Another "Unable to find valid certificate"...

Erik-NA
Posts: 23
Joined: Wed Dec 14, 2016 1:06 pm
Location: Sweden
ZCS/ZD Version: Zimbra Collaboration 8.8.11

Another "Unable to find valid certificate"...

Postby Erik-NA » Sun Dec 18, 2016 5:37 pm

Just installed Zimbra version 8.7.1_GA_1670.NETWORK on Ubuntu 16.04 using my own private single-Node Commercial Certificate according to the Tech center, https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools

I am also using an http/https proxy in my network, which affects the install because it uses an intermediary http proxy CA.

Single-Node Commercial Certificate
First I created a Certificate Signing Request (CSR) for my server (using my own config of course, host.example.com is only an example here)

Code:

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Zimbra/OU=Zimbra Collaboration Suite/CN=host.example.com" -subjectAltNames host.example.com

And then I signed the CSR with my own private root CA (using XCA on Windows). I exported the following certs from XCA:
  • The signed cert into a pem file, "commercial.crt"
  • My private root CA into a pem file, "ca.crt"
  • My http proxy CA (which is signed with my private root CA and accordingly is an intermediate CA) into a pem file, "proxy_ca.crt"
I combined the two files "ca.crt" and "proxy_ca.crt" into one file, "ca_chain.crt"

Verification went fine so I deployed them

Code:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

At last I checked if all went well,

Code:

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

And it did. So Zimbra is now running. Web interface is responding and is using my private root CA.

But when I want to manually run a backup job I am getting the dreadful error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Code:

/opt/zimbra/bin/zmbackup -f -s host.example.com -a all
Error occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


host.example.com is also defined in the hosts file

I have looked around and sadly cannot find any straight answer on what to do. So any help is appreciated.


JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another "Unable to find valid certificate"...

Postby JDunphy » Mon Dec 19, 2016 4:40 pm

Do you get the same message when you do the following:

Code:

/opt/zimbra/bin/zmbackup -f -a all


If that worked, does this look correct?

Code:

zmlocalconfig -s -q -x |grep zimbra_server_hostname
Erik-NA
Posts: 23
Joined: Wed Dec 14, 2016 1:06 pm
Location: Sweden
ZCS/ZD Version: Zimbra Collaboration 8.8.11

Re: Another "Unable to find valid certificate"...

Postby Erik-NA » Mon Dec 19, 2016 6:31 pm

Here is the result:

Code:

zimbra@host:~/bin$ zmbackup -f -a all
Error occurred: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Code:

zimbra@host:~/bin$ zmlocalconfig -s -q -x |grep zimbra_server_hostname
zimbra_server_hostname = host.example.com
JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another "Unable to find valid certificate"...

Postby JDunphy » Mon Dec 19, 2016 7:53 pm

Sorry I don't have much more to offer. It is confusing to me that it works for everything else but backup. The message seems to indicate that the keystore doesn't have your CA which if true... then why does everything else work? Odd. I do my certs much differently so I have exhausted the little knowledge that I have on this.

I don't know if this would yield additional information for you about your cert?

Code:

echo QUIT | openssl s_client -connect mail.example.com:443 | openssl x509 -noout -text | more


You say
Erik-NA wrote:I am also using a http/https-proxy in my network, which affects the install using a intermediary http proxy CA
I guess that means you have a longer full chain. If that commercial CA gets its authority from another entity, you would add that, I suppose, but that can't be, because you said Zimbra was able to validate it? Unless this is a Java-specific problem and the CA that issued your SSL certificate is not in the default Java keystore/registry. If that is true, then running zmmailbox from the command line should also fail.

Code:

zmmailbox -z -m user@example.com gms
Erik-NA
Posts: 23
Joined: Wed Dec 14, 2016 1:06 pm
Location: Sweden
ZCS/ZD Version: Zimbra Collaboration 8.8.11

Re: Another "Unable to find valid certificate"...

Postby Erik-NA » Mon Dec 19, 2016 8:50 pm

The CA is my own private root cert, created on my own. Could that be the problem? But I have also imported the CA.

This Java keystore thing is not easy when you don't work with it very much. I have also imported my CA and my proxy CA in the OS, but I do not think Java considers the OS certificates?
JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another "Unable to find valid certificate"...

Postby JDunphy » Mon Dec 19, 2016 10:20 pm

I know what you mean about Java... I know nothing about how, or even if, it has a different keystore location. I take it that the zmmailbox command failed for you?

This link might offer some guidance: http://tech.sid3windr.be/2012/10/configuring-zimbra-to-use-your-own-commercial-ssl-certificate/ They seem to use the keytool command in addition to zmcertmgr. Given the age of the article, I wonder if it's still valid?

I like your chances however:

Code:

file  /opt/zimbra/common/bin/keytool
/opt/zimbra/common/bin/keytool: symbolic link to `../lib/jvm/java/bin/keytool'


From this link https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html you should be able to list your CA's.
Erik-NA
Posts: 23
Joined: Wed Dec 14, 2016 1:06 pm
Location: Sweden
ZCS/ZD Version: Zimbra Collaboration 8.8.11

Re: Another "Unable to find valid certificate"...

Postby Erik-NA » Tue Dec 20, 2016 6:40 pm

Sorry, I am lost... Now I have two commercial certs,

/opt/zimbra/conf/ca/commercial_ca_1.crt (the old one)
/opt/zimbra/conf/ca/commercial_ca_2.crt (the new one)

First I apparently must delete my old commercial certificates? How do I do that? There is information about how to do it in earlier versions, but not how to do it in 8.7.1. I also think I must delete it in Zimbra and also in the Tomcat web server's keyring? How do I do that? Or is Tomcat not used anymore? I am seeing nginx stuff.

Basically, what I think I want to do is (against better knowledge...):
  • Reset the cert install to a known state. Like after first installation.
  • Import my own private root CA. I believe zimbra must have this cert for validation purposes?
  • Import my own created intermediate proxy CA which zimbra can use to connect to the Internet via my https proxy (not sure if this is correct way?).
    It is used for downloading updates or other https stuff zimbra must access on the Internet?
  • Import my own certificate which zimbra uses for web, smtpd etc. This is a commercial certificate. CN=host.example.com (in this example)
Is there anyone out there who has successfully done this on Ubuntu 16.04?
JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another "Unable to find valid certificate"...

Postby JDunphy » Tue Dec 20, 2016 9:21 pm

Very confusing for sure.

If you look at /opt/zimbra/ssl... there are a lot of backups there. zmcertmgr has code to back up those SSL dirs and will call keytool and openssl to perform its function. You can enable debugging with -debug to watch what it is doing. I see some comments in the code in relation to CertAuthorityCertSelfSigned that are missing from the deploycrt comm pathway, I think. I am not familiar with adding your own private CA using the commercial method that you have attempted, and my review of their code kind of looks like it might be incomplete for what you're trying. If you do a:

Code:

pod2text /opt/zimbra/bin/zmcertmgr |more


They show some additional documentation and examples ... but back to making zmbackup work with your method. ;-)

This is what I have found thus far in relation to the java keystore with 8.7+.

Code:

%pwd
/opt/zimbra/common/lib/jvm/openjdk-1.8.0_92-zimbra/jre/lib/security/opt/zimbra/common/etc/java
ls -l cacerts
lrwxrwxrwx 1 root root 35 Oct 26 13:46 cacerts -> /opt/zimbra/common/etc/java/cacerts

%ls -l cacerts
-rw-r--r-- 1 zimbra zimbra 221026 Oct 28 16:56 cacerts

%file /opt/zimbra/common/etc/java/cacerts
/opt/zimbra/common/etc/java/cacerts: Java KeyStore



Password is "changeit". This should list the CA's.

Code:

keytool -list -keystore /opt/zimbra/common/etc/java/cacerts -storepass "changeit"


And if it's not there, you can add it according to a wiki entry: https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools

Code:

keytool -import -alias root -keystore /opt/zimbra/common/etc/java/cacerts -file /opt/zimbra/conf/ca/commercial_ca.pem


I am very interested if you can get this working... it seems like you are close.
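The two checks this thread keeps circling back to are whether the concatenated ca_chain.crt from the first post really contains both CAs, and whether the Zimbra cacerts keystore holds them (what `keytool -list` with the "changeit" password shows). The script below is an added example written for this thread, not Zimbra's code or anything posted by the participants: it splits a PEM bundle on its markers, reads a JKS keystore directly, verifies the store's integrity hash against the password, and reports the SHA-256 fingerprints of any bundle certificate that has no trusted entry. It assumes a JKS version 2 store (the JDK 8 cacerts that ZCS 8.7/8.8 ship), the default password "changeit", and a bundle made only of CERTIFICATE blocks; the sample keystore and certificate bytes are constructed placeholders, not real DER.

```python
"""Is every CA in a PEM bundle a trusted entry of a JKS cacerts file?

Added example for this thread, not Zimbra's code: the check `keytool -list`
plus a fingerprint comparison would give, for hosts where keytool is absent.
Assumes JKS version 2 (the JDK 8 cacerts in ZCS 8.7/8.8), store password
"changeit", and a bundle of CERTIFICATE blocks only. Sample cert bytes below
are constructed placeholders, not real DER.
"""
import base64
import hashlib
import struct

MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def split_pem_bundle(text):
    """DER bytes of each CERTIFICATE block. Splitting on the markers, not on
    lines, copes with a `cat`-built bundle whose first file had no trailing
    newline, which fuses END and BEGIN onto one line."""
    ders, rest = [], text
    while True:
        i = rest.find(BEGIN)
        if i < 0:
            return ders
        j = rest.find(END, i)
        if j < 0:
            raise ValueError("unterminated CERTIFICATE block")
        ders.append(base64.b64decode("".join(rest[i + len(BEGIN):j].split())))
        rest = rest[j + len(END):]


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest().upper()


def _jks_digest(password, data):
    # JKS integrity hash: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || data)
    md = hashlib.sha1(password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    md.update(data)
    return md.digest()


def build_jks(trusted, password="changeit"):
    """Serialise {alias: der} as a JKS v2 store of trusted-cert entries (sample only)."""
    utf = lambda s: struct.pack(">H", len(s.encode())) + s.encode()  # Java writeUTF
    body = struct.pack(">III", MAGIC, 2, len(trusted))
    for alias, der in trusted.items():
        body += struct.pack(">I", TRUSTED_CERT) + utf(alias) + struct.pack(">Q", 0)
        body += utf("X.509") + struct.pack(">I", len(der)) + der  # timestamp above is 0 ms
    return body + _jks_digest(password, body)


def keystore_password_ok(blob, password):
    """True when the trailing 20-byte integrity hash matches this password."""
    return len(blob) > 20 and _jks_digest(password, blob[:-20]) == blob[-20:]


def read_jks_trusted_certs(blob, password="changeit"):
    """{alias: der} for the trusted-cert entries; private-key entries are skipped."""
    if not keystore_password_ok(blob, password):
        raise ValueError("integrity check failed: wrong store password or corrupt file")
    off = 0

    def take(n):                    # consume n raw bytes
        nonlocal off
        off += n
        return blob[off - n:off]

    def u32():
        return struct.unpack(">I", take(4))[0]

    def utf():                      # Java writeUTF: 2-byte length, then bytes
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    def cert():
        utf()                       # certificate type, normally "X.509"
        return take(u32())

    if (u32(), u32()) != (MAGIC, 2):
        raise ValueError("not a JKS version 2 keystore")
    trusted = {}
    for _ in range(u32()):          # entry count
        tag, alias = u32(), utf()
        take(8)                     # creation timestamp
        if tag == TRUSTED_CERT:
            trusted[alias] = cert()
        elif tag == PRIVATE_KEY:
            take(u32())             # encrypted private key
            for _ in range(u32()):  # certificate chain
                cert()
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return trusted


def missing_from_keystore(pem_text, jks_blob, password="changeit"):
    """Fingerprints of bundle certificates with no trusted entry in the store."""
    present = {sha256_fingerprint(d) for d in read_jks_trusted_certs(jks_blob, password).values()}
    return [fp for fp in map(sha256_fingerprint, split_pem_bundle(pem_text)) if fp not in present]


# Constructed sample: stand-ins for ca.crt and proxy_ca.crt concatenated without a
# newline between them, and a cacerts that trusts only the root.
ROOT_DER = b"constructed-root-ca-not-real-der"
PROXY_DER = b"constructed-proxy-ca-not-real-der"
SAMPLE_BUNDLE = "".join("%s\n%s\n%s" % (BEGIN, base64.b64encode(d).decode(), END)
                        for d in (ROOT_DER, PROXY_DER)) + "\n"
SAMPLE_CACERTS = build_jks({"zcs-user-commercial_ca": ROOT_DER})

if __name__ == "__main__":
    for fp in missing_from_keystore(SAMPLE_BUNDLE, SAMPLE_CACERTS):
        print("not trusted by keystore:", fp)
```

Against a live host you would call `missing_from_keystore(open('/tmp/ca_chain.crt').read(), open('/opt/zimbra/common/etc/java/cacerts', 'rb').read())` as the zimbra user; an empty list means every CA in the bundle is trusted by the JVM, and any fingerprint it reports is the one to compare against `keytool -list -v` or `openssl x509 -fingerprint -sha256 -noout -in ca.crt`. Reading the store directly also makes the failure mode visible: a wrong password fails the integrity hash before any entry is parsed, which is the same reason keytool refuses to list anything with a wrong `-storepass`.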
Erik-NA
Posts: 23
Joined: Wed Dec 14, 2016 1:06 pm
Location: Sweden
ZCS/ZD Version: Zimbra Collaboration 8.8.11

Re: Another "Unable to find valid certificate"...

Postby Erik-NA » Thu Dec 22, 2016 3:03 pm

Reinstalled zimbra.

Followed instructions here: https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools for Multi-Node Commercial Certificate.

Code:

zimbra@mail:/root$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer host.example.com...failed (rc=1)
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 2 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/2523b3cb.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Copying CA to /opt/zimbra/conf/ca
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '2523b3cb.0' -> 'commercial_ca_1.crt'
zmcertmgr: ERROR deploycrt(comm /tmp/commercial.crt /tmp/ca_chain.crt) failed: chdir(/root) failed: Permission denied
Hit two errors:
  1. Saving config key 'zimbraSSLCertificate' via zmprov modifyServer host.example.com...failed (rc=1)
  2. zmcertmgr: ERROR deploycrt(comm /tmp/commercial.crt /tmp/ca_chain.crt) failed: chdir(/root) failed: Permission denied
JDunphy
Outstanding Member
Posts: 482
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.7.11_P14 RHEL6 Network Edition

Re: Another "Unable to find valid certificate"...

Postby JDunphy » Thu Dec 22, 2016 3:31 pm

Code:

ls -ald /root


zmcertmgr is running as zimbra in 8.7+ and it does this:

my $odir = Cwd::cwd();
chdir($odir) or die("chdir($odir) failed: $!\n");

Fix the permissions on /root, or rerun it from a different location that the zimbra user can access, and it should work. That is my guess anyway. :-)
