Thread: Howto: GoDaddy UCC cert renewal

  1. #1

    A lot of people seem to have trouble with GoDaddy certs, especially when renewing. I did, too--tried to use the Admin GUI, fail. Looked through the forums and tried a few things others suggested, without luck. Finally I combined two ideas I'd seen on the forum and it was easy as pie. So I thought I'd share.

    It's all done through the CLI. ZCS in this case is 6.0.6.1.

    Step 1: Generate CSR as root.

    # /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=$country/ST=$state/L=$city/O=$organization/OU=$unit/CN=$FQDN1/CN=$FQDN2"

    The $items are for you to fill in, without the dollar signs of course. In this case I had an organizational unit (OU). If you don't have one, leave out the "/OU=$unit". Also the first $FQDN1 is the primary name on the cert; any Subject Alternative Name(s) go in the second $FQDN2 (and any subsequent ones).

    The output should look something like this:
    Code:
    ** Generating a server csr for download comm -new -keysize 2048 /C=$country/ST=$state/L=$city/O=$organization/OU=$unit/CN=zimbra.company.com/CN=zimbra.company2.com
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100605164109 
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...done.

    If all goes well, the CSR will be in /opt/zimbra/ssl/zimbra/commercial/commercial.csr

    Step 2: Submit CSR to GoDaddy and download the cert.

    # cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr

    Copy & paste the output into the GoDaddy form. For server type, use "Other". Then download the cert zipfile, unzip it, and put the contents somewhere on your zimbra server. E.g. we'll assume they're in /root/certs/ and that the site cert is called zimbra.company.com.crt. The only other cert in the zip is gd_bundle.crt. (I haven't found any need for GoDaddy's intermediate cert bundle, which is apparently included in the downloads for certain servers.)

    Step 3: Verify the cert chain.

    # cd /root/certs/
    # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./zimbra.company.com.crt ./gd_bundle.crt

    The output should be
    Code:
    ** Verifying ./zimbra.company.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./zimbra.company.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./zimbra.company.com.crt: OK

    Step 4: Install the cert

    # /opt/zimbra/bin/zmcertmgr deploycrt comm ./zimbra.company.com.crt ./gd_bundle.crt

    And the output
    Code:
    ** Verifying ./zimbra.company.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./zimbra.company.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./zimbra.company.com.crt: OK
    ** Copying ./zimbra.company.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    Step 5: Check the cert.

    I didn't want to reboot the whole server right away, so I just did
    # su zimbra
    # zmmailboxdctl restart


    Once mailboxd had restarted, I opened the login page with a web browser and inspected the certificate.

    Since I'm not sure if other services (such as mta) need to load the cert independently, I scheduled a full restart (zmcontrol stop && zmcontrol start) for later, after notifying the users.

    (Here's where I found the answers: http://www.zimbra.com/forums/install...tml#post175034 and http://www.zimbra.com/forums/adminis...tml#post176902.)
    Last edited by ewilen; 06-05-2010 at 09:35 PM.
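
The key match, chain and name checks from Steps 3 and 5 can also be run with plain openssl before `deploycrt` changes anything on the server. This is an added example, not part of the original post and not zmcertmgr's own code; the function names, the `--demo` mode and the throwaway CA it builds are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not zmcertmgr's code): pre-deploy certificate checks with openssl.
key_matches_cert() {   # KEY CERT: do both files hold the same public key?
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

chain_verifies() {     # BUNDLE CERT: does CERT chain to a CA in BUNDLE?
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_covers_name() {   # CERT NAME: is NAME in the SAN list (CN if there is no SAN)?
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

precheck() {           # KEY CERT BUNDLE NAME...: run every check, report each one
  local key="$1" crt="$2" bundle="$3" rc=0 n; shift 3
  key_matches_cert "$key" "$crt" && echo "OK   key matches cert" ||
    { echo "FAIL key does not match cert"; rc=1; }
  chain_verifies "$bundle" "$crt" && echo "OK   chain verifies" ||
    { echo "FAIL cert does not chain to $bundle"; rc=1; }
  for n in "$@"; do
    cert_covers_name "$crt" "$n" && echo "OK   cert covers $n" ||
      { echo "FAIL cert does not cover $n"; rc=1; }
  done
  return "$rc"
}

make_demo() {          # DIR: constructed throwaway CA, keys and cert (assumption)
  local d="$1"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
  printf 'subjectAltName=DNS:zimbra.company.com,DNS:zimbra.company2.com\n' > "$d/san.ext"
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=zimbra.company.com" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/server.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # unrelated key, for the mismatch case
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_demo "$d" &&
    precheck "$d/server.key" "$d/server.crt" "$d/ca.crt" zimbra.company.com zimbra.company2.com
elif [ "$#" -ge 4 ]; then
  precheck "$@"
fi
```

Saved under a hypothetical name such as precheck.sh, it takes the howto's own files as `KEY CERT BUNDLE NAME...`, for example the commercial.key path, ./zimbra.company.com.crt, ./gd_bundle.crt and every hostname users connect to.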

  2. #2

    Thanks ewilen. Very helpful, works like a charm.
    Too bad that the GUI doesn't have those options.

  3. #3

    Worked like a charm. Thanks for the steps.

  4. #4

    @Elliot Wilen: Thank you so much for your step-by-step instructions on how to generate a CSR code and installing a certificate from GoDaddy provider.

    Release 6.0.5_GA_2213.UBUNTU8 UBUNTU8 FOSS edition.

  5. #5

    Much thanks for the recipe. Made my day.

  6. #6

    I'm running Release 6.0.2_GA_1912.F7_20091020145320 F7 FOSS edition.
    I tried to install a new GoDaddy certificate without success. I followed these steps but still get the same error:
    "zmcontrol start
    Host server_name.FQDN
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed."

    The only difference was that I created the csr file from the GUI, should I create the CSR file from the command line?

    Thanks

  7. #7

    Gave up, I cannot install the certificate. The only difference I can note is that instead of zimbra.company.com.crt I get company.com.crt.

    Everything is OK until I restart the server.

  8. #8

    Thank you for this howto Elliot!
    It worked flawlessly for me on single-node ZCS 8.0.2, with alias domains, with a GoDaddy UCC certificate.

    david

  9. #9

    @ferra: Hello ferra, get in touch with me if you still need help generating the certificate and installing the GoDaddy cert on your Zimbra server. Let's try to troubleshoot it together. I followed Elliot Wilen's step-by-step instructions; after a few tries it was not successful because of my own errors, but once I sat down without any distraction I was able to accomplish my goal. Again, Elliot Wilen, thank you for your help to the Zimbra community users. BTW, I am running my Zimbra Mail Server on Ubuntu 10 64-bit Server.
