Zimbra using old certificate

sebasq
Posts: 6
Joined: Mon Apr 10, 2017 8:52 pm

Zimbra using old certificate

Post by sebasq »

Hi,

I've bought a new Wildcard certificate. I deployed it on the server. Everything went smoothly and without errors. Unfortunately the server is still showing the old and expired certificate. I've tried all the instructions I've found on Google and on forums. No luck. I implemented this server 2 years ago and, as I recall, I used VirtualIPAddresses to separate domains. I've tried deploying the certificate for the domains but still no luck. What can I check? Where can I find the old certificates and remove/replace them? I have done this operation many times on other instances of Zimbra, always with no trouble at all, working from day one.

Please help. I've checked the whole /opt/ directory, searching for certificates, replacing and deleting, and still no luck.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra using old certificate

Post by jorgedlcruz »

Hi Sebas,
Can you please let us know your Zimbra version? Also your requirements, for example 5 domains, and the SSL certificate you have: one per domain, or a multi-SAN?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
sebasq
Posts: 6
Joined: Mon Apr 10, 2017 8:52 pm

Re: Zimbra using old certificate

Post by sebasq »

Hi,

Thanks for reply.

I'm using Release 8.6.0.GA.1153.UBUNTU14.64.

I have 6 domains and one Wildcard multi-domain certificate for 3 domains, in one file.
Server runs on domain1.com.
Additionally I have 5 virtual domains.
Certificate is for domain1.com + domain2.com + domain3.com.

Thanks!
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra using old certificate

Post by jorgedlcruz »

So,
Do you have your SSL certificate only for those 3 domains? What happens to the rest, will they receive the usual error?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
sebasq
Posts: 6
Joined: Mon Apr 10, 2017 8:52 pm

Re: Zimbra using old certificate

Post by sebasq »

Yes, exactly. I do not really care about the 3 others; we are not using them on a daily basis.
They can get the usual error.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra using old certificate

Post by jorgedlcruz »

Then it's easier.
If you have the private key from another server (because it's a wildcard, you could have generated the private key elsewhere), then first open this file and paste your private key:

    vi /opt/zimbra/ssl/zimbra/commercial/commercial.key

Put the files commercial.crt and commercial_ca.crt in /tmp, where commercial_ca.crt contains the intermediate and root CA certificates, and run:

    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Then a restart and that's it:

    zmcontrol restart
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
sebasq
Posts: 6
Joined: Mon Apr 10, 2017 8:52 pm

Re: Zimbra using old certificate

Post by sebasq »

Hi,

This is a brand new certificate generated from a new private key, based on a new CSR. Do you still need that key?

I have tried all of the commands you mentioned in the first place. I'm using them all the time on other servers and Zimbra instances with other certificates and it's working every time.

No luck.

After that I did some other things I found on Google and forums:

    mv /opt/zimbra/ssl/zimbra/jetty.pkcs12 /tmp/jetty.pkcs12
    mv /opt/zimbra/mailboxd/etc/keystore /tmp/keystore
    /opt/zimbra/bin/zmcertmgr deploycrt self

No luck.

And then I deployed my certificate again. Unfortunately it still shows the old certificate. I could even force Zimbra to show the self-deployed certificate.

Then I deployed certificates for each domain with zmdomaincertmgr deploycrt, based on a tutorial I found:
https://wiki.zimbra.com/wiki/SSL_certif ... per_domain

No luck.

Then I did some checks based on:
viewtopic.php?t=59203

https://wiki.zimbra.com/wiki/Multiple_S ... _for_HTTPS

No luck.

I have tried to install this certificate through the Admin Web Console but still no luck.

In the end, to be honest, I wouldn't bother you if this was simple; I've really spent many hours looking for the reason and I'm out of ideas :(
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra using old certificate

Post by jorgedlcruz »

Hi,
Super weird; try this next:

    zmcertmgr viewdeployedcrt all

What do you see there? You are not sharing any feedback about the output you see once you have used the commands I provided.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
sebasq
Posts: 6
Joined: Mon Apr 10, 2017 8:52 pm

Re: Zimbra using old certificate

Post by sebasq »

Ok. Sorry for not sharing. So let's start with:

    /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Output:

    root@domain1:/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
    ** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: commercial.crt: OK
    ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    ** Saving server config key zimbraSSLCertificate...done.
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

Then:

    zmcertmgr viewdeployedcrt all
Output:

    root@domain1:/opt/zimbra/bin/zmcertmgr viewdeployedcrt all
    ::service mta::
    notBefore=Apr 10 17:57:49 2017 GMT
    notAfter=Apr 10 17:57:49 2018 GMT
    subject= /C=PL/CN=*.domain1.com
    issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
    SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
    ::service proxy::
    notBefore=Apr 10 17:57:49 2017 GMT
    notAfter=Apr 10 17:57:49 2018 GMT
    subject= /C=PL/CN=*.domain1.com
    issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
    SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
    ::service mailboxd::
    notBefore=Apr 10 17:57:49 2017 GMT
    notAfter=Apr 10 17:57:49 2018 GMT
    subject= /C=PL/CN=*.domain1.com
    issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
    SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
    ::service ldap::
    notBefore=Apr 10 17:57:49 2017 GMT
    notAfter=Apr 10 17:57:49 2018 GMT
    subject= /C=PL/CN=*.domain1.com
    issuer= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Domain Validation CA SHA2
    SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com

What is even weirder: I checked the status of the certificate via the Web Admin Console and when I clicked on View Certificate it was there, the good certificate, but it is still not working as it should.

I've tried via web access and through a mail client and it still shows the old certificate.

Thanks!
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: Zimbra using old certificate

Post by jorgedlcruz »

What's the result if you run this from the server, and from outside:

    openssl s_client -showcerts -connect mail.yourdomain.com:443

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
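The thread's diagnosis comes down to two checks: what zmcertmgr says is deployed per service, and what the listener actually hands out on the wire. The following script is an added example for this thread, not Zimbra's code and not posted by either participant. It parses `zmcertmgr viewdeployedcrt all` output (the sample below is constructed from the format shown above, with a placeholder issuer and one service deliberately given a stale certificate), checks each service's validity window and whether the SANs cover the hostnames you care about, and adds a fingerprint comparison between the deployed commercial.crt and the leaf certificate a live port presents. The `served_fingerprint` function needs a reachable host and is the programmatic form of the `openssl s_client` check; because a proxy may select a per-domain certificate by SNI, it is worth calling once per hostname rather than once per server.

```python
import hashlib
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample modelled on the `zmcertmgr viewdeployedcrt all` format from the thread.
# The issuer is a placeholder; mailboxd is given a stale certificate on purpose.
SAMPLE_OUTPUT = """\
::service mta::
notBefore=Apr 10 17:57:49 2017 GMT
notAfter=Apr 10 17:57:49 2018 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Example CA/CN=Example Domain Validation CA
SubjectAltName= *.domain1.com, domain1.com, domain3.com, *.domain2.com, *.domain3.com, domain2.com
::service mailboxd::
notBefore=Apr 10 17:57:49 2015 GMT
notAfter=Apr 10 17:57:49 2016 GMT
subject= /C=PL/CN=*.domain1.com
issuer= /C=PL/O=Example CA/CN=Example Domain Validation CA
SubjectAltName= *.domain1.com, domain1.com
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"
# Fixed reference time so the checks are reproducible (assumed date, mid-validity of the sample).
REFERENCE_NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)


def parse_deployed(text):
    """Map service name -> {notBefore, notAfter, subject, issuer, sans} from viewdeployedcrt output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^::service (\S+)::$", line)
        if m:
            current = {"sans": []}
            services[m.group(1)] = current
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("notBefore", "notAfter"):
            current[key] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key == "SubjectAltName":
            current["sans"] = [s.strip() for s in value.split(",") if s.strip()]
        else:
            current[key] = value
    return services


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*.x.com' covers exactly one extra label and never the bare 'x.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def check_service(entry, hostnames, now):
    """Problems found for one service's certificate; an empty list means it looks fine."""
    problems = []
    if now < entry["notBefore"]:
        problems.append("not yet valid")
    if now > entry["notAfter"]:
        problems.append("expired on %s" % entry["notAfter"].date())
    for host in hostnames:
        if not any(name_matches(san, host) for san in entry["sans"]):
            problems.append("no SAN covers %s" % host)
    return problems


def check_all(text, hostnames, now=None):
    now = now or datetime.now(timezone.utc)
    return {svc: check_service(e, hostnames, now) for svc, e in parse_deployed(text).items()}


def pem_fingerprint(pem_path):
    """SHA-256 of the first certificate in a PEM file (commercial.crt has the chain appended)."""
    with open(pem_path) as f:
        first = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", f.read(), re.S)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first.group(0))).hexdigest()


def served_fingerprint(host, port=443, sni=None, timeout=5):
    """SHA-256 of the leaf certificate a listener presents for the given SNI name.
    Verification is disabled on purpose: the point is to see whatever is served, even an expired cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


if __name__ == "__main__":
    hosts = ["mail.domain1.com", "domain1.com", "mail.domain4.com"]  # assumed hostnames
    for svc, probs in check_all(SAMPLE_OUTPUT, hosts, now=REFERENCE_NOW).items():
        print(svc, "OK" if not probs else "; ".join(probs))
    # On a real server: compare pem_fingerprint("/opt/zimbra/ssl/zimbra/commercial/commercial.crt")
    # with served_fingerprint("mail.domain1.com", 443) and served_fingerprint("mail.domain1.com", 993).
```

If the deployed file and the served leaf have different fingerprints while `viewdeployedcrt` reports the new certificate, the gap is between deployment and the running service (a process that was not restarted, or a proxy serving a per-domain certificate for that SNI name); if they match, the client is talking to something other than this server.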