[SOLVED] SSL Certificate Install Error

[ZimbraTechie]

My mail server SSL certificate expired, so I brought a new one and attempted to installed it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}

Any suggestions welcome!

Thank you!

[phoenix]

Use the command line tools to install the certificate (details in the wiki) and see how you get on with that.

[vavai]

My mail server SSL certificate expired, so I brought a new one and attempted to installed it.

I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.

But received an error:

"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}

Any suggestions welcome!

Thank you!

According to error message, you can check whether you have change SSH port from default 22 into another number? If so, you can adjust the config as well :

Code: Select all

zmprov ms `zmhostname` zimbraRemoteManagementPort SSHNewPort

[ZimbraTechie]

Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki )

Thanks for all the help!

[vavai]

Hi,

Right, after many dead ends, I got it installed.

I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki )

Thanks for all the help!

CLI Method on Zimbra Wiki : https://wiki.zimbra.com/wiki/Administra ... cate_Tools (see on "Single-Node Commercial Certificate")

Glad to hear your problem solved successfully. You can also marks this thread as solved

[ZimbraTechie]

Thanks vavai.

Eh... I can't find any way to edit the topic title.
I tried searching for "edit topic title"
And looking at the FAQ (the question mark icon)

Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Thanks!

[phoenix]

Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.

Just edit the first post and the title will also be editable at that point.

[racerock]

I had a very similar problem when I installed a few Startcom certs last year previously in V 8.6, I think it was, they worked fine but with 8.7 onwards I had issues so here is my documented fix I have based this on creating the CSR in the admin web page then when trying to load back the commercial cert files in via web it fails as you describe :

PS BACK IT UP BEFORE YOU START A WRONG CERT DEPLOYMENT CAN BE FATAL !!!
SEE:

https://wiki.zimbra.com/wiki/Installing ... laboration

PS I note that from 8.7 onwards the /opt/zimbra/bin/zmcertmgr actions ( deployment and verification ) should be done as zimbra user (su - zimbra)

( Mine was based on *** Startcom SSL you use the files you obtain in my case "other server zip ** from zip I used the obvious files renamed them to suite, the files as follows:
Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt):
1.. Starting from a failed deployment in the web interface get in to a shell as root PS Most commands are run as root some need user zimbra

2 ** from my starcom files the commercial cert was "name of server.crt" so I renamed and copied to this to /tmp/commercial.crt

3. ** from my starcom files the root ca was called root.crt so I renamed and copied to root.crt to /tmp/ca.crt

4. * from my starcom files the intermediary CA was called intermediate.crt so I renamed this and copied to /tmp/ca_intermediary.crt
4a So in /tmp/ I have 3 files: ca_intermediary.crt ca.crt commercial.crt

5. Combine root and intermediary CAs into a temporary file.

cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
........valid certificate OK
7. Deploy your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
********
******
*******
**Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

thats it Job done ..

Suggested zmcontrol restart
but I prefer a REBOOT ....recheck should be OK

[L. Mark Stone]

FWIW I edited the title of the first post to indicate the thread is [SOLVED].

All the best,
Mark (a Moderator)