
Thread: Can't install ca_cert certificates

  1. #11
    Join Date
    Mar 2010
    Posts
    4
    Rep Power
    5

    After all, I found a related article from "mackoftrack".
    https://www.zimbra.com/forums/admini...p-replica.html
    and
    Installing a Gandi Commercial Certificate on ZCS 5.0.x and 6.0.x - Zimbra :: Wiki

    The problem was fixed by importing a CA bundle into a Java keystore:
    Code:
    /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

  2. #12
    Join Date
    Mar 2010
    Location
    Scottsdale, AZ
    Posts
    17
    Rep Power
    5

    It looks like Zimbra uses certs for internet process communications and when some commercial certs are installed, Zimbra is unable to perform critical internal communications.

    And I stand by my comments about dot zero releases. Any major release involves a tremendous amount of new code and dot zero releases are the first public release of a major release and are invariably buggy to the point of being unusable. I've been in the computer industry for 25 years and have seen precious few dot zero releases that were worth the hassle. Sometimes it isn't until a point three or point four of the minor release before the major release is usable.

  3. #13
    Join Date
    Nov 2011
    Posts
    2
    Rep Power
    3

    Here's the solution that worked for me:

    Zimbra Unable to Determine Enabled Services From Ldap. Starting logger…Failed. – CK Web Logs

    ******************************

    Zimbra Unable to Determine Enabled Services From Ldap. Starting logger…Failed.

    [zimbra@ck]$ zmcontrol start
    Host quote.cklog.net
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.
    The usual reason for this error is an expired SSL certificate.

    This error usually happens if your SSL certificate has expired. There are two solutions for this problem.

    The first solution is renewing your certificate and deploying it with the following command:

    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/your_new_ssl.crt /path/to/ca_bundle.crt
    After this you need to restart zmcontrol.

    The second solution is regenerating the self-signed certificate.

    [zimbra@ck]$ su - zimbra -c 'zmcontrol stop'
    [zimbra@ck]$ rm -rf /opt/zimbra/ssl/*
    [zimbra@ck]$ rm -rf /opt/zimbra/ssl/.rnd
    [zimbra@ck]$ /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    [zimbra@ck]$ /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    Then you need to edit the /opt/zimbra/bin/zmcertmgr file (you can use 'vi').

    Find validation_days=365 and change it to validation_days=3650

    And save /opt/zimbra/bin/zmcertmgr

    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr createca -new
    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deployca -localonly
    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr createcrt self -new
    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt self

    [zimbra@ck]$ su - zimbra -c 'zmcontrol start'

    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deploycrt self
    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr deployca

    [zimbra@ck]$ su - zimbra -c 'zmupdateauthkeys'
    [zimbra@ck]$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    Finally, Zimbra is back to work.

    ******************************

    I followed solution #2 for a self assigned cert. The only modifications I made to the solution were to su directly into zmcontrol for those commands and to use nano as the editor. Hope this helps anyone else who has this error in the future.

    Cheers!
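
Both fixes in this thread address the same failure: the JVM cannot build a path from the deployed certificate to a CA it trusts, or the certificate has expired. The script below is an added example, not taken from the thread or from Zimbra; it runs both checks offline with the openssl CLI before a certificate and CA bundle are handed to `zmcertmgr deploycrt`. `precheck_cert` and `make_fixture` are hypothetical helper names, and the certificates are constructed throwaway test material.

```shell
#!/bin/sh
# Added example; precheck_cert and make_fixture are hypothetical helpers,
# not part of Zimbra. Requires the openssl CLI.

# precheck_cert CERT CA_BUNDLE [MIN_DAYS]
# Returns 0 = OK, 1 = no path from CERT to a CA in the bundle,
#         2 = CERT is expired or expires within MIN_DAYS (default 30).
precheck_cert() {
    cert=$1; bundle=$2; min_days=${3:-30}
    # -checkend exits non-zero if the cert expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 2
    # Chain check with the bundle supplied as trusted CAs; a failure here
    # is the offline counterpart of the JVM's "PKIX path building failed".
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || return 1
    return 0
}

# make_fixture DIR: create constructed test material in DIR:
# ca.crt (issuing CA), other.crt (unrelated CA),
# leaf.crt (valid 365 days), short.crt (valid 5 days).
make_fixture() {
    d=$1
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Constructed $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    for spec in leaf:365 short:5; do
        openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -days "${spec#*:}" \
            -out "$d/${spec%%:*}.crt" 2>/dev/null || return 1
    done
}

# Demo on the constructed material: matching bundle, wrong bundle, short cert.
tmp=$(mktemp -d) && make_fixture "$tmp"
precheck_cert "$tmp/leaf.crt"  "$tmp/ca.crt";    echo "matching bundle: $?"
precheck_cert "$tmp/leaf.crt"  "$tmp/other.crt"; echo "wrong bundle:    $?"
precheck_cert "$tmp/short.crt" "$tmp/ca.crt";    echo "expiring soon:   $?"
rm -rf "$tmp"
```

A return of 1 for a real certificate usually means the bundle is missing an intermediate or root, which is the condition the `keytool -import` step in post #11 works around on the Java side.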
