letsencrypt issue: openssl x509 -hash failed(1)

rosole
Posts: 31
Joined: Thu Jul 05, 2018 4:45 pm

letsencrypt issue: openssl x509 -hash failed(1)

Post by rosole »

Hello.

I went through the https://wiki.zimbra.com/wiki/Installing ... ertificate procedure and stopped at the final deployment.
The command /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem gives me the output below:

zimbra@zimbra:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying 'cert.pem' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'cert.pem' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
** Copying 'cert.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain 'chain.pem' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra.isteam.pl...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra.isteam.pl...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 6 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b46ce07a.0
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b46ce07a.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
ERROR: openssl x509 -hash failed(1):
unable to load certificate
139859327575704:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1200:
139859327575704:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509_CERT_AUX
139859327575704:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

Can you help me with that?

Thank you.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by phoenix »

Why don't you use the easy method and try this: viewtopic.php?f=15&t=60781
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
rosole
Posts: 31
Joined: Thu Jul 05, 2018 4:45 pm

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by rosole »

Hello Phoenix.

I'd like to finish the official method, it's almost done :-)
Perhaps good people will help me with the issue.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by phoenix »

rosole wrote: I'd like to finish official method, it's almost done :-)
Fine, you can certainly do that but the wiki article is not official Zimbra documentation. This is from the wiki article:
This article is a Community contribution and may include unsupported customizations.
Zimbra do not provide support for that article. ;)
Regards

Bill

rosole
Posts: 31
Joined: Thu Jul 05, 2018 4:45 pm

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by rosole »

Hello.

How do I restore the SSL certificates?
I did a backup as the article states.

Thank you for the help.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by phoenix »

Why don't you try the LetsEncrypt article in the forum thread, it's easy. If you want to regenerate the certificates there's a (Zimbra Certified) wiki article on the subject.
Regards

Bill

rosole
Posts: 31
Joined: Thu Jul 05, 2018 4:45 pm

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by rosole »

Hello.

I did as in this article:
https://wiki.zimbra.com/wiki/Regenerate ... gle-Server

and got the same error after entering the command /opt/zimbra/bin/zmcertmgr createca -new:

zimbra@zimbra:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr createca -new
** Recreating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Creating CA with existing private key /opt/zimbra/ssl/zimbra/ca/ca.key
zimbra@zimbra:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20180706124519
** Recreating /opt/zimbra/conf/zmssl.cnf
** Generating a server CSR of type 'self' for download
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Using Commercial CA cert in '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra.isteam.pl...ok
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
zimbra@zimbra:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zimbra.isteam.pl...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zimbra.isteam.pl...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 6 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b46ce07a.0
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'b46ce07a.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
ERROR: openssl x509 -hash failed(1):
unable to load certificate
140148852520600:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1200:
140148852520600:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509_CERT_AUX
140148852520600:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

And it looks like my Zimbra won't work until I fix it :-(
rosole
Posts: 31
Joined: Thu Jul 05, 2018 4:45 pm

Re: letsencrypt issue: openssl x509 -hash failed(1)

Post by rosole »

I've fixed it.
I didn't properly copy priv.key as the commercial.key needed by Zimbra.

Thank you for the help.
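
Added example (not part of the thread and not Zimbra's own tooling): the deploy logs above stop when `openssl x509 -hash` cannot load one of the files split out of the CA chain, and the fix reported in the last post concerned the key copied as commercial.key. The sketch below checks both things before deployment; the function names `split_pem`, `check_chain` and `key_matches` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for a cert/chain/key set (hypothetical helper names).

# split_pem FILE DIR: write each PEM block of FILE to DIR/block_N.pem, print the block count.
split_pem() {
    awk -v dir="$2" '
        /^-----BEGIN / { n++; out = dir "/block_" n ".pem" }
        out != ""      { print > out }
        /^-----END /   { close(out); out = "" }
        END            { print n + 0 }' "$1"
}

# check_chain FILE: try to load every PEM block as X.509, one report line per block.
# Returns 0 only when there is at least one block and all of them load.
check_chain() {
    tmp=$(mktemp -d) || return 2
    count=$(split_pem "$1" "$tmp")
    bad=0; i=1
    while [ "$i" -le "$count" ]; do
        if h=$(openssl x509 -noout -hash -in "$tmp/block_$i.pem" 2>/dev/null); then
            echo "block $i: OK subject-hash=$h"
        else
            echo "block $i: NOT a loadable certificate"
            bad=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# key_matches CERT KEY: the public key inside CERT must equal the one derived from KEY.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run as the zimbra user, `check_chain chain.pem` shows which block of the chain fails to load, and `key_matches cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key` confirms the key in place belongs to the certificate.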