Thread: [SOLVED] Trouble installing commercial certificates on Zimbra

  1. #1

    [SOLVED] Trouble installing commercial certificates on Zimbra

    Hi,

    I am using Zimbra FOSS 5.02. We purchased a commercial certificate from Digicert and wanted to install that onto Zimbra. I received 3 crt files:
    1/ TrustedRoot.crt
    2/ DigiCertCA.crt
    3/ mail_westerlike_com.crt

    I added 3/ as Certificate:, 1/ as Root CA: and 2/ as Intermediate. When I click install I get the following error:

    Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12


    If I only add 3/ and 1/ I get the error:
    Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=hu/ST=Csongrad/L=Szeged/O=Westerlike Informatikai \xE9s Kereskedelmi Kft./OU=Westerlike/CN=mail.westerlike.com

    If I add 3/ and 2/ I get the error:
    Your certificate was not installed due to the error : system failure: XXXXX ERROR: failed to create jetty.pkcs12

    What is wrong? Can someone help me?

  2. #2

  3. #3

    Previously I was running 5.02 as well, so no upgrade. The previous SSL certificate was self signed. I tried downloading the ExportPriv and running it, but I couldn't find the commercial.keystore.

    root@mail:~/certs# java ExportPriv commercial.keystore tomcat zimbra >commercial.key
    Exception in thread "main" java.io.FileNotFoundException: commercial.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at ExportPriv.doit(ExportPriv.java:36)
    at ExportPriv.main(ExportPriv.java:24)
    root@mail:~/certs# find /opt/zimbra -name commercial.keystore -print
    root@mail:~/certs#

    Which is the key file? I am new to SSL so I have no idea as to how to proceed. All I know is that we paid money for the certificate which I cannot install and it's getting to be a little frustrating. We wanted to try out the new certificate before migrating over to the Network Edition next week.

    Which files from 1/ 2/ 3/ would I copy to the locations:
    -From the link you posted-:
    1. Extract my cert and private key from the old Java keystore.
    2. Download my ca's root cert.
    3. Copy these to /opt/zimbra/ssl/zimbra/commercial/{commercial_ca.crt|commercial.crt|commercial.key}
    4. Also copy to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/{current_chain.crt|current.crt}
    5. Run /opt/zimbra/bin/zmcertmgr deploycrt comm
    ------
    I'm guessing commercial_ca.crt is the DigiCertCA.crt or the TrustedRoot.crt. Which is the commercial.key?

    Please help.

  4. #4

    Here's what I did. I reissued a new CSR without the accented characters. I requested the certificates from Digicert. I received the 3 files again.

    I copied the DigiCertCA.crt to commercial_ca.crt under /opt/zimbra/ssl/commercial

    I copied mail_westerlike_com.crt to commercial.crt under /opt/zimbra/ssl/commercial

    I copied DigiCertCA.crt to current_chain.crt under /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp

    I copied mail_westerlike_com.crt to current.crt under /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp

    I then ran:
    /opt/zimbra/bin/zmcertmgr deploycrt comm

    And I got:

    ** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: OK
    ** Copying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080216220025
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.

    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    What am I doing wrong? It says that the certificate and the private key match in the above lines. Then later it states that there is no certificate that matches the private key?
    Last edited by Miklos Kalman; 02-16-2008 at 01:09 PM.

  5. #5

    I found the solution (after searching more and finding that my case wasn't unique for Digicert).

    I created a /opt/zimbra/certs
    I then concatenated DigiCertCA and TrustedRoots into root.crt
    and put an enter at the end of my certificate file
    and then issued:
    /opt/zimbra/bin/zmcertmgr /opt/zimbra/certs/certificate.crt /opt/zimbra/certs/root.crt

    And it worked. I now have a signed SSL file.
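
What a plain append does to a certificate file that lacks a final line break, which is the condition the fix in post #5 removes before zmcertmgr appends the CA chain (see the log in post #4). This is an added example, not part of any poster's message or of Zimbra's code; the file names and certificate bodies are constructed, and only the PEM marker lines matter.

```shell
#!/bin/sh
# Added example. File names and the "MIIB...constructed" bodies are made up;
# only the PEM BEGIN/END marker lines matter for this check.

# Print FILE, adding a final newline only when its last byte is not one.
emit_pem() {
    cat "$1" || return 1
    # $(...) strips a trailing newline, so non-empty output from tail means
    # the file ends in some other byte.
    if [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n'
    fi
}

# join_pem OUT IN...: concatenate the inputs into OUT, newline-safe.
join_pem() {
    out=$1
    shift
    : > "$out" || return 1
    for f in "$@"; do
        emit_pem "$f" >> "$out" || return 1
    done
}

# True when an END marker shares a line with the next BEGIN marker.
has_fused_boundary() {
    grep -q 'END CERTIFICATE-*BEGIN CERTIFICATE' "$1"
}

# Number of well-formed BEGIN lines, i.e. certificates a PEM reader will see.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Constructed sample: server.crt has no final newline, ca.crt does.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'MIIBserver-constructed' \
        '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBca-constructed' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
}

tmp=$(mktemp -d)
make_samples "$tmp"
cat "$tmp/server.crt" "$tmp/ca.crt" > "$tmp/naive.crt"      # plain append
join_pem "$tmp/joined.crt" "$tmp/server.crt" "$tmp/ca.crt"  # newline-safe
echo "naive:  $(count_certs "$tmp/naive.crt") certificate(s)"
echo "joined: $(count_certs "$tmp/joined.crt") certificate(s)"
```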

  6. #6

    Help

    This post was a simple fix for the following issue:
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key

    http://www.zimbra.com/forums/install...web-gui-2.html
    Last edited by Todd B; 05-21-2008 at 01:42 PM.
