[SOLVED] SSL Certificate Install Error

Posted: Wed Feb 08, 2017 10:39 am
by ZimbraTechie
My mail server SSL certificate expired, so I bought a new one and attempted to install it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the keys from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long string of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}"

Any suggestions welcome!

Thank you! :D

Re: SSL Certificate Install Error

Posted: Wed Feb 08, 2017 10:54 am
by phoenix
Use the command line tools to install the certificate (details in the wiki) and see how you get on with that.

Re: SSL Certificate Install Error

Posted: Wed Feb 08, 2017 9:38 pm
by vavai
ZimbraTechie wrote:My mail server SSL certificate expired, so I bought a new one and attempted to install it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the keys from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long string of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}"

Any suggestions welcome!

Thank you! :D


According to the error message, you can check whether you have changed the SSH port from the default 22 to another number. If so, you can adjust the config as well:

zmprov ms `zmhostname` zimbraRemoteManagementPort SSHNewPort

Re: SSL Certificate Install Error

Posted: Mon Feb 13, 2017 10:19 am
by ZimbraTechie
Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki :oops:)

Thanks for all the help! :D

Re: SSL Certificate Install Error

Posted: Mon Feb 13, 2017 7:57 pm
by vavai
Hi,
ZimbraTechie wrote:Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki :oops:)

Thanks for all the help! :D


CLI Method on Zimbra Wiki : https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools (see on "Single-Node Commercial Certificate")

Glad to hear your problem was solved successfully. You can also mark this thread as solved :D

Re: SSL Certificate Install Error

Posted: Tue Feb 14, 2017 4:03 am
by ZimbraTechie
Thanks vavai. ;)

Eh... I can't find any way to edit the topic title. :?
I tried searching for "edit topic title"
And looking at the FAQ (the question mark icon)

Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Thanks! :D

Re: SSL Certificate Install Error

Posted: Tue Feb 14, 2017 7:17 am
by phoenix
ZimbraTechie wrote:Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Just edit the first post and the title will also be editable at that point.

Re: SSL Certificate Install Error

Posted: Wed Feb 15, 2017 8:09 pm
by racerock
I had a very similar problem when I installed a few Startcom certs last year. Previously, in V 8.6 I think it was, they worked fine, but with 8.7 onwards I had issues, so here is my documented fix. I have based this on creating the CSR in the admin web page; then, when trying to load the commercial cert files back in via the web, it fails as you describe:

PS BACK IT UP BEFORE YOU START. A WRONG CERT DEPLOYMENT CAN BE FATAL !!!
SEE:

https://wiki.zimbra.com/wiki/Installing ... laboration

PS I note that from 8.7 onwards the /opt/zimbra/bin/zmcertmgr actions ( deployment and verification ) should be done as zimbra user (su - zimbra)

(Mine was based on Startcom SSL. You use the files you obtain, in my case the "other server" zip. From the zip I used the obvious files and renamed them to suit, the files as follows:)
Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt):

1. Starting from a failed deployment in the web interface, get into a shell as root. PS Most commands are run as root; some need user zimbra.

2. From my Startcom files the commercial cert was "name of server.crt", so I renamed this and copied it to /tmp/commercial.crt

3. From my Startcom files the root CA was called root.crt, so I renamed root.crt and copied it to /tmp/ca.crt

4. From my Startcom files the intermediary CA was called intermediate.crt, so I renamed this and copied it to /tmp/ca_intermediary.crt
4a. So in /tmp/ I have 3 files: ca_intermediary.crt ca.crt commercial.crt

5. Combine root and intermediary CAs into a temporary file.

cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt

6. Verify your commercial certificate.
As zimbra user if 8.7 or later:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
........valid certificate OK

7. Deploy your commercial certificate.
As zimbra user if 8.7 or later:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
********
******
*******
**Installing CA to /opt/zimbra/conf/ca…done.

8. To finish, verify the certificate was deployed.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

That's it, job done.

Suggested zmcontrol restart
but I prefer a REBOOT ....recheck should be OK
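
The two things checked in steps 5 and 6 of the post above (the private key belongs to the certificate, and the certificate chains to the combined CA file) can also be tested on their own before deploying. This is an added example, not part of racerock's post and not Zimbra's tooling: it calls the openssl command line directly instead of zmcertmgr, reuses the file names from the post, and builds its own constructed throwaway certificates so it runs offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for the three files used in the steps above.
# Every key and certificate generated here is constructed test data.

# Build a constructed root -> intermediate -> server chain in directory $1.
make_sample_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ext.cnf"
    openssl req -x509 -config "$d/ext.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/ca.crt" -subj "/CN=Constructed Root" -days 2 2>/dev/null
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Constructed Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ext.cnf" -extensions v3_ca -days 2 -out "$d/ca_intermediary.crt" 2>/dev/null
    openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/commercial.key" -out "$d/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_intermediary.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/commercial.crt" 2>/dev/null
    # Same order as step 5: intermediate first, then root.
    cat "$d/ca_intermediary.crt" "$d/ca.crt" > "$d/ca_chain.crt"
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when certificate $2 verifies against the CA bundle $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks. Usage: preflight KEY CERT CHAIN
preflight() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    chain_verifies "$3" "$2" || { echo "certificate does not chain to $3"; return 1; }
    echo "ok: key matches and chain verifies"
}

# Demo on the constructed files; the directory is removed when the script exits.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_sample_pki "$work"
preflight "$work/commercial.key" "$work/commercial.crt" "$work/ca_chain.crt"
```

To check real files, call preflight with /opt/zimbra/ssl/zimbra/commercial/commercial.key, /tmp/commercial.crt and /tmp/ca_chain.crt before running deploycrt.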

Re: [SOLVED] SSL Certificate Install Error

Posted: Wed Feb 15, 2017 8:42 pm
by L. Mark Stone
FWIW I edited the title of the first post to indicate the thread is [SOLVED].

All the best,
Mark (a Moderator)