Results 1 to 10 of 19

Thread: Certificate question

  1. #1
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default Certificate question

    Zimbra beta on RHEL4. The install went extremely well. Very impressive.

    Everything seems to be working OK except that I am getting complaints about:

    Nov 16 12:14:16 newmail postfix/smtpd[19821]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt

    The file is indeed not there. Tried the create certificate tool but apparently that's for a different cert. This isn't causing any problems but it's generating a lot of error messages. What needs to be done to create this crt file?

    TIA!

  2. #2
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default cert install

    after zmcreatecert

    zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/ssl/ssl/smtpd.key

    postfix stop
    postfix start

  3. #3
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default

    I believe zmcreatecert ran during the install but I ran it again anyway:
    zmcertinstall failed. The default shell for the zimbra account is bash

    [zimbra@newmail ~]$ zmcreatecert
    ** Importing CA

    keytool error: java.lang.Exception: Certificate not imported, alias already exists
    ** Creating keystore

    ** Creating server cert request

    Generating a 1024 bit RSA private key
    ......++++++
    .........++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    ** Signing cert request

    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 8 (0x8)
    Validity
    Not Before: Nov 16 19:23:31 2005 GMT
    Not After : Nov 16 19:23:31 2006 GMT
    Subject:
    countryName = US
    stateOrProvinceName = N/A
    organizationName = Zimbra Collaboration Suite
    commonName = newmail.designtechnica.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    AB:57:91:DB:FE:DE:D4:0F:D4:86:8F:1B:5C:D3:A2:D1:69:8F:61:E7
    X509v3 Authority Key Identifier:
    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=newmail.designtechnica.com
    serial:00

    Certificate is to be certified until Nov 16 19:23:31 2006 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=newmail.designtechnica.com
    Getting CA Private Key
    unable to write 'random state'
    [zimbra@newmail ~]$ zmcertinstall mta /opt/zimbra/ssl/ssl/smtpd.crt /opt/zimbra/ssl/ssl/smtpd.key
    /opt/zimbra/bin/zmcertinstall: line 47: print: command not found
    [zimbra@newmail ~]$

  4. #4
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default bug

    Sorry, that one slipped by. It's not finding the cert file you specified.

    And the syntax I gave you was wrong:

    should be
    zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key

  5. #5
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default

    Same failure

    [root@plain log]# su - zimbra
    [zimbra@newmail ~]$ zmcertinstall mta mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key
    /opt/zimbra/bin/zmcertinstall: line 47: print: command not found
    [zimbra@newmail ~]$

  6. #6
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default file not found

    Does /opt/zimbra/ssl/ssl/server/smtpd.crt exist? (Are you running M2?)

  7. #7
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default

    I'm running the latest release of the "build it yourself" version downloaded from your site yesterday. Ran install.sh, answered a couple of questions and boom, everything worked.

    smtpd.crt does not exist anywhere on the system. I have:

    /opt/zimbra/ssl/ssl/server/tomcat.crt
    /opt/zimbra/ssl/ssl/server/server.crt
    /opt/zimbra/conf/slapd.crt

  8. #8
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default no cert

    Well, that's strange - I'll try to duplicate that, but for now:

    as root:
    cd ~zimbra
    mv ssl foo
    mkdir ssl
    chown zimbra ssl

    as zimbra:
    zmcreateca
    zmcreatecert

    find ssl/

    Should have:
    ssl/
    ssl/ssl
    ssl/ssl/ca
    ssl/ssl/ca/ca.pem
    ssl/ssl/ca/ca.srl.old
    ssl/ssl/ca/ca.key
    ssl/ssl/ca/ca.csr
    ssl/ssl/ca/ca.srl
    ssl/ssl/zmssl.cnf
    ssl/ssl/cert
    ssl/ssl/server
    ssl/ssl/server/tomcat.crt
    ssl/ssl/server/server.csr
    ssl/ssl/server/tomcat.csr
    ssl/ssl/server/server.key
    ssl/ssl/server/server.crt
    ssl/ssl/newCA
    ssl/ssl/newCA/index.txt
    ssl/ssl/newCA/newcerts
    ssl/ssl/newCA/newcerts/02.pem
    ssl/ssl/newCA/index.txt.old

    zmcertinstall mailbox
    zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key

  9. #9
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default

    I think that may have fixed it. I'll know for sure in a few minutes.

    FYI, /opt/zimbra had root/root ownership and a 755 mask.

    I had to change it to root/zimbra (chgrp) and give group write access. I'm wondering if this is why install.sh failed to create this stuff when I built it...

  10. #10
    Join Date
    Nov 2005
    Location
    Portland, Oregon USA
    Posts
    8
    Rep Power
    10

    Default

    A related problem (I think..)

    I think this happened after changing the hostname from the generic name that the ISP used when building the server. Everything seems to be working ok though.

    The key does exist:
    [root@plain named]# ls -l /opt/zimbra/conf/smtpd.key
    -rw-rw-r-- 1 zimbra zimbra 887 Nov 16 15:21 /opt/zimbra/conf/smtpd.key
    [root@plain named]#

    Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov 20 22:52:17 plain postfix/smtpd[18752]: warning: TLS library problem: 18752:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
    Nov 20 22:52:45 plain postfix/smtpd[18752]: warning: 209.190.15.3: hostname mx1.reg4you.com verification failed: Name or service not known
    Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Nov 20 22:54:49 plain postfix/smtpd[19114]: warning: TLS library problem: 19114:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:389:
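
The "key values mismatch" warning in post #10 means the certificate and the private key handed to Postfix are not halves of the same key pair. The script below is an added example, not part of the original posts or of Zimbra's tooling: it compares the public key in a certificate with the one derived from a private key, and flags a key file that users outside its owner and group can access (the `-rw-rw-r--` listing above would trigger that warning). The function names and the `mail.example.test` sample certificate are made up for illustration, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose the Postfix warning
# "X509_check_private_key: key values mismatch". Names here are hypothetical.

# Return 0 if the key matches the cert, 1 on mismatch, 2 if unparsable.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Return 0 if users outside owner and group have any access to the key file.
# Characters 8-10 of the ls mode string are the "other" permission bits.
key_exposed() {
    [ -e "$1" ] && [ "$(ls -ldL "$1" | cut -c8-10)" != "---" ]
}

# Report on one cert/key pair: 0 = fine, 1 = mismatch, 2 = error, 3 = exposed.
check_pair() {
    st=0; pair_matches "$1" "$2" || st=$?
    case $st in
        0) echo "OK: $2 is the private key for $1" ;;
        1) echo "MISMATCH: $2 does not belong to $1" ;;
        *) echo "ERROR: cannot parse $1 or $2" ;;
    esac
    if key_exposed "$2"; then
        echo "WARN: $2 is accessible to other users; remove their access"
        if [ "$st" -eq 0 ]; then st=3; fi
    fi
    return "$st"
}

# Constructed sample input: throwaway self-signed pair plus an unrelated key.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
        -keyout "$1/smtpd.key" -out "$1/smtpd.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    chmod 600 "$1/smtpd.key" "$1/other.key"
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
else
    tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
    check_pair "$tmp/smtpd.crt" "$tmp/smtpd.key" || :
    check_pair "$tmp/smtpd.crt" "$tmp/other.key" || :   # expected: MISMATCH
    rm -rf "$tmp"
fi
```

Run with two arguments (certificate, then key) to check real files; with no arguments it runs against the throwaway samples.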
