Installing SSL Cert - HELP

seradominus
Posts: 6
Joined: Wed Jun 17, 2020 7:41 pm

Installing SSL Cert - HELP

Post by seradominus »

Hi, (Zimbra 8.8.11_GA_3787 (build 20190308072250))
I'm new here and to Zimbra. The SSL world is not easy, as we know.
I have to install the cert (renew the previous one).
Our provider sent us:
intermediate.crt
webmail.xxx.xxx.it.crt
webmail.xxx.xxx.it.csr
webmail.xxx.xxx.it.key

What I understand is that the commercial.key = webmail.xxx.xxx.it.key....stop
I read that I have to concatenate all the intermediates.
I see that we have in the old files also RapidSSL Intermediate and Root CA Certificates: do I need these too?

I tried a lot of configurations, so now I'm very confused by commercial_ca.crt, commercial.crt, ca_chain, etc. I read a lot of tutorials, but nothing....

Some output:
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial.crt: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
error 2 at 1 depth lookup:unable to get issuer certificate



[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/certificati/ca_chain.crt
** Verifying '/opt/zimbra/certificati/ca_chain.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/certificati/ca_chain.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/certificati/ca_chain.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: /opt/zimbra/certificati/ca_chain.crt: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
error 2 at 1 depth lookup:unable to get issuer certificate



Thank you.
fs.schmidt
Outstanding Member
Posts: 278
Joined: Sat Sep 13, 2014 3:37 am
Location: Brazil

Re: Installing SSL Cert - HELP

Post by fs.schmidt »

seradominus wrote: ERROR: Unable to validate certificate chain: /opt/zimbra/certificati/ca_chain.crt: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Hello,

You need to concatenate the root CA and the intermediate certificate from Sectigo.

I hope this helps you:

https://support.sectigo.com/Com_Knowled ... 000000zFIy
Best regards.
Fabio S. Schmidt
http://www.bktech.com.br
Brasília - Brazil
seradominus
Posts: 6
Joined: Wed Jun 17, 2020 7:41 pm

Re: Installing SSL Cert - HELP

Post by seradominus »

Hi,
I tried to follow the instructions on the link, but there was an error again.
Can you please tell me precisely how the files are formed?
"Copy and paste the certificate into a text file (save as commercial.crt)": is this "certificate" webmail.xxx.xxx.it.crt?
"Open the CAbundle that you received on a ZIP file using a text editor or Vi and save it as (commercial_ca.crt)": is commercial_ca.crt formed by intermediate+root? But what is the root?
I downloaded from: https://support.sectigo.com/Com_Knowled ... 000000rfBO
but I also see that last year the intermediate was from: https://knowledge.digicert.com/generali ... html#links

So in conclusion what I need is:
commercial_ca.crt what is it made of?
commercial.crt what is it made of?
commercial.key is the webmail.xxx.xxxxx.key sent by our provider, right?

Thank you.
fs.schmidt
Outstanding Member
Posts: 278
Joined: Sat Sep 13, 2014 3:37 am
Location: Brazil

Re: Installing SSL Cert - HELP

Post by fs.schmidt »

Hello,

Usually the "Bundle" file is enough to deploy on Zimbra. I mean, you will provide your private key, cert and this bundle file (which contains the root and intermediate CA).

Which files have you received from Sectigo?
Best regards.
Fabio S. Schmidt
http://www.bktech.com.br
Brasília - Brazil
seradominus
Posts: 6
Joined: Wed Jun 17, 2020 7:41 pm

Re: Installing SSL Cert - HELP

Post by seradominus »

Hi,
thank you for your patience.
What I received new for this year is:

intermediate.crt
webmail.xxx.xxx.it.crt
webmail.xxx.xxx.it.csr
webmail.xxx.xxx.it.key

We get this from the provider of our application server and website. They also give us a certificate for our cloud: on the cloud server there was no problem installing it.
I see that intermediate.crt from this provider is the same as "Sectigo RSA Domain Validation Secure Server CA [ Intermediate ]" that I can download from the site: https://support.sectigo.com/articles/Kn ... rtificates

Do I have to download other files from this site?

Thank you.
Best regards.
wentum
Advanced member
Posts: 53
Joined: Fri Apr 04, 2014 10:49 am
Location: Pforzheim (Germany)
ZCS/ZD Version: Release 9.0.0.GA.3924 _P30

Re: Installing SSL Cert - HELP

Post by wentum »

Hello,

You'll need the corresponding ROOT certificate, too.
This is often not in those bundles, because a webserver doesn't need it and this is probably most of the use cases...


Regards
Joerg
seradominus
Posts: 6
Joined: Wed Jun 17, 2020 7:41 pm

Re: Installing SSL Cert - HELP

Post by seradominus »

Hi,
So from the link posted previously (https://support.sectigo.com/articles/Kn ... rtificates), what is "the corresponding ROOT certificate"?
The USERTrust RSA Root xSigned using AAA CA [ Cross Signed ]?

When I find the ROOT, what is the correct concatenation to build the file commercial_ca.crt?

Thank you.
wentum
Advanced member
Posts: 53
Joined: Fri Apr 04, 2014 10:49 am
Location: Pforzheim (Germany)
ZCS/ZD Version: Release 9.0.0.GA.3924 _P30

Re: Installing SSL Cert - HELP

Post by wentum »

Hello,

I would go with Fabio and take the bundle file as commercial_ca.crt...
But as it is a cross signed ROOT certificate it MAY be necessary to put the SHA-2 Root : USERTrust RSA Certification Authority in it, too...

Just try it out with (as User zimbra) zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt

It will tell you if the bundle is ok or not...

Regards
Joerg
seradominus
Posts: 6
Joined: Wed Jun 17, 2020 7:41 pm

Re: Installing SSL Cert - HELP

Post by seradominus »

Sorry for the delay,
I think this is the last update.
Many thanks to all for your help.
"it MAY be necessary to put the SHA-2 Root : USERTrust RSA Certification Authority in it, too...": YES!!!
I also put the ROOT in certificate_ca.crt and all done!!!

Below I put the final procedure that works for me: I hope it will help. If I wrote trivial things, you will forgive me ;)
so....

LOG IN AS root USER AND EDIT THESE FILES:

go here:

#cd /opt/zimbra/ssl/zimbra/commercial

commercial.crt = mail.your.domain.xxxxx.xx.crt
commercial.key = mail.your.domain.xxxxx.xx.key
commercial_ca.crt = intermediate from your cert provider (or the Sectigo RSA Domain Validation Secure Server CA [ Intermediate ] from https://support.sectigo.com/articles/Kn ... rtificates, IS THE SAME FILE) + SHA-2 Root USERTrust RSA Certification Authority.crt from the same site.

SET USER AND GROUP TO zimbra ON FILES commercial.crt AND commercial_ca.crt

#chown zimbra:zimbra commercial.crt
#chown zimbra:zimbra commercial_ca.crt


WHEN THE FILES ARE OK, switch to zimbra USER:

#su zimbra

RUN THIS TO VERIFY BEFORE DEPLOYING:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

IF ALL IS OK:

GO TO THIS FOLDER (important!!!! before launching the command):

cd /opt/zimbra

AND TRY TO DEPLOY WITH THIS COMMAND:

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

RESTART THE SERVICE:

zmcontrol restart
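
Added example (not part of the original thread and not Zimbra's own code): a self-contained reproduction of the "error 2 at 1 depth lookup" failure quoted above and of the fix, using a throwaway root, intermediate and leaf generated on the spot. It approximates the chain check with plain openssl verify -CAfile; that zmcertmgr verifycrt performs an equivalent check is an assumption, and all certificate names are hypothetical.

```shell
#!/bin/sh
# Added example: every key and certificate is a throwaway generated here
# (constructed data); "Demo Root CA" and mail.example.test are hypothetical.

# Build root -> intermediate -> leaf in directory $1.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
        -CAkey "$d/intermediate.key" -set_serial 2 -days 2 \
        -out "$d/commercial.crt" 2>/dev/null
}

# Verify certificate $1 against CA bundle $2 with plain openssl (assumed to be
# equivalent to the chain step of zmcertmgr verifycrt). Prints the verdict and
# returns 0 only if the chain ends at a self-signed root found in the bundle.
verify_chain() {
    openssl verify -CAfile "$2" "$1" 2>&1
}

# Count the certificates inside a PEM bundle.
bundle_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || return 1
    # Incomplete bundle: intermediate only, as in the failing runs in the thread.
    cp "$work/intermediate.crt" "$work/commercial_ca.crt"
    verify_chain "$work/commercial.crt" "$work/commercial_ca.crt" || echo "-> chain incomplete"
    # Complete bundle: intermediate followed by the root that signed it.
    cat "$work/intermediate.crt" "$work/root.crt" > "$work/commercial_ca.crt"
    verify_chain "$work/commercial.crt" "$work/commercial_ca.crt" && echo "-> chain complete"
    rm -rf "$work"
}
demo
```

On a real server the same two checks apply to the provider's files: bundle_count on commercial_ca.crt should report the intermediate plus the root, and the verify step should pass before deploycrt is run.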