Thread: SAN failure - recovery advice

  1. #31

    There may be an easier way, but here is how I got the SSL certs setup on all of the machines in the environment.

    First I set it up on one server. Since I use Comodo, I had several certificate files I had to work with. You must make sure they're in the right order. The subject on one must match the issuer on the next.

    Code:
    AddTrustExternalCARoot.crt
    issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    
    UTNAddTrustSGCCA.crt
    issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
    
    ComodoUTNSGCCA.crt
    issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
    subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
    
    EssentialSSLCA_2.crt
    issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
    subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
    
    STAR_ics-il_net.crt
    issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
    subject= /OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.ics-il.net
    You then have to build a bundled CRT so that Zimbra processes the certificates in the proper order.

    Code:
    [root@mailbox1 SSL]# openssl x509 -in EssentialSSLCA_2.crt -subject -issuer > bundle.crt
    [root@mailbox1 SSL]# openssl x509 -in ComodoUTNSGCCA.crt -subject -issuer >> bundle.crt
    [root@mailbox1 SSL]# openssl x509 -in UTNAddTrustSGCCA.crt -subject -issuer >> bundle.crt
    [root@mailbox1 SSL]# openssl x509 -in AddTrustExternalCARoot.crt -subject -issuer >> bundle.crt
    Then you have to edit out the first two lines of the bundle (subject= and issuer=). I heard the bundle also has to have a blank line at the end.
    Code:
    [root@mailbox1 SSL]# nano bundle.crt
    Deploy!
    Code:
    [root@mailbox1 SSL]# /opt/zimbra/bin/zmcertmgr deploycrt comm STAR_ics-il_net.crt bundle.crt
    ** Verifying STAR_ics-il_net.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (STAR_ics-il_net.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: STAR_ics-il_net.crt: OK
    ** Copying STAR_ics-il_net.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    [root@mailbox1 SSL]# su - zimbra -c 'zmcontrol restart'
    Host mailbox1.ics-il.net
            Stopping stats...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping cbpolicyd...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping zmconfigd...Done.
    Host mailbox1.ics-il.net
            Starting zmconfigd...Done.
            Starting logger...Done.
            Starting mailbox...Done.
            Starting snmp...Done.
            Starting spell...Done.
            Starting stats...Done.
    Now you need to copy some files to each server in the environment. You would replace 10.1.8.9 with the IP of every Zimbra server you want to deploy this certificate on.

    Code:
    scp /root/SSL/STAR_ics-il_net.crt /root/SSL/bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.csr root@10.1.8.9:/root/
    You then run the following on each server.
    Code:
    mkdir /root/SSL
    mv -f /root/commercial.* /opt/zimbra/ssl/zimbra/commercial/
    mv -f *.crt /root/SSL
    cd /root/SSL
    /opt/zimbra/bin/zmcertmgr deploycrt comm STAR_ics-il_net.crt bundle.crt
    su - zimbra -c 'zmcontrol restart'
    Your certificate should now be on every server. Enjoy!
    Release 7.1.4_GA_2555.RHEL5_64_20120105094627 CentOS5_64 FOSS edition.
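    The ordering rule from the post (the subject of one certificate must match the issuer of the next) and the bundle-building step can both be scripted so the chain is checked before it is deployed and the subject=/issuer= lines never land in the bundle in the first place. The script below is an added example written for this thread; it is not from the post and not part of Zimbra. It assumes only that the openssl command-line tool is on PATH; the file names in the usage line are placeholders for whatever the CA sent you.

```shell
#!/bin/sh
# Added example (not from the post): verify that a certificate chain is in
# leaf-to-root order and write a CA bundle containing only PEM blocks.
# Assumes the openssl CLI is on PATH. Works with the "subject= /C=..." output
# of OpenSSL 1.0 and the "subject=C = ..." output of 1.1 and later.

# name_of FILE -subject|-issuer : print the name with its "subject="/"issuer="
# prefix stripped, so a subject and an issuer can be compared as strings.
name_of() {
    openssl x509 -in "$1" -noout "$2" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# check_chain_order LEAF INTERMEDIATE... ROOT
# Returns 0 when every certificate's issuer equals the subject of the
# certificate that follows it; returns 1 and reports the first break otherwise.
check_chain_order() {
    [ "$#" -gt 0 ] || return 1
    expected_subject=""
    for cert in "$@"; do
        subject=$(name_of "$cert" -subject)
        [ -n "$subject" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
        if [ -n "$expected_subject" ] && [ "$subject" != "$expected_subject" ]; then
            echo "chain break at $cert" >&2
            echo "  expected subject: $expected_subject" >&2
            echo "  actual subject:   $subject" >&2
            return 1
        fi
        expected_subject=$(name_of "$cert" -issuer)
        [ -n "$expected_subject" ] || { echo "cannot read issuer: $cert" >&2; return 1; }
    done
    # A complete chain ends at a self-signed root (subject equals issuer);
    # warn, but do not fail, if the last file is not one.
    if [ "$(name_of "$cert" -subject)" != "$expected_subject" ]; then
        echo "warning: last certificate is not self-signed; chain does not end at a root" >&2
    fi
    return 0
}

# build_bundle OUT CA_CERT... : concatenate the CA certificates, in the order
# given, as bare PEM blocks. "openssl x509 -in FILE" without -subject/-issuer
# re-emits only the PEM block, so there are no header lines to edit out.
build_bundle() {
    bundle_out=$1; shift
    : > "$bundle_out"
    for cert in "$@"; do
        openssl x509 -in "$cert" >> "$bundle_out" || return 1
    done
    printf '\n' >> "$bundle_out"   # trailing blank line, as the post reports is expected
    return 0
}

# count_certs FILE : number of PEM certificate blocks in a bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Usage: sh chainbundle.sh bundle.crt LEAF.crt INTERMEDIATE.crt ... ROOT.crt
# Checks the whole chain including the leaf, then bundles everything but the
# leaf (the leaf is passed to zmcertmgr separately, as in the post).
if [ "$#" -ge 3 ]; then
    out=$1; leaf=$2; shift 2
    check_chain_order "$leaf" "$@" && build_bundle "$out" "$@" \
        && echo "wrote $out ($(count_certs "$out") certificates)"
fi
```

    Run it with the leaf first and the root last; if it reports a chain break, the file named is the one whose subject does not match the issuer of the file before it, which is exactly the mistake the post warns about. The warning about a non-self-signed last certificate only tells you the list stops at an intermediate; whether that is acceptable depends on what the clients connecting to the server already trust.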

  2. #32

    I don't know how many times I've referred back to this thread when troubleshooting one problem or another. Past-self has been a great asset to present-self.
    Release 7.1.4_GA_2555.RHEL5_64_20120105094627 CentOS5_64 FOSS edition.
