
Thread: Thawte SSL123 (Did not Use Admin Panel)

  1. #1
    Join Date
    May 2006
    Posts
    33
    Rep Power
    9

    Default Thawte SSL123 (Did not Use Admin Panel)

    That's right my client went ahead and purchased a Thawte ssl123 cert without consulting me first and did not know about the admin panel and having to use it to create the CSR first. So we have an SSL123 created the standard way from the linux command prompt. Is there any way to get this sucker working in Zimbra?
    5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition

  2. #2
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Default

    well i've just spent 3 hours wiki'ing, forum'ing and googl'ing and eventually found the answer to this - it's pretty cryptic (no pun intended)

    request the cert in tomcat format, download the signed cert in x.509 format (you have to cut and paste into a file, call it commercial.crt).

    download the root ca cert from here:
    https://search.thawte.com/support/ss...INK&id=AR1470#
    again, cut and paste into a file, call it ca.root

    download the ssl intermediate bundle cert from here:
    https://search.thawte.com/support/ss...LINK&id=AR1372
    you'll want to choose the 'Apache, Plesk & CPanel' option 1, ie 'Download the Bundled CA version' - save it to ca.inter

    now concatenate the two:
    cat ca.root ca.inter >commercial_ca.crt

    edit the newly created commercial_ca.crt and make sure that the ---BEGIN and ---END lines are all on their own line, and there are no empty gap lines anywhere.

    then verify:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt

    hopefully this goes ok - if you get any weird errors you either have requested the cert wrong or have not quite got the above steps 100% correct.

    then install:
    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

    then restart zimbra

  3. #3
    Join Date
    May 2006
    Posts
    33
    Rep Power
    9

    Default

    Thanks for your post but I am just so frustrated by this process. I've created a new CSR and got a new SSL123 cert from thawte. Here is what I did:

    1. Backup/remove 2009's key/crt/csr in /opt/zimbra/ssl/zimbra/commercial
    2. Zimbra Admin panel - generate CSR - verified they created in /opt/zimbra/ssl/zimbra/commercial on server
    3. Issued/received new certificate from Thawte with new CSR
    4. Uploaded it to /opt/zimbra/ssl/zimbra/commercial.crt
    5. Ran /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt thawte-bundle.ca

    Error:
    Code:
    ** Verifying commercial.crt against commercial.key
    Certificate (commercial.crt) and private key (commercial.key) match.
    XXXXX ERROR: Invalid Certificate: commercial.crt: /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    error 2 at 2 depth lookup:unable to get issuer certificate
    I am pretty sure I have the wrong "thawte-bundle". There are like a thousand different bundles on thawte's site I can't figure out what in the world to download for this. Anyone know?

    Also, should I be using the admin panel for this? It asks me for the certificate, the root ca and the intermediate ca. I don't know what to upload for the root and intermediate.

    Could someone please explain what I need to do to renew this certificate? What thawte root CAs I need to download? Should I be using the command line or the admin panel? Please help I am so exhausted from this. Thanks.
    5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition

  4. #4
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Default

    you've got the wrong ca bundle. i gave you precise links and instructions above to get the right ones!

  5. #5
    Join Date
    May 2006
    Posts
    33
    Rep Power
    9

    Default

    Thank you so much. Those two bundles were my entire problem. There are all kinds of bundles on Thawte's site and how you figured out which ones to use is beyond my mere mortal knowledge. I never could have figured that out on my own. Thankfully we purchased a 2 year cert and I don't have to deal with this crap for a while.
    5.0.7_GA_2444.RHEL5_64_20080626020449 RHEL5_64 FOSS edition

  6. #6
    Join Date
    Jul 2012
    Posts
    12
    Rep Power
    3

    Default

    Quote Originally Posted by dijichi2 View Post
    well i've just spent 3 hours wiki'ing, forum'ing and googl'ing and eventually found the answer to this - it's pretty cryptic (no pun intended)

    request the cert in tomcat format, download the signed cert in x.509 format (you have to cut and paste into a file, call it commercial.crt).

    download the root ca cert from here:
    https://search.thawte.com/support/ss...INK&id=AR1470#
    again, cut and paste into a file, call it ca.root

    download the ssl intermediate bundle cert from here:
    https://search.thawte.com/support/ss...LINK&id=AR1372
    you'll want to choose the 'Apache, Plesk & CPanel' option 1, ie 'Download the Bundled CA version' - save it to ca.inter

    now concatenate the two:
    cat ca.root ca.inter >commercial_ca.crt

    edit the newly created commercial_ca.crt and make sure that the ---BEGIN and ---END lines are all on their own line, and there are no empty gap lines anywhere.

    then verify:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt commercial_ca.crt

    hopefully this goes ok - if you get any weird errors you either have requested the cert wrong or have not quite got the above steps 100% correct.

    then install:
    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

    then restart zimbra
    I did pretty much exactly this but with a GeoTrust DV (not EV "extended verification") cert from Tucows/OpenSRS. This actually works, mind the carriage returns and no linefeeds in the cert files. You need to download the GeoTrust root (and guess which one of 15 of them is the right one, in this case it's http://www.geotrust.com/resources/ro..._Global_CA.pem )

    Cat the cert files together (after editing them to insert newlines, don't mess up any of the alphanum text data in the cert!), save, cat them as per above, verify, and install.

    Works fine. So just another confirmation that this works/still works. Am on Zimbra 7.0whatever is current as of July 5 2012.
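
The formatting checks described in posts #2 and #6 (BEGIN/END markers on their own lines, no blank lines, stray carriage returns), as an added example that is not part of the original thread or of Zimbra. The function names pem_lint, pem_normalize and make_sample are hypothetical, and the sample bundle is constructed placeholder data, not real certificates.

```shell
# Added example (hypothetical helper names): lint and repair a concatenated PEM CA bundle.

# pem_lint FILE: print one finding per line; exit status 0 only if the file is clean.
# Stricter than PEM requires: any text outside the base64 body is reported too.
pem_lint() {
    awk '
        { if (sub(/\r$/, "")) cr++ }                 # count and strip trailing CRs
        /^[ \t]*$/ { print "line " NR ": blank line"; bad++; next }
        /-----(BEGIN|END) CERTIFICATE-----/ {
            if ($0 !~ /^-----(BEGIN|END) CERTIFICATE-----$/) {
                print "line " NR ": BEGIN/END marker is not alone on its line"; bad++
            }
            line = $0
            begins += gsub(/-----BEGIN CERTIFICATE-----/, "", line)
            ends   += gsub(/-----END CERTIFICATE-----/, "", line)
            next
        }
        $0 !~ /^[A-Za-z0-9+\/=]+$/ { print "line " NR ": not base64 text"; bad++ }
        END {
            if (cr) { print cr " line(s) end in a carriage return"; bad++ }
            if (begins != ends || begins == 0) { print "unbalanced or missing markers"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# pem_normalize FILE: write a repaired copy to stdout. Only whitespace and line
# breaks change; the base64 body text is passed through untouched.
pem_normalize() {
    tr -d '\r' < "$1" | awk '{
        gsub(/-----(BEGIN|END) CERTIFICATE-----/, "\n&\n")   # markers onto own lines
        n = split($0, part, "\n")
        for (i = 1; i <= n; i++) if (part[i] !~ /^[ \t]*$/) print part[i]
    }'
}

# Constructed sample (placeholder base64, not real certificates): a CRLF "root"
# file with no final newline, concatenated with an "intermediate" holding a blank line.
make_sample() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtUk9PVA==' > "$1"
    printf '%s' '-----END CERTIFICATE-----' >> "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '' 'Q09OU1RSVUNURUQtSU5URVI=' \
        '-----END CERTIFICATE-----' >> "$1"
}

work=$(mktemp -d)
make_sample "$work/commercial_ca.crt"
pem_lint "$work/commercial_ca.crt" || echo "bundle needs repair"
pem_normalize "$work/commercial_ca.crt" > "$work/commercial_ca.fixed.crt"
pem_lint "$work/commercial_ca.fixed.crt" && echo "repaired bundle is clean"
```

A clean lint only rules out formatting damage in the bundle; a wrong or missing root or intermediate still fails at the zmcertmgr verifycrt step.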

  7. #7
    Join Date
    Mar 2012
    Posts
    3
    Rep Power
    3

    Default

    Quote Originally Posted by mathx View Post
    I did pretty much exactly this but with a GeoTrust DV (not EV "extended verification") cert from Tucows/OpenSRS. This actually works, mind the carriage returns and no linefeeds in the cert files. You need to download the GeoTrust root (and guess which one of 15 of them is the right one, in this case it's http://www.geotrust.com/resources/ro..._Global_CA.pem )

    Cat the cert files together (after editing them to insert newlines, don't mess up any of the alphanum text data in the cert!), save, cat them as per above, verify, and install.

    Works fine. So just another confirmation that this works/still works. Am on Zimbra 7.0whatever is current as of July 5 2012.
    Hi, I am having the same problems. I got a GeoTrust DV QuickSSL cert through OpenSRS. I have pasted the CA and intermediate files into one file, but I am still getting:

    Code:
    # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
    ** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /tmp/commercial.crt: serialNumber = /wJqvrIOj1IlanTxsmgW7M7Z5rdcHpx3, OU = GT24244572, OU = See www.geotrust.com/resources/cps (c)12, OU = Domain Control Validated - QuickSSL(R), CN = mail.tcp.net
    error 20 at 0 depth lookup:unable to get local issuer certificate
    I chose "other" in the certificate type when I got it, but it came emailed as x.205 with the intermediate so I guess that's fine?

    Also I created the CSR through the webUI, but when I try and do this through the browser I get the error:

    Code:
    Your certificate was not installed due to the following error: system failure: exception executing command: zmcertmgr deploy comm /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt . . .
    Anyone have any pointers? I have tried loads of things I found on Google and on here with no luck...
