[SOLVED] SSL Certificate Install Error

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
ZimbraTechie
Posts: 3
Joined: Wed Feb 08, 2017 10:30 am

[SOLVED] SSL Certificate Install Error

Postby ZimbraTechie » Wed Feb 08, 2017 10:39 am

My mail server SSL certificate expired, so I brought a new one and attempted to installed it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}

Any suggestions welcome!

Thank you! :D


phoenix
Ambassador
Ambassador
Posts: 26334
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: SSL Certificate Install Error

Postby phoenix » Wed Feb 08, 2017 10:54 am

Use the command line tools to install the certificate (details in the wiki) and see how you get on with that.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
User avatar
vavai
Advanced member
Advanced member
Posts: 154
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia
Contact:

Re: SSL Certificate Install Error

Postby vavai » Wed Feb 08, 2017 9:38 pm

ZimbraTechie wrote:My mail server SSL certificate expired, so I brought a new one and attempted to installed it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}

Any suggestions welcome!

Thank you! :D


According to error message, you can check whether you have change SSH port from default 22 into another number? If so, you can adjust the config as well :

Code: Select all

zmprov ms `zmhostname` zimbraRemoteManagementPort SSHNewPort
ZimbraTechie
Posts: 3
Joined: Wed Feb 08, 2017 10:30 am

Re: SSL Certificate Install Error

Postby ZimbraTechie » Mon Feb 13, 2017 10:19 am

Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki :oops:)

Thanks for all the help! :D
User avatar
vavai
Advanced member
Advanced member
Posts: 154
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia
Contact:

Re: SSL Certificate Install Error

Postby vavai » Mon Feb 13, 2017 7:57 pm

Hi,
ZimbraTechie wrote:Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki :oops:)

Thanks for all the help! :D


CLI Method on Zimbra Wiki : https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools (see on "Single-Node Commercial Certificate")

Glad to hear your problem solved successfully. You can also marks this thread as solved :D
ZimbraTechie
Posts: 3
Joined: Wed Feb 08, 2017 10:30 am

Re: SSL Certificate Install Error

Postby ZimbraTechie » Tue Feb 14, 2017 4:03 am

Thanks vavai. ;)

Eh... I can't find any way to edit the topic title. :?
I tried searching for "edit topic title"
And looking at the FAQ (the question mark icon)

Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Thanks! :D
phoenix
Ambassador
Ambassador
Posts: 26334
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: SSL Certificate Install Error

Postby phoenix » Tue Feb 14, 2017 7:17 am

ZimbraTechie wrote:Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Just edit the first post and the title will also be editable at that point.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
racerock
Posts: 22
Joined: Tue Sep 20, 2016 10:09 am

Re: SSL Certificate Install Error

Postby racerock » Wed Feb 15, 2017 8:09 pm

I had a very similar problem when I installed a few Startcom certs last year previously in V 8.6, I think it was, they worked fine but with 8.7 onwards I had issues so here is my documented fix I have based this on creating the CSR in the admin web page then when trying to load back the commercial cert files in via web it fails as you describe :

PS BACK IT UP BEFORE YOU START A WRONG CERT DEPLOYMENT CAN BE FATAL !!!
SEE:

https://wiki.zimbra.com/wiki/Installing ... laboration

PS I note that from 8.7 onwards the /opt/zimbra/bin/zmcertmgr actions ( deployment and verification ) should be done as zimbra user (su - zimbra)

( Mine was based on *** Startcom SSL you use the files you obtain in my case "other server zip ** from zip I used the obvious files renamed them to suite, the files as follows:
Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt):
1.. Starting from a failed deployment in the web interface get in to a shell as root PS Most commands are run as root some need user zimbra

2 ** from my starcom files the commercial cert was "name of server.crt" so I renamed and copied to this to /tmp/commercial.crt

3. ** from my starcom files the root ca was called root.crt so I renamed and copied to root.crt to /tmp/ca.crt

4. * from my starcom files the intermediary CA was called intermediate.crt so I renamed this and copied to /tmp/ca_intermediary.crt
4a So in /tmp/ I have 3 files: ca_intermediary.crt ca.crt commercial.crt

5. Combine root and intermediary CAs into a temporary file.

cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
........valid certificate OK
7. Deploy your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
********
******
*******
**Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

thats it Job done ..

Suggested zmcontrol restart
but I prefer a REBOOT ....recheck should be OK
User avatar
L. Mark Stone
Elite member
Elite member
Posts: 2036
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.12 Network Edition
Contact:

Re: [SOLVED] SSL Certificate Install Error

Postby L. Mark Stone » Wed Feb 15, 2017 8:42 pm

FWIW I edited the title of the first post to indicate the thread is [SOLVED].

All the best,
Mark (a Moderator)
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 8 guests