Thread: [SOLVED] [zmcertmgr] error deploying comm startcom sslcert

  1. #1
    Join Date
    Jul 2010

    Hi there,

    I'm running Release 6.0.7_GA_2473 on Debian Testing.
    I tried to install a commercial StartCom SSL cert as described in the Zimbra wiki and here. Everything went fine until I tried to deploy the cert:
    server:~# /opt/zimbra/bin/zmcertmgr deploycrt comm /root/.ssl/commercial.crt /root/.ssl/commercial_ca.pem
    ** Verifying /root/.ssl/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/.ssl/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/.ssl/commercial.crt: OK
    ** Copying /root/.ssl/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/.ssl/commercial_ca.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate.../opt/zimbra/bin/zmcertmgr: Zeile 210: /bin/su: Die Argumentliste ist zu lang
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    Apparently, the bash script zmcertmgr tries to pass the ca-bundle (this one) as a string over the command line:

    local content=`cat ${file}`
    echo -n "** Saving $location config key $key..."
    su - zimbra -c "${zimbra_home}/bin/zmprov -m -l -- ${zmprov_opts} ${key} \"$content\" 2> /dev/null"

    The bundle's file size is 132903 bytes, probably hitting some limit for command line argument length in my kernel:
    uname -r
    getconf ARG_MAX
    cat /usr/src/linux/include/linux/binfmts.h | grep MAX_ARG_STRLEN
    #define MAX_ARG_STRLEN (PAGE_SIZE * 32)
    getconf PAGE_SIZE

    Referring to this article:
    And as additional limit, one argument must not be longer than MAX_ARG_STRLEN (131072).
    I guess that the maximum length for that particular argument is slightly exceeded, even though the ARG_MAX is big enough.

    I'd be happy to get some feedback on that.

    Thanks, Hawkeye.

  2. #2
    Join Date
    Jul 2010


    StartCom included about 100k CRLs in the ca-bundle. Removing every single
    -----BEGIN X509 CRL----- 
    -----END X509 CRL-----
    from ca-bundle.pem avoids the problem with the maximum command line argument length.

    Additionally, I had to add a <CR> (newline) to the end of my personal certificate to bypass this.
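
The workaround described in this thread (drop the CRL blocks from the CA bundle, make sure the certificate file ends with a newline, and check the result against the per-argument limit), as an added shell example that is not part of the original posts or of zmcertmgr. The function names, the 512-byte headroom and the sample PEM data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not zmcertmgr code. Function names are hypothetical.

# Per-argument limit quoted in the thread: MAX_ARG_STRLEN = PAGE_SIZE * 32.
max_arg_strlen() { echo $(( $(getconf PAGE_SIZE) * 32 )); }

# Print PEM file $1 with every X509 CRL block removed; certificates are kept.
strip_crls() {
    awk '/^-----BEGIN X509 CRL-----/ { skip = 1 }
         !skip                       { print }
         /^-----END X509 CRL-----/   { skip = 0 }' "$1"
}

# Succeed if file $1 plus $2 bytes of surrounding command text (assumed
# headroom, default 512) fits in one argv string including its NUL byte.
fits_single_arg() {
    size=$(( $(wc -c < "$1") + ${2:-512} ))
    [ "$size" -lt "$(max_arg_strlen)" ]
}

# Append a newline to file $1 if it is non-empty and does not end with one.
ensure_trailing_newline() {
    [ -s "$1" ] || return 0
    [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
}

# Demo on constructed data: two dummy certificates around one oversized CRL.
demo() {
    d=$(mktemp -d) || return 1
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' '-----END CERTIFICATE-----'
        printf '%s\n' '-----BEGIN X509 CRL-----'
        awk -v n="$(max_arg_strlen)" 'BEGIN { for (i = 0; i * 8 < n; i++) print "QUJDRA==" }'
        printf '%s\n' '-----END X509 CRL-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQy' '-----END CERTIFICATE-----'
    } > "$d/ca_bundle.pem"
    strip_crls "$d/ca_bundle.pem" > "$d/ca_chain.pem"
    ensure_trailing_newline "$d/ca_chain.pem"
    fits_single_arg "$d/ca_bundle.pem" && before=fits || before=too-long
    fits_single_arg "$d/ca_chain.pem" && after=fits || after=too-long
    echo "certs=$(grep -c 'BEGIN CERTIFICATE' "$d/ca_chain.pem") before=$before after=$after"
    rm -rf "$d"
}
demo
```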

