Thread: [SOLVED] Network Solutions Certs - certs do not verify

  1. #1

    [SOLVED] Network Solutions Certs - certs do not verify

    Folks, I tried to install my Network Solutions Certs with mixed results.

    =============

    I rechecked the certs and ran into this error:
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    31878:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:749:
    31878:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:

    It is suggested that I add new lines in two of the certs, the "AddTrustExternalCARoot.crt" and "NetworkSolutions_CA.crt" files _only_.

    How is the best way to make that change? Simply hit return at the end of the file or some other code?

    I tried this one other time and must have done something wrong.

    Suggestions Please.

    Tribear
    Last edited by tribear; 07-06-2010 at 05:59 PM.

  2. #2

    No Responses

    Hello out there...I guess I am alone on this one...no responses from anyone?

    -- It is disappointing that this software is so difficult to work with on such important matters as security. Installing certificates from various vendors should be very easy to do. You always seem to have to do some CL magic to get things working. Even then it's hit or miss - no clear documentation anywhere.

    I have used VM products for years and they all work..... I hope VM can clean up this product so many of us - with start up companies will feel confident in the software when it's time to expand and that includes buying Zimbra vs Lotus Notes or others who do a better job.

    If I do not get any responses today I will kill off this thread.

    Tribear
    Last edited by tribear; 07-07-2010 at 09:28 AM. Reason: Wording Errors

  3. #3

    Finding some answers and experimenting.

    Ok...

    Found some answers that helped.
    So far the CAT of certs >> commercial_CA.crt worked out with lines added to certs 1 & 2.
    After running the verify on comm certs got the messages I needed to deploy. After running deploy all ran OK until the end.
    Creating the pkcs12 file is still an issue.

    I need some help on this one... any ideas from anyone would be helpful.

    Tribear

    [root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm

    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
    [root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK

    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file

    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file

    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key
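
The "bad end line" error in post #1 and the `cat` step described in this post come down to PEM files that do not end in a newline, so joining them puts an END marker and the next BEGIN marker on one line. The following is an added example, not code from any poster or from Zimbra; the function names are hypothetical and the sample input in any test run is constructed.

```shell
#!/bin/sh
# Added example: join PEM certificates into one CA bundle without fusing
# the END/BEGIN marker lines.
# Usage: build_ca_bundle commercial_ca.crt <CA files, in the order your
#        install instructions give>

# Succeeds when the file is non-empty and its last byte is a newline.
pem_ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Succeeds when an END marker is followed by a BEGIN marker on the same
# line, the condition OpenSSL reports as "bad end line".
pem_has_fused_markers() {
    grep -Eq -e '-----END [A-Z0-9 ]+-----[[:space:]]*-----BEGIN ' "$1"
}

# build_ca_bundle OUT IN1 [IN2 ...]
# Concatenates the inputs in the order given, adding a newline after any
# input that lacks one. The result is checked before it replaces OUT.
build_ca_bundle() {
    out=$1; shift
    tmp="${out}.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2; rm -f "$tmp"; return 1
        fi
        cat "$f" >> "$tmp"
        pem_ends_with_newline "$f" || printf '\n' >> "$tmp"
    done
    # grep -c exits non-zero on a count of 0, so keep the count and go on.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$tmp" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$tmp" || true)
    if pem_has_fused_markers "$tmp" || [ "$begins" -eq 0 ] ||
       [ "$begins" -ne "$ends" ]; then
        echo "refusing to write $out: malformed PEM markers" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}
```

The same newline check applies to commercial.crt itself, since the deploy step appends the CA chain to it.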
     

  4. #4

  5. #5
    Join Date
    Oct 2009
    Location
    North Carolina, USA
    Posts
    58
    Rep Power
    6

    Default

    Ok... After discovering that my commercial.crt also needs a CR at the end of the file so the deploy command can properly append the commercial_ca.crt - I reran the verify and deploy commands. Looks good!? - don't be fooled.

    On restart the logger gets upset. See below.

    bdial - got any other ideas?

    [root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
    [root@mail1 commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    ------------------------------------------------------------
    [zimbra@mail1 root]$ zmcontrol start
    Host mail1.xxxxxxxxxxx.com
    Starting ldap...Done.

    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.

    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.
     
    Starting mailbox...Done.
    Starting memcached...Done.
    Starting imapproxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.

  6. #6

  7. #7
    Join Date
    Oct 2009
    Location
    North Carolina, USA
    Posts
    58
    Rep Power
    6

    Default

    Well... after all this messing around... I got tired of the certificate issues and asked Network Solutions to reissue mine.

    I will start back at this when they arrive.... tune in later... to be continued.

    Tribear

  8. #8

    Hi, I'm not sure if I should start a new thread or reply to this one, but I'm having a similar issue with my Network Solutions cert. I'm trying to renew my SSL cert. Everything looked like it validated correctly. I download the .crt files and proceed to install it. When I run

    /opt/zimbra/bin/zmcertmgr verifycrt comm


    I get

    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    XXXXX ERROR: Unmatching certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.


    I'm not sure why it's happening. Everything seems correct. I tried it several times. I successfully did this two years ago so I'm just following the same steps. It's based on these instructions: "Installing a Network Solutions Certificate on ZCS 5.0.x" (Zimbra Wiki).

    Any help is appreciated. I'm stumped at this point. Thank you very much!

  9. #9

    Network Solutions Certs - Up and Running

    All - Just as they say "keep it simple".

    After all the coffee and eyestrain here's my solution:

    1. Use the Zimbra Admin Web UI to generate your certificate request (CSR) and Download it.




    2. Save it ..... and the /opt/zimbra/ssl/zimbra/commercial/ files:
    commercial.csr, commercial.key -----somewhere safe.
    3. Open the CSR download, copy and paste it (all of it!) into the Network Solutions certificate tool.


    4. When Network Solutions emails you that you can download your certs, go get them and save them somewhere safe.

    When you open the file (zipped up bundle) you should have:
    Your.Server.COM.crt (server's crt)
    AddTrustExternalCARoot.crt (Root CA)
    NetworkSolutions_CA.crt (intermediate crt)
    UTNAddTrustServer_CA.crt (intermediate crt)
    5. Log on to your server as ROOT and copy them - as they are - to a directory e.g. /root/certs.

    6. Now use the Zimbra Admin UI certificate manager to install the commercial certificates above. Selecting them as you browse /root/certs. Cross fingers here. Hit Install.

    7. If all is well you will get a note from the tool that they installed correctly.

    8. STOP! Before you do anything else open a terminal window and run this command to fix the nasty ldap and logger issues I saw earlier.

    /opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    Note: I am not sure why the installer does not handle this for you. Maybe a bug. Hopefully the code ninjas will take care of it soon.

    9. Next Step - run su zimbra, zmcontrol stop - then pause for some air - run zmcontrol start.

    Have a peaceful day....
    Last edited by tribear; 07-08-2010 at 10:21 PM. Reason: spelling errors
