
Thread: Multi-server and Commercial cert

  1. #1

    Multi-server and Commercial cert

    I have set up a test environment of a multi-server Zimbra, looking like this:

    Zimbra 8.0.0/Open Source, CentOS 6.3

    1 x LDAP
    2 x MTA/Proxy
    2 x Mail store

    One DNS alias resolving to the two IP addresses of the MTA/Proxy machines (i.e. DNS round-robin). The name is mail.example.com and this name is to be used by end users.

    Everything was working as expected until I tried to install a Commercial Certificate...

    I followed this wiki: Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    (and my own notes of previous, successful installations in 7.x/NE/single-server).

    The wiki does not show the procedure for multi-server + commercial cert, but I did it like this:

    Code:
    # /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject '/C=COM/ST=Example/L=Someware/O=Some Site/OU=IT/CN=mail.example.com' -subjectAltNames 'z-ldap1.example.com, z-gw-1.example.com, ...' (all server names as AltNames)
    
    # openssl req -noout -text -in /opt/zimbra/ssl/zimbra/commercial/commercial.csr (Looking good. Got it signed.)
    # /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/SSL/cert.crt /root/SSL/chain.crt (Looking good. After signing.)
    
    # /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
    The last step started the installation on all machines in the system, but failed big time... see below:

    Did I guess wrong on how to do this for multi-server + comm cert?

    I ran this on one of the mail stores (the wiki does not specify this). Was this correct?

    Output:
    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt comm /root/SSL/mail.example.com.crt /root/SSL/chain.crt -allserver
    ** Verifying /root/SSL/mail.example.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/root/SSL/mail.example.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: /root/SSL/mail.example.com.crt: OK
    ** Copying /root/SSL/mail.example.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain /root/SSL/chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving global config key zimbraSSLCertificate...done.
    ** Saving global config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Warning: Permanently added 'z-gw-1.example.com,192.168.18.188' (RSA) to the list of known hosts.
    STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    ** Retrieving global config key zimbraSSLCertificate...done.
    ** Retrieving global config key zimbraSSLPrivateKey...done.
    ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    STARTCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    ** Retrieving server config key zimbraSSLCertificate...done.
    ** Retrieving server config key zimbraSSLPrivateKey...done.
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
    recognized usages:
            sslclient       SSL client
            sslserver       SSL server
            nssslserver     Netscape SSL server
            smimesign       S/MIME signing
            smimeencrypt    S/MIME encryption
            crlsign         CRL signing
            any             Any Purpose
            ocsphelper      OCSP helper
            timestampsign   Time Stamp signing
    XXXXX ERROR: Invalid Certificate:
    XXXXX ERROR: provided cert isn't valid.
    ENDCMD: z-gw-1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    Warning: Permanently added 'z-gw-2.example.com,192.168.18.189' (RSA) to the list of known hosts.
    STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    ** Retrieving global config key zimbraSSLCertificate...done.
    ** Retrieving global config key zimbraSSLPrivateKey...done.
    ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    STARTCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    ** Retrieving server config key zimbraSSLCertificate...done.
    ** Retrieving server config key zimbraSSLPrivateKey...done.
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
    recognized usages:
            sslclient       SSL client
            sslserver       SSL server
            nssslserver     Netscape SSL server
            smimesign       S/MIME signing
            smimeencrypt    S/MIME encryption
            crlsign         CRL signing
            any             Any Purpose
            ocsphelper      OCSP helper
            timestampsign   Time Stamp signing
    XXXXX ERROR: Invalid Certificate:
    XXXXX ERROR: provided cert isn't valid.
    ENDCMD: z-gw-2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    Warning: Permanently added 'z-ldap1.example.com,192.168.18.187' (RSA) to the list of known hosts.
    STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    ** Retrieving global config key zimbraSSLCertificate...done.
    ** Retrieving global config key zimbraSSLPrivateKey...done.
    ENDCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    STARTCMD: z-ldap1.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    Warning: Permanently added 'z-store2.example.com,192.168.18.186' (RSA) to the list of known hosts.
    STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    ** Retrieving global config key zimbraSSLCertificate...done.
    ** Retrieving global config key zimbraSSLPrivateKey...done.
    ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr getcrt comm -allserver
    
    STARTCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm
    
    ** Retrieving server config key zimbraSSLCertificate...done.
    ** Retrieving server config key zimbraSSLPrivateKey...done.
    ** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-attime timestamp] [-engine e] cert1 cert2 ...
    recognized usages:
            sslclient       SSL client
            sslserver       SSL server
            nssslserver     Netscape SSL server
            smimesign       S/MIME signing
            smimeencrypt    S/MIME encryption
            crlsign         CRL signing
            any             Any Purpose
            ocsphelper      OCSP helper
            timestampsign   Time Stamp signing
    XXXXX ERROR: Invalid Certificate:
    XXXXX ERROR: provided cert isn't valid.
    ENDCMD: z-store2.example.com sudo /opt/zimbra/bin/zmcertmgr deploycrt comm

  2. #2


    Anyone?

    I did run the "Multi-Node Self-Signed Certificate" installation from the wiki and that one installed a self-signed cert on all 5 machines with no errors. This indicates that my setup is functional. But now I am back at square one...

    I rephrase the question:

    How do I install a commercial certificate on a 5-node multi-server ZCS (details in post #1)?
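Added editorial example, not from the thread or from Zimbra's own tooling: a preflight script that repeats the checks deploycrt performs on the deploying node (key/cert match, chain file loads, leaf verifies against the chain) and adds a SAN check for the round-robin alias and every node name from post #1. The chain_loadable check is the one that failed on the remote nodes ("Error loading file ... commercial_ca.crt"), so running it on each node after getcrt shows whether the chain file is present there at all. It assumes the openssl CLI; the paths and hostnames are placeholders taken from the post.

```shell
#!/bin/sh
# Preflight checks for a commercial Zimbra certificate, meant to run before
# "zmcertmgr deploycrt comm <cert> <chain> -allserver". Constructed example,
# not from the thread or from Zimbra's own tooling; needs the openssl CLI.
# Every function exits 0 on success so it composes with "|| exit 1".
# Do key and certificate carry the same public key? (the "match" line above)
key_matches_cert() {  # $1=private key  $2=certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Is the chain file present and parseable as a PEM certificate bundle? This is
# the check the remote nodes failed ("Error loading file ... commercial_ca.crt"):
# openssl verify could not read its -CAfile at all.
chain_loadable() {  # $1=chain file
    [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1" \
        && openssl crl2pkcs7 -nocrl -certfile "$1" >/dev/null 2>&1
}

# Does the leaf validate against the chain for TLS server use?
chain_verifies() {  # $1=certificate  $2=chain file
    openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is a hostname a DNS SAN of the certificate? One cert serves the round-robin
# alias and every node, so each name must be listed; CN-only is not accepted.
cert_covers_host() {  # $1=certificate  $2=hostname
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' | tr -d ' ' \
        | grep -qxF "DNS:$2"
}

# Run every check; prints one FAIL line per problem, returns 0 only if all pass.
preflight() {  # $1=key  $2=cert  $3=chain  $4...=hostnames that must be covered
    key=$1; cert=$2; chain=$3; shift 3; rc=0
    key_matches_cert "$key" "$cert" || { echo "FAIL: key does not match $cert"; rc=1; }
    chain_loadable "$chain" || { echo "FAIL: $chain is not a loadable PEM bundle"; rc=1; }
    chain_verifies "$cert" "$chain" || { echo "FAIL: $cert does not verify against $chain"; rc=1; }
    for h in "$@"; do
        cert_covers_host "$cert" "$h" || { echo "FAIL: $h is not a DNS SAN of $cert"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: key, $cert and $chain are consistent for: $*"
    return "$rc"
}

# Usage with the post's paths and names (placeholders):
# preflight /opt/zimbra/ssl/zimbra/commercial/commercial.key /root/SSL/mail.example.com.crt \
#   /root/SSL/chain.crt mail.example.com z-gw-1.example.com z-gw-2.example.com z-ldap1.example.com
```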
