I successfully installed a cert from StartSSL on my old Zimbra 6 server last September so I can't figure out why I can't get this right again. I just replaced the old server with a brand new install on new hardware and I can't get this working properly.
I followed the below instructions as best as I could understand from this link:
What I am not clear on is what is the "private key?" Everyone talks about it in the instructions as if it is plain to all. But I'm not sure what that is. I 'thought' that when I created the request, maybe that was considered the key. I also 'thought' that Zimbra automatically put it in /opt/zimbra/ssl/zimbra/commercial/commercial.key since it was there with the time stamp from when I generated the CSR.
At first I got ldap and logger errors when restarting Zimbra, but I followed the instructions at the bottom and another restart got rid of the errors.1. At this point, the csr and the private key should have been created by Zimbra in /opt/zimbra/ssl/zimbra/commercial directory and name them: commercial.csr and commercial.key.
2. Make sure the permissions are set to 740 root:root (you can skip this step, I did)
3. Make a new directory, ex: /root/certs
4. Place the singed cert and the bundle cert in /root/certs (these are the files you downloaded from your CA)
5. Verify that the cert and the key match via this command run As ROOT
# cd /root/certs
# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./host.yourdomain.com.crt ./bundle.crt
6. If the output looks good, you can deploy the certificate via this command:
# /opt/zimbra/bin/zmcertmgr deploycrt comm ./your.hostname.com.crt ./bundle.crt
7. The final step would be to restart the zimbra services for the change to take effect (see the end of this post)
IF step 7 gives you errors such as "logger service cannot start" or "ldap service" can't start.
Then you need to do the following:
The commercial certs were deployed fine. However you must also as ROOT run:
/opt/zimbra/bin/zmcertmgr addcacert /opt/zimbra/ssl/zimbra/commercial/commercial.crt
Now, I get this e-mail from StartSSL and when I connect via a browser I get a warning message:
Firefox Error:It seems, that the installation of your server certificate with serial number xxxxxx for mymail.mydomain.com is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at StartSSLâ„¢ Certificates & Public Key Infrastructure on how to do that. The missing CA certificate sub.class1.server.ca.pem can be obtained from Index of /certs
Also, if I run the following command from this post:Unable to identify the identity of mymail.mydomain.com as a trusted site.
I get:/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
So it seems I did that already.keytool error: java.lang.Exception: Certificate not imported, alias <new> already exists
I also scoured the forums and the wiki regarding this problem and I can't seem to get any of these instructions to work properly for me. Any help would be appreciated.