
Thread: [SOLVED] SSL installation is next to impossible.

  1. #1

    [SOLVED] SSL installation is next to impossible.

    Platform: 6.0.8_GA_2661.DEBIAN5 DEBIAN5 FOSS edition

    Overview:

    I absolutely *cannot* get an existing SSL cert installed on Zimbra. I have followed:

    http://www.zimbra.com/forums/install...rtificate.html

    and

    Zimbra SSL Certificate

    I have followed advice on

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    and tried combinations of all the different posts here on the forums.

    Let me start by saying: the original key and csr were created with Openssl via the command line. The precise command used was:

    openssl req -nodes -newkey rsa:2048 -keyout mail_uppercumberlandit_com.key -out mail_uppercumberlandit_com.csr

    I used this csr over at Comodo to get a crt. Let me note that the first 2 attempts via the GUI were useless.

    I have renamed the files [created with openssl] to "commercial.key" and "commercial.csr" under /opt/zimbra/ssl/zimbra/commercial. I have taken the ca files and concatenated them to a single file called "commercial_ca.crt" and placed this file under /opt/zimbra/ssl/zimbra/commercial as well. I also placed the key in /opt/zimbra/ssl/zimbra.

    I have verified the crt as follows:

    /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt

    The output states that the cert and keys match. It states the cert IS valid. I have gone a step further and double checked via command-line openssl. The cert is good - as is the concatenated ca bundle.
    -------------------------------

    mail:/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
    Valid Certificate: commercial.crt: OK

    ----------------------------------

    Now comes the moment of truth:

    -----------------------------------
    mail:/certs# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    mail:/certs#
    ---------------------------------------------------
    It may be worth noting at this point that following the guide at http://www.zimbra.com/forums/adminis...rtificate.html, I have done this with and without the following additional command:

    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

    Now let's restart...

    /etc/init.d/zimbra restart

    Here's the output:
    -----------------------------------------

    Host mail.uppercumberlandit.com
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
    Host mail.uppercumberlandit.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled! failed.


    Starting mailbox...Done.
    Starting memcached...Done.
    Starting antispam...Done.
    Starting antivirus...Failed.
    Starting zmmtaconfig...zmmtaconfig is already running.
    Starting amavisd...amavisd is already running.
    Starting freshclam...done.
    Starting clamd...failed.


    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.
    -------------------------------------------------------

    Doing a ps ax shows that everything else IS in fact starting as expected.

    Let me note that before I installed the cert, everything was working. I have read posts about incorrect resolv.conf and whatnot - not the case here.

    I have tried the zmfixperms -v script.

    I have completely stopped and started zimbra via zmcontrol and init.d/zimbra.

    This makes me feel real stupid that I can hand-configure a postfix/courier-imap/courier-pop3/roundcube/apache setup ALL with SSL in less than an hour but have been stuck with Zimbra for the past 2 days now.

    When the csr was submitted, I generated certs through Comodo via both Tomcat AND OpenSSL. Same issue.

    Any insight or am I stuck going back to my hand-configured setup?

  2. #2

    Paid support?

    I really hate to pay for support during the 'test feasibility' phase of this venture, but is this what I am gonna have to do?

    This is looking like the only option..

  3. #3
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by deanrantala:

        I really hate to pay for support during the 'test feasibility' phase of this venture, but is this what I am gonna have to do?

        This is looking like the only option..

    Paid support is only available for the Network Edition, if you have a trial of NE then you can ask for support during the trial.

    Meanwhile, how about this format of the keytool command: http://www.zimbra.com/forums/adminis...tml#post168482
    Regards

    Bill

  4. #4

    --solved--

    phoenix - thanks for the link.

    I actually tried the advice there already but it did not work, however - re-visiting that advice got me thinking:

    There is a Java error that is evidently causing the problem - Java's keystore (whatever the hell that is) is messed up.

    So, first let's DELETE all the old crap that the import scripts did NOT (but should have).. Note to Zimbra development team: may wanna add this on your to-do list of minor patches...

    /opt/zimbra/java/bin/keytool -delete -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts

    [ enter 'changeit' for the actual password ]

    /opt/zimbra/java/bin/keytool -delete -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts

    [ enter 'changeit' for the actual password ]

    *NOW* that the old crap is out of the way, let's import the ca and crt freshly:

    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /certs/commercial_ca.crt

    /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /certs/commercial.crt

    Restart Zimbra and we have liftoff.
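The fix in this post, as an added shell example that is not from the thread or from Zimbra: it drops a stale truststore alias and re-imports non-interactively, but only after openssl confirms the leaf actually builds a path to the CA bundle (the PKIX check that failed in the log above). The keytool path, keystore path, password and alias names are assumptions that mirror the values used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: redo the post #4 fix (drop the stale alias,
# re-import) non-interactively, and refuse to touch the truststore unless openssl
# confirms the leaf really chains to the CA bundle. KEYTOOL/STORE/STOREPASS and the
# alias names are assumptions that mirror the paths used in the thread.
KEYTOOL="${KEYTOOL:-/opt/zimbra/java/bin/keytool}"
STORE="${STORE:-/opt/zimbra/java/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # Java's stock cacerts password

# verify_chain LEAF BUNDLE: 0 only if LEAF builds a path to a CA in BUNDLE. This is the
# PKIX check the Java side failed in the thread, done with openssl before any import.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# split_pem BUNDLE OUTDIR: write one cert per file (OUTDIR/cert-N.pem), print the count.
# keytool -importcert reads only the first certificate in a file, so a concatenated
# CA bundle like the thread's commercial_ca.crt must be split before importing.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# replace_alias ALIAS PEMFILE: keytool will not overwrite an existing alias (hence the
# -delete step in post #4), so remove it first, then import without the y/n prompt.
replace_alias() {
    if "$KEYTOOL" -list -keystore "$STORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1; then
        "$KEYTOOL" -delete -alias "$1" -keystore "$STORE" -storepass "$STOREPASS" || return 1
    fi
    "$KEYTOOL" -importcert -noprompt -alias "$1" -keystore "$STORE" \
        -storepass "$STOREPASS" -file "$2"
}

# install_chain LEAF BUNDLE: verify, then import each CA as ca-N and the leaf as "new".
install_chain() {
    verify_chain "$1" "$2" || { echo "refusing to import: $1 does not verify against $2" >&2; return 1; }
    d=$(mktemp -d) || return 1
    n=$(split_pem "$2" "$d"); i=1
    while [ "$i" -le "$n" ]; do
        replace_alias "ca-$i" "$d/cert-$i.pem" || { rm -rf "$d"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$d"
    replace_alias new "$1"
}
```

Run as `install_chain /certs/commercial.crt /certs/commercial_ca.crt` (the thread's file locations); the "refusing to import" message fires when the bundle is incomplete, which is the case the PKIX error in the log reports.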

  5. #5
    phoenix (Zimbra Consultant & Moderator)

    Glad you've fixed it.
    Regards

    Bill
