
Thread: [SOLVED] Can't install my commercial certificate

  1. #1

    Default [SOLVED] Can't install my commercial certificate

    Hi all,

    I am running zcs-6.0.6_GA_2330.DEBIAN5_64.20100505212715 on Debian 5.0

    After the installation was successful, I had the zimbra admin console generate a csr file that I gave to StartCom.

    I got a crt file back and I went on to installing it via the gui.

    I got the following error:
    Code:
    Message: 
    Your certificate was not installed due to the error : invalid request: missing required element: keysize 
    Error code: ZaCertWizard.prototype.installCallback 
    Method: AjxException.UNKNOWN_ERROR Details:invalid request: missing required element: keysize
    After a bit of reading I copied and renamed my crt file to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'.

    I checked that the csr file was still the same I used to request the crt file.

    As root, I then ran the following command and got the error:

    Code:
    # wget --no-check-certificate https://www.startssl.com/certs/ca.pem
    # wget --no-check-certificate https://www.startssl.com/certs/sub.class2.server.ca.pem
    # cat ca.pem sub.class2.server.ca.pem > commercial_ca.crt
    
    # ls -l
    total 24
    -rw-r--r-- 1 root root 4972 2010-05-25 00:28 commercial_ca.crt
    -rw-r--r-- 1 root root 5662 2010-05-25 00:27 commercial.crt
    -rw-r--r-- 1 root root 1086 2010-05-24 23:33 commercial.csr
    -rw-r----- 1 root root 1679 2010-05-24 23:33 commercial.key
    
    # /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
    ** Verifying commercial.crt against commercial.key
    unable to load certificate
    12564:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:749:
    XXXXX ERROR: Unmatching certificate (commercial.crt) and private key (commercial.key) pair.
    I read that adding a space at the end of the crt might help but I got the same error.

    Can anyone help me solve this one?

    Thanks
    -Ed
    Last edited by ecobrazim; 05-24-2010 at 04:39 PM. Reason: better error code
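
    The `bad end line` error above means OpenSSL could not parse the END marker of a PEM block. One common way to get there is concatenating PEM files when one of them lacks its final newline. The following is an added example, not part of the original post: a structural lint for PEM files, with `pem_lint` and `pem_demo` as hypothetical names and a constructed sample body.

```shell
#!/bin/sh
# Added example (not from the thread): structural lint for PEM files.
# pem_lint FILE prints one finding per line; returns 0 when clean, 1 otherwise.
pem_lint() {
    out=$(
        awk '
        { line = $0; sub(/[ \t\r]+$/, "", line) }      # ignore trailing blanks and CR
        index(line, "-----") == 0 { next }              # base64 body line
        line !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----$/ {  # fused or damaged marker
            printf "line %d: malformed marker line\n", NR; next
        }
        {
            kind = (substr(line, 6, 3) == "END") ? "END" : "BEGIN"
            label = line
            sub(/^-----(BEGIN|END) /, "", label); sub(/-----$/, "", label)
        }
        kind == "BEGIN" {
            if (cur != "") printf "line %d: BEGIN %s inside open %s block\n", NR, label, cur
            cur = label; blocks++; next
        }
        {
            if (cur == "") printf "line %d: END %s without BEGIN\n", NR, label
            else if (cur != label) printf "line %d: END %s does not match BEGIN %s\n", NR, label, cur
            cur = ""
        }
        END {
            if (cur != "") print "end of file: missing END " cur
            if (blocks == 0) print "no PEM block found"
        }' "$1"
        # A file without a final newline fuses with whatever cat appends next.
        if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
            echo "end of file: no final newline"
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: a.pem lacks its final newline, so cat fuses END and BEGIN.
pem_demo() {
    t=$(mktemp -d) || return 1
    body='Q09OU1RSVUNURUQ='   # base64 of "CONSTRUCTED", not a real certificate
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$t/a.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$t/b.pem"
    cat "$t/a.pem" "$t/b.pem" > "$t/bundle.crt"
    pem_lint "$t/bundle.crt"; rc=$?
    rm -rf "$t"
    return $rc
}
```

    Run `pem_lint` on each downloaded file and on the concatenated bundle before passing them to zmcertmgr.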

  2. #2

    Default

    1. Place the csr and the private key in /opt/zimbra/ssl/zimbra/commercial directory and name them: commercial.csr and commercial.key.
    2. Make sure the permissions are set to 740 root:root
    3. Make a new directory, ex: /root/certs
    4. Place the signed cert and the bundle cert in /root/certs
    5. Verify that the cert and the key match via this command, run as root:
      # cd /root/certs
      # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./<crt_file> ./<bundle_file>
    6. If the output looks good, you can deploy the certificate via this command:
      # /opt/zimbra/bin/zmcertmgr deploycrt comm ./<crt_file> ./<bundle_file>
    7. The final step would be to restart the zimbra services for the change to take effect
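
    The checks behind steps 5 and 6 can also be run with plain openssl before any file is handed to zmcertmgr. The following is an added example, not part of the original post: the function names are hypothetical, and every key and certificate it creates is constructed throwaway test material.

```shell
#!/bin/sh
# Added example: pre-deployment checks done with plain openssl.
# All keys and certificates below are constructed throwaway test material.

# key_matches_cert KEY CRT: 0 when CRT carries the public key of KEY.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# chain_verifies CRT BUNDLE: 0 when CRT chains to a CA present in BUNDLE.
chain_verifies() {
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q ': OK$'
}

# make_ca DIR NAME: self-signed test CA written to DIR/NAME.key and DIR/NAME.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_demo: prints a temp directory holding two test CAs, a server key,
# a server certificate signed by ca_a, and an unrelated key.
make_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca_a && make_ca "$d" ca_b || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/commercial.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/ca_a.crt" -CAkey "$d/ca_a.key" \
        -CAcreateserial -days 1 -out "$d/commercial.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    printf '%s\n' "$d"
}

# Usage on real files:
#   key_matches_cert commercial.key commercial.crt && \
#   chain_verifies commercial.crt commercial_ca.crt && echo "safe to deploy"
```

    A certificate that fails `chain_verifies` against the bundle you are about to deploy will also fail for any client that trusts only that bundle.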

  3. #3

    Default

    Hi Krishopper,

    The installation of the key worked beautifully, thanks, but I am now getting the following errors when restarting the service.
    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt 
    ** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./commercial.crt: OK
    ** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    
    # su - zimbra
    
    $ zmcontrol stop && sleep 5 && zmcontrol start
    Host mail.precognet.com
            Stopping stats...Done.
            Stopping mta...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping ldap...Done.
    Host mail.precognet.com
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
            Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled!  failed.
            Starting mailbox...Done.
            Starting antispam...Done.
            Starting antivirus...Done.
            Starting snmp...Done.
            Starting spell...Done.
            Starting mta...Done.
            Starting stats...Done.
    I admit I am rushing off to work and did not take the time to check the net for this problem. I will do so this evening unless you have a quick fix to my problem.

    Anyway, the cert is installed so I'm one step further. Thanks!
    -Ed

  4. #4

    Default

    I didn't encounter any such issue, but from a quick search, check the forums for "Enabled services read from cache" and see if you can find some answers.

    Quick searching shows that /etc/hosts didn't contain "localhost.localdomain localhost" for 127.0.0.1 in a few cases, possibly an expired certificate, bad DNS?

  5. #5

    Default

    OK, so I did do some reading and I did find the solution

    First of all, I checked the hosts file to get rid of the error as mentioned here:

    Code:
    Enabled services read from cache. Service list may be inaccurate.
    Now to fix the following error and the error above:

    Code:
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    ... I did (as root) with zimbra still running:
    Code:
    # /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /root/certs/commercial.crt
    Thanks robmc

    I then restarted the zimbra services and shazam, all is working!

    Thank you all for your help.
    -Ed

  6. #6

    Default Installing GoDaddy SSL Certificate on Zimbra versions 5 and 6

    Here's a lengthy write up I made using information from several threads:

    IT Bang Bang: Installing $12.99 GoDaddy SSL Certificate on Zimbra versions 5 and 6

    I hope it helps people get their Certificates properly set up.

    Leave me comments if it worked.
