My mail server SSL certificate expired, so I brought a new one and attempted to installed it.
I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.
But received an error:
"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}
Any suggestions welcome!
Thank you!
[SOLVED] SSL Certificate Install Error
Re: SSL Certificate Install Error
Use the command line tools to install the certificate (details in the wiki) and see how you get on with that.
- vavai
- Advanced member
- Posts: 174
- Joined: Thu Nov 14, 2013 2:41 pm
- Location: Indonesia
- ZCS/ZD Version: 0
- Contact:
Re: SSL Certificate Install Error
According to error message, you can check whether you have change SSH port from default 22 into another number? If so, you can adjust the config as well :ZimbraTechie wrote:My mail server SSL certificate expired, so I brought a new one and attempted to installed it.
I did the usual beforehand.
Generate the CSR.
Give that to the SSL certificate issuer.
Got the certificate key and made a certificate.crt file
I also got the key's from the intermediate and root CAs and created: intermediateca.crt and rootca.crt files.
I then went to the Zimbra Admin Console and imported the files.
But received an error:
"Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/[long strong of letters and numbers] ... with {RemoteManager: mail.domainname.com -> zimbra@mail.domainname.com:22}
Any suggestions welcome!
Thank you!
Code: Select all
zmprov ms `zmhostname` zimbraRemoteManagementPort SSHNewPort
-
- Posts: 3
- Joined: Wed Feb 08, 2017 10:30 am
Re: SSL Certificate Install Error
Right, after many dead ends, I got it installed.
I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki )
Thanks for all the help!
I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki )
Thanks for all the help!
- vavai
- Advanced member
- Posts: 174
- Joined: Thu Nov 14, 2013 2:41 pm
- Location: Indonesia
- ZCS/ZD Version: 0
- Contact:
Re: SSL Certificate Install Error
Hi,
Glad to hear your problem solved successfully. You can also marks this thread as solved
CLI Method on Zimbra Wiki : https://wiki.zimbra.com/wiki/Administra ... cate_Tools (see on "Single-Node Commercial Certificate")ZimbraTechie wrote:Right, after many dead ends, I got it installed.
I used the command line method from here:
https://knowledge.symantec.com/support/ ... id=SO20541
(I couldn't seem to find the CLI method from the Zimbra Wiki )
Thanks for all the help!
Glad to hear your problem solved successfully. You can also marks this thread as solved
-
- Posts: 3
- Joined: Wed Feb 08, 2017 10:30 am
Re: SSL Certificate Install Error
Thanks vavai.
Eh... I can't find any way to edit the topic title.
I tried searching for "edit topic title"
And looking at the FAQ (the question mark icon)
Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Thanks!
Eh... I can't find any way to edit the topic title.
I tried searching for "edit topic title"
And looking at the FAQ (the question mark icon)
Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Thanks!
Re: SSL Certificate Install Error
Just edit the first post and the title will also be editable at that point.ZimbraTechie wrote:Could someone tell me how, or please just add "[SOLVED]" to the topic title and close it.
Re: SSL Certificate Install Error
I had a very similar problem when I installed a few Startcom certs last year previously in V 8.6, I think it was, they worked fine but with 8.7 onwards I had issues so here is my documented fix I have based this on creating the CSR in the admin web page then when trying to load back the commercial cert files in via web it fails as you describe :
PS BACK IT UP BEFORE YOU START A WRONG CERT DEPLOYMENT CAN BE FATAL !!!
SEE:
https://wiki.zimbra.com/wiki/Installing ... laboration
PS I note that from 8.7 onwards the /opt/zimbra/bin/zmcertmgr actions ( deployment and verification ) should be done as zimbra user (su - zimbra)
( Mine was based on *** Startcom SSL you use the files you obtain in my case "other server zip ** from zip I used the obvious files renamed them to suite, the files as follows:
Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt):
1.. Starting from a failed deployment in the web interface get in to a shell as root PS Most commands are run as root some need user zimbra
2 ** from my starcom files the commercial cert was "name of server.crt" so I renamed and copied to this to /tmp/commercial.crt
3. ** from my starcom files the root ca was called root.crt so I renamed and copied to root.crt to /tmp/ca.crt
4. * from my starcom files the intermediary CA was called intermediate.crt so I renamed this and copied to /tmp/ca_intermediary.crt
4a So in /tmp/ I have 3 files: ca_intermediary.crt ca.crt commercial.crt
5. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
........valid certificate OK
7. Deploy your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
********
******
*******
**Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
thats it Job done ..
Suggested zmcontrol restart
but I prefer a REBOOT ....recheck should be OK
PS BACK IT UP BEFORE YOU START A WRONG CERT DEPLOYMENT CAN BE FATAL !!!
SEE:
https://wiki.zimbra.com/wiki/Installing ... laboration
PS I note that from 8.7 onwards the /opt/zimbra/bin/zmcertmgr actions ( deployment and verification ) should be done as zimbra user (su - zimbra)
( Mine was based on *** Startcom SSL you use the files you obtain in my case "other server zip ** from zip I used the obvious files renamed them to suite, the files as follows:
Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt):
1.. Starting from a failed deployment in the web interface get in to a shell as root PS Most commands are run as root some need user zimbra
2 ** from my starcom files the commercial cert was "name of server.crt" so I renamed and copied to this to /tmp/commercial.crt
3. ** from my starcom files the root ca was called root.crt so I renamed and copied to root.crt to /tmp/ca.crt
4. * from my starcom files the intermediary CA was called intermediate.crt so I renamed this and copied to /tmp/ca_intermediary.crt
4a So in /tmp/ I have 3 files: ca_intermediary.crt ca.crt commercial.crt
5. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
6. Verify your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
........valid certificate OK
7. Deploy your commercial certificate.
as zimbra user if 8.7 >
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
********
******
*******
**Installing CA to /opt/zimbra/conf/ca…done.
8. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
thats it Job done ..
Suggested zmcontrol restart
but I prefer a REBOOT ....recheck should be OK
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: [SOLVED] SSL Certificate Install Error
FWIW I edited the title of the first post to indicate the thread is [SOLVED].
All the best,
Mark (a Moderator)
All the best,
Mark (a Moderator)
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate