Certificate private key and commercial.key do not match

[cenk]

I received the following error when installing a certificate for my newly installed zimbra. I contacted the place where I got the certificate, they gave me a coupon code to purchase a new certificate. I was using Ubuntu 20.04, I reinstalled Zimbra on Ubuntu 18.04 with the new certificate and re-created the certificate, but I get the same error again. What am I doing wrong?

Code: Select all

cat USERTrustRSAAAACA.crt SectigoRSADomainValidationSecureServerCA.crt AAACertificateServices.crt > /tmp/commercial_ca.crt

Code: Select all

cp mail_domain_com.crt /tmp/commercial.crt

Code: Select all

zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
unable to load certificate
140292168742016:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
ERROR: Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.

[Klug]

The error says "unable to load certificate".
Is the owner of the files correct (not root but zimbra) ?

[fealdazn]

I have the same error, and no is for the user, some one found the solution? I need help please!!

[oetiker]

Hi

If you have a new private key you have to copy it manually to the zimbra
directory before you can run the deployment command.

And first run the checks if all is ok.

Code: Select all

/opt/zimbra/bin/zmcertmgr verifycrtchain ca_chain.crt certificat.crt
/opt/zimbra/bin/zmcertmgr verifycrt comm privat.key certificat.crt ca_chain.crt

Code: Select all

cp privat.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

Code: Select all

/opt/zimbra/bin/zmcertmgr deploycrt comm certificat.crt ca_chain.crt

Might be a good idea to first make a backup from the current commecial.key before
you override it ...

[LAB3W.ORJ]

Hi,

perhaps because your certificate is not correctly entered - The certificate "ISRG-X1.pem" is missing

Code: Select all

# Take ISRG Root X1
wget -O /root/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
# Add it to your fullchain file
cat /root/ISRG-X1.pem | tee -a  /opt/zimbra/ssl/mail.mydomain.tld/fullchain.pem

The fullchain.pem looks like this :

Code: Select all

-----BEGIN CERTIFICATE-----
MIIGRjCCBS6gAwIBAgISBAO2RR2xXxEujKzQr5wV6Wf+MA0GCSqGSIb3DQEBCwUA
[....]
2qAdtLT7EypMLxFAXAKB5uwr0mYf0mihwQs=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
[....]
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
[....]
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

Info here

viewtopic.php?t=69645 and viewtopic.php?t=72381

Greets,
Romain