Thread: [SOLVED] SSL Installation Error

  1. #1

    Question [SOLVED] SSL Installation Error

    I've looked around a lot to find the answer to this issue and have yet to find a single thing to solve my issue.

    I recovered from a backup copy of /opt/zimbra. Aside from a few stupid mistakes (like forgetting to rename the directory from current to zimbra) it went pretty well.

    During my installation, my ssl certificate from godaddy was revoked. There's a fun story behind that.

    I tried to install a new certificate by first making a new csr, going out to godaddy, rekeying the thing, and then going to the web interface. I've previously had issues installing certificates from godaddy onto zimbra so I already had a bookmark to a comment. http://www.zimbra.com/forums/adminis...html#post95868

    I remember that working perfectly in the past, but not this go around. After trying to install, I got this error.

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

    Now, this makes sense that a non-existing file wouldn't match up with the existing file....

    zimbra@vindico:~$ file /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt
    /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: ASCII text

    zimbra@vindico:~$ file /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key
    /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key: ERROR: cannot open `/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key' (No such file or directory)

    zimbra@vindico:~$ ls -l /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/
    total 12
    -rw-r----- 1 zimbra zimbra 1785 Apr 11 02:10 current.crt
    -rw-r----- 1 zimbra zimbra 8144 Apr 11 02:10 current_chain.crt

    On a side note: I wish I understood why ls -l grabbed a number for .. instead of just .

    I'm not really sure how this can make a .crt w/o a .key so I'm assuming something must have been missed.

    I've been fighting this for 20+hr and I've had it with trying to figure it out myself.

    I realize I probably have about a week to wait until I can get an answer, but I do hope for a quick response. I know that once you guys get to me you'll be able to take care of me right well.

    Thanks,

  2. #2

    Default

    You can use the zmcertmgr utility to deploy the certificate.
    Run these commands as root:
     1) mkdir /root/certs and place the cert files in there
     2) cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt >> /root/certs/commercial_ca.crt
     3) verify the certificate
         cd /root/certs
         /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt./commercial_ca.crt
     4) deploy the cert
         cd /root/certs
         /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt./commercial_ca.crt
     5) restart the zimbra services
         su - zimbra
         zmcontrol stop
         zmcontrol start
    Last edited by Ramadan Mansoura; 04-11-2009 at 12:32 PM.

  3. #3

    Default

    This is as far as I can get... Thanks for the really fast reply.

    root@vindico:/root/certs# ls
    commercial_ca.crt gd-class2-root.crt gd_intermediate.crt
    gd_bundle.crt gd_cross_intermediate.crt vindico.crt

    root@vindico:/root/certs# cat gd_cross_intermediate.crt gd_intermediate.crt gd-class2-root.crt > /root/certs/commercial_ca.crt

    root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key ./commercial.crt./commercial_ca.crt
    ** Verifying ./commercial.crt./commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial.key
    XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial.key

  4. #4

    Default Little Change

    There's an error on that wiki page.

    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt./commercial_ca.crt

    Right here -> ./commercial.crt./commercial_ca.crt <- should have a space in there.


    root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./vindico.crt ./commercial_ca.crt
    ** Verifying ./vindico.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./vindico.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file ./commercial_ca.crt
    4595:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:
    4595:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
    recognized usages:
    sslclient SSL client
    sslserver SSL server
    nssslserver Netscape SSL server
    smimesign S/MIME signing
    smimeencrypt S/MIME encryption
    crlsign CRL signing
    any Any Purpose
    ocsphelper OCSP helper
    XXXXX ERROR: Invalid Certificate:
    root@vindico:/root/certs#

  5. #5

    Default Another Update

    Apparently there's something funky with the second file.

    I went into the file and replaced
    -----END CERTIFICATE----------BEGIN CERTIFICATE-----
    With this
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----

    Now I get the following error. I don't like that an error is still occurring, but I'm happy that I'm at least making progress. I guess sleep does help things.


    root@vindico:/root/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./vindico.crt ./commercial_ca.crt
    ** Verifying ./vindico.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./vindico.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: ./vindico.crt: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    error 2 at 2 depth lookup:unable to get issuer certificate

    I'm not really sure how it can be freaking out that my certificate is invalid when the private key matches up with it, and that cert came from a download.

  6. #6

    Default And Fixed!

    That space thing happens with the deploycrt command too.

    I used this instead:
    cat gd_cross_intermediate.crt gd_intermediate.crt gd_bundle.crt > commercial_ca.crt

    Went in and fixed that line break thing.

    And things finally work.

    Now to go try it out.
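
The fused `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` line fixed by hand in posts #5 and #6 is what `cat` produces when one PEM file lacks a final newline. The shell functions below are an added example, not part of the thread or of Zimbra's tooling: they detect the fused boundary, repair an existing bundle, and build a bundle that cannot fuse. Function names and sample data are constructed, and the checks cover PEM framing only, so `zmcertmgr verifycrt` is still needed for chain validity.

```shell
# Added example, not from the thread: PEM framing checks for a CA bundle.

# pem_check FILE: fail (and report on stderr) if END and BEGIN markers share
# a line, or if the BEGIN and END marker lines do not pair up.
pem_check() {
    awk -v f="$1" '
        { sub(/\r$/, "") }
        /-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----/ {
            printf "%s:%d: END and BEGIN markers on one line\n", f, NR; bad = 1 }
        /^-----BEGIN CERTIFICATE-----$/ { nb++ }
        /^-----END CERTIFICATE-----$/   { ne++ }
        END {
            if (nb == 0 || nb != ne) {
                printf "%s: %d BEGIN, %d END marker lines\n", f, nb, ne; bad = 1 }
            exit bad + 0
        }' "$1" >&2
}

# pem_repair FILE: print FILE with fused markers split onto separate lines.
pem_repair() {
    awk '{ sub(/\r$/, "")
           gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
                "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----")
           print }' "$1"
}

# pem_bundle OUT IN...: concatenate IN files into OUT. awk drops CRs and blank
# lines and ends every line with a newline, so file boundaries cannot fuse.
pem_bundle() {
    out=$1; shift; tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        awk '{ sub(/\r$/, "") } NF' "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    if pem_check "$tmp"; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}

# Constructed sample: two dummy PEM blocks (not real certificates); a.crt is
# written without a final newline, which is what makes plain cat fuse them.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' QUJD '-----END CERTIFICATE-----' > "$d/a.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' REVG '-----END CERTIFICATE-----' > "$d/b.crt"
    cat "$d/a.crt" "$d/b.crt" > "$d/fused.crt"
    pem_check "$d/fused.crt" || echo "fused.crt rejected"
    pem_bundle "$d/ca.crt" "$d/a.crt" "$d/b.crt" && echo "ca.crt: $(grep -c BEGIN "$d/ca.crt") certificates"
    rm -rf "$d"
}
demo
```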

  7. #7

    Default

    Thank you, this was useful for me,
    and firstly I solved the trouble with the time on the host.
