Thread: [SOLVED] "zmcertmgr deploycrt self" Fails

  1. #1

    My original 365 day self-signed certificate recently expired on my Zimbra 5.0.9 server. I followed the Zimbra wiki instructions to create a new set of certs as follows. I got most of the way through the process and then it failed. Any ideas on resolving this problem?

    1. zmcertmgr createca -new
    2. zmcertmgr createcrt -new -days 365
    3. zmcertmgr deploycrt self

    Steps 1 and 2 completed successfully. Step 3 completed partially and then failed.

    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    unable to load private key

    From what I can tell, the mta, ldap, and proxy certs were created successfully, but the mailboxd cert failed to install. Here's what I get when I try to view the mailboxd cert.

    zmcertmgr viewdeployedcrt mailboxd
    ::service mailboxd::
    XXXXX ERROR: failed to export /opt/zimbra/mailboxd/etc/mailboxd.pem from keystore.

    keytool error: java.lang.Exception: Alias <jetty> does not exist

    unable to load certificate
    20972:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
    notBefore=Aug 25 16:34:24 2007 GMT
    notAfter=Aug 24 16:34:24 2009 GMT
    subject= /C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/
    issuer= /C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/

    Now my /opt/zimbra/mailboxd/etc/keystore file is only 32 bytes. Prior to this process it was 1339 bytes. I've been mucking around in the zmcertmgr bash script, but I'm not getting anywhere.

    What just happened and what do I need to do to get my certs straightened out?

  2. #2

    OK, after spending all day, I got this straightened out. Unfortunately, I can't pinpoint exactly what I did to fix the problem. Out of desperation, I downloaded a newer version of zmcertmgr (5.0.14) and temporarily changed the permissions of /opt/zimbra/ssl/etc/ to 777. This appears to have cleared up the problems with keytool failing.
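
Added example, not part of either post and not Zimbra's own code: the 32-byte keystore reported in the first post is exactly the size of a Java JKS file with zero entries (12-byte header plus a 20-byte SHA-1 integrity digest), which matches keytool's "Alias <jetty> does not exist". The sketch below reads that header and optionally checks the digest; it assumes the keystore is in JKS format, and the function names and the sample password are hypothetical.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE
HEADER = struct.Struct(">III")   # magic, version, entry count (big-endian)
DIGEST_LEN = 20                  # trailing SHA-1 integrity digest


def jks_digest(body, password):
    """Keyed SHA-1 that JKS appends: password (UTF-16BE) + fixed salt + body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def inspect_keystore(data, password=None):
    """Return format, version, entry count and (optionally) integrity status."""
    if len(data) < HEADER.size + DIGEST_LEN:
        return {"status": "truncated", "size": len(data)}
    magic, version, count = HEADER.unpack_from(data)
    if magic == JKS_MAGIC:
        fmt = "JKS"
    elif magic == JCEKS_MAGIC:
        fmt = "JCEKS"
    else:
        return {"status": "not-a-keystore", "size": len(data)}
    info = {"status": "empty" if count == 0 else "ok", "format": fmt,
            "version": version, "entries": count, "size": len(data)}
    if password is not None and fmt == "JKS":
        # The digest covers everything before the last 20 bytes.
        body, digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
        info["integrity_ok"] = digest == jks_digest(body, password)
    return info


def build_empty_jks(password):
    """Constructed sample: a valid JKS file holding zero entries."""
    body = HEADER.pack(JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)


if __name__ == "__main__":
    sample = build_empty_jks("constructed-password")  # constructed sample input
    print(len(sample), inspect_keystore(sample, "constructed-password"))
```

On the server, the input would be the bytes of /opt/zimbra/mailboxd/etc/keystore read in binary mode; an "empty" result before a redeploy means the mailboxd key pair has to be re-imported rather than repaired in place.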
