I'm facing this error when trying to update my certificate that purchased from Sectigo for my domain. This is the wildcard ssl
Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22}
Details :
Message: Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/chain_1e609a2b-535f-4f58-9f69-87b96092b70b /opt/zimbra/data/tmp/63173479-9340-49dc-b28a-5bf716688e0e/crt_1e609a2b-535f-4f58-9f69-87b96092b70b with {RemoteManager: notify.softexindonesia.com->zimbra@notify.softexindonesia.com:22}
Detail
I'm performing the update from the GUI.
Tried on the console also having an issue.
I'm attaching the screenshot as well. Appreciate the assistance on this, since my SMTP mail cannot be use on my application that use this zimbra.
Unable to update SSL certificate
-
- Posts: 1
- Joined: Fri Oct 22, 2021 7:36 am
Unable to update SSL certificate
- Attachments
-
- Zimbra.PNG (66.72 KiB) Viewed 5969 times
-
- Posts: 1
- Joined: Wed Nov 23, 2022 1:04 pm
Re: Unable to update SSL certificate
Hello all,
I have the same problem.
Can anyone help with this problem?
Message: Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22}Message: Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22}
I have the same problem.
Can anyone help with this problem?
Message: Your certificate was not installed due to the error: system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22}Message: Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/chain_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 /opt/zimbra/data/tmp/79cb0620-b1a3-4629-9e7a-f53a810b23d5/crt_c678fb44-5cf9-4393-80dc-d1ad4faf38b9 with {RemoteManager: smtp.dware.bg->zimbra@smtp.dware.bg:22}
- Attachments
-
- 2022-11-23 15_07_16-.png (117.54 KiB) Viewed 4156 times
Re: Unable to update SSL certificate
Have you created the certificate chain properly ?
https://wiki.zimbra.com/wiki/Certificate_Chain
https://wiki.zimbra.com/wiki/Certificate_Chain
-
- Posts: 1
- Joined: Thu Nov 24, 2022 12:17 pm
Re: Unable to update SSL certificate
Hi!
Unfortunatelly, I have the same problem too. With small difference: i trying to install DV sertificate of another CA: Certum.
I contacted with CA manager and i know the chain created properly. Does Zimbra checks any server's settings: some ports avaliability, etc?
To undestand of problem i tried command line interface and took theese:
/opt/zimbra/bin/zmcertmgr verifycrtchain /opt/ssl/commercial_ca.crt /opt/ssl/commercial.crt
** Verifying '/opt/ssl/commercial.crt' against '/opt/ssl/commercial_ca.crt'
ERROR: Unable to validate certificate chain: C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
error 2 at 2 depth lookup: unable to get issuer certificate
error /opt/ssl/commercial.crt: verification failed
Best regards!
Victor.
Unfortunatelly, I have the same problem too. With small difference: i trying to install DV sertificate of another CA: Certum.
I contacted with CA manager and i know the chain created properly. Does Zimbra checks any server's settings: some ports avaliability, etc?
To undestand of problem i tried command line interface and took theese:
/opt/zimbra/bin/zmcertmgr verifycrtchain /opt/ssl/commercial_ca.crt /opt/ssl/commercial.crt
** Verifying '/opt/ssl/commercial.crt' against '/opt/ssl/commercial_ca.crt'
ERROR: Unable to validate certificate chain: C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
error 2 at 2 depth lookup: unable to get issuer certificate
error /opt/ssl/commercial.crt: verification failed
Best regards!
Victor.
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Unable to update SSL certificate
Many certificate issuers’ Support teams will say “the chain is complete” because all the applications with which they are familiar rely either on the root certificates provided by an operating system or because for a web application the browsers themselves have their own root certificate store to provide that “missing” cert.
But Zimbra is different. It has multiple certificate stores and does not utilize the operating system’s root certificate packages.
As a result, I prefer to install certificates only from the command line. When you run “zmcertmgr verifycrt” and it passes, I have never had the cert deployment fail.
But Zimbra is different. It has multiple certificate stores and does not utilize the operating system’s root certificate packages.
As a result, I prefer to install certificates only from the command line. When you run “zmcertmgr verifycrt” and it passes, I have never had the cert deployment fail.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Unable to update SSL certificate
You may also be experiencing a problem with the certificate type. I just spent many hours trying to figure out why I could not verify a certificate and it was due to the newer ECDSA type of certificate. I don't know if this applies to your problem, but if it is an ECDSA type certificate and not an RSA type certificate, it probably will not work.
Re: Unable to update SSL certificate
I had the same issue a few weeks ago.
Follow the command line cert install process.
Here is my process
Prepare Certifictes
Create CSR in Zimbra Admin console
Request new cert from Commodo Store
Download Certificate pack
Copy certs to FTP (insert favourite file copy process to copy certificates to server)
In Zimbra CLI download certs from FTP as zimbra user (su zimbra)
Cat My_CA_Bundle.ca-bundle > commercial_ca.crt
Single-Node Commercial Certificate
1. Verify your commercial certificate.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert.commercial_ca.crt
**Verifying /tmp/cert/mail_sarcasmogerdes_com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/ cert/mail_sarcasmogerdes_com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/cert/mail_sarcasmogerdes_com.crt: OK
2. Deploy your commercial certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert/commercial_ca.crt
** Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmpt/commercial.crt: OK
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Appending CA chain /tmp/ca_chain.crt to
/opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Saving server config key zimbraSSLCeretificate…done.
**Saving server config key zimbraSSLPrivateKey…done.
**Installing mta certificate and key…done.
**Installing slapd certificate and key…done.
**Installing proxy certificate and key…done.
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
**Installing CA to /opt/zimbra/conf/ca…done.
3. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
Follow the command line cert install process.
Here is my process
Prepare Certifictes
Create CSR in Zimbra Admin console
Request new cert from Commodo Store
Download Certificate pack
Copy certs to FTP (insert favourite file copy process to copy certificates to server)
In Zimbra CLI download certs from FTP as zimbra user (su zimbra)
Cat My_CA_Bundle.ca-bundle > commercial_ca.crt
Single-Node Commercial Certificate
1. Verify your commercial certificate.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert.commercial_ca.crt
**Verifying /tmp/cert/mail_sarcasmogerdes_com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/ cert/mail_sarcasmogerdes_com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/cert/mail_sarcasmogerdes_com.crt: OK
2. Deploy your commercial certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/cert/mail_sarcasmogerdes_com.crt /tmp/cert/commercial_ca.crt
** Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmpt/commercial.crt: OK
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Appending CA chain /tmp/ca_chain.crt to
/opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Saving server config key zimbraSSLCeretificate…done.
**Saving server config key zimbraSSLPrivateKey…done.
**Installing mta certificate and key…done.
**Installing slapd certificate and key…done.
**Installing proxy certificate and key…done.
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
**Installing CA to /opt/zimbra/conf/ca…done.
3. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt