Page 1 of 1

Unmatching certificate

Posted: Sun Jan 31, 2016 3:14 pm
by Martinwiertz

Hi,



I need your assistance, please.


I generated a CSR to mij server zimbra.A.local and have an external internet domain called zimbra.A.info. The only difference is .local and .info.


The CSR check with Symantec provides an error. Invalid subject alternative name (SAN). The names zimbra.A.local and www.A.info are displayed.



My analisys is that is should change my Zimbra servername and reapply for a certificate without .local name. Correct?


Verificrt:


/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.


Versie 8.6.0_GA_1191.NETWORK 16 dec 2015


Unmatching certificate

Posted: Mon Feb 01, 2016 1:39 am
by imanudin11

Hi


[quote user="Martinwiertz"]


Hi,



I need your assistance, please.


I generated a CSR to mij server zimbra.A.local and have an external internet domain called zimbra.A.info. The only difference is .local and .info.


The CSR check with Symantec provides an error. Invalid subject alternative name (SAN). The names zimbra.A.local and www.A.info are displayed.



My analisys is that is should change my Zimbra servername and reapply for a certificate without .local name. Correct?


[/quote]


I think it's could be the reason :)


[quote]


Verificrt:


/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.


Versie 8.6.0_GA_1191.NETWORK 16 dec 2015



[/quote]


Are you generate CSR in same server (Zimbra) or from other server? if from other server, please copy commercial.key and placed in /opt/zimbra/ssl/zimbra/commercial/ folder


Unmatching certificate

Posted: Mon Feb 01, 2016 1:47 am
by Martinwiertz
Ahmad,



Thanks for your reply... so change servername is key. Hmm, hoped this wouldn't be necessary due to impact. Everything has to be ok or Zimbra won't run anymore. I have a daily backup. :-)



I am administering at the machine. File location is ok. Commercial.key is not a file which is provided by certificate CA. only CRT-files.

Unmatching certificate

Posted: Mon Feb 01, 2016 11:37 am
by Martinwiertz
Hello,



It's solved!!



Solution was comparison of the original commercial.key with the new commercial certificate. The stdin code must be equal. With some much appreciated help from www.sslcertificaten.nl it worked.



https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools



/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt



/opt/zimbra/bin/zmcertmgr viewdeployedcrt



Thanks!