Zimbra using old certificate
Hi,
I've bought a new wildcard certificate and deployed it on the server. Everything went smoothly and without errors. Unfortunately the server is still showing the old and expired certificate. I've tried all the instructions I've found on Google and on forums. No luck. I implemented this server 2 years ago and, as I recall, I used VirtualIPAddresses to separate domains. I've tried deploying the certificate for the domains but still no luck. What can I check? Where can I find the old certificates and remove/replace them? I have done this operation many times on other instances of Zimbra, always with no trouble at all, working from day one.
Please help. I've checked the whole /opt/ catalog searching for certificates/replacing/deleting and still no luck.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: Zimbra using old certificate
Hi Sebas,
Can you please let us know your Zimbra version? Also the requirements you have, like 5 domains, and the SSL you have: for example, one SSL per domain, or is it a multi-SAN?
Best regards
Re: Zimbra using old certificate
Hi,
Thanks for the reply.
I'm using Release 8.6.0.GA.1153.UBUNTU14.64.
I have 6 domains and one Wildcard multidomain certificate for 3 domains - one file.
Server runs on domain1.com.
Additionally I have 5 virtual domains.
Certificate is for domain1.com + domain2.com + domain3.com.
Thanks!
- jorgedlcruz
Re: Zimbra using old certificate
So,
Do you have your SSL only for those 3 domains, and what happens to the rest? Will they receive the usual error?
Best regards
Re: Zimbra using old certificate
Yes. Exactly. I do not really care about the 3 others. We are not using them on a daily basis.
They can get the usual error.
- jorgedlcruz
Re: Zimbra using old certificate
Then it's easier:
If you have the private key from another server (because it's a wildcard, you could have generated the private key on another one), then first do this and paste your private key:
Code:
vi /opt/zimbra/ssl/zimbra/commercial/commercial.key
Put in /tmp the files commercial.crt and commercial_ca.crt, where you add the SSL certificate and the root and CA to those files, and run
Code:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Then a restart and that's it
Code:
zmcontrol restart
Re: Zimbra using old certificate
Hi,
This is a brand new certificate generated based on a new private.key - based on a new CSR. Do you still need that key?
I have tried all of the commands you mentioned in the first place. I'm using them all the time on other servers and Zimbra instances with other certificates and it's working all the time.
No luck.
After that I did some other thing I've found on Google and forums:
Code:
mv /opt/zimbra/ssl/zimbra/jetty.pkcs12 /tmp/jetty.pkcs12
mv /opt/zimbra/mailboxd/etc/keystore /tmp/keystore
/opt/zimbra/bin/zmcertmgr deploycrt self
No luck.
And then again deployed my certificate. Unfortunately it still shows the old certificate. I could even force Zimbra to show self deployed certificate.
Then I deployed certificates for each domain with zmdomaincertmgr deplycert based on a tutorial I have found:
https://wiki.zimbra.com/wiki/SSL_certif ... per_domain
No luck.
Then I did some checks based on:
viewtopic.php?t=59203
https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS
No luck.
I have tried to implement this certificate through the Admin Web console but still no luck.
In the end, to be honest, I wouldn't bother you if this was simple - I really spent many hours looking for the reason and I'm out of ideas.
- jorgedlcruz
Re: Zimbra using old certificate
Hi,
Super weird, try the next:
Code:
zmcertmgr viewdeployedcrt all
What do you see there? You are not sharing any feedback about the output you see once you have used the commands I provided.
Best regards
Re: Zimbra using old certificate
Ok. Sorry for not sharing. So let's start with:
Code:
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Output:
Code:
root@domain1:/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Then:
Code:
zmcertmgr viewdeployedcrt all
Output:
Code:
root@domain1:/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
::service mta::
notBefore=Apr 10 17:57:49 2017 GMT
notAfter=Apr 10 17:57:49 2018 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
::service proxy::
notBefore=Apr 10 17:57:49 2017 GMT
notAfter=Apr 10 17:57:49 2018 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
::service mailboxd::
notBefore=Apr 10 17:57:49 2017 GMT
notAfter=Apr 10 17:57:49 2018 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
::service ldap::
notBefore=Apr 10 17:57:49 2017 GMT
notAfter=Apr 10 17:57:49 2018 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
What is more weird, I did check the status of the certificate via the Web Admin Console and when I clicked on View Certificate it was there - the good certificate, but still not working as it should be.
I've tried via web access and through a mail client and it still shows the old certificate.
Thanks!
- jorgedlcruz
Re: Zimbra using old certificate
What's the result if you run from the server, and from external:
Code:
openssl s_client -showcerts -connect mail.yourdomain.com:443
Best regards
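An added example, not part of any post in this thread: the check suggested above, extended to every listener. It compares the SHA-256 fingerprint of the leaf certificate in the deployed file with what each IP, port and SNI name actually presents. The IP addresses, the hostnames and port 993 are hypothetical; the file path is the one printed by zmcertmgr above.

```python
import base64, hashlib, re, socket, ssl

# Path taken from the zmcertmgr output in the thread; leaf first, CA chain appended.
DEPLOYED = "/opt/zimbra/ssl/zimbra/commercial/commercial.crt"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM bundle (the leaf)."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(ip, port, sni, timeout=5.0):
    """SHA-256 of the leaf a listener presents for a given SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # an expired cert must still be readable
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def stale_endpoints(expected, endpoints, fetch=served_fingerprint):
    """Return (ip, port, sni, got) for endpoints that do not serve `expected`."""
    stale = []
    for ip, port, sni in endpoints:
        try:
            got = fetch(ip, port, sni)
        except OSError as exc:      # refused, timeout or handshake failure
            got = "error: %s" % exc
        if got != expected:
            stale.append((ip, port, sni, got))
    return stale

if __name__ == "__main__":
    # Hypothetical addresses and names: list every IP the server listens on
    # and every hostname clients use, since each pair can map to its own cert.
    endpoints = [(ip, port, name)
                 for ip in ("192.0.2.10", "192.0.2.11")
                 for port in (443, 993)
                 for name in ("mail.domain1.com", "mail.domain2.com")]
    with open(DEPLOYED) as fh:
        want = leaf_fingerprint(fh.read())
    for ip, port, sni, got in stale_endpoints(want, endpoints):
        print("STALE %s:%d sni=%s -> %s" % (ip, port, sni, got))
```

Any line printed names a listener that is not serving the file zmcertmgr reports as deployed, which narrows the search to that IP, port or hostname.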