I have a problem installing a commercial certificate on our new Zimbra Server OSE 8.8.8.
GUI import always returns an error.
I do not have the original CSR and have tried via "zmcertmgr", and when I try via I also get an error.
The certificates are uploaded to the server and proper permissions are given (640).
Here is the log printout - I have switched our domain to example.com.
Thanks, everyone, in advance.
[zimbra@mx3 root]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt /opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt'
Valid certificate chain: /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt: OK
** Copying '/opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mx3.example.com...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mx3.example.com...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/626fc9e6.0
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/ca.key
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '626fc9e6.0' -> 'ca.pem'
zmcertmgr: ERROR deploycrt(comm /opt/zimbra/ssl/zimbra/commercial/store_cert/commercial.crt /opt/zimbra/ssl/zimbra/commercial/store_cert/comodo_bundle.crt) failed:
chdir(/root) failed: Permission denied
When I try to restart services after this I get:
[zimbra@mx3 root]$ zmcontrol restart
Host mx3.example.com
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting
[zimbra@mx3 root]$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
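
For auditing a listing like the `viewdeployedcrt` output above, here is an added example (not part of the original post) that parses it per service and reports whether each certificate is inside its validity window and whether its SubjectAltName covers a given host name. The function names, the `mta` entry in the sample and the dates passed in are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout printed by `zmcertmgr viewdeployedcrt`;
# the mta entry is invented to show a failing case.
SAMPLE = """\
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=May 12 00:00:00 2017 GMT
notAfter=May 11 23:59:59 2020 GMT
subject= /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
SubjectAltName=*.example.com, example.com
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2016 GMT
subject= /CN=old.example.net
issuer= /CN=old.example.net
SubjectAltName=old.example.net
"""

def parse_deployed(text):
    """Return {service: {"path": ..., "notBefore": ..., ...}}."""
    services, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"- (\w+): (\S+)$", line.strip())
        if m:
            cur = services.setdefault(m.group(1), {"path": m.group(2)})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")  # split on the first '=' only
            cur[key.strip()] = val.strip()
    return services

def parse_ts(value):
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def san_covers(host, san_field):
    """Exact match, or a wildcard that covers exactly one leading label."""
    host = host.lower()
    for name in (n.strip().lower() for n in san_field.split(",")):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def audit(text, host, now):
    report = {}
    for svc, f in parse_deployed(text).items():
        issues = []
        if not parse_ts(f["notBefore"]) <= now <= parse_ts(f["notAfter"]):
            issues.append("outside validity window")
        if not san_covers(host, f.get("SubjectAltName", "")):
            issues.append("SAN does not cover " + host)
        report[svc] = issues
    return report
```
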