Thread: cert issue 5.0.18GA to 6.0.1GA

  1. #1
    Join Date
    Oct 2007
    Posts
    39
    Rep Power
    7

    cert issue 5.0.18GA to 6.0.1GA

    Upgraded server (Ubuntu 6.06 LTS) from 5.0.18GA to 6.0.1GA. This server has been through a number of upgrades over the last ~2 years, never a problem till this one. Upgrade went fine after I manually installed package sysstat from universe directory (looks like it is a supported package for Ubuntu /after/ 6.06, but is only in Universe for 6.06), but although the SSL certificates at least seemed to be in the comm directory, the system was using a Zimbra self signed certificate that had expired in 2008.

    The proper SSL cert had been installed through the web interface originally. Visiting the web interface now gave errors. Tried reinstalling the certificates from the web interface, and then from command line from backups using zmcertmgr. I think the issue might be that the key file for the certificate used to have an address line and zipcode, and the new key file did not have those fields, and adding them from the command line did not seem to work either. I am afraid I did not document all the error messages, but after a couple hours on the Wiki and forums, I reset the crt key, created a new one on the web interface, combined the chain of trust files from the CA, purchased a new cert, and installed it from the command line. Here are a few of the errors I went through:

    Unmatching certificate and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair

    system failure: XXXXX ERROR: Unmatching certificate /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt and private key /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current_comm.key pair

    Post #2 on this page is where I got the commands to manually install the newly purchased cert:

    http://www.zimbra.com/forums/adminis...ion-error.html

    (After cat'ing together the chain of trust files, I manually edited the file so that all ---begin--- and --end--- statements would be on their own lines - not sure if this was really needed.)

    I am also having a number of problems with the new zco.msi - only have it installed on one workstation, but I am quitting and may revert to the old Outlook msi. I will document this further in a post to the ZCO forum, just wanted to mention it here should anyone else look at this while considering if they wish to upgrade from 5.0.18 to 6.0.1 - I wish I had waited. (Again, I have been upgrading since the 4. series, and all the previous upgrades had gone extremely well.)
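
The manual edit described in post #1, automated, as an added example that is not part of the original thread. When a concatenated file lacks a trailing newline, the END marker of one certificate and the BEGIN marker of the next land on the same line, which PEM parsers reject. The function names and the placeholder certificate bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): normalise a concatenated CA chain file.

# Put every BEGIN/END CERTIFICATE marker on its own line; drop CRs and blank lines.
split_pem_boundaries() {
    awk '{
        gsub(/\r/, "")
        gsub(/-----BEGIN CERTIFICATE-----/, "\n&\n")
        gsub(/-----END CERTIFICATE-----/, "\n&\n")
        n = split($0, part, "\n")
        for (i = 1; i <= n; i++) if (part[i] != "") print part[i]
    }' "$1"
}

# count_marker_lines FILE BEGIN|END: lines consisting of exactly that marker.
count_marker_lines() {
    grep -c -x -e "-----$2 CERTIFICATE-----" "$1" || true
}

# Constructed input: two placeholder bodies (not real certificates). The first
# file has no trailing newline, so cat glues its END marker to the next BEGIN.
demo_chain() {
    dir=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'AAAAconstructedAAAA' \
        '-----END CERTIFICATE-----' > "$dir/intermediate.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'BBBBconstructedBBBB' \
        '-----END CERTIFICATE-----' > "$dir/root.crt"
    cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/glued.crt"
    split_pem_boundaries "$dir/glued.crt" > "$dir/commercial_ca.crt"
    echo "$dir"   # directory holding glued.crt and the repaired commercial_ca.crt
}
```

Comparing `count_marker_lines` for BEGIN and END before and after the rewrite shows whether a chain file needed the repair.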

  2. #2
    Join Date
    Apr 2008
    Posts
    17
    Rep Power
    7

    When I upgraded from 5.0.18 to 6.0.1, my current commercial cert also vanished. Zimbra had reverted to an expired commercial cert from a year earlier.

  3. #3
    Join Date
    Oct 2005
    Posts
    181
    Rep Power
    10

    Same here, mine disappeared to revert to self signed ones expired in 2008. Anyone have a proper answer and solution? I too was on Dapper.

  4. #4
    Join Date
    Oct 2005
    Posts
    181
    Rep Power
    10

    All I had to do was redeploy the certs that were still in place:

    First just verified them: (on one line)
    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

    Then redeploy them: (on one line)
    /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

  5. #5
    Join Date
    Jul 2007
    Posts
    6
    Rep Power
    8

    Same here upgrading Zimbra NE from 5.0.16 to 5.0.20. Our current wildcard commercial certificate showed up in the web admin, however imap / pop / smtp clients would be presented an old and expired certificate from over a year ago. We had to redeploy to fix the issue. This seems to happen quite often when upgrading. Why can't we upgrade without these certificate issues?

    Here's how we did it...

    Copy [Private Key File] to /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Copy [Certificate File] to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    Copy [Certificate Authority Chain File] to /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

    Verify certificate and key files:
    /opt/zimbra/bin/zmcertmgr verifycrt comm [Private Key File] [Certificate File]

    Verify certificate and certificate authority files:
    /opt/zimbra/bin/zmcertmgr verifycrtchain [Certificate Authority Chain File] [Certificate File]

    Deploy certificate:
    /opt/zimbra/bin/zmcertmgr deploycrt comm [Certificate File] [Certificate Authority Chain File]

    Verify deployed certificate:
    zmcertmgr viewdeployedcrt

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    Last edited by pereljon; 11-23-2009 at 12:00 PM.
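
The properties the verify steps in posts #4 and #5 are concerned with (key matches certificate, certificate not expired, certificate verifies against the CA chain), checked with plain openssl so each failure is named. This is an added example, not part of the thread and not Zimbra's own code; the function names, the throwaway CA and the host name mail.example.test are constructed.

```shell
#!/bin/sh
# Added example: check key, certificate and CA chain before deploying them.

# check_triple KEY CERT CA_CHAIN [MIN_SECONDS_LEFT]
# Prints one status word; returns 0 only when every check passes.
check_triple() {
    key=$1 crt=$2 ca=$3 min=${4:-0}
    kp=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo unreadable-key; return 2; }
    cp=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo unreadable-cert; return 2; }
    # The certificate must carry the public half of this private key.
    [ "$kp" = "$cp" ] || { echo key-mismatch; return 1; }
    # -checkend N fails if the certificate expires within N seconds (0 = expired now).
    openssl x509 -in "$crt" -noout -checkend "$min" >/dev/null 2>&1 ||
        { echo "expires-within-${min}s"; return 1; }
    # The certificate must verify against the supplied CA chain file.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo chain-broken; return 1; }
    echo ok
}

# Constructed throwaway material in directory $1: a test CA, a leaf it signs,
# and an unrelated key. Nothing here comes from a real deployment.
make_fixtures() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d) && make_fixtures "$tmp"
check_triple "$tmp/leaf.key"  "$tmp/leaf.crt" "$tmp/ca.crt" || true   # prints: ok
check_triple "$tmp/other.key" "$tmp/leaf.crt" "$tmp/ca.crt" || true   # prints: key-mismatch
```

Passing a fourth argument such as 2592000 (30 days) turns the expiry check into an early warning, which is useful to run before an upgrade as well as after it.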
