Thread: Zimbra 5.08 SSL Certificate Installation

  1. #1

    Zimbra 5.08 SSL Certificate Installation

    The certificate verification goes ok:
    Code:
    root@zimbra:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key  zimbra_amazis_pl.crt commercial.crt
    ** Verifying zimbra_amazis_pl.crt against commercial.key
    Certificate (zimbra_amazis_pl.crt) and private key (commercial.key) match.
    Valid Certificate: zimbra_amazis_pl.crt: OK
    But when I try to load the certificate, it fails:

    Code:
    root@zimbra:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.key  zimbra_amazis_pl.crt commercial.crt
    ** Verifying commercial.key against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    unable to load certificate
    26328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Unmatching certificate (commercial.key) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
    unable to load certificate
    26332:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
    XXXXX ERROR: Invalid Certificate:
    XXXXX ERROR: provided cert isn't valid.
    Thanks for any help with this
    - Andrew

  2. #2

    I had problems too using the Zimbra SSL Wizard - but found a solution

    IMHO the instructions in the Zimbra Wiki are WRONG and need to be updated.

    I found a solution by searching the forums & trial / error. Wasted two hours on this one; this should have been a simple process. I expect that the error in the Zimbra SSL Wizard was caused by either permissions or a failed file copy (i.e. Zimbra does not copy the CA file correctly). So I've included our solution below at the bottom of this page.

    THE PROBLEM
    I have found that using the Zimbra SSL Wizard or the command-line steps from Commercial Certificate in 5.x - Zimbra :: Wiki to install SSL certs DOES NOT WORK (ZCS 5.0.8), see below:

    Code:
    root@mail:~# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ~/commercial.crt  ~/commercial_ca.crt
    ** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/commercial.crt: OK
    root@mail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm ~/commercial.crt  ~/commercial_ca.crt
    ** Verifying /root/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/commercial.crt: OK
    ** Copying /root/commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
     
    XXXXX ERROR: failed to create jetty.pkcs12
    No certificate matches private key
     
    root@mail:~#                     
    zimbra@mail:~$ zmcontrol start
    Host mail.zimbra.net
            Starting ldap...Done.
    FAILED
    Failed to start slapd.  Attempting debug start to determine error.
    TLS: error:0906D066:PEM routines:PEM_read_bio:bad end line pem_lib.c:746
    TLS: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib ssl_rsa.c:491
    main: TLS init def ctx failed: -1
    THE SOLUTION
    Based on http://www.zimbra.com/forums/install...es-zimbra.html

    I found the solution to be the following steps:
    1. As root, creating /opt/zimbra/certs directory
    2. Copying the certificate and root certificate into /opt/zimbra/certs directory
    3. Changing ownership of /opt/zimbra/certs to zimbra:zimbra
    4. Adding an extra line at the end of the signed certificate
    5. As root execute:
    Code:
    zmcertmgr deploycrt comm /opt/zimbra/certs/commercial.crt  /opt/zimbra/certs/commercial_ca.crt
    6. Certificates should install OK now
    7. Start Zimbra

    This even worked with RapidSSL certificates - the real cheap'n nasty ones

    Woo hoo!

  3. #3

    I am going to add to this, hoping to help with the searching.

    I upgraded from an earlier release to 5.0.11 and it broke my commercial SSL certs. The quick fix was to use zmcertmgr to re-issue some self-signed certs; this allowed me to get e-mail flow working. Otherwise I was having zmmailboxdctl die on me with something about ldap, startssl and dict lookups.

    When I tried to re-install the commercial SSL, I was getting -

    Unmatching certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key) pair.

    The problem was as stated above: it was missing a blank line at the end of the issued cert. I didn't have to do all the other steps to install the comm cert, just had to open the file, add a blank line and then re-install with Zimbra Certificates Manager.

    I was using CACert (cacert.org) as my CA. I will try to add this to the wiki page to help see if this catches it.
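
Added example (not from any poster in this thread): a pre-deployment check for the missing final newline that posts #2 and #3 describe. When a certificate file lacks it and a CA chain is appended, the END and BEGIN marker lines fuse into one line, which is consistent with the "bad end line" error slapd reports above. The function names and the sample PEM bodies are constructed for illustration; they are not real certificates or Zimbra tooling.

```sh
#!/bin/sh
# Return 0 if the file is non-empty and its last byte is a newline.
# $(...) strips trailing newlines, so an empty result means "newline".
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Print the number of lines where an END marker is glued to a BEGIN marker.
fused_markers() {
    grep -c -e '-----END [A-Z ]*----------BEGIN ' "$1" || true
}

# Concatenate cert ($1) and CA chain ($2) into $3, adding a newline
# after each part only when it is missing.
safe_chain() {
    cat "$1" > "$3"
    ends_with_newline "$1" || printf '\n' >> "$3"
    cat "$2" >> "$3"
    ends_with_newline "$2" || printf '\n' >> "$3"
}

# Constructed stand-ins for a signed cert and a CA cert (placeholder bodies).
# server.crt is written WITHOUT a final newline, as in the thread.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtU0VSVkVS' '-----END CERTIFICATE-----' > "$1/server.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtQ0E=' '-----END CERTIFICATE-----' > "$1/ca.crt"
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    cat "$d/server.crt" "$d/ca.crt" > "$d/naive.crt"      # plain append
    safe_chain "$d/server.crt" "$d/ca.crt" "$d/fixed.crt"  # newline-aware append
    echo "naive append, fused marker lines: $(fused_markers "$d/naive.crt")"
    echo "safe append,  fused marker lines: $(fused_markers "$d/fixed.crt")"
    rm -rf "$d"
}
demo
```

Running `ends_with_newline` on the issued certificate before deployment tells you whether the blank-line fix from this thread is needed.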
