Results 1 to 2 of 2

Thread: SSL cert install fails (ver 6)

Hybrid View

  1. #1
    Join Date
    Dec 2010
    Posts
    5
    Rep Power
    4

    Default SSL cert install fails (ver 6)

    I am at the end of my rope here.

    I just purchased a new cert from Godaddy and I am completely unable to install it on my server.

    I have followed every advice/recommendation I found in the wiki, the forums but nothing has worked.

    I get the following error
    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.
    Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair. Error code: ZaCertWizard.prototype.in...
    I have re-keyed the cert so many times by now that I wouldn't be surprised if godaddy calls me to laugh at me.

    A little background:
    - I changed the hostname of the server (could this affect the commercial.key?)
    - I had a self signed cert there for the previous name.
    - I generated a request from the GUI
    - I got a standard SSL cert from Godaddy
    - downloaded it as Apache, Tomcat, Other
    - I tried using the gui to upload the crt (got the errors above)
    - I tried all the tricks here: Installing_a_GoDaddy_Commercial_Certificate_on_ZCS _5.0.x, 21659-solved-godaddy-certificate.html and many more like this none of them works.


    I am open to ANY advice.

    Is there a way to totally remove the requests that are pending in Zimbra?
    right now I have so many folders under the /opt/zimbra/ssl/ from all the attempts that if I could just format the box and restart from scratch I would be tempted but I have 8 mailboxes for people who would hate to lose their stuff.

    Thoughts?

  2. #2
    Join Date
    Dec 2010
    Posts
    1
    Rep Power
    4

    Default

    I've struggeled with the same problem. My suggestin is - try to install the cert using CLI command zmcertmgr. I installed my commercila cert from Verisign. I think it should be similar procdure for godaddy.
    1. Backup commercial.csr and commercial.key.
    2. Stop zimbra
    3. Remove all from /opt/zimbra/ssl/zimbra/ca/* and /opt/zimbra/ssl/zimbra/commercial/*
    4. Copy backuped commerccommercial.csr and commercial.key to /opt/zimbra/ssl/zimbra/commercial/
    5. Copy cert you'v download from Godaddy to /tmp
    $cp godaddy_cert.crt /tmp/commercial.crt
    6. Download root cert (CA) and intermediate cert from Godaddy (I found a bunch of the certs on Verisign I hope Godaddy has the same)
    7. Copy root CA and Intermediate cert to /tmp as one file:
    $cat ca_root.crt ca_intermediate.crt > /tmp/ca_chain.crt
    8. Verify the cert chain:
    $sudo /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
    If chain is OK, you'll get a message like:
    "“** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match. Valid Certificate: /tmp/commercial.crt: OK

    If you have eror messages, it means the certificate path or chain is broken and you are missing certificate files. In most cases the intermediate cert is the path or chain that is affected. For more info on certificate path verification, please take a look at Cryptography Tutorials - Herong's Tutorial Notes - OpenSSL - Certification Path and Validation
    9. Create Self-Sign CA files
    $sudo /opt/zimbra/bin/zmcertmgr createca
    New files ca.pem, ca.key, zmssl.cnf will be created in /opt/zimbra/ssl/zimbra/ca/ folder
    10. Install the commercial certificate with the command
    $sudo /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
    11. Verify the certificate was deployed
    $sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    12. Fix /opt/zimbra permissions
    $sudo /opt/zimbra/libexec/zmfixperms
    13. Start Zimbra

Similar Threads

  1. ZD untrusted Verisign SSL cert
    By JaymeH in forum General Questions
    Replies: 10
    Last Post: 01-12-2012, 06:39 AM
  2. SSL certificate installation fails
    By TheInfinity in forum Administrators
    Replies: 0
    Last Post: 12-09-2010, 04:06 AM
  3. Replies: 23
    Last Post: 05-06-2008, 03:24 PM
  4. fresh install (both OS and Zimbra) but zimbra-spell fails
    By xtremetoonz in forum Installation
    Replies: 14
    Last Post: 09-09-2007, 01:34 AM
  5. Replies: 2
    Last Post: 03-25-2007, 10:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •