Thread: certificate renew on multi server installation on production

  1. #1
    Hi guys, I hope that someone can help me with this issue:

    I have a multi-server ZCS 7.1 installation (one server: mailbox, LDAP; one server: MTA, spam, proxy).

    Today the servers' certificate expired. I followed the instructions in Administration Console and CLI Certificate Tools and was able to resolve the problem on the mailbox server, but not on the MTA server. Here is the output of the deploycrt:

    Code:
    root@zmailbox:/opt/zimbra/ssl/zimbra/ca# /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
    ** Saving global config key zimbraSSLCertificate...done.
    ** Saving global config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    STARTCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
    
    ** Retrieving global config key zimbraSSLCertificate...failed.
    ** Retrieving global config key zimbraSSLPrivateKey...failed.
    ENDCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr getcrt self -allserver
    
    STARTCMD: mta.amapspa.it sudo /opt/zimbra/bin/zmcertmgr deploycrt self
    
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/mta.gullio.it.pkcs12...failed.
    
    XXXXX ERROR: failed to create mta.gullio.it.pkcs12
    unable to load private key
    140504767506088:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
    
    ENDCMD: mta.gullio.it sudo /opt/zimbra/bin/zmcertmgr deploycrt self
    On the MTA server, when I try to verify the certs it shows this output:

    Code:
    root@mta:/opt/zimbra# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    ::service mta::
    unable to load certificate
    140718467270312:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    unable to load certificate
    139883959674536:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    SubjectAltName=
    ::service proxy::
    unable to load certificate
    140275570091688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    unable to load certificate
    140074771527336:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    SubjectAltName=
    ::service mailboxd::
    XXXXX ERROR: failed to export /opt/zimbra/mailboxd/etc/mailboxd.pem from keystore.
    
    keytool error: java.lang.RuntimeException: Usage error, /opt/zimbra/conf/keystore is not a legal command
    
    XXXXX ERROR: /opt/zimbra/mailboxd/etc/mailboxd.pem does not exist
    ::service ldap::
    unable to load certificate
    140146101458600:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    unable to load certificate
    139950821123752:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    SubjectAltName=
    Can someone suggest how I can solve the problem? It is very urgent, please.

    thanks
    Giulio

  2. #2
    Hi guys, I was able to resolve the issue on my own with these steps:

    On all hosts I deleted the
    Code:
    /opt/zimbra/ssl
    directory (I made a backup first), then issued these commands:

    Code:
    /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
     
    /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
    (the last one only on mailboxd)

    Next I created the CA with a self-signed certificate, and after that I issued this command on mailboxd:

    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
    That operation fills the ssl directory on all servers. Then I ran an scp to the MTA and copied ca.pem and ca.key from the mailboxd server into
    Code:
    /opt/zimbra/conf/ca
    and ran, only on the MTA:
    Code:
    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
    After that I ran:
    Code:
    zmupdateauthkeys
    and at the end restarted the Zimbra services with zmcontrol.

    Hope that helps someone with the same problem.
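As an added example (not part of Giulio's posts or of Zimbra's own tooling), a small POSIX shell pre-flight check for the condition behind the "no start line" errors in post #1: it verifies that the ca.pem/ca.key and server cert/key files zmcertmgr reads on a node actually carry PEM blocks, and warns when a certificate is about to expire, so a node can be checked before deploycrt is run again. The CA path is the one quoted in the thread; the server/server.crt and server.key file names, the ZSSL/ZCA variables and the seven-day window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check of the PEM files that
# zmcertmgr reads before "deploycrt" is run on a node. The thread's errors
# ("no start line ... Expecting: ANY PRIVATE KEY / TRUSTED CERTIFICATE") mean a
# file exists but holds no PEM block, so we look for BEGIN/END markers and,
# when openssl is installed, the certificate's expiry.
# Paths are assumptions based on the Zimbra layout; override with ZSSL / ZCA.
ZSSL="${ZSSL:-/opt/zimbra/ssl/zimbra/server}"
ZCA="${ZCA:-/opt/zimbra/conf/ca}"

# pem_has_block FILE KIND -> 0 if FILE holds a "-----BEGIN ... KIND-----" block.
# KIND is "CERTIFICATE" or "PRIVATE KEY"; "RSA PRIVATE KEY" and
# "TRUSTED CERTIFICATE" headers also match because of the [A-Z ]* prefix.
pem_has_block() {
    [ -s "$1" ] || return 1
    grep -q -- "-----BEGIN [A-Z ]*$2-----" "$1" &&
        grep -q -- "-----END [A-Z ]*$2-----" "$1"
}

# cert_expires_within FILE SECONDS -> 0 if the cert expires within SECONDS.
# Returns 2 (skip) when openssl is missing or the file is not a parsable cert;
# the missing-PEM case is already reported by pem_has_block.
cert_expires_within() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_pem_pair CRT KEY -> one verdict line per file; non-zero on any problem.
check_pem_pair() {
    rc=0
    if pem_has_block "$1" CERTIFICATE; then echo "ok   cert $1"
    else echo "BAD  cert $1 (no CERTIFICATE block)"; rc=1; fi
    if pem_has_block "$2" "PRIVATE KEY"; then echo "ok   key  $2"
    else echo "BAD  key  $2 (no PRIVATE KEY block)"; rc=1; fi
    if cert_expires_within "$1" 604800; then
        echo "WARN cert $1 expires within 7 days"; rc=1; fi
    return $rc
}

# Check the CA pair and the server pair on this node (assumed file names).
main() {
    check_pem_pair "$ZCA/ca.pem" "$ZCA/ca.key"; a=$?
    check_pem_pair "$ZSSL/server.crt" "$ZSSL/server.key"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check_zimbra_pem.sh --run` on each node; a non-zero exit means at least one file would trip zmcertmgr.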
