Thread: [SOLVED] Deploy Zimbra Certificate error

  1. #1
    Join Date
    Oct 2008
    Location
    Portugal, Castelo Branco
    Posts
    63
    Rep Power
    7

    Hi all !

    I'm trying to deploy a "commercial" certificate in Zimbra, but with no success.

    I've used Zimbra Administration Console to generate the server CSR.
    After sending it to the authority, they've sent the certificate.
    Until here, no problem.

    The problem is, the authority is not some commercial per se...

    My email server is inside a private network and these guys are the responsible entity for the private network. If I want to have a server visible in the outside world, they must create the certificate and then I deploy it in the server I want.

    I've generated the CSR and sent it to them.

    They sent me two files - the CER file of my Zimbra server (the one generated against my CSR file) and another one from them, as an authority.

    How do I deploy them in Zimbra?

    Every time I go to the Zimbra administration console and try to deploy the certificate, this is how I do it:

    Install Certificate -> Select Server -> Install the Commercially Signed Certificate -> (I review the CSR) ->
    Now, I have 3 options:
    The Certificate
    The Root CA
    Intermediate CA

    I try to use the certificate with the one sent to me, but I don't have anything like Root CA and Intermediate CA.

    I remove the Intermediate CA because I don't think I need it.
    I use their certificate as the Root CA and press NEXT and I get the following error:

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: Message: Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: XXXXX ERROR: Invalid Certificate Chain:

    Am I missing the root CA or am I doing something wrong?

    They have an ISA server and probably they think we have Exchange server...

    How can I solve this?

    Cheers,

    Bruno Santos

  2. #2
    No answer?

    Well, I'm doing this over CLI now.

    I've made some progress, but now I have Zimbra complaining about the commercial_ca.crt file.

    I don't have this one... I only have a .cer file given to me by the authority who created my certificate. This is the output of zmcertmgr:

    Code:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/<my_certificate_after_sent_to_authority>.cer 
    ** Verifying /root/<my_certificate_after_sent_to_authority>.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/<my_certificate_after_sent_to_authority>.cer) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    25681:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt','r')
    25681:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
    25681:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
    recognized usages:
        sslclient     SSL client
        sslserver     SSL server
        nssslserver    Netscape SSL server
        smimesign     S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign       CRL signing
        any           Any Purpose
        ocsphelper    OCSP helper
    XXXXX ERROR: Invalid Certificate:

    How can I convert my .cer file from my authority into the .crt file requested by Zimbra?

    I know that cer and crt are interchangeable, but this cer file is binary... should it be?

  3. #3
    Well, I solved it!

    I've converted the authority .cer file to PEM using openssl:
    Code:
    openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
    In /opt/zimbra/ssl/zimbra/commercial I've renamed the .pem to commercial_ca.crt and executed the following commands:

    Code:
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/<my_certificate_signed_by_authority>.cer
    They matched and next I deployed it:
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /root/<my_certificate_signed_by_authority>.cer /root/<the_authority_certificate_in_pem_format>.pem
    Restarted mailboxd (as zimbra user).

    Working fine!

    Cheers,

    Hope it helps someone

    I've used this page in the Zimbra wiki as reference
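
The conversion from post #3 together with the two checks visible in the `zmcertmgr verifycrt` output (key match, then chain verification against the CA file), as an added example that is not part of the original thread and is not Zimbra's own code. It assumes `openssl` is on the PATH; the function names, file names and certificate subjects are constructed for the demo, which builds a throwaway CA so it runs without touching a real Zimbra install.

```shell
# Added example; every name and subject here is constructed for the demo.

# Print "pem", "der" or "unknown" for the certificate file $1.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem
    elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then echo der
    else echo unknown; fi
}

# Write a PEM copy of $1 to $2, converting from DER only when needed.
to_pem() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "not an X.509 certificate: $1" >&2; return 1 ;;
    esac
}

# Succeed only if certificate $1 (PEM) carries the public key of private key $2.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$cert_pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeed only if certificate $1 chains to the CA certificate $2 (both PEM).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway CA and server cert in directory $1, exported as binary .cer.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
    openssl x509 -in "$1/ca.pem" -outform der -out "$1/authority.cer"
    openssl x509 -in "$1/server.pem" -outform der -out "$1/server.cer"
}

work=$(mktemp -d)
make_demo_pki "$work"
echo "authority.cer is $(cert_format "$work/authority.cer")"
to_pem "$work/authority.cer" "$work/commercial_ca.crt"
to_pem "$work/server.cer" "$work/commercial.crt"
key_matches "$work/commercial.crt" "$work/server.key" && echo "key matches"
chain_ok "$work/commercial.crt" "$work/commercial_ca.crt" && echo "chain verifies"
rm -rf "$work"
```

Running both checks before `deploycrt` separates a wrong-key problem from a wrong-CA or wrong-encoding problem, which the single "Invalid Certificate Chain" message in the admin console does not.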
