
Thread: [SOLVED] Argh Commercial Certificates after a 4.10 > 5.0 FOSS upgrade!

  1. #11

    I don't understand why copying the appropriate cert (thawte.pem in my case) into the ca directory and running c_rehash doesn't fix it.

    The "fix" for comment #10 is to set start_tls = no and chattr +i /opt/zimbra/conf/ldap*, so that zmmtainit can't rewrite those files. You'll get errors from postfix/zmcontrol start, but it runs.

  2. #12

    Good PM, I encountered the same problem, but it was fixed by the workaround you guys posted. (Thank you so much for that!) I did the certificate installation manually. I just wanted to ask whether I will encounter the same problem once my certificate expires, or can I manually set the certificate expiration to a longer number of days, let's say 5 years at least...

    Thanks guys! Kudos.

  3. #13

    Still broken for me with 5.0.1 NE.

    Cert works for all purposes except postfix.

    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm
    ** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/ST=Minnesota/L=Northfield/O=Carleton College/OU=Information Technology Services/CN=mail.carleton.edu
    error 20 at 0 depth lookup:unable to get local issuer certificate
    XXXXX ERROR: provided cert isn't valid.

    strace ldapsearch -Z fails searching for /opt/zimbra/conf/ca/c33a80d4.0, which does not correspond to the CA hash. I would guess that I somehow got two different keypairs for different services, but openssl s_client -connect mail:443 returns exactly the same cert as /opt/zimbra/conf/slapd.crt.

  4. #14

    DOH! Resolved. Thawte has several CA certs, and I had the wrong one. All hail The Google for telling me what hashes to c33a80d4.0.
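
The lookup behind posts #13 and #14, as an added example that is not part of the original thread: the `<hash>.0` file OpenSSL looks for is named after the hash of the certificate's issuer name, so a CA certificate with a different subject is never found, however many times c_rehash runs. The function names, the demo CA names and `mail.example.test` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. OpenSSL finds a CA in a hashed directory
# by file name: <hash of issuer name>.0, the link that c_rehash creates. The hash
# algorithm changed in OpenSSL 1.0.0, so run the openssl your service uses.

# File name OpenSSL looks for first when verifying certificate $1.
expected_link() {
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1")"
}

# What c_rehash does for one CA file $1: link <subject hash>.0 to it.
link_ca() {
    local dir hash
    dir=$(dirname "$1")
    hash=$(openssl x509 -noout -subject_hash -in "$1") || return 2
    ln -sf "$(basename "$1")" "$dir/$hash.0"
}

# Return 0 if CA directory $2 verifies leaf $1; otherwise list the link name
# each *.pem in the directory would get, so a wrong CA cert stands out.
check_issuer() {
    local leaf="$1" cadir="$2" need ca
    need=$(expected_link "$leaf")
    if [ -e "$cadir/$need" ] &&
       openssl verify -CApath "$cadir" "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo "OK: $cadir/$need"
        return 0
    fi
    echo "FAIL: no usable $cadir/$need"
    for ca in "$cadir"/*.pem; do
        [ -e "$ca" ] || continue
        echo "  $(basename "$ca") -> $(openssl x509 -noout -subject_hash -in "$ca").0"
    done
    return 1
}

# Constructed demo PKI in directory $1: two CAs, only "b" signs the leaf.
make_demo() {
    local d="$1" n
    mkdir -p "$d/ca"
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Example/CN=Constructed CA $n" \
            -keyout "$d/ca-$n.key" -out "$d/ca-$n.pem" 2>/dev/null || return 2
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca-b.pem" -CAkey "$d/ca-b.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}
```

After `make_demo` on an empty directory, copying only `ca-a.pem` into `ca/` and linking it makes `check_issuer` fail and shows the mismatching link name; adding and linking `ca-b.pem` makes it pass.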
