Results 1 to 6 of 6

Thread: [SOLVED] Certificate problem with 6.0.5

  1. #1
    Join Date
    Jul 2007
    Location
    Brazil
    Posts
    55
    Rep Power
    8

    Exclamation [SOLVED] Certificate problem with 6.0.5

    Dear all,

    I made upgrade to zimbra 6.0.5. When I tried to install a new certificate
    I received this error.

    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial
    commercial_ca.crt commercial.crt commercial.csr commercial.key
    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt root.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    [root@mailhost certs]# cat class3.crt root.crt >> commercial_ca.crt
    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/comm
    ercial/commercial.key ./commercial.crt commercial_ca.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt commercial_ca.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    ** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    I saw the same error in another post but I didnīt find the solution.

    How do I fix this?

    Best regards,
    Bibo

  2. #2
    Join Date
    Jul 2007
    Location
    Brazil
    Posts
    55
    Rep Power
    8

    Default

    I run the zmcertmgr command in debug mode to help me and I found out that my problem was the commercial.crt file. This file finish in that line.
    -----END CERTIFICATE-----
    Then I added new line (\n) and the script run without problem.

    [root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    ** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@mailhost certs]#

    Best regards,
    Bibo

  3. #3
    Join Date
    Aug 2007
    Location
    London, UK
    Posts
    297
    Rep Power
    8

    Default

    bibo I want to say a big THANK YOU for posting this.
    Spent 5 hours trying to get this going and that newline character was the problem all along. Thanks!

    Cheers, B
    Last edited by batfastad; 06-25-2010 at 10:50 AM.

  4. #4
    Join Date
    Oct 2008
    Location
    Alberta
    Posts
    19
    Rep Power
    7

    Default

    bibo - My thanks as well. I've been struggling getting my cert installed and I thought I had it fixed until I started receiving the same error that you wrote in your first post.

  5. #5
    Join Date
    Jun 2010
    Posts
    5
    Rep Power
    5

    Default

    This worked for me. Very simple

    First Generate CSR in GUI

    Save resulting Cert file as commercial.crt

    Download Thawte Root Certs: https://www.thawte.com/roots/index.html

    Find Thawte Server CA.pem in folder "Thawte SSL123 Roots" and rename to commercial_ca.crt

    Upload commercial.crt and commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial

    Verify Certificate

    As root run: /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt

    /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
    ** Verifying commercial.crt against commercial.key
    Certificate (commercial.crt) and private key (commercial.key) match.
    Valid Certificate: commercial.crt: OK
    Install Certificate

    As root run: /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Restart Zimbra services zmcontrol restart as zimbra user.

    ****
    One more Note:

    Zimbra recommends that you place those files (Trusted Root and commercial.crt) elsewhere and let the zmcertmgr tool copy them to the proper location and install them into ldap. Like the following:

    /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
    ****
    Last edited by itdoug; 07-07-2010 at 06:00 AM.

  6. #6
    Join Date
    Jul 2008
    Posts
    7
    Rep Power
    7

    Default

    Dear bibo,

    A big thank you to your valuable guides here!!!

Similar Threads

  1. [SOLVED] Problem when install CAcert certificate
    By bibo in forum Administrators
    Replies: 4
    Last Post: 11-17-2008, 05:49 AM
  2. problem with certificate + WM6?
    By raul_denia in forum Zimbra Mobile
    Replies: 0
    Last Post: 09-01-2008, 06:39 AM
  3. Certificate fun...
    By TommyTheKid in forum Administrators
    Replies: 2
    Last Post: 02-12-2008, 05:32 PM
  4. SSL certificate problem(?) Tomcat not working
    By akai in forum Installation
    Replies: 1
    Last Post: 07-02-2007, 03:43 PM
  5. Certificate problem with SMTP using TLS
    By yuit in forum Installation
    Replies: 4
    Last Post: 11-02-2006, 06:03 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •