Hello, by mistake it seems to delete the certificates that zimbra installs when the installation is done for the first time, I am trying to generate again and I have this message
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
** Creating directory '/opt/zimbra/ssl/zimbra'
** Creating directory '/opt/zimbra/ssl/zimbra/ca'
** Creating directory '/opt/zimbra/ssl/zimbra/commercial'
** Creating directory '/opt/zimbra/ssl/zimbra/server'
** Creating directory '/opt/zimbra/ssl/zimbra/ca/newcerts'
** Touching file '/opt/zimbra/ssl/.rnd'
** Touching file '/opt/zimbra/ssl/zimbra/ca/index.txt'
** Recreating /opt/zimbra/conf/zmssl.cnf
** Generating a server CSR of type 'self' for download
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
** Retrieving CA cert from LDAP... failed
** Retrieving CA private key from LDAP... failed
** Retrieving Commercial CA cert from LDAP... failed
ERROR: createca: empty key '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Recreating /opt/zimbra/conf/zmssl.cnf
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.server.com...failed (rc=1)
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
ERROR: openssl ca failed(1):
Using configuration from /opt/zimbra/conf/zmssl.cnf
Error opening CA private key /opt/zimbra/ssl/zimbra/ca/ca.key
140553627977392:error:02001002:system library:fopen:No such file or directory:bss_file.c:406:fopen('/opt/zimbra/ssl/zimbra/ca/ca.key','r')
140553627977392:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:408:
unable to load CA private key
You have new mail in /var/spool/mail/zimbra
Thanks for you help
certificate removed
-
pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: certificate removed
You should first create a ca and then deploy it.
Look at your inbox of PMs please.
Look at your inbox of PMs please.
-
pup_seba
- Outstanding Member
- Posts: 687
- Joined: Sat Sep 13, 2014 2:43 am
- Location: Tarragona - Spain
- Contact:
Re: certificate removed
Try this if you'd like:
I was able to reproduce and fix the problem you describe in a 8.8.9. This is not a permanent fix, but is good enough for you to start your services and then tune them as you want.
Excecute all these commands as root:
in all your servers:
zmcontrol stop
In all your servers:
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/.rnd
su - zimbra -c '/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit'
chmod -R 0755 /opt/zimbra/ssl
chown -R zimbra:zimbra /opt/zimbra/ssl
In the servers where you have the store deployed:
su - zimbra -c '/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`'
In the server where you have your ldap:
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c 'zmcontrol start'
At this point, services should be able to start in the server where you have your ldap service installed.
In the rest of your servers:
su - zimbra -c 'mkdir -p /opt/zimbra/ssl/zimbra/ca'
su - zimbra -c 'chmod -R 0750 /opt/zimbra/ssl/zimbra'
Now, copy the content of /opt/zimbra/ssl/zimbra/ca that exists in your ldap server, to the rest of your servers. You could use scp to do it from your ldap server it would look something like this: scp /opt/zimbra/ssl/zimbra/ca/* root@ipofyourotherserver:/opt/zimbra/ssl/zimbra/ca
On each of your other servers:
su - zimbra -c 'opt/zimbra/bin/zmcertmgr deployca'
On your ldap server:
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt self -allserver"
On the rest of your servers:
su - zimbra -c 'zmcontrol restart'
Good luck!
I was able to reproduce and fix the problem you describe in a 8.8.9. This is not a permanent fix, but is good enough for you to start your services and then tune them as you want.
Excecute all these commands as root:
in all your servers:
zmcontrol stop
In all your servers:
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/.rnd
su - zimbra -c '/opt/zimbra/common/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit'
chmod -R 0755 /opt/zimbra/ssl
chown -R zimbra:zimbra /opt/zimbra/ssl
In the servers where you have the store deployed:
su - zimbra -c '/opt/zimbra/common/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`'
In the server where you have your ldap:
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createca -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deployca -localonly'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr createcrt -new'
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt self'
su - zimbra -c 'zmcontrol start'
At this point, services should be able to start in the server where you have your ldap service installed.
In the rest of your servers:
su - zimbra -c 'mkdir -p /opt/zimbra/ssl/zimbra/ca'
su - zimbra -c 'chmod -R 0750 /opt/zimbra/ssl/zimbra'
Now, copy the content of /opt/zimbra/ssl/zimbra/ca that exists in your ldap server, to the rest of your servers. You could use scp to do it from your ldap server it would look something like this: scp /opt/zimbra/ssl/zimbra/ca/* root@ipofyourotherserver:/opt/zimbra/ssl/zimbra/ca
On each of your other servers:
su - zimbra -c 'opt/zimbra/bin/zmcertmgr deployca'
On your ldap server:
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt self -allserver"
On the rest of your servers:
su - zimbra -c 'zmcontrol restart'
Good luck!