network Solutions and am attempting to use the Admin WebUI to install them. I'm getting an error message when installing: ERROR: Invalid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt

    The files I've received from Network Solutions are:
    AddTrustExternalCARoot.crt
    NetworkSolutions_CA.crt
    UTNAddTrustServer_CA.crt
    "SERVER NAME".crt

    Zimbra is asking for...
    Certificate:
    Root CA:
    Intermediate CA:

    I'm unclear as to what goes where. I used "SERVER NAME".crt for the Certificate. I used NetworkSolutions_CA.crt for the Root CA. I used AddTrustExternalCARoot.crt for the Intermediate CA. I did not use UTNAddTrustServer_CA.crt, although I noticed I have the option of adding an additional Intermediate CA.

    I have a feeling I'm not giving Zimbra the correct certs. Does anyone know what I use for Root CA and Intermediate CA?

  5. #5

    Ok, I think I have this figured out.

    Certificate: = "SERVER NAME".crt
    Root CA: = AddTrustExternalCARoot.crt
    Intermediate CA: = NetworkSolutions_CA.crt
    Intermediate CA: = UTNAddTrustServer_CA.crt

    Won't be able to attempt installation for another 3 hours.

  6. #6

    Attempted install from Admin WebUI, which failed. Was forced to use the wiki instructions for zmcertmgr located at Commercial Certificate in 5.x - Zimbra :: Wiki

    After copying commercial.crt and commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/ and chmod'ing both to 700, I was able to run /opt/zimbra/bin/zmcertmgr verifycrt comm with the following output.

    Code:
    "server":/opt/zimbra/ssl/zimbra/commercial root# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK

    I then attempted to install using
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    (which resulted in)

    Code:
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: /opt/zimbra/ssl/zimbra/commercial/commercial.crt and commercial.crt are identical (not copied).
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt and commercial_ca.crt are identical (not copied).
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    I then attempted to follow the wiki instructions for "Failed to create jetty.pkcs12". I made sure the /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ directory was set to 644 and owned by zimbra:zimbra.

    Then (following wiki article) ran
    Code:
    keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`

    which failed. I assumed it was because I was running it as root, so I changed over to user zimbra and ran the command again, this time with a different, but equally depressing, result.

    Then, as zimbra, I ran zmcontrol stop followed by zmcontrol start, which produced:

    Code:
    "server":~ zimbra$ zmcontrol start
    Host "FQDN"
    	Starting ldap...Done.
    FAILED
    Failed to start slapd.  Attempting debug start to determine error.
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
    TLS: error:0906D066:PEM routines:PEM_read_bio:bad end line pem_lib.c:746
    TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
    main: TLS init def ctx failed: -1

    I'm pretty much dead in the water. The first server is still running, but also needs the updated certificate installed.

    -Adrian
    Last edited by AdrianR; 08-11-2008 at 10:22 AM.

  7. #7

    I can mark this solved now. Ramadan from Zimbra gave me a call after I submitted a support request.

    There were three things I was doing wrong during the certificate installation.

    In the wiki documentation for Commercial Certificates in Version 5, under Network Solutions, it states to copy the renamed certificate to /opt/zimbra/ssl/zimbra/commercial prior to deploying the cert. This is incorrect, at least for version 5.0.8. You should create a temp deployment directory and run the certificate verification and deployment from the temp working directory.

    Also, cat'ing the remaining root and intermediate certs into commercial_ca.crt passes the verification just fine; however, it will not deploy correctly. As it turns out, you must edit commercial_ca.crt in vi and insert line breaks to separate the certificates correctly.

    This also goes for commercial.crt. I had to edit the server certificate in vi and insert a line break at the end of the cert. Again, without these modifications, the certs will pass verification, but will fail deployment.

    After making these three changes, I was able to install the certificates for both servers.
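    The layout defects described in the last post (PEM markers fused together when certificates are cat'ed with no line break between them, and a server cert with no trailing newline, which OpenSSL reports as "no start line" / "bad end line") can be detected and repaired mechanically before deploying. This is an added example, not code from the thread or from Zimbra's zmcertmgr; the sample chain is constructed from placeholder base64, not real certificates, and the check covers PEM layout only, not the X.509 contents.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Finds each BEGIN..END block even when markers are glued together on one line.
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_layout_problems(text):
    """List the layout defects that OpenSSL's PEM reader trips over:
    markers sharing a line with other text, and a missing final newline."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        markers = line.count("-----BEGIN ") + line.count("-----END ")
        if markers > 1:
            problems.append(f"line {lineno}: {markers} PEM markers fused on one line")
        elif markers == 1 and line.strip() not in (BEGIN, END):
            problems.append(f"line {lineno}: marker is not alone on its line")
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


def normalize_pem_chain(text):
    """Rebuild the chain: each marker on its own line, base64 wrapped at
    64 columns, one trailing newline per block. Raises ValueError if a
    body is not valid base64 (a sign of a truncated paste)."""
    blocks = []
    for body in _BLOCK.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # layout check only; does not parse DER
        wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join([BEGIN, *wrapped, END]))
    return "".join(block + "\n" for block in blocks)


# Constructed sample: three fake "certificates" (base64 of placeholder bytes,
# not real X.509) cat'ed together with no line breaks between them.
_FAKE = [base64.b64encode(f"constructed placeholder cert {i} ".encode() * 8).decode()
         for i in (1, 2, 3)]
FUSED_CHAIN = "".join(f"{BEGIN}\n{b}\n{END}" for b in _FAKE)

if __name__ == "__main__":
    for problem in pem_layout_problems(FUSED_CHAIN):
        print("before:", problem)
    fixed = normalize_pem_chain(FUSED_CHAIN)
    print("after:", pem_layout_problems(fixed) or "no problems",
          "-", fixed.count(BEGIN), "certificates")
```

    Running it against a real commercial_ca.crt is just `normalize_pem_chain(open(path).read())`; the rebuilt text is what zmcertmgr deploycrt expects to append.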
