I've never been able to get the basic StartSSL cert to work with Zimbra. I don't know if it's me, or if it's StartSSL, but I get the following message when installing it via the CLI:
And the following message when installing it via the admin console:
XXXXX ERROR: Unmatching certificate (/tmp/ssl.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
As far as I know, I'm doing everything correct. I generated a new certificate signing request via the admin console, give the CSR to StartSSL (which they like), and they generate a certificate for me.
Message: invalid request: missing required attribute: server Error code: service.INVALID_REQUEST Method: GetCertRequest Details:soap:Sender
My hunch is that the problem lies with the way my Zimbra server is named. The server itself is named friendlyname.ourdomain.com, but the certificate needs to be for mail.ourdomain.com.
When generating the CSR, I specify "mail.ourdomain.com" as the common name. Should it be a Subject Alternative Name instead....or both?
Or, perhaps, it is a StartSSL problem as "All content of the certificate signing request is ignored except its public key."?
We used to use ipsCA certs and never had an issue (until their CA cert expired)...