SSL Certificate Deployment Issue on Zimbra 8.7

Post by drzoidberg » Sun Aug 14, 2016 6:05 pm

Hi all,

I have an issue with the deployment of an SSL certificate. Does anyone have the same problem? When I use GUI deployment, it says some error about RemoteManager port 22,

so I followed the recommended Single-Node Commercial Certificate steps from https://wiki.zimbra.com/wiki/Administra ... cate_Tools

I have three files: GeoTrust Global CA (ROOT CA) .pem, which I renamed to .crt; IntermediateCA.crt; and ServerCert.crt.
RootCA and Intermediate are merged into one Chain file.

Console output:

Verification is OK

Code:

[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK



Issue:

Code:

[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Fixing newlines in '/tmp/commercial.crt'
Can't rename /tmp/commercial.crt to /tmp/commercial.crt.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1225.
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.domain.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.domain.tld...ok
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
unable to load certificates
140604730992320:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:


Something with Jetty (what is it?) or a PEM bad end of file. I checked it many times and the file endings are OK.
I also checked for empty lines or merged headings, and it is OK.

-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

Thank you very much for any help,
Dave


Post by Veidit » Tue Aug 16, 2016 8:29 am

Have you tried to do it as root?
Post by drzoidberg » Tue Aug 16, 2016 3:56 pm

Veidit wrote: Have you tried to do it as root?

Code:

[root@mail tmp]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
zmcertmgr: ERROR: no longer runs as root!
Post by L. Mark Stone » Tue Aug 16, 2016 6:03 pm

Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

You may want, as the root user and before trying to deploy the certs again, to run:

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt


Then try deploying again.

Keep us posted!

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
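
Added example, not part of the thread and not Zimbra code: the deploycrt log above shows zmcertmgr skipping its newline fix because the rename in /tmp was refused, and "bad end line" is what openssl typically reports when an END line runs into the next BEGIN line after concatenation. Assuming that is the failure here, this sketch checks PEM files for those newline problems and stages clean copies in a private directory owned by the zimbra user, so nothing in /tmp has to be world-writable; the function names and staging layout are hypothetical.

```shell
#!/bin/sh
# Added example (not Zimbra code): pre-flight checks for PEM files before
# `zmcertmgr deploycrt`. Function names and staging layout are hypothetical.

# Print each newline problem found in a PEM file; return 1 if any was found.
pem_newline_issues() {
    _f=$1; _rc=0; _cr=$(printf '\r')
    # CRLF line endings, e.g. a file saved on Windows
    if grep -q "$_cr" "$_f"; then echo "crlf"; _rc=1; fi
    # $(...) strips a final newline, so non-empty output means it is missing
    if [ -n "$(tail -c 1 "$_f")" ]; then echo "no-trailing-newline"; _rc=1; fi
    # END and BEGIN markers fused on one line: openssl's "bad end line"
    if grep -q 'END CERTIFICATE-*BEGIN' "$_f"; then echo "fused-boundary"; _rc=1; fi
    return $_rc
}

# Write a copy of $1 to $2 with CRs stripped and a final newline guaranteed.
pem_normalize() {
    tr -d '\r' < "$1" | awk '{ print }' > "$2"
}

# Copy PEM files into a private directory owned by the caller (run this as
# the zimbra user) instead of making files in /tmp world-writable.
stage_certs() {
    _dest=$1; shift
    mkdir -p "$_dest" && chmod 700 "$_dest" || return 1
    for _src in "$@"; do
        [ -r "$_src" ] || return 1
        _out="$_dest/$(basename "$_src")"
        ( umask 077; pem_normalize "$_src" "$_out" ) || return 1
        pem_newline_issues "$_out" >/dev/null || return 1
    done
}

# Constructed sample: server cert with CRLF endings and no final newline.
demo=$(mktemp -d)
printf '%s\r\n%s\r\n%s' '-----BEGIN CERTIFICATE-----' 'xxxx' \
    '-----END CERTIFICATE-----' > "$demo/commercial.crt"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'xxxx' \
    '-----END CERTIFICATE-----' > "$demo/ca_chain.crt"
pem_newline_issues "$demo/commercial.crt" || true
stage_certs "$demo/stage" "$demo/commercial.crt" "$demo/ca_chain.crt" \
    && echo "staged clean copies in $demo/stage"
```

Run it as the zimbra user and pass the staged paths to `zmcertmgr verifycrt` and `deploycrt`.
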
Post by drzoidberg » Wed Aug 17, 2016 2:18 pm

L. Mark Stone wrote: Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

Solved that! Amazing!
What a newbie mistake... Thank you very much for the help.
Post by L. Mark Stone » Thu Aug 18, 2016 2:53 pm

drzoidberg wrote:
L. Mark Stone wrote: Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

Solved that! Amazing!
What a newbie mistake... Thank you very much for the help.


Lucky guess, but glad it worked for you!

:roll:

All the best,
Mark