Thread: LDAP certificate error

  #1: Installing self-signed cert from Admin web page breaks server

    I'm running Zimbra 8.0.4 Open Source Edition on CentOS 6.4, and when I login to the Zimbra Administration web page and tell it to create a new self-signed certificate, I get this error:

    Code:
    Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr deploycrt self with {RemoteManager: [domain]->zimbra@[domain]:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr deploycrt self with {RemoteManager: [domain]->zimbra@[domain]:22}

    When I SSH into the server and run the command manually, this is what I get:

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
    
    XXXXX ERROR: failed to create jetty.pkcs12
    unable to load certificates

    The next time I reboot the server, ldap fails to start with this message:

    Code:
    Host [hostname]
            Starting ldap...Done.
    Failed.
    Failed to start slapd.  Attempting debug start to determine error.
    TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:703
    TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
    51c3b682 main: TLS init def ctx failed: -1

    After a bit of digging, I came across the following procedure, which seems to have fixed my problem of zimbra not starting:

    Code:
    Source (forum post): http://www.zimbra.com/forums/administrators/23065-solved-problem-install-self-signed-certificate-zimbra-5-0-10_ga_2638-rh.html#post111124
    Source (forum post info was based on): http://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate
    
    As Root:
    rm -rf /opt/zimbra/ssl
    mkdir /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
    chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
    
    As zimbra:
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass $(zmlocalconfig -s -m nokey mailboxd_keystore_password)
    
    As root:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    As zimbra:
    zmcontrol start

    But if I try to create a self-signed certificate from the Admin page again, the same thing happens.

    Has anyone else experienced the same problem?
    Last edited by hellspawn; 06-24-2013 at 05:13 PM.

  #2

    Any ideas?

  #3

    You fail to note the version of Zimbra you are using, which is generally important information to provide.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  #4

    Quote, originally posted by quanah:
    > You fail to note the version of Zimbra you are using, which is generally important information to provide.
    Fixed. Thanks

    As an alternative to having the Admin web page generate the self-signed certificate, I had it generated on another system following this procedure (from http://www.akadia.com/services/ssh_t...rtificate.html):

    Code:
    openssl genrsa -aes256 -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    at which point I copied both the server.key and server.crt to zimbra's:

    Code:
    /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    /opt/zimbra/ssl/zimbra/commercial/commercial.key

    The problem here is that this procedure also required a /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt, which I didn't have, so all I did was copy commercial.crt to commercial_ca.crt and ran:

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt

    which seems to have worked. Are there any problems doing it this way? Do I need to generate an actual commercial_ca.crt with openssl or is this fine?
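The checks an administrator would want to run before dropping a hand-made key and certificate into /opt/zimbra/ssl/zimbra/commercial/ as in the procedure above, written as an added example that is not from this thread and not part of Zimbra's zmcertmgr tooling. It generates the key and self-signed certificate non-interactively (the key is left unencrypted, because slapd, jetty and the MTA start unattended and cannot answer a passphrase prompt), then checks that each file is real PEM (the "PEM_read_bio:no start line" error slapd printed in post #1 is exactly what a non-PEM file produces), that the private key belongs to the certificate, and that the file used as commercial_ca.crt actually issues the server certificate. For a self-signed certificate that last check passes with a copy of the certificate itself, since it is its own issuer. The hostname, working directory and file names are assumptions made for the example; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the thread): create a self-signed server certificate
# non-interactively and run the sanity checks before deploying it.
# WORK, HOST and the file names are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="mail.example.com"    # constructed hostname

# Key + certificate in one step. -nodes leaves the key unencrypted: the
# services that load it start without a terminal and cannot enter a passphrase.
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" \
        -keyout "$WORK/commercial.key" -out "$WORK/commercial.crt" 2>/dev/null
}

# Check 1: the file parses as a PEM certificate at all.
# A file that fails here gives slapd the "no start line" error seen in post #1.
# Prints 0 when the file is a valid certificate, 1 otherwise.
is_pem_cert() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 && echo 0 || echo 1
}

# Check 2: the private key and the certificate carry the same public key.
# Arguments: certificate file, key file.  Prints 0 on match, 1 on mismatch.
key_matches_cert() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$crt_pub" = "$key_pub" ] && echo 0 || echo 1
}

# Check 3: the file offered as the CA really signs the server certificate.
# Arguments: CA file, certificate file.  Prints 0 if the chain verifies.
# A self-signed certificate is its own issuer, so a copy of commercial.crt
# used as commercial_ca.crt passes this check.
ca_signs_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo 0 || echo 1
}

main() {
    gen_selfsigned
    cp "$WORK/commercial.crt" "$WORK/commercial_ca.crt"   # the copy step from the post
    printf 'not a certificate\n' > "$WORK/broken.crt"       # constructed bad input
    echo "pem ok:        $(is_pem_cert "$WORK/commercial.crt")"
    echo "pem broken:    $(is_pem_cert "$WORK/broken.crt")"
    echo "key matches:   $(key_matches_cert "$WORK/commercial.crt" "$WORK/commercial.key")"
    echo "ca signs cert: $(ca_signs_cert "$WORK/commercial_ca.crt" "$WORK/commercial.crt")"
}
main
```

Run it as any user with openssl on the PATH; it never touches /opt/zimbra. A result of 1 from the second or third check on the files you intend to deploy means zmcertmgr deploycrt will install something the services cannot load, which is the failure mode the thread describes.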

  #5

    I would just go with what you did via the command line. It sounds like there is a bug in the admin console generating and deploying self-signed certs that needs to be filed and fixed. I will contact the responsible individuals and let them know.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  #6

    Quote, originally posted by quanah:
    > I would just go with what you did via the command line. It sounds like there is a bug in the admin console generating and deploying self-signed certs that needs to be filed and fixed. I will contact the responsible individuals and let them know.
    Awesome

    I'm happy with the command line solution, as long as someone can confirm that the commercial_ca.crt file can just be a copy of the commercial.crt file. Can anyone confirm this please?