[SOLVED] Commercial certificate installation error

machine12
Posts: 6
Joined: Mon Jul 16, 2018 11:35 am
Location: Croatia
ZCS/ZD Version: ZCS 8.8.8

[SOLVED] Commercial certificate installation error

Post by machine12 »

Hi Everyone

I have a problem installing a commercial certificate on our new Zimbra Server OSE 8.8.8.
The GUI import always returns an error.

I do not have the original CSR and have tried via "zmcertmgr", and when I try via I also get an error.
The certificates are uploaded to the server and proper permissions (640) are given.

Here is the log printout; I have switched our domain to example.com.
Thanks everyone in advance.


[zimbra@mx3 root]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt /opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt: OK
** Copying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mx3.example.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mx3.example.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/626fc9e6.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '626fc9e6.0' -> 'ca.pem'
zmcertmgr: ERROR deploycrt(comm /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt /opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt) failed:
 chdir(/root) failed: Permission denied

when I try to restart services after this I get


[zimbra@mx3 root]$ zmcontrol restart
Host mx3.example.com
        Stopping zmconfigd...Done.
        Stopping zimlet webapp...Done.
        Stopping zimbraAdmin webapp...Done.
        Stopping zimbra webapp...Done.
        Stopping service webapp...Done.
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping cbpolicyd...Done.
        Stopping archiving...Done.
        Stopping opendkim...Done.
        Stopping amavis...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping proxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping dnscache...Done.
        Stopping ldap...

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting
[zimbra@mx3 root]$  /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Commercial certificate installation error

Post by L. Mark Stone »

Please put the certs to be deployed in /tmp as per the wiki; the entire ssl directory gets moved as part of the installation.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Commercial certificate installation error

Post by JDunphy »

Probably this bug: 107454. That code at line 1300 shouldn't even be there IMO. The script has access to the files but then feels the need to chdir at the end of that function and aborts. That is why it verifies but won't complete the install, as that code path has remained from a time when it ran as root, and as a result this issue never surfaced. The amount of wasted admin hours and operational outages continues to amplify. The community has come up with workarounds, wiki articles, forum posts and best practices to avoid some of these fragile code paths.
machine12
Posts: 6
Joined: Mon Jul 16, 2018 11:35 am
Location: Croatia
ZCS/ZD Version: ZCS 8.8.8

Re: Commercial certificate installation error

Post by machine12 »

Hi Mark,

did that first, same result, that's why I posted.

L. Mark Stone wrote: Please put the certs to be deployed in /tmp as per the wiki; the entire ssl directory gets moved as part of the installation.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Commercial certificate installation error

Post by L. Mark Stone »

machine12 wrote: did that first, same result, that's why I posted.
Hmmm...

So are you running the certificate verify and certificate installation commands as the Zimbra user from /opt/zimbra as the current directory?

The bits from your original post make it look like you were in /root (maybe).

Also, once you become root, to become the zimbra user are you using the hyphen to ensure your environment is configured correctly? IOW, are you running as root "su - zimbra" or are you running "su zimbra"?

Mark
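As an added example (not code from this thread and not Zimbra's own), here are the pre-flight checks a practitioner would run as the zimbra user before `zmcertmgr deploycrt comm`, covering the two causes raised in the replies above: a current directory the zimbra user cannot return to (JDunphy's point that the script chdirs back at the end of the function, and Mark's question about starting from /root with `su zimbra` instead of `su - zimbra`), and certificate files the zimbra user cannot read. The cert/key match and chain verification repeat with plain openssl what the deploycrt output shows zmcertmgr doing before it starts copying files, so a mismatch is caught before anything is touched. The function names, the script name preflight.sh and the assumption that openssl is on PATH are mine; the key path is the one from the deploycrt log.

```shell
#!/bin/sh
# preflight.sh: checks to run as the zimbra user before `zmcertmgr deploycrt comm`.
# Added example, not Zimbra's code. Assumes openssl is on PATH.

# zmcertmgr changes back into the directory it was started from when it
# finishes. Started from /root via a plain `su zimbra`, it deploys everything
# and then aborts with "chdir(/root) failed: Permission denied".
cwd_usable() {
    dir=${1:-$PWD}
    [ -d "$dir" ] && [ -x "$dir" ] && ( cd "$dir" 2>/dev/null )
}

# Files uploaded as root and not chowned/chmodded are unreadable to zimbra.
file_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Same check as zmcertmgr's "Certificate ... and private key ... match":
# compare the public key inside the cert with the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Same check as zmcertmgr's "Valid certificate chain": the leaf must verify
# against the CA bundle the CA sent you.
chain_valid() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check and report all failures at once, instead of letting the
# deploy fail halfway through and leave ldap with a cert it cannot verify.
preflight() {
    cert=$1; key=$2; chain=$3
    rc=0
    [ "$(id -un)" = zimbra ] || { echo "run this as zimbra (su - zimbra)"; rc=1; }
    cwd_usable || { echo "cwd '$PWD' is not usable by $(id -un); cd /opt/zimbra first"; rc=1; }
    for f in "$cert" "$key" "$chain"; do
        file_readable "$f" || { echo "not readable: $f"; rc=1; }
    done
    cert_matches_key "$cert" "$key" || { echo "certificate and private key do not match"; rc=1; }
    chain_valid "$cert" "$chain" || { echo "certificate does not verify against the CA bundle"; rc=1; }
    return $rc
}

# Usage, as zimbra, with the certs staged in /tmp as the wiki says:
#   cd /opt/zimbra && sh preflight.sh /tmp/commercial.crt \
#       /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/comodo_bundle.crt \
#   && /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/comodo_bundle.crt
if [ $# -eq 3 ]; then
    preflight "$@"
fi
```

Chaining the deploy with `&&` means it only runs when every check passed; the chdir check in particular is the one that would have saved the original poster the trip through a half-deployed certificate store.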
machine12
Posts: 6
Joined: Mon Jul 16, 2018 11:35 am
Location: Croatia
ZCS/ZD Version: ZCS 8.8.8

Re: Commercial certificate installation error

Post by machine12 »

I am running as "su zimbra".

Cert in /tmp, permissions 640, user and group zimbra.
I have cd'd to /opt/zimbra and done it again and it worked like a charm.

Holy smokes... thanks a lot, Mark! No errors on ldap or anything.

It's a wildcard cert.

Mark it as solved :) :D
L. Mark Stone wrote: So are you running the certificate verify and certificate installation commands as the Zimbra user from /opt/zimbra as the current directory? Also, once you become root, to become the zimbra user are you using the hyphen to ensure your environment is configured correctly? IOW, are you running as root "su - zimbra" or are you running "su zimbra"?
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Commercial certificate installation error

Post by L. Mark Stone »

machine12 wrote: I am running as "su zimbra". Cert in /tmp, permissions 640, user and group zimbra. I have cd'd to /opt/zimbra and done it again and it worked like a charm. Mark it as solved :) :D
Marked as solved! Glad I could help!

All the best,
Mark