Trying to install QuickSSL certificate without any luck

Ask questions about your setup or get help installing ZCS server (ZD section below).
Post Reply
Priyantha Bleeker
Posts: 32
Joined: Fri Sep 12, 2014 11:10 pm

Trying to install QuickSSL certificate without any luck

Post by Priyantha Bleeker »

Hi folks,
I am trying to install a QuickSSL certificate on a Zimbra 5.0.5 OSS Edition installation, installed on CentOS 4.5.
With the GUI I am getting the following error message:


Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=NL/O=mail.domainname.tld/OU=GT17839061/OU=See http://www.geotrust.com/resources/cps"> ... ources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.domainname.tld


When I try it on the console I get the following error:


sudo zmcertmgr deploycrt comm
** Verifying /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (/opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

XXXXX ERROR: Invalid Certificate: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=NL/O=mail.domainname.tld/OU=GT17839061/OU=See http://www.geotrust.com/resources/cps"> ... ources/cps (c)08/OU=Domain Control Validated - QuickSSL(R)/CN=mail.domainname.tld

error 20 at 0 depth lookup:unable to get local issuer certificate

XXXXX ERROR: provided cert isn't valid.


PS. I changed the real hostname in 'mail.domainname.tld' in the errors above here.
I have downloaded the certificates statet here:

SSL Certificate, SSL, Server Certificates, Web Server Certificates

Without any luck.

Maybe some of the zimbra dev's or somebody else with the right knowledge may help me with this case ?
Thanks in advance
Priyantha Bleeker
Posts: 32
Joined: Fri Sep 12, 2014 11:10 pm

Trying to install QuickSSL certificate without any luck

Post by Priyantha Bleeker »

Somebody who may help me and maybe others with the same problems ?
Priyantha Bleeker
Posts: 32
Joined: Fri Sep 12, 2014 11:10 pm

Trying to install QuickSSL certificate without any luck

Post by Priyantha Bleeker »

Well, let's try it again...

It can't be true that I am the only one with this problem, isn't it ?
visualsoftspace
Posts: 8
Joined: Fri Sep 12, 2014 11:12 pm

Trying to install QuickSSL certificate without any luck

Post by visualsoftspace »

I have had the same problems in my attempts to load a commercial certificate. There are some comments on a couple of posts in the wiki about how to load the certs, and modify the zmcertmgr file. Check out this link in the wiki:
Commercial Certificate in 5.x - Zimbra :: Wiki
I attempted the install earlier in the week and it screwed up startup of Zimbra because of certificate failures when LDAP tried to load. I was able to correct the error by creating new certs and deploying them via the CLI.
This Saturday I will attempt to more closely follow the wiki link, and start over. If I am successful, then I will post my notes for you. In the meantime, if you figure it out first, please post your success.
Thanks...and goodluck.
Priyantha Bleeker
Posts: 32
Joined: Fri Sep 12, 2014 11:10 pm

Trying to install QuickSSL certificate without any luck

Post by Priyantha Bleeker »

Nope I didn't succeed :(

I did try to follow the howto but didn't worked out.
visualsoftspace
Posts: 8
Joined: Fri Sep 12, 2014 11:12 pm

Trying to install QuickSSL certificate without any luck

Post by visualsoftspace »

I did my best to follow the wiki over the weekend, and I could not get the certs to install. I don't know if this is a bug in the 5.05 that I am running or something else, but it failed on attempts to install either Verisign trial cert or FreeSSL trial cert.
I will try to do some more research this week and let you know if I come up with a working solution.
warmbowski
Posts: 36
Joined: Fri Sep 12, 2014 11:28 pm

Trying to install QuickSSL certificate without any luck

Post by warmbowski »

I got the 'Invalid Certificate Chain' error as well when using the certificate wizard in the admin interface to install a commercial cert from godaddy.com. I followed the wiki instructions to no avail.


Your certificate was not installed due to the error : system failure: XXXXX ERROR: Invalid Certificate Chain: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority


These are the files that I tried uploading via the certificate wizard after sending the generated csr to godaddy. I had to download these files from here: https://certs.godaddy.com/Repository.go[/url], except for the server cert which was copied and pasted from my godaddy cert account into a text file (named with extention .cer via the godaddy instructions). I was forced to do the manual downloads because our spam filter service blocked the email with the attached certificate files.
Certificate: my_server.cer (from my account)

Root CA: gd-class2-root.crt (from the godaddy repository)

Intermediate CA: gd_intermediate.crt (from the godaddy repository)

Intermediate CA: gd_cross_intermediate.crt (from the godaddy repository)
--ZCS OSS 5.0.4 on CentOS 5--
Any help would be appreciated.
-Paul
warmbowski
Posts: 36
Joined: Fri Sep 12, 2014 11:28 pm

Trying to install QuickSSL certificate without any luck

Post by warmbowski »

Well I got the godaddy cert installed without the 'invalid cert chain' error (with the help of this thread). It turns out that I WAS installing the incorrect intermediate cert thus the cert chain wasn't going back to the CA. So this is officially what I uploaded in the web interface:
Certificate: my_server.crt (copy/paste from my account)

Root CA: gd-class2-root.crt (from the godaddy repository)

Intermediate CA: gd_intermediate_bundle.crt (from the godaddy repository)
the differences being that: 1. I changed the file extension of my server cert from cer to crt, and 2. that the gd_intermediate_bundle.crt is a concantination of the gd_intermediate.crt, gd_cross_intermediate.crt, and a third cert that matches no other cert that I had come across.
If you want, you can go to the repository, download them and compare yourselves. Anyway, hope that helps a little for the original poster and the QuickSSL problem.
16213sjobeck
Posts: 41
Joined: Fri Sep 12, 2014 10:11 pm

Trying to install QuickSSL certificate without any luck

Post by 16213sjobeck »

Thx for the very good extra notes on what made goDaddy fall in to line. The quickSSL product from geoTrust does not typically use an intermediate CA though. Just a tiny clarification is all.
Post Reply