[SOLVED] Installation Comodo cert

posterberg
Posts: 4
Joined: Sat Apr 23, 2016 7:34 am

[SOLVED] Installation Comodo cert

Post by posterberg »

Hi

I am trying to to install a newly issued Comodo cert but am stuck with this error message:
root@mail2:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/openssl/bin/openssl verify -CAfile ca_bundle.crt commercial.crt
commercial.crt: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate

So I started reordering the crts in the bundle file without luck. There are only two so it wasn't that hard.

I have traced in detail that I have all the certs in the bundle needed. The topmost (the root in the bundle) points to OU=AddTrust External TTP Network, CN=AddTrust External CA Root

My crt points to COMODO RSA Domain Validation Secure Server CA, that one points to COMODO RSA Certification Authority, which in turn is issued by the AddTrust cert previously mentioned.

So I have them all and in correct order.

I then, just out of curiosity, tried running:
root@mail2:/opt/zimbra/ssl/zimbra/commercial# openssl verify -CAfile ca_bundle.crt commercial.crt
commercial.crt: OK
root@mail2:/opt/zimbra/ssl/zimbra/commercial# which openssl
/usr/bin/openssl


It turns out that there are different versions of openssl in Zimbra and one of them seems to gladly accept my crt and the ca_bundle...

root@mail2:/opt/zimbra/ssl/zimbra/commercial# /opt/zimbra/openssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1j 15 Oct 2014
OpenSSL> ^C
root@mail2:/opt/zimbra/ssl/zimbra/commercial# openssl
OpenSSL> version
OpenSSL 1.0.1f 6 Jan 2014
OpenSSL> ^C


Why is this? Can I safely replace the /opt/zimbra/openssl/bin/openssl with /usr/bin/openssl?

It will probably solve my problem, but would I get other issues apart from living with an older version?

BR,
Peter
posterberg
Posts: 4
Joined: Sat Apr 23, 2016 7:34 am

Re: Installation Comodo cert

Post by posterberg »

Made a snapshot in ESXi and then copied openssl from /usr/bin/ to /opt/zimbra/openssl/bin/

(I am running Ubuntu 14.04.4 LTS on the host so what I now have in Zimbra is the Ubuntu version of openssl)

I then re-ran /opt/zimbra/bin/zmcertmgr deploycrt comm star.domain.com.crt ca_bundle.crt

It completed without errors and my connection verifies properly now, both in the mail clients and in the web browser.

Why didn't this work with the Zimbra version of openssl?
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Installation Comodo cert

Post by jorgedlcruz »

Hello,
Zimbra is very picky with the commercial_ca.crt, which needs to contain the rootCA as well; you can find more information here: Let us know the exact Comodo SSL you are trying to install (PositiveSSL, etc.) if that Wiki doesn't help you.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
posterberg
Posts: 4
Joined: Sat Apr 23, 2016 7:34 am

Re: Installation Comodo cert

Post by posterberg »

Well I did solve it by replacing openssl but it's probably not the correct solution...

Anyway this was a positivessl. The wiki article didn't help at all. I did create the ca_bundle as explained, I also tried reordering the crts within the bundle. Didn't help...

BR,
Peter
posterberg
Posts: 4
Joined: Sat Apr 23, 2016 7:34 am

Re: Installation Comodo cert

Post by posterberg »

I think I just found the problem...

It seems like the certfile delivered actually included the entire bundle as well... I guess this is the problem and that the bundle part should be removed from the actual certificate file.

I didn't even bother looking in that file before, completely focused on the bundle file.

Just guessing and won't test since it is already working for me and I will lose new mails that have arrived if I revert to the snapshot...

/Peter
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Installation Comodo cert

Post by jorgedlcruz »

posterberg wrote:I think I just found the problem...

It seems like the certfile delivered actually included the entire bundle as well... I guess this is the problem and that the bundle part should be removed from the actual certificate file.

I didn't even bother looking in that file before, completely focused on the bundle file.

Just guessing and won't test since it is already working for me and I will lose new mails that have arrived if I revert to the snapshot...

/Peter
Hi Peter, like I said, because I have bought so many Comodo SSL certificates, and as the Wiki says, you need the commercial_ca.crt with the following content, in this order:
  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
In my experience, Comodo didn't add the CARoot to the ca_bundle.crt they sent. And of course the commercial_ca.crt must contain just the CRT, nothing else. If you receive this error while trying to verify the files (error 2 at 2 depth lookup:unable to get issuer certificate), you can fix the errors with the wiki I've sent to you.

If I were you, I would not install the SSL using the machine's openssl, but instead follow the official instructions that Zimbra provides:
  • /opt/zimbra/bin/zmcertmgr deploycrt comm star.domain.com.crt ca_bundle.crt
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
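The root cause Peter identified (the delivered .crt also carried the whole chain) and Jorge's rule that commercial_ca.crt must contain just the CRT both come down to splitting one PEM file cleanly. The script below is an added example, not code from the thread or from Zimbra: it splits a delivered file into a leaf-only commercial.crt and a chain-only ca_bundle.crt, counts what landed where, and keeps the verify step from the thread as a function to run on real files with the Zimbra-bundled openssl. The split_pem, count_certs and verify_chain names, the sample data and the temp paths are assumptions; only /opt/zimbra/openssl/bin/openssl is from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Zimbra): separate the server
# certificate from the chain that a vendor may have appended to the same file.
# All names and paths are assumptions except /opt/zimbra/openssl/bin/openssl.
set -eu

# split_pem IN LEAF CHAIN: copy the first certificate in IN to LEAF and every
# following certificate to CHAIN. Prints how many certificates IN contained.
split_pem() {
    in=$1 leaf=$2 chain=$3 n=0
    : > "$leaf"
    : > "$chain"
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
            n=$((n + 1))
        fi
        if [ "$n" -eq 1 ]; then
            printf '%s\n' "$line" >> "$leaf"
        elif [ "$n" -gt 1 ]; then
            printf '%s\n' "$line" >> "$chain"
        fi
    done < "$in"
    echo "$n"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# verify_chain LEAF CHAIN: the check from the thread, run with the Zimbra
# openssl rather than /usr/bin/openssl, since the two versions disagreed.
verify_chain() {
    /opt/zimbra/openssl/bin/openssl verify -CAfile "$2" "$1"
}

# Constructed sample: three placeholder blocks standing in for the leaf and
# two intermediates. Not real certificates, so verify_chain is not run on them.
WORK=$(mktemp -d)
printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-1-PLACEHOLDER' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-2-PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$WORK/delivered.crt"
total=$(split_pem "$WORK/delivered.crt" "$WORK/commercial.crt" "$WORK/ca_bundle.crt")
echo "delivered.crt held $total certs: commercial.crt now has" \
    "$(count_certs "$WORK/commercial.crt"), ca_bundle.crt has $(count_certs "$WORK/ca_bundle.crt")"
# With real files: verify_chain "$WORK/commercial.crt" "$WORK/ca_bundle.crt"
```

A commercial.crt that reports more than one certificate is exactly the condition Peter described; the chain file is what gets passed to zmcertmgr deploycrt as the bundle.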
mhammett
Advanced member
Posts: 133
Joined: Sat Jul 19, 2014 7:07 am
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU14.64 U

Re: Installation Comodo cert

Post by mhammett »

jorgedlcruz wrote:In my experience, Comodo didn't add the CARoot to the ca_bundle.crt they sent. And of course the commercial_ca.crt must contain just the CRT, nothing else. If you receive this error while trying to verify the files (error 2 at 2 depth lookup:unable to get issuer certificate), you can fix the errors with the wiki I've sent to you.

That was it. I downloaded the right bundle from Comodo and all is well.