[SOLVED] Certificate problem with 6.0.5

1537bibo
Advanced member
Posts: 52
Joined: Fri Sep 12, 2014 10:39 pm

Post by 1537bibo »

Dear all,
I upgraded to Zimbra 6.0.5. When I tried to install a new certificate, I received this error.
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial

commercial_ca.crt commercial.crt commercial.csr commercial.key

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt root.crt

** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ./commercial.crt: OK

[root@mailhost certs]# cat class3.crt root.crt >> commercial_ca.crt

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt commercial_ca.crt

** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ./commercial.crt: OK

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial.crt commercial_ca.crt

** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ./commercial.crt: OK

[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt

** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ./commercial.crt: OK

** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Saving server config key zimbraSSLCertificate...done.

** Saving server config key zimbraSSLPrivateKey...done.

** Installing mta certificate and key...done.

** Installing slapd certificate and key...done.

** Installing proxy certificate and key...done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...failed.
XXXXX ERROR: failed to create jetty.pkcs12

No certificate matches private key
I saw the same error in another post but I didn't find the solution.
How do I fix this?
Best regards,

Bibo
1537bibo
Advanced member
Posts: 52
Joined: Fri Sep 12, 2014 10:39 pm

Post by 1537bibo »

I ran the zmcertmgr command in debug mode to help me and I found out that my problem was the commercial.crt file. This file ended with this line:

-----END CERTIFICATE-----

Then I added a new line (\n) and the script ran without a problem.
[root@mailhost certs]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt

** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: ./commercial.crt: OK

** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Appending ca chain ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

** Saving server config key zimbraSSLCertificate...done.

** Saving server config key zimbraSSLPrivateKey...done.

** Installing mta certificate and key...done.

** Installing slapd certificate and key...done.

** Installing proxy certificate and key...done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.

** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.

** Installing CA to /opt/zimbra/conf/ca...done.

[root@mailhost certs]#
Best regards,

Bibo
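
Added example, not part of the original posts: the deploy log above shows zmcertmgr appending the CA chain to commercial.crt, and when a file's last line lacks a newline, a plain append fuses `-----END CERTIFICATE-----` with the next `-----BEGIN CERTIFICATE-----`. The function names and sample files below are constructed for illustration; the base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): why a certificate file without a
# trailing newline breaks once a CA chain is appended to it.

# Exit 0 if FILE is non-empty and its last byte is a line feed.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Exit 0 if an END line has run straight into the next BEGIN line.
has_fused_boundary() {
    grep -q -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"
}

# Print how many BEGIN markers stand alone on a line, as a PEM reader expects.
count_certs() {
    grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate CERT and CHAIN into OUT, adding a newline after any file
# that lacks one.
safe_bundle() {
    : > "$3"
    for f in "$1" "$2"; do
        cat "$f" >> "$3"
        ends_with_newline "$f" || printf '\n' >> "$3"
    done
}

# Write constructed sample files into DIR (placeholder bodies).
# leaf.crt deliberately has no trailing newline; ca.crt has one.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' \
        '-----END CERTIFICATE-----' > "$1/leaf.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'QkJCQg==' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
}

dir=$(mktemp -d)
make_samples "$dir"
cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/naive.pem"   # plain append
safe_bundle "$dir/leaf.crt" "$dir/ca.crt" "$dir/safe.pem"
echo "naive: $(count_certs "$dir/naive.pem") readable certificate(s)"
echo "safe:  $(count_certs "$dir/safe.pem") readable certificate(s)"
rm -rf "$dir"
```

Running `ends_with_newline` on the certificate file received from the CA before deploying it catches the condition up front.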
batfastad
Outstanding Member
Posts: 281
Joined: Fri Sep 12, 2014 10:43 pm

Post by batfastad »

bibo I want to say a big THANK YOU for posting this.

Spent 5 hours trying to get this going and that newline character was the problem all along. Thanks!
Cheers, B
PRL
Posts: 19
Joined: Fri Sep 12, 2014 11:52 pm

Post by PRL »

bibo - My thanks as well. I've been struggling getting my cert installed and I thought I had it fixed until I started receiving the same error that you wrote in your first post. :)
itdoug
Posts: 5
Joined: Sat Sep 13, 2014 1:16 am

Post by itdoug »

This worked for me. Very simple
First Generate CSR in GUI
Save resulting Cert file as commercial.crt
Download Thawte Root Certs:
https://www.thawte.com/roots/index.html
Find Thawte Server CA.pem in folder "Thawte SSL123 Roots" and rename to commercial_ca.crt
Upload commercial.crt and commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial
Verify Certificate
As root run: /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
[QUOTE]

/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt

** Verifying commercial.crt against commercial.key

Certificate (commercial.crt) and private key (commercial.key) match.

Valid Certificate: commercial.crt: OK

[/QUOTE]
Install Certificate
As root run: /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
[QUOTE]

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.

Valid Certificate: commercial.crt: OK

** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

cp: `commercial.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are the same file

** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt

cp: `commercial_ca.crt' and `/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are the same file

** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.

** NOTE: mailboxd must be restarted in order to use the imported certificate.

** Saving server config key zimbraSSLCertificate...done.

** Saving server config key zimbraSSLPrivateKey...done.

** Installing mta certificate and key...done.

** Installing slapd certificate and key...done.

** Installing proxy certificate and key...done.

** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.

** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.

** Installing CA to /opt/zimbra/conf/ca...done.

[/QUOTE]
Restart Zimbra services zmcontrol restart as zimbra user.
****

One more Note:
Zimbra recommends that you place those files (Trusted Root and commercial.crt) elsewhere and let the zmcertmgr tool copy them to the proper location and install them into ldap. Like the following:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt

****
terencelhl
Posts: 7
Joined: Fri Sep 12, 2014 11:39 pm

Post by terencelhl »

Dear bibo,
A big thank you for your valuable guides here!!!