SSL Cert Installs--but does not work. :-(

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
izrunas
Posts: 35
Joined: Sat Sep 13, 2014 1:01 am

SSL Cert Installs--but does not work. :-(

Postby izrunas » Tue Mar 04, 2014 11:33 am

I have been working with Comodo (the commercial supplier of my SSL cert to resolve this and I have gotten to the point where the cert installs). Now that the cert is installed, it "does not work" and thus I am here asking for help, if possible. I am running:
[zimbra@zim commercial]$ zmcontrol version

Release 8.0.6_GA_5922.RHEL6_64_20131203103705 RHEL6_64 FOSS edition.

First, I verify my commercial cert:
[root@zim commercial]# /opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt commercial.crt: OK

OpenSSL is happy, now how about Zimbra:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

** Verifying commercial.crt against commercial.key

Certificate (commercial.crt) and private key (commercial.key) match.

Valid Certificate: commercial.crt: OK

Great! Now that I know that both my cert and my CA bundle work and mesh with .key, I go on to deploy:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: commercial.crt: OK

** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file

** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file

** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.

** NOTE: mailboxd must be restarted in order to use the imported certificate.

** Saving server config key zimbraSSLCertificate...done.

** Saving server config key zimbraSSLPrivateKey...done.

** Installing mta certificate and key...done.

** Installing slapd certificate and key...done.

** Installing proxy certificate and key...done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.

** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.

** Installing CA to /opt/zimbra/conf/ca...done.

So I know the cert installs correctly... and now I must restart Mailbox to apply the cert...
[root@zim commercial]# su zimbra
[zimbra@zim commercial]$ zmcontrol stop
Host zim.REDACTED.com

Stopping vmware-ha...Done.

Stopping zmconfigd...Done.

Stopping stats...Done.

Stopping mta...Done.

Stopping spell...Done.

Stopping snmp...Done.

Stopping cbpolicyd...Done.

Stopping archiving...Done.

Stopping opendkim...Done.

Stopping antivirus...Done.

Stopping antispam...Done.

Stopping proxy...Done.

Stopping memcached...Done.

Stopping mailbox...Done.

Stopping logger...Done.

Stopping ldap...Done.
[zimbra@zim commercial]$ zmcontrol start
Host zim.REDACTED.com

Starting ldap...Done.

Starting zmconfigd...Done.

Starting logger...Done.

Starting mailbox...Done.

Starting memcached...Done.

Starting proxy...Done.

Starting antivirus...Done.

Starting opendkim...Done.

Starting snmp...Done.

Starting spell...Done.

Starting mta...Done.

Starting stats...Done.

Now to make sure the certs are in place:
[root@zim commercial]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

::service mta::

notBefore=Feb 26 00:00:00 2014 GMT

notAfter=Feb 26 23:59:59 2015 GMT

subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com

issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

SubjectAltName= *.REDACTED.com, REDACTED.com

::service proxy::

notBefore=Feb 26 00:00:00 2014 GMT

notAfter=Feb 26 23:59:59 2015 GMT

subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com

issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

SubjectAltName= *.REDACTED.com, REDACTED.com

::service mailboxd::

notBefore=Feb 26 00:00:00 2014 GMT

notAfter=Feb 26 23:59:59 2015 GMT

subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com

issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

SubjectAltName= *.REDACTED.com, REDACTED.com

::service ldap::

notBefore=Feb 26 00:00:00 2014 GMT

notAfter=Feb 26 23:59:59 2015 GMT

subject= /OU=Domain Control Validated/OU=COMODO SSL Wildcard/CN=*.REDACTED.com

issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

SubjectAltName= *.REDACTED.com, REDACTED.com

Now to doublecheck my firewall rules:
[root@zim commercial]# iptables -L
Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT all -- REDACTEDDNS anywhere

DROP tcp -- REDACTEDIP/24 anywhere tcp dpt:imap

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- REDACTEDIP/24 anywhere tcp dpt:smtp state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:imap state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:7071 state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- REDACTED/24 anywhere tcp dpt:ndmp state NEW,RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:ldap state NEW,RELATED,ESTABLISHED

ACCEPT tcp -- anywhere anywhere tcp dpt:ldaps state NEW,RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)

target prot opt source destination
Chain OUTPUT (policy ACCEPT)

target prot opt source destination

So, I am certain the SSL (443) is open and accepting connections--yet, when I try to use https://zim.REDACTED.com to connect, I get the typical web browser rejection: "Unable to connect. Firefox can't establish a connection to the server at zim.REDACTED.com."
Perhaps I am missing something basic? Any help will be greatly appreciated! Thank you!


izrunas
Posts: 35
Joined: Sat Sep 13, 2014 1:01 am

SSL Cert Installs--but does not work. :-(

Postby izrunas » Tue Mar 04, 2014 1:51 pm

Ok, so it WAS something simple... like needing to turn on SSL...
[zimbra@zim log]$ zmtlsctl redirect
Setting ldap config zimbraMailMode redirect for zim.REDACTED.com...done.

Rewriting config files for cyrus-sasl, webxml and mailboxd...done.

After that, simply "zmcontrol stop" and "zmcontrol start" to activate the settings and you're all good. If you prefer http:// OR https://" as a user choice use "zmtlsctl both" instead of "redirect"

Return to “Administrators”

Who is online

Users browsing this forum: semster and 4 guests