The process is to put your commercial and intermediate-root bundle certs in a temporary directory, and when you run zmcertmgr deploycrt comm, you need to point to those files, like so:

Bittone wrote:
I have the very same problem of the expired cert.
After activating the workaround I have a problem deploying the new ca_bundle.
After downloading from my issuer website the new bundle I tested it with zmcertmgr verifycrt and everything seems fine.
But when I try to install them I get:
Code:
[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra 72 Jun 3 11:53 .
drwxr-x---. 5 zimbra zimbra 64 Jul 11 2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun 3 11:53 commercial.crt
-rw-r-----. 1 zimbra zimbra 1734 Jun 3 11:53 commercial.key
-rw-r-----. 1 zimbra zimbra 9831 Jun 3 11:56 commercial_ca.crt
[zimbra@postino commercial]$ zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt
** Verifying './commercial.crt' against './commercial.key'
Certificate './commercial.crt' and private key './commercial.key' match.
** Verifying './commercial.crt' against './commercial_ca.crt'
Valid certificate chain: ./commercial.crt: OK
As you can see the commercial_ca.crt has been replaced by the old one and I cannot complete the installation of the new ca_bundle.
Code:
[zimbra@postino commercial]$ zmcertmgr deploycrt comm
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial.key
** Creating /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK
[zimbra@postino commercial]$ ls -la
total 28
drwxr-x---. 2 zimbra zimbra 72 Jun 3 11:58 .
drwxr-x---. 5 zimbra zimbra 64 Jul 11 2016 ..
-rw-r-----. 1 zimbra zimbra 12078 Jun 3 11:58 commercial.crt
-rw-r-----. 1 zimbra zimbra 1734 Jun 3 11:58 commercial.key
-rw-r-----. 1 zimbra zimbra 9747 Jun 3 11:58 commercial_ca.crt
Any ideas why I get this? According to the manual the certs must be placed in /opt/zimbra/ssl/zimbra/commercial dir and that's exactly what I did but the bundle gets overwritten.
Zimbra version is 8.7.11 community
Thank you all for your attention
Alberto
Code:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/sectigo/commercial.crt /tmp/sectigo/intermediate-root-bundle.crt
Hope that helps,
Mark
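
A pre-deployment check for the failure shown in this thread, where the CA bundle that ended up in /opt/zimbra/ssl/zimbra/commercial still held expired certificates. This is an added example, not part of the original posts: the function name `check_bundle` and its margin argument are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): list every certificate in a PEM CA
# bundle and flag those that are expired or expire within MARGIN seconds.
# Usage:  check_bundle BUNDLE [MARGIN]
#   e.g.  check_bundle /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
# Returns 0 if all certificates pass, 1 if any is flagged, 2 on error.
check_bundle() {
    bundle=$1
    margin=${2:-0}
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate (cert.1.pem, cert.2.pem, ...).
    # Text outside the BEGIN/END markers is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    rc=0
    for pem in "$tmpdir"/cert.*.pem; do
        if [ ! -e "$pem" ]; then
            echo "no certificates found in $bundle" >&2
            rc=2
            break
        fi
        subject=$(openssl x509 -in "$pem" -noout -subject)
        enddate=$(openssl x509 -in "$pem" -noout -enddate)
        # -checkend N exits non-zero when the certificate expires within N seconds;
        # N=0 therefore means "already expired".
        if openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null; then
            echo "OK   $subject ($enddate)"
        else
            echo "FAIL $subject ($enddate)"
            rc=1
        fi
    done
    rm -rf "$tmpdir"
    return "$rc"
}
```

Running it on both the downloaded bundle and the file left in the commercial directory after `deploycrt` shows which of the two still carries the expired entries.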