Page 2 of 2

Re: Another "Unable to find valid cerificate"...

Posted: Thu Dec 22, 2016 4:27 pm
by Erik-NA
Okey. So here is the solution for my problem for Ubuntu 16.04. I want to do the following:
  • Reset the cert install to a known state. Like after first installation.
  • Import my own private root CA. I believe zimbra must have this cert for validation purposes?
  • Import my own created intermediate proxy CA which zimbra can use to connect to the Internet via my https proxy (not sure if this is correct way?).
    It is used for downloading updates or other https stuff zimbra must access on the Internet?
  • Import my own certificate which zimbra uses for web, smtpd etc. This is a commercial certificate. (in this example)

And here is what I did.

On a clean zimbra install, copy the following certificates to /tmp on Zimbra server:
  • Your private certificate for your mail server host as /tmp/commercial.crt
  • Your private key for your mail server host as /tmp/commercial.key
  • Your provate Root Certificate as /tmp/ca.crt
  • Web proxy intermediate CA as/tmp/intermediate.crt (I am using a https proxy so I have to insert the proxy CA here as an intermediate CA)

Combine root and intermediary CAs into a temporary file.

Code: Select all

cat /tmp/intermediate.crt /tmp/ca.crt > /tmp/ca_chain.crt

Stop zimbra. Run as user zimbra:

Code: Select all

/opt/zimbra/bin/zmcontrol stop

Remove old certs in zimbra:

Code: Select all

sudo rm -R  /opt/zimbra/ssl/zimbra

Then recreate the directories:

Code: Select all

sudo mkdir /opt/zimbra/ssl/zimbra
sudo mkdir /opt/zimbra/ssl/zimbra/ca
sudo mkdir /opt/zimbra/ssl/zimbra/commercial
supo mkdir /opt/zimbra/ssl/zimbra/server
sudo chmod 750 /opt/zimbra/ssl/zimbra
sudo chmod 750 /opt/zimbra/ssl/zimbra/*
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/zimbra

Now copy the commercial.key to /opt/zimbra/ssl/zimbra/commercial.

Code: Select all

sudo cp /tmp/commercial.key /opt/zimbra/ssl/zimbra/commercial/
sudo chmod 640 /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

Verify your commercial certificate. Run as user zimbra:

Code: Select all

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt

Deploy your commercial certificate. Run as user zimbra:

Code: Select all

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt

To finish, verify the certificate was deployed. Run as user zimbra:

Code: Select all

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

In case of any issues in the Java keystore, check that the Intermediate CA was added to the keystore. First, you should find out the sh1 fingerprint of your root CA:

Code: Select all

openssl x509 -in /tmp/ca.crt -text -noout -fingerprint
It shall output a SHA1 fingerprint like:
SHA1 Fingerprint=43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8
Copy your fingerprint section (in this example 43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8) and insert it below. Run as user zimbra:

Code: Select all

keytool -list -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit | grep <sha1 fingerprint>

If not found, import the CA into the keystore:

Code: Select all

keytool -import -alias root -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -file /tmp/ca.crt

Do the same for your intermediate CA.

Done! Now is Zimbra installed with your private root CA any intermediate CA and your private zimbra server certificate.

Start server end enjoy. Run as user zimbra:

Code: Select all

/opt/zimbra/bin/zmcontrol start

Do not forget to add the Root CA and intermediate CA (in my case the proxy CA) in the OS. How to do that is not described here.