Thread: Zimbra on Debian - keytool issues

  1. #1 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    Zimbra on Debian - keytool issues

    I am trying to build Zimbra on Debian (sarge/sid). I run on an AMD64 machine. I use Zimbra CVS.

    I installed basic Debian, with no server application. Then before going to build ThirdParty tools, I did the following:
    Code:
    # DEBIAN
    #========
    # get for Debian:
    # ant ant-optional
    # libxml2 libxml2-dev
    # libcurl3-openssl-dev
    #
    # Links:
    # ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.5 
    # ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.5
    # ln -s /usr/lib/libpcre.so.3.12.0 /usr/lib/libpcre.so.0
    I also upgraded the MySQL version to 4.1.15, and fooled Zimbra into thinking I am on BUILD_PLATFORM:=DEBIAN3.1 - with this, the ThirdParty builds went on quite well.

    In the CVS there is a mismatch regarding the Postfix version: 2.2.3 (old) or 2.2.5 - I resolved it to 2.2.5 in all relevant files.

    Also, after managing version numbers, ZimbraBuild also went quite well. The "make dev-install" Makefiles are very fragile. Here are some points:
    * You had better replace all instances of "ln -s" with "ln -s -i" (or something similar) so failing makes won't force you to restart everything. Currently, whenever the Makefile encounters an already existing link, it quits. One has to manually remove all links (or allclean).
    * On some occasions, when you copy whole directories (like to /opt/zimbra/bin), the Makefile fails because it tries to copy the "CVS" directory.
    * There is a wrong source file for $(ZIMBRA_BIN_DIR)/../../conf/zmlogrotate

    ... Now come the problems

    Following a tip I got from Marc, I am trying to create authentications (before running zmmyinit and zmldapinit). It always fails. It used to fail in the same way when I was trying to build on FC4 (same AMD64 machine). Needless to say, zmldapinit also fails afterwards.

    Here is the output:
    Code:
    shohaml@aio:/opt/zimbra$ ./bin/zmcreateca
    ** Creating CA private key
    
    Generating a 1024 bit RSA private key
    ...................................++++++
    ..........................................................++++++
    writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
    -----
    ** Creating CA cert
    
    Signature ok
    subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
    Getting Private key
    
    ================
    
    shohaml@aio:/opt/zimbra$ ./bin/zmcreatecert
    ** Importing CA
    
    keytool error: java.lang.Exception: Certificate not imported, alias  already exists
    ** Creating keystore
    
    ** Creating server cert request
    
    Generating a 1024 bit RSA private key
    .......++++++
    .......++++++
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request
    
    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Dec 16 01:05:56 2005 GMT
                Not After : Dec 16 01:05:56 2006 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = N/A
                organizationName          = Zimbra Collaboration Suite
                commonName                = aio.shoham.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    82:F2:5B:C5:FC:2A:C8:0F:18:24:CA:03:2C:D7:C9:37:FD:20:5D:79
                X509v3 Authority Key Identifier:
                    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=aio.shoham.com
                    serial:80:91:0E:F8:5F:3D:8E:CE
    
    Certificate is to be certified until Dec 16 01:05:56 2006 GMT (365 days)
    
    Write out database with 1 new entries
    Data Base Updated
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=aio.shoham.com
    Getting CA Private Key
    
    ================
    
    shohaml@aio:/opt/zimbra$ ./bin/zmcertinstall mailbox
    ./bin/zmcertinstall: line 57: /opt/zimbra/bin/get_plat_tag.sh: No such file or directory
    ** Importing server cert
    
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    What can I do to fix the keytool problems?

  2. #2 (Join Date: Sep 2005, Posts: 2,103)

  3. #3 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    Doesn't work.

    Hi.

    I tried everything that you said. I did it as my user (this is dev install), and also as the zimbra user.
    First of all, the keytool requires that the user invoking the commands has write permissions to:
    keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
    Why is it so - that I need write permissions in the JAVA library?
    Code:
    zimbra@aio:~$ ./bin/zmcreatecert
    ** Importing CA
    
    Certificate was added to keystore
    keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
    ** Creating keystore
    
    ** Creating server cert request
    ...
    Then I keep getting the error:
    Code:
    zimbra@aio:~$ ./bin/zmcertinstall mailbox
    ** Importing server cert
    
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match

  4. #4 (Join Date: Sep 2005, Posts: 2,103)

    Creating a CA

    You need write access in order to install the CA in the java library's CA file. Change permissions on the file, and it should work.

  5. #5 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    Trying to understand keytool

    I figured out, and changed, the write access on the file "java/jre/lib/security/cacerts". I am still not sure why Zimbra's scripts point to the Java release, and don't create a separate "cacerts", but I am not a keytool expert, so I don't mind.

    I still get the error "keytool error: java.lang.Exception: Public keys in reply and keystore don't match". I tried to google this error, but there is no relevant data available. Am I the only one with keytool problems?

    I thought it had something to do with AMD64, but I can't find any reference to that either. Maybe it is something in the way I work?
    * as root: "make dev-install"
    * as root: chown -R shohaml:shohaml /opt/zimbra
    * as root: chown shohaml:shohaml java/jre/lib/security/cacerts
    * as root: chmod 544 java/jre/lib/security/cacerts (in the clean Java installation it is 444)
    * as shohaml: bin/zmcreateca (OK)
    * as shohaml: bin/zmcreatecert (OK)
    * as shohaml: bin/zmcertinstall mailbox (keys don't match)

    Any idea?

  6. #6 (Join Date: Sep 2005, Posts: 2,103)

    keytool error

    Clean up the my_ca alias from cacerts again, and also delete tomcat/conf/keystore - that may be the problem.

  7. #7 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    It worked, thanks!

    I am not sure why, but after reinstalling the certificates numerous times - it worked.

    Thanks for your help - I will see if everything else works now on Debian.

  8. #8 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    ...I was too soon to be happy.

    I think I have found some bugs/issues in the source setup (from CVS) and in the certification process.

    point 1
    In the script "zmcreatecert" you generate the tomcat alias (in function createKeyStore). You later create a certificate for that alias, which you import back into the Tomcat keystore - in the certinstall script (function importCert). It is always in that stage that I get the error: "Public keys in reply and keystore don't match".

    I don't really care about that error, because I can easily remove the tomcat alias "keytool -delete", and manually re-add it as certified. But isn't there a security problem in the flow to begin with? The purpose of certificates is to get a 3rd party approval - and your script's flow simply "self-approves" itself. I don't know if this should cause issues to others, because I am not that proficient in keytool and certificates, but maybe this is what was causing my problems to start with?

    point 2
    In dev-install you forget to copy a script:
    cp ZimbraBuild/rpmconf/Build/get_plat_tag.sh /opt/zimbra/bin
    This script is needed for other Zimbra scripts.

    point 3
    When I finally run LDAP (zmldapinit) - it fails to find the database:
    bdb(): /opt/zimbra/openldap-data/__db.001: No such file or directory
    Of course, I don't have this directory. I fail to find the DB initialization script in the CVS tree. How should I initialize the LDAP database?

    Thanks,
    Shoham.
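    Added example, not Zimbra's code: the check behind keytool's "Public keys in reply and keystore don't match", reproduced with the openssl CLI in the order of the steps listed in post #5 (create CA, create key pair and request, sign, import) and the flow described in point 1 above. keytool accepts a certificate reply for an alias only when the public key inside the reply is the public key of the key pair stored under that alias. If the key pair is regenerated after the request was signed (createKeyStore run a second time, or a keystore deleted and re-created), the reply belongs to a key the keystore no longer holds and the import is refused; this is consistent with the error clearing only after deleting tomcat/conf/keystore and redoing every step in order. The script assumes the openssl binary is on PATH, uses 2048-bit keys where the thread's output shows 1024, and every name, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not Zimbra's code): reproduce, with OpenSSL alone, the condition behind
# keytool's "Public keys in reply and keystore don't match", and show the pre-import check
# an install script can run before handing a certificate reply to keytool.
# Assumptions: openssl on PATH; all file names, subjects and serials are constructed for this demo.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a private key, a CSR or a cert.
# Two artefacts belong to the same key pair exactly when these fingerprints are equal; that
# equality is the comparison keytool performs when importing a reply under an existing alias.
pubkey_fingerprint() {  # $1 = file, $2 = key|csr|cert
  case "$2" in
    key)  openssl pkey -in "$1" -pubout -outform DER ;;
    csr)  openssl req  -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    *)    echo "unknown kind: $2" >&2; return 2 ;;
  esac | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Self-signed CA, the role zmcreateca plays in the thread (constructed subject).
make_ca() {  # $1 = work dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$1/ca.key" -days 365 \
    -subj '/C=US/O=Example CA (constructed)/CN=demo-ca.example.test' -out "$1/ca.crt"
}

# Fresh server key pair plus CSR, the role createKeyStore and the request step play.
# Running it a second time is what a re-created keystore does: new key pair, same subject.
make_server() {  # $1 = work dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/server.key" 2>/dev/null
  openssl req -new -key "$1/server.key" \
    -subj '/C=US/O=Example (constructed)/CN=mail.example.test' -out "$1/server.csr"
}

# The CA signs the CSR; the result is the "reply" that gets imported under the server alias.
sign_request() {  # $1 = work dir
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial 2 -days 365 -out "$1/server.crt" 2>/dev/null
}

# Pre-import check: succeed only if the reply's public key is the stored key pair's public key.
reply_matches_key() {  # $1 = reply cert, $2 = private key
  [ "$(pubkey_fingerprint "$1" cert)" = "$(pubkey_fingerprint "$2" key)" ]
}

# Walk through both outcomes: a reply signed for the current key imports cleanly; a reply
# signed before the key pair was regenerated does not. Returns 0 when both behave as expected.
demo() {
  d=$(mktemp -d)
  make_ca "$d"; make_server "$d"; sign_request "$d"
  if reply_matches_key "$d/server.crt" "$d/server.key"; then
    echo "match: reply belongs to the stored key pair, safe to import"
  else
    rm -rf "$d"; return 1
  fi
  make_server "$d"    # key pair regenerated after signing, as a re-created keystore would do
  if reply_matches_key "$d/server.crt" "$d/server.key"; then
    rm -rf "$d"; return 1
  else
    echo "mismatch: reply was signed for a different key pair; generate a new request and re-sign"
  fi
  rm -rf "$d"
}

demo
```

    Running the script prints the "match" line and then the "mismatch" line. The comparison in reply_matches_key is the one worth adding to an install script such as zmcertinstall before its keytool import, so that a stale reply is reported as "request and keystore belong to different key pairs" instead of surfacing as a keytool exception.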

  9. #9 (Join Date: Sep 2005, Posts: 2,103)

    self signed certificate

    Quote Originally Posted by shohamlevy
    I think I have found some bugs/issues in the source setup (from CVS) and in the certification process.

    point 1
    In the script "zmcreatecert" you generate the tomcat alias (in function createKeyStore). You later create a certificate for that alias, which you import back into the Tomcat keystore - in the certinstall script (function importCert). It is always in that stage that I get the error: "Public keys in reply and keystore don't match".

    I don't really care about that error, because I can easily remove the tomcat alias "keytool -delete", and manually re-add it as certified. But isn't there a security problem in the flow to begin with? The purpose of certificates is to get a 3rd party approval - and your script's flow simply "self-approves" itself. I don't know if this should cause issues to others, because I am not that proficient in keytool and certificates, but maybe this is what was causing my problems to start with?

    The whole point of the createcert script is to create a self-signed certificate, to make it easier to get zimbra up and running with ssl - we don't cover 3rd-party certs.

    Self signed certs work fine, though they will generate a warning to clients.

    Quote Originally Posted by shohamlevy
    point 2
    In dev-install you forget to copy a script:
    cp ZimbraBuild/rpmconf/Build/get_plat_tag.sh /opt/zimbra/bin
    This script is needed for other Zimbra scripts.

    I'll take a look at this.

    Quote Originally Posted by shohamlevy
    point 3
    When I finally run LDAP (zmldapinit) - it fails to find the database:
    bdb(): /opt/zimbra/openldap-data/__db.001: No such file or directory
    Of course, I don't have this directory. I fail to find the DB initialization script in the CVS tree. How should I initialize the LDAP database?

    Thanks,
    Shoham.

    Initialize the db with zmldapinit - if it's failing with that error, you'll need to pre-create the openldap-data directory before running it.

  10. #10 (Join Date: Nov 2005, Location: Israel, Posts: 13)

    openldap-data - now OK

    The LDAP DB is created successfully when the "/opt/zimbra/open-ldap" directory is manually created. Can you modify the zmldapinit script to also create the directory, or at least warn if it does not exist?
