Severe problems when creating self-signed certificate from CLI

mmenaz
Posts: 17
Joined: Sat Sep 13, 2014 12:27 am

Severe problems when creating self-signed certificate from CLI

Post by mmenaz »

Hi, Zimbra 6.0.7 OSE 64 bit debian 5.

I need to do it from a script, so I can't use ZWC (where it works flawlessly).

I've followed these instructions:

Administration Console and CLI Certificate Tools - Zimbra :: Wiki

but I got 2 errors when deploying the CA and then Zimbra becomes severely broken. It's not a problem since it is a test environment in a VM, but I have to find a reliable solution for "the real stuff".

I've googled for many hours, and found a pair of semi-functional solutions to the problem, but no idea about how to create the certificate from CLI without these troubles at all (I repeat, if done from ZWC it works fine, but I need to do it from a script).

Note the 2 "failed" lines at the end:

** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.

and then I got tons of "(system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)" in the logs.

The sequence I've used, which seems to be the same as the wiki's, is this one (yes, 3650 days = 10 years, but I have the same problems with just 365):

mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
Validation days: 3650
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100822174536
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
mxz:~#

Where am I (or the wiki) wrong?

Thanks a lot!
fusillator
Posts: 5
Joined: Sat Sep 13, 2014 1:23 am

Post by fusillator »

After the commands:

zmcertmgr createca -new
zmcertmgr createcrt -new -days 365
zmcertmgr deploycrt self
zmcertmgr deployca

restart the services:

su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol start"

and reenter the commands to deploy the certificate on ldap:

zmcertmgr deploycrt self
zmcertmgr deployca

I'm not sure if the first (failed) deploy commands can be left out at all.

Regards.
mmenaz
Posts: 17
Joined: Sat Sep 13, 2014 12:27 am

Post by mmenaz »

Ok, first I've tried avoiding the first, failing, zmcertmgr deployca.

The server failed to restart with error like this:

Host mxz.mytesthost.it
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
zimbra logger service is not enabled! failed.
Starting mailbox...Done.

etc.
Then I started again from scratch including that command (so with the sequence you suggested) and it worked fine, at least as far as I can tell so far (it seems I have no more errors in the logs).

The "problem" is: ZWC does not restart itself, it tells the admin to do it, so I doubt it will re-deploy the certificate and CA after the manual restart.

So is what you suggested (thanks a lot anyway) a workaround, or the right way to proceed?

In the latter case, someone better fix the wiki!

I will consider this "solved" after some more investigations
fusillator
Posts: 5
Joined: Sat Sep 13, 2014 1:23 am

Post by fusillator »

It's a workaround... I'm a new user... and I had the same problem as you a week ago.
Best regards
mmenaz
Posts: 17
Joined: Sat Sep 13, 2014 12:27 am

Post by mmenaz »

Well, with 6.0.8 things seem to have worsened a little, with random behaviour. Still an error, even if a different message, but sometimes everything seems OK after a restart, sometimes everything is blocked due to a wrong certificate :(

mxz:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcsr self -new
** Generating a server csr for download self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235107
** Retrieving Commercial CA cert from ldap...done.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
mxz:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
Validation days: 3650
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100827235136
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
mxz:~# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
19889:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
done.
mxz:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
unable to load certificate
21323:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
#


Hope a kind Zimbra developer is willing to have a look at this mess :)
dgcurtis
Posts: 13
Joined: Fri Sep 12, 2014 11:36 pm

Post by dgcurtis »

I too am having this problem in 6.0.8 and have filed a support case to try and get it resolved.
Doug
6131auanton
Posts: 23
Joined: Fri Sep 12, 2014 10:30 pm

Post by 6131auanton »

... I had the same problem while migrating from 6.0.8-32bit/debian4 to 6.0.8-64bit/debian5.

After hours (and after repeating, with growing desperation, all recipes in the wiki) the sequence mentioned by fusillator solved the problem:

zmcertmgr deploycrt self
zmcertmgr deployca

restart the services:

su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol start"

and reenter the commands to deploy the certificate on ldap:

zmcertmgr deploycrt self
zmcertmgr deployca

The good side of it: it was the only problem in the migration process.


anton
dgcurtis
Posts: 13
Joined: Fri Sep 12, 2014 11:36 pm

Post by dgcurtis »

Yeah. The workaround does work even though I still get the "Expecting: TRUSTED CERTIFICATE" error message.
Doug
todd_dsm
Advanced member
Posts: 89
Joined: Fri Sep 12, 2014 11:32 pm

Post by todd_dsm »

I'll throw my 2 cents in...
I've automated the install and configuration of the zimbra/samba solution. Moving to ZCS6 I've found most everything is the same except ldap and generating a self-signed certificate. Running the same script from ZCS5 on ZCS6: it still works on 5 but does not work on 6. When deploying:

** Installing CA to /opt/zimbra/conf/ca...unable to load certificate
28551:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
done.


By default the Global zimbraSmtpHostname resolves to:

zimbraSmtpHostname: localhost

The Server zimbraSmtpHostname resolves to:

zimbraSmtpHostname: mail.domain.tld

When making both the Global and Server settings mail.domain.tld there are many problems and ldap will not restart. It wouldn't be a big deal, but the first time I showed it to the client, he a) loved it, and b) clicked on the yellow highlighted button next to SERVER > MTA > Hostname (make same as Global). He didn't even think about it, just did it.
This is somewhat problematic, after that:

ldap wouldn't restart

when reloading the Admin UI there was an error "Failed to initialize the posix zimlet".
I can imagine the eyes rolling now, but from a design standpoint a user's eye shouldn't be drawn to the only thing on the screen that will cripple the server. And the server shouldn't be so inflexible that it breaks so easily.
Q1: is there a bug for this?
Q2: is there a work-around that can be scripted?
My ZCS5 installs will generate a self-signed cert automatically every year till the drives go out. I can't think of one plausible reason ZCS6 shouldn't be able to do the same thing.
Please throw us a bone. You know how we all get a big rubbery one deploying a server without any cost at all - even certificates ;)
Thanks in advance,

todd_dsm
Don't forget to Vote for this bug:

RFE: A place To Display the contents of 'My Documents'

Reasoning: It's new, bold, and cool.
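The deploy / restart / deploy-again sequence that fusillator posted, and the scriptable workaround todd_dsm asks for in Q2, as an added shell example that is not from the thread, the wiki, or Zimbra itself. It wraps the commands from the thread and adds the two checks a script needs: it greps zmcertmgr's output for the "...failed." and "unable to load certificate" lines the posts show (this example assumes zmcertmgr's exit status cannot be relied on, which is why it parses output), and it checks that ca.pem actually contains a PEM certificate block, since the "no start line ... Expecting: TRUSTED CERTIFICATE" message is what OpenSSL's PEM reader prints when no such block is found. The paths are the ones from the thread; ZMCERTMGR, CA_PEM, CERT_DAYS and the function names are this example's own. The real commands only run when zmcertmgr exists on the host, so the functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): scripts the
# create / deploy / restart / deploy-again sequence and fails loudly
# on the error lines the thread shows instead of scrolling past them.
ZMCERTMGR=${ZMCERTMGR:-/opt/zimbra/bin/zmcertmgr}          # path from the thread
CA_PEM=${CA_PEM:-/opt/zimbra/ssl/zimbra/ca/ca.pem}         # path from the thread
CERT_DAYS=${CERT_DAYS:-365}                                # fusillator used 365

# Return 0 when the file holds at least one PEM certificate block.
# OpenSSL's PEM reader accepts "CERTIFICATE" or "TRUSTED CERTIFICATE";
# anything else produces the "no start line" error seen in the thread.
pem_has_certificate() {
    grep -q '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----$' "$1"
}

# Return 0 when zmcertmgr output (passed as one string) shows no failure.
# Assumption: zmcertmgr reports problems in its text, so we grep for the
# two patterns from the thread rather than trusting its exit status.
zmcertmgr_output_ok() {
    if printf '%s\n' "$1" | grep -q '\.\.\.failed\.$'; then
        return 1
    fi
    if printf '%s\n' "$1" | grep -q 'unable to load certificate'; then
        return 1
    fi
    return 0
}

# Run one zmcertmgr command, show its output, return 1 on a reported error.
run_zmcertmgr() {
    out=$("$ZMCERTMGR" "$@" 2>&1)
    printf '%s\n' "$out"
    zmcertmgr_output_ok "$out"
}

# Deploy the self-signed server cert and then the CA, as in the thread.
deploy_self_signed() {
    run_zmcertmgr deploycrt self && run_zmcertmgr deployca
}

# Full sequence. The first deployca in the thread reports "failed." for the
# two global config keys; the workaround tolerates that, restarts Zimbra and
# deploys a second time, and the second deploy is the one that must succeed.
regenerate_self_signed() {
    run_zmcertmgr createca -new || return 1
    run_zmcertmgr createcrt -new -days "$CERT_DAYS" || return 1
    if ! pem_has_certificate "$CA_PEM"; then
        echo "no PEM certificate block in $CA_PEM, not deploying" >&2
        return 1
    fi
    deploy_self_signed || echo "first deploy reported failures; restarting and retrying" >&2
    su - zimbra -c "zmcontrol stop"
    su - zimbra -c "zmcontrol start"
    deploy_self_signed
}

# Only touch a real install; elsewhere the functions above are just defined.
if [ -x "$ZMCERTMGR" ]; then
    regenerate_self_signed
fi
```

Run it as root on the Zimbra host, the way the thread runs zmcertmgr; a non-zero exit from the final deploy_self_signed means the second deploy still reported a failure and the logs should be checked before trusting the new certificate.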