Thread: SSL problems

  1. #1
    SSL problems

    For a couple of reasons, I decided to use a commercial SSL certificate from godaddy instead of the self-signed certificate that was created during the install.

    I found this page: http://wiki.zimbra.com/index.php?tit...l_Certificates and followed the instructions for the godaddy certificate at the bottom of the page. Everything seemed to be going fine all the way up until I restarted tomcat. I ran 'tomcat restart' and it took a while but didn't give me any errors. 'zmcontrol status', however, is showing that tomcat is down. I tried 'zmcontrol stop' and 'zmcontrol start' and got the same results.

    I copied the old /opt/zimbra/apache-tomcat-5.5.15/conf/keystore back into place and it started back up fine.

    I then found a couple of posts that said that I needed to run this:

    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
    1. Am I supposed to be replacing my_ca with something else? If so, what?
    2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

    Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem? I didn't see anything obvious in /opt/zimbra/tomcat/logs/

    Any help or suggestions would be greatly appreciated.

    dcm

  2. #2

    Quote Originally Posted by dcm
    > I then found a couple of posts that said that I needed to run this:
    >
    > keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    > keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    >
    > Both said they had an error running the second command. One said the error was "Alias my_ca does not exist", which is the same error I saw when I ran the command. A couple of questions about this:
    > 1. Am I supposed to be replacing my_ca with something else? If so, what?
    > 2. Are these commands just modifying something in the file /opt/zimbra/tomcat/conf/keystore? If so and I am replacing that file with a new one, is it even necessary to run those commands?

    The second command should read
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    but you shouldn't need to run it.

    > Finally, since tomcat is failing to start up, what log file do I look in to see what errors are causing the problem? I didn't see anything obvious in /opt/zimbra/tomcat/logs/
    >
    > Any help or suggestions would be greatly appreciated.
    >
    > dcm

    /opt/zimbra/tomcat/logs/catalina.out

    Chances are that your keypass or storepass is wrong (both should be zimbra) or your keystore is just fubar - did you import the godaddy cert into the same keystore you used to create the cert request? Did you import the godaddy root and intermediate certs?
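
The question in the reply above, whether the certificate went into the same keystore that produced the request, comes down to whether the issued certificate carries the same public key as that request. A way to check this with openssl, added here as an illustration and not part of the original thread; the file names and CN are constructed, and a self-signed certificate stands in for the CA-issued one:

```shell
#!/usr/bin/env bash
# Added example. File names and the CN are constructed for the demo.

# Print the SHA-256 digest of the public key inside a PEM file.
# $1 = kind (key|csr|cert), $2 = path. Fails if the file cannot be parsed.
pubkey_digest() {
    local pub
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if both files carry the same public key.
# $1/$2 = kind and path of the first file, $3/$4 = kind and path of the second.
same_pubkey() {
    local a b
    a=$(pubkey_digest "$1" "$2") || return 1
    b=$(pubkey_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Constructed demo material in directory $1: the original key and CSR, a
# certificate issued for that CSR (self-signed here as a stand-in for the CA),
# and an unrelated key such as a freshly regenerated keystore would hold.
make_demo() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$1/orig.key" -out "$1/orig.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/orig.csr" -signkey "$1/orig.key" -days 1 \
        -out "$1/issued.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d) && make_demo "$d"
same_pubkey csr "$d/orig.csr" cert "$d/issued.crt" && echo "issued.crt matches orig.csr"
same_pubkey key "$d/other.key" cert "$d/issued.crt" || echo "issued.crt does not match other.key"
rm -rf "$d"
```

Against real files, compare the CSR that was submitted with the certificate the CA returned before replacing the keystore.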

  3. #3

    OK, I see an error in catalina.out. It does look like it is a password problem. When I was going through the steps to create the csr, etc., I did use a different password. Does that mean that I have to go back and have godaddy reissue the certificate or can I change that stuff after the fact?

    Thanks,

    dcm

  4. #4

    I think I'm going to have the same problem; I generated my ssl cert with

    openssl req -new -newkey rsa:1024 -nodes -subj '/CN=myhost.domain.com/O=My Company/C=US/ST=Alabama/L=Birmingham' -keyout webmail1.pem -out webmail1.pem

    If this is going to cause a problem, is there a way to fix this so that I can use the already generated (and submitted) certificate?

    Thanks,
    Kyle

  5. #5

    I re-keyed mine and everything is fine now.

    dcm

  6. #6

    Will I need to run
    keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra

    before generating my new certificate? I get
    keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists

    when I try to generate it without running that. I just want to be sure I'm not going to break the existing self-signed ssl cert.

    Thanks,
    kyle
    Last edited by kechols; 09-13-2006 at 01:58 PM. Reason: had the wrong command in my clipboard Ooops ! :D
