Platform: 6.0.8_GA_2661.DEBIAN5 DEBIAN5 FOSS edition


I absolutely *cannot* get an existing SSL cert installed on Zimbra. I have followed:


Zimbra SSL Certificate

I have followed advice on

Administration Console and CLI Certificate Tools - Zimbra :: Wiki

and tried combinations of all the different posts here on the forums.

Let me start by saying: the original key and csr were created with Openssl via the command line. The precise command used was:

openssl req -nodes -newkey rsa:2048 -keyout mail_uppercumberlandit_com.key -out mail_uppercumberlandit_com.csr

I used this csr over at Comodo to get a crt. Let me note that the first 2 attempts via the GUI were useless.

I have renamed the files [created with openssl] to "commercial.key" and "commercial.csr" under /opt/zimbra/ssl/zimbra/commercial. I have taken the ca files and concatenated them to a single file called "commercial_ca.crt" and placed this file under /opt/zimbra/ssl/zimbra/commercial as well. I also placed the key in /opt/zimbra/ssl/zimbra.

I have verified the crt as follows:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt

The output states that the cert and keys match. It states the cert IS valid. I have gone a step further and double checked via command-line openssl. The cert is good - as is the concatenated ca bundle.

mail:/certs# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
Valid Certificate: commercial.crt: OK


Now comes the moment of truth:

mail:/certs# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
It may be worth noting at this point that following the guide at, I have done this with and without the following additional command:

/opt/zimbra/java/bin/keytool -import -alias root -keystore opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

Now lets restart....

/etc/init.d/zimbra restart

Heres the output:

Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: PKIX path building failed: xception: unable to find valid certification path to requested target)
zimbra logger service is not enabled! failed.

Starting mailbox...Done.
Starting memcached...Done.
Starting antispam...Done.
Starting antivirus...Failed.
Starting zmmtaconfig...zmmtaconfig is already running.
Starting amavisd...amavisd is already running.
Starting freshclam...done.
Starting clamd...failed.

Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.

Doing a ps ax shows that everything else IS in fact starting as expected.

Let me note that before I installed the cert, everything is working. I have read posts about incorrect resolv.conf and whatnot - not the case here.

I have tried the zmfixperms -v script.

I have completely stopped and started zimbra via zmcontrol and init.d/zimbra.

This makes me feel real stupid that I can hand-configure a postfix/courier-imap/courier-pop3/roundcube/apache setup ALL with SSL in less than an hour but have been stuck with Zimbra for the past 2 days now.

When the csr was submitted, I have generated certs through comodo via both Tomcat AND OpenSSL. Same issue.

Any insight or am I stuck going back to my hand-configured setup?