Unable to update SSL certificate

arif.nardite
Posts: 1
Joined: Fri Oct 22, 2021 7:36 am

Unable to update SSL certificate

Post by arif.nardite »

I'm facing this error when trying to update my certificate that I purchased from Sectigo for my domain. This is a wildcard SSL certificate.

Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22}


Details :
Message: Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22}

I'm performing the update from the GUI.

I tried on the console and am also having an issue.

I'm attaching the screenshot as well. I would appreciate assistance on this, since my SMTP mail cannot be used by my application that uses this Zimbra.
viktor_mitkov
Posts: 1
Joined: Wed Nov 23, 2022 1:04 pm

Re: Unable to update SSL certificate

Post by viktor_mitkov »

Hello all,

I have the same problem.
Can anyone help with this problem?

Message: Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22}
milauria
Advanced member
Posts: 96
Joined: Mon Aug 15, 2016 12:32 pm

Re: Unable to update SSL certificate

Post by milauria »

Have you created the certificate chain properly?
https://wiki.zimbra.com/wiki/Certificate_Chain
Victor.Davydenko
Posts: 1
Joined: Thu Nov 24, 2022 12:17 pm

Re: Unable to update SSL certificate

Post by Victor.Davydenko »

Hi!
Unfortunately, I have the same problem too. With a small difference: I am trying to install a DV certificate from another CA: Certum.
I contacted the CA manager and I know the chain was created properly. Does Zimbra check any server settings: availability of some ports, etc.?
To understand the problem, I tried the command-line interface and got this:

/opt/zimbra/bin/zmcertmgr verifycrtchain /opt/ssl/commercial_ca.crt /opt/ssl/commercial.crt
** Verifying '/opt/ssl/commercial.crt' against '/opt/ssl/commercial_ca.crt'
ERROR: Unable to validate certificate chain: C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
error 2 at 2 depth lookup: unable to get issuer certificate
error /opt/ssl/commercial.crt: verification failed

Best regards!
Victor.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Unable to update SSL certificate

Post by L. Mark Stone »

Many certificate issuers’ Support teams will say “the chain is complete” because all the applications with which they are familiar rely either on the root certificates provided by an operating system or because for a web application the browsers themselves have their own root certificate store to provide that “missing” cert.

But Zimbra is different. It has multiple certificate stores and does not utilize the operating system’s root certificate packages.

As a result, I prefer to install certificates only from the command line. When you run “zmcertmgr verifycrt” and it passes, I have never had the cert deployment fail.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
avd
Posts: 2
Joined: Sun Nov 27, 2022 9:50 pm

Re: Unable to update SSL certificate

Post by avd »

You may also be experiencing a problem with the certificate type. I just spent many hours trying to figure out why I could not verify a certificate and it was due to the newer ECDSA type of certificate. I don't know if this applies to your problem, but if it is an ECDSA type certificate and not an RSA type certificate, it probably will not work.
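
Added example, not part of any post in this thread: a pre-flight check for the two causes raised above, a CA bundle that does not itself contain the root (the "unable to get issuer certificate" error) and a non-RSA key type. It assumes the openssl CLI, 1.1.0 or later; the function names are made up for this example, and "subject equals issuer" is used as a simple stand-in for "self-signed root".

```shell
#!/bin/sh
# Added example (not from the thread): checks to run on a CA bundle and a
# certificate before zmcertmgr. Needs the openssl CLI (1.1.0 or later).

# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
}

# Print "subject<TAB>issuer" for every certificate in the bundle, in file order.
chain_report() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        s=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# Succeed only if some certificate in the bundle has subject == issuer,
# i.e. the root is present in the file itself rather than in an OS store.
bundle_has_root() {
    chain_report "$1" | awk -F'\t' '$1 == $2 { found = 1 } END { exit !found }'
}

# Verify certificate $2 trusting only bundle $1 (no OS certificate directory).
verify_with_bundle_only() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the public-key algorithm, e.g. rsaEncryption or id-ecPublicKey.
cert_key_type() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p'
}
```

Run `chain_report` on the bundle first: each line's issuer should be the subject of another certificate in the file, and the chain should end in a line where both fields are the same.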
tlgerdes
Posts: 42
Joined: Mon Nov 21, 2022 4:02 am

Re: Unable to update SSL certificate

Post by tlgerdes »

I had the same issue a few weeks ago.

Follow the command line cert install process.

Here is my process

Prepare Certificates
Create CSR in Zimbra Admin console
Request new cert from Comodo Store
Download Certificate pack
Copy certs to FTP (insert favourite file copy process to copy certificates to server)
In Zimbra CLI download certs from FTP as zimbra user (su zimbra)
cat My_CA_Bundle.ca-bundle > commercial_ca.crt


Single-Node Commercial Certificate
1. Verify your commercial certificate.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert/commercial_ca.crt
**Verifying /tmp/cert/mail_sarcasmogerdes_com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/cert/mail_sarcasmogerdes_com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/cert/mail_sarcasmogerdes_com.crt: OK


2. Deploy your commercial certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert/commercial_ca.crt
** Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmpt/commercial.crt: OK
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Appending CA chain /tmp/ca_chain.crt to
/opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Saving server config key zimbraSSLCeretificate…done.
**Saving server config key zimbraSSLPrivateKey…done.
**Installing mta certificate and key…done.
**Installing slapd certificate and key…done.
**Installing proxy certificate and key…done.
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
**Installing CA to /opt/zimbra/conf/ca…done.


3. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt