Zimbra on Debian - keytool issues
I am trying to build Zimbra on Debian (sarge/sid). I run on an AMD64 machine. I use Zimbra CVS.
I installed basic Debian, with no server application. Then before going to build ThirdParty tools, I did the following:
I also upgraded the MySQL version to 4.1.15, and fooled Zimbra into thinking I am on BUILD_PLATFORM:=DEBIAN3.1 - with this, the ThirdParty builds went on quite well.
# get for Debian:
# ant ant-optional
# libxml2 libxml2-dev
# ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.5
# ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.5
# ln -s /usr/lib/libpcre.so.3.12.0 /usr/lib/libpcre.so.0
In the CVS there is a mismatch regarding the Postfix version: 2.2.3 (old) or 2.2.5 - I resolved it to 2.2.5 in all relevant files.
Also, after managing version numbers, ZimbraBuild also went quite well. The "make dev-install" Makefiles are very fragile. Here are some points:
* You better replace all instances of "ln -s" with "ln -s -i" (or something similar) so failing makes won't force you to restart everything. Currently, whenever the Makefile encounters an already existing link, it quits. One has to manually remove all links (or allclean).
* On some occasions, when you copy whole directories (like to /opt/zimbra/bin), the Makefile fails because it tries to copy the "CVS" directory.
* There is a wrong source file for $(ZIMBRA_BIN_DIR)/../../conf/zmlogrotate
... Now come the problems
Following a tip I got from Marc, I am trying to create authentications (before running zmmyinit and zmldapinit). It always fails. It used to fail in the same way when I was trying to build on FC4 (same AMD64 machine). Needless to say that zmldapinit also fails afterwards.
Here is the output:
What can I do to fix the keytool problems?
** Creating CA private key
Generating a 1024 bit RSA private key
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
** Creating CA cert
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
Getting Private key
** Importing CA
keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists
** Creating keystore
** Creating server cert request
Generating a 1024 bit RSA private key
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
** Signing cert request
Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
Check that the request matches the signature
Serial Number: 2 (0x2)
Not Before: Dec 16 01:05:56 2005 GMT
Not After : Dec 16 01:05:56 2006 GMT
countryName = US
stateOrProvinceName = N/A
organizationName = Zimbra Collaboration Suite
commonName = aio.shoham.com
X509v3 Basic Constraints:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
Certificate is to be certified until Dec 16 01:05:56 2006 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Getting CA Private Key
shohaml@aio:/opt/zimbra$ ./bin/zmcertinstall mailbox
./bin/zmcertinstall: line 57: /opt/zimbra/bin/get_plat_tag.sh: No such file or directory
** Importing server cert
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Trying to understand keytool
I figured out, and changed, the write access on the file "java/jre/lib/security/cacerts". I am still not sure why Zimbra's scripts point to the Java release, and don't create a separate "cacerts", but I am not a keytool expert, so I don't mind.
I still get the error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match". I tried to google this error, but there is no relevant data available. Am I the only one with keytool problems?
I thought it had something to do with AMD64, but I can't find any reference to that either. Maybe it is something in the way I work?
* as root: "make dev-install"
* as root: chown -R shohaml:shohaml /opt/zimbra
* as root: chown shohaml:shohaml java/jre/lib/security/cacerts
* as root: chmod 544 java/jre/lib/security/cacerts (in the clean Java installation it is 444)
* as shohaml: bin/zmcreateca (OK)
* as shohaml: bin/zmcreatecert (OK)
* as shohaml: bin/zmcertinstall mailbox (keys don't match)
...I was too soon to be happy.
I think I have found some bugs/issues in the source setup (from CVS) and in the certification process.
In the script "zmcreatecert" you generate the tomcat alias (in function createKeyStore). You later create a certificate for that alias, which you import back into the Tomcat keystore - in the certinstall script (function importCert). It is always at that stage that I get the error: "Public keys in reply and keystore don't match".
I don't really care about that error, because I can easily remove the tomcat alias "keytool -delete", and manually re-add it as certified. But isn't there a security problem in the flow to begin with? The purpose of certificates is to get a 3rd party approval - and your script's flow simply "self-approves" itself. I don't know if this should cause issues to others, because I am not that proficient in keytool and certificates, but maybe this is what was causing my problems to start with?
In dev-install you miss copying a script:
cp ZimbraBuild/rpmconf/Build/get_plat_tag.sh /opt/zimbra/bin
This script is needed for other Zimbra scripts.
When I finally run LDAP (zmldapinit) - it fails to find the database:
bdb(): /opt/zimbra/openldap-data/__db.001: No such file or directory
Of course, I don't have this directory. I fail to find the DB initialization script in the CVS tree. How should I initialize the LDAP database?
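The "Public keys in reply and keystore don't match" error discussed in these posts (a keypair generated under the tomcat alias in createKeyStore, then a CA-signed certificate imported back under that alias in importCert) is what keytool reports whenever the certificate reply carries a different public key from the one stored in the keystore entry. The script below is an added example, not Zimbra's zmcreatecert/zmcertinstall code: it reproduces the condition with plain OpenSSL and shows the check to run before `keytool -import`, namely comparing the SHA-256 fingerprint of the public key in the private key, the CSR and the signed certificate. The CA subject, the host name mail.example.test and the file names are constructed for the example; "key B" stands in for a keypair that an earlier `keytool -genkey` left in the keystore while the CSR was generated from a freshly written server.key.

```shell
#!/bin/sh
# Added example (not Zimbra's zmcreatecert/zmcertinstall): reproduce with
# plain OpenSSL the condition behind keytool's
# "Public keys in reply and keystore don't match", and check for it first.
set -eu

# Print a SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a
# private key (*.key), a CSR (*.csr) or a certificate (*.crt), so that the
# three can be compared directly.
pubkey_fp() {
  f="$1"
  case "$f" in
    *.key) openssl pkey -in "$f" -pubout 2>/dev/null ;;
    *.csr) openssl req  -in "$f" -pubkey -noout ;;
    *.crt) openssl x509 -in "$f" -pubkey -noout ;;
    *) echo "pubkey_fp: unknown file type: $f" >&2; return 2 ;;
  esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Return 0 when the signed certificate (the "reply", $2) was issued for the
# public key of the private key in $1. This is the comparison keytool makes
# against the keystore entry before it accepts a reply under that alias.
reply_matches_key() {
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Build constructed fixtures in directory $1: a private CA, a CSR made from
# key A, the CA-signed certificate for that CSR, and an unrelated key B that
# plays the role of the keypair already sitting under the tomcat alias.
make_fixtures() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/O=Example CA" 2>/dev/null
  openssl genrsa -out "$d/server_a.key" 2048 2>/dev/null
  openssl req -new -key "$d/server_a.key" -out "$d/server.csr" \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 2 -days 365 -out "$d/server.crt" 2>/dev/null
  openssl genrsa -out "$d/server_b.key" 2048 2>/dev/null
}

# Stand-alone demonstration: the reply matches the key the CSR came from,
# and does not match a key that was generated independently.
WORK=$(mktemp -d)
make_fixtures "$WORK"
echo "CSR   pubkey: $(pubkey_fp "$WORK/server.csr")"
echo "reply pubkey: $(pubkey_fp "$WORK/server.crt")"
if reply_matches_key "$WORK/server_a.key" "$WORK/server.crt"; then
  echo "key A: reply matches, keytool -import would accept it"
fi
if ! reply_matches_key "$WORK/server_b.key" "$WORK/server.crt"; then
  echo "key B: no match; keytool would report" \
       "'Public keys in reply and keystore don't match'"
fi
rm -rf "$WORK"
```

Run it with sh. Against a real keystore the same check is: print the entry's current certificate with `keytool -list -rfc -keystore <keystore> -alias tomcat`, pass that PEM through the `openssl x509 -pubkey -noout` step above, and compare it with the fingerprint of the signed certificate. If the two differ, the CSR was not produced from the keystore's key (for instance because a new server.key was written by openssl rather than the request being made with `keytool -certreq`), and the import will be rejected no matter which CA signed it.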