New GoDaddy SSL cert Install

kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

New GoDaddy SSL cert Install

Post by kdmiller45 »

I just got my new GoDaddy SSL cert. I tried the Let's Encrypt freebie and it just did not want to install fully; don't ask me why or how. So I bought this.
My zip file contains the files listed below. Which files are used in the Zimbra admin console, and in what sequence? Please also direct me to a current document or video to assist.

559fedd8569c4f47.crt
559fedd8569c4f47.pem
gd+bundle-g2-g1.crt

Installed on
ubuntu 18.04 Server
Zimbra open source 8.8 I believe (the free one)

I'm just a private individual using it as a hobbyist
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: New GoDaddy SSL cert Install

Post by JDunphy »

Hi Keith,

I found this but I don't know if it still works given you appear to have different names.

https://wiki.zimbra.com/wiki/Installing ... ertificate

We can probably figure this out however.

The thing to keep in the back of your mind is the following.

1) you will get a certificate for your domains
2) you will get a chain of certificates (a list of signers, but probably not the CA root certificate)
3) you will have a key (private)

A certificate is a structure that contains the public key and some metadata like dates, who the certificate is for, etc. That chain or fullchain file should also contain your certificate too. You can look at the first few bytes after the BEGIN to see what I mean if you compare your certificate file with your chain file. The chain file should be larger if you look at the size. They both will contain BEGIN/END statements.

zmcertmgr (web console uses this also to install) needs the key, your certificate for your domain, and this chain including the root certificate. When you see someone add a certificate to the end of the chain or the full chain, they are adding this root CA certificate. Some websites provide an option where you can give them your chain file, click a box and they return the root certificate and a complete fullchain for your certificate. https://whatsmychaincert.com/ is an example of this.

Normally that root CA certificate is in our trust stores for clients (think browsers, etc) but zmcertmgr is using openssl to validate your certificate so we need to provide everything as we are the client here.

zmcertmgr first uses your private key and your certificate containing your public key to validate that they work together.
Next it takes your certificate and the fullchain (chain) and walks it to verify that it all works and those trust entities are who they say they are. If it does you can then install it to zimbra.

That is all that is happening for certificates.

Now... if I am guessing on this:
kdmiller45 wrote: 559fedd8569c4f47.crt
559fedd8569c4f47.pem
gd+bundle-g2-g1.crt
I would say the 559fedd8569c4f47.pem is your key, gd+bundle-g2-g1.crt is your chain (aka fullchain in acme.sh speak), and 559fedd8569c4f47.crt is your certificate for your domain.

So if I wanted to do this... I might do the following.

1) paste gd+bundle-g2-g1.crt in the box 'Generate the correct chain' at https://whatsmychaincert.com and select 'include the root certificate'. It will give you a fullchain file that you can use with zmcertmgr. Let's call this file: fullchain.cer for this example.

Next do this (with all the files in /tmp):

Code:

# su - zimbra
% cd /tmp
% zmcertmgr verifycrt comm 559fedd8569c4f47.pem 559fedd8569c4f47.crt fullchain.cer

If that worked, then install it:

Code:

# su - zimbra
% cd /tmp
% zmcertmgr deploycrt comm 559fedd8569c4f47.crt fullchain.cer
% zmcontrol restart

Hopefully someone has better instructions, but that is how I would approach the problem to get it installed if other advice isn't forthcoming.

HTH,

Jim
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: New GoDaddy SSL cert Install

Post by kdmiller45 »

I did mention in the original message that I tried to use Let's Encrypt. Do I need to remove those keys and anything to do with Let's Encrypt first? It seems I do, but I am not sure how to do that.

Keith
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: New GoDaddy SSL cert Install

Post by JDunphy »

kdmiller45 wrote: I did mention in the original message that I tried to use Let's Encrypt. Do I need to remove those keys and anything to do with Let's Encrypt first? It seems I do, but I am not sure how to do that.

Keith
Nope... zmcertmgr will do the correct thing here. I change CAs all the time without issue. Just remember about permissions, as you will be using the zimbra user to verify and install it. Some admins unzip the files as themselves and run into problems later when zimbra can't read them when running zmcertmgr. If you copy your files to /tmp and make sure zimbra has read permission (i.e. cat or more the files), you can avoid that issue.

If you are curious where zimbra puts your files after running zmcertmgr deploycrt, I have their locations listed under Notes.

https://wiki.zimbra.com/wiki/JDunphy-Letsencrypt#Notes

I run a tripwire (aide) on my mail server and these are the files that changed under /opt/zimbra after running zmcertmgr deploycrt.

Arrhhh, I just realized from looking at where the files are installed, that I didn't have you copy your key to commercial.key just prior to the zmcertmgr deploycrt. I should have said this provided my guesses are correct of what you have from your godaddy unzip.

Code:

# su - zimbra
% cd /tmp
% cp 559fedd8569c4f47.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
% zmcertmgr deploycrt comm 559fedd8569c4f47.crt fullchain.cer
% zmcontrol restart

Jim
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: New GoDaddy SSL cert Install

Post by kdmiller45 »

Still having issues; here is what it looks like:

zimbra@justourmail:/tmp$ cp 559fedd8569c4f47.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite '/opt/zimbra/ssl/zimbra/commercial/commercial.key'? y
zimbra@justourmail:/tmp$ zmcertmgr deploycrt comm 559fedd8569c4f47.crt fullchain.cer
** Verifying '559fedd8569c4f47.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
unable to load Private Key
140168772985984:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
ERROR: Certificate '559fedd8569c4f47.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' do not match.
zimbra@justourmail:/tmp$

Where is the private key obtained?

Very ignorant of this process

Keith
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: New GoDaddy SSL cert Install

Post by JDunphy »

Hi Keith,

I was hoping someone that installs and uses godaddy with zimbra might offer some guidance. If you want to do letsencrypt, I am familiar with acme.sh with the zimbra.sh deploy script and only 2 command lines to execute to get a working certificate for zimbra installed. So simple you don't need a script to do this and any future renewal is handled automatically. Otherwise, here is how I would approach solving your godaddy certificate installation.

First we have to build up your background:

1) you generated both a public and private key - either through the zimbra admin interface, from the command line, or via godaddy
2) you provided a CSR (certificate signing request) for your certificate to godaddy (which included this public key), and they signed it and then provided you with a bundle of files to install. Zimbra uses nginx so that would be a good server to specify if they ask.
3) because others trust godaddy's certificate (it is installed in their browser by default), they now trust your certificate. This trust is just a file (sometimes called a trust store), and browsers have a list of certificates they trust from CAs (Certificate Authorities), as do programs you can run from the command line like keytool or openssl.

So the game is:

You need to get someone that is already trusted to sign the certificate that you generated yourself. Previously (like 20+ years ago), getting a certificate was fairly complicated. You would generate a CSR, perhaps fax in a letter on company letterhead and answer a few questions. If you checked out, they would sign your certificate and give you back a list of files for you to install (probably taking 2-3 days to complete given this back and forth). Letsencrypt made this a lot easier and changed the process so admins can automate this themselves. If you can prove that you control your domain (meaning you can add a special record, run a daemon on a particular port, etc. on demand), then they believe you and will sign your request. That means the entire process can be done in just a few seconds and controlled entirely by you. They offer different verification methods (DNS, TLS, stand-alone, etc.) and different scripts were developed by the internet community to make generating your certificates painless and simple. certbot and acme.sh are examples of these types of programs, where acme.sh also handles other CAs, so not just the free Letsencrypt certificates these days. Because everything can be done by a single script you run on your server, understanding CSRs, public and private keys is hidden from you with letsencrypt, and probably also if you do everything from a browser, I am guessing, with godaddy or the zimbra admin interface.

Now back to godaddy.

If you don't remember step 1 then perhaps you did it all from godaddy. That means you would have used your zmhostname and any other hostnames that your zimbra server runs as. Generally, zimbra admins would generate a CSR (certificate signing request) from the admin interface and then send that to godaddy to sign, but you have not explained how you did it in this thread. Godaddy should give you a zip, tar, or other archive of your signed certificate, chain of trust, and perhaps your private key if they generated your initial public and private key. If zimbra generated the CSR from the admin interface (gui) then it already has your private key. I would hope that zimbra's admin interface would take this signed certificate from godaddy and install it for you. That means you don't have to know the commands. Behind the scenes, that admin interface that you are using with your browser is using these commands you have read in these forums when you tried to verify and install your certificate.

You can help yourself by looking at the files they provided you. Look for lines like "CERTIFICATE" vs "PRIVATE KEY" vs "CERTIFICATE REQUEST"... that can help you identify what the files are. Until you explain how the CSR was generated, there is going to be a lot of guessing as to who has the private key and whether you even have to know about that concept. ;-)

Now... letsencrypt. It exists because the process is complicated and admins quickly forget how to install new certs each year. Letsencrypt introduced the acme protocol, which allowed this to be transparent and done automatically going forward. It isn't less secure than other certificates or less convenient because you are doing it every 60-90 days. One of the big concerns with PKI (public key infrastructure) is that any trusted Certificate Authority could issue certificates on your behalf without you knowing it. As a result, we are discovering that having our certificates around for shorter time frames is a better solution as compromised Certificate Authorities are removed from trust stores (your browsers, etc). Most of the major browsers will now only accept certificates that are 1 year or less as a result, and that will probably continue to get shorter with time. Given current security problems, we have already seen CAs being removed from trust stores by major browsers after some of their cross-signed partner CAs were repeatedly compromised.

If you want to learn about certificates and why/what/etc they are, I wrote a little primer recently for background and also have a fairly detailed howto wiki article about using acme.sh and letsencrypt for zimbra:

Ref: https://wiki.zimbra.com/wiki/JDunphy-LeChains

SSL certs for zimbra are simple once you understand the steps and have done it once. Until that happens it can seem difficult for even experienced admins from what I have read on these forums. I still remember installing my first stronghold certificate back in the late 90's. It's not because it was easy... it's because I spent hundreds of dollars and struggled to install it correctly. Every year, I repeated that pattern of how did I install this again and what do I have to do for that CSR. Unfortunately, there is no teacher like pain. ;-)


HTH,

Jim
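To make the key/CSR/signing sequence in this post concrete, here is an added example (mine, not from the thread and not Zimbra's own code) that builds a throwaway private key, CSR and stand-in CA with openssl, then performs the two checks zmcertmgr verifycrt is described as doing earlier in the thread: first that the private key belongs to the certificate (the public key derived from the key must equal the one embedded in the certificate), then that the chain walks from the server certificate up to a trusted root. Everything under $WORK, the CA name "Example Test CA" and the hostname mail.example.com are constructed for the example; the mismatch and "not a key at all" cases reproduce the two failure modes behind the "do not match" / "Expecting: ANY PRIVATE KEY" output Keith posted.

```shell
#!/bin/sh
# Added example (not from the thread, not Zimbra's code): the two checks
# zmcertmgr verifycrt performs, done directly with openssl on a throwaway
# key / CSR / CA generated here. Nothing under $WORK is a real credential.
set -eu

WORK=$(mktemp -d)

# Step 1 ("background" in the post): a private key and a CSR carrying its public key.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1

# Step 2: a party the client trusts signs the CSR. Here that party is a
# throwaway self-signed CA standing in for GoDaddy or Let's Encrypt.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" >/dev/null 2>&1

# The full chain: the server certificate followed by everything above it.
cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/fullchain.pem"

# A second key that was never part of this CSR, to reproduce the
# "Certificate ... and private key ... do not match" situation.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1

# Check 1: does the private key belong to the certificate?
# Prints match | mismatch | unreadable-key | unreadable-cert.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) \
        || { echo unreadable-key; return 1; }      # file is not a private key at all
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) \
        || { echo unreadable-cert; return 1; }
    if [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; return 1; fi
}

# Check 2: does the chain walk from the server cert up to a trusted root?
# Same call zmcertmgr ends with: openssl verify against the full chain.
chain_verifies() {
    if openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo chain-ok
    else
        echo chain-broken; return 1
    fi
}

echo "server.key vs server.crt: $(key_matches_cert "$WORK/server.key" "$WORK/server.crt")"
echo "other.key  vs server.crt: $(key_matches_cert "$WORK/other.key" "$WORK/server.crt")"
echo "server.crt used as key:   $(key_matches_cert "$WORK/server.crt" "$WORK/server.crt")"
echo "server.crt + fullchain:   $(chain_verifies "$WORK/server.crt" "$WORK/fullchain.pem")"
```

Run against real files, the first check failing with "unreadable-key" is the same condition as the "no start line ... Expecting: ANY PRIVATE KEY" message in the thread: the file being copied to commercial.key is not a private key, so the right move is to find the key that was generated alongside the CSR rather than to retry the deploy.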
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: New GoDaddy SSL cert Install

Post by L. Mark Stone »

GoDaddy certs are easy to install. The numbered cert file is your server cert (commercial.crt in the wiki) and the bundle file is the intermediate and root certs all in the correct order (commercial_ca.crt or chain.crt in the docs).

Your error says that the private key doesn't match. Each time you generate a CSR with zmcertmgr Zimbra rotates the ~/ssl/zimbra directory. I'd look in an older directory to try to find the matching commercial.key file (private key).

If you used openssl to generate the CSR, your private key will be wherever you did the CSR generation.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
kdmiller45
Advanced member
Posts: 59
Joined: Sun Jan 19, 2020 11:08 pm

Re: New GoDaddy SSL cert Install

Post by kdmiller45 »

I thought I would go back to Let's Encrypt for free. Here is what I have going. I run the following command as zimbra:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/socm/chain.pem

and get this error:

** Verifying '/etc/letsencrypt/live/justourmail.com/cert.pem' against '/opt/zimb
ERROR: Can't read file '/etc/letsencrypt/live/justourmail.com/cert.pem'

Here are the contents of the path:

/etc/letsencrypt/live/justourmail.com# ls
README cert.pem chain.pem fullchain.pem privkey.pem

Permissions of the file:

lrwxrwxrwx 1 root root 39 Nov 30 23:27 cert.pem

Permissions for folders:
drwxr-xr-x 109 root root 4096 Nov 30 23:13 etc
drwxr-xr-x 9 root root 4096 Dec 2 04:40 letsencrypt
drwxrwxrwx 3 root root 4096 Nov 30 23:25 live
drwxrwxrwx 2 root root 4096 Dec 1 00:11 justourmail.com
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: New GoDaddy SSL cert Install

Post by JDunphy »

kdmiller45 wrote: /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/socm/chain.pem
and get this error ** Verifying '/etc/letsencrypt/live/justourmail.com/cert.pem' against '/opt/zimb
ERROR: Can't read file '/etc/letsencrypt/live/justourmail.com/cert.pem'
here is the contents of the path :/etc/letsencrypt/live/justourmail.com# ls
README cert.pem chain.pem fullchain.pem privkey.pem
permissions of the file lrwxrwxrwx 1 root root 39 Nov 30 23:27 cert.pem
The zmcertmgr syntax you show above is incorrect as it is missing arguments. Provided all your certificate files are in /tmp, the correct usage is:

Code:

# su - zimbra
% cd /tmp
% /opt/zimbra/bin/zmcertmgr verifycrt comm mail.example.com.key mail.example.com.cer fullchain.cer

The certificate arguments to zmcertmgr are:
private_key, then your_certificate which contains your public key and finally the full-chain containing all the certificates including your certificate again and the others that signed your certificate.

So it is validating your signed certificate and walking that signing tree of your certificate. The first argument is your private key and is provided so they can verify that what you sign can be decoded by your public key. We keep the private key and never give that out, but your public key is available in your certificate and used by clients (meaning browsers, openssl from the command line, zmcertmgr, etc). So that one command is doing a few verifications all at once.

If you do something like this from looking at where I think your files are located:

Code:

# su - zimbra
% cd /etc/letsencrypt/live/justourmail.com
% grep BEGIN *
full_chain.cer:-----BEGIN CERTIFICATE-----
full_chain.cer:-----BEGIN CERTIFICATE-----
full_chain.cer:-----BEGIN CERTIFICATE-----
example.com.cer:-----BEGIN CERTIFICATE-----
example.com.csr:-----BEGIN CERTIFICATE REQUEST-----
example.com.key:-----BEGIN RSA PRIVATE KEY-----

It should tell you what these files are to help you identify them - many times the name tells you also. If you get a permission problem with that grep, you need to resolve that since zmcertmgr is running as the zimbra user. So in the above example, we want example.com.key, example.com.cer and full_chain.cer.

Note: zmcertmgr is using openssl to do the actual work and verification so you can do this by hand to see the results and take a closer look of how your certificate was signed.

Code:

# su - zimbra
% cd /etc/letsencrypt/live/justourmail.com
% openssl verify -show_chain -purpose sslserver -CAfile full-chain.cer mail.example.com.cer
mail.example.com.cer: OK
Chain:
depth=0: CN = mail.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1

If you leave off the -show_chain, that is the last check that zmcertmgr is doing when you provide the verifycrt argument. The other argument, comm, just means it's a commercial certificate (free or paid for).

BTW, I don't use the letsencrypt client you are attempting to use for your letsencrypt certificate but given what you have shown, that is how I would approach resolution to see what the next steps are going to be. It really doesn't matter the client you pick. The same general zimbra install process applies to all certificates (purchased or free). So use that grep BEGIN trick when you are not sure what the files are.

The first step, however, and the one you ran into with your godaddy certificate, is that you need to gather up those 3 files you provide as arguments to zmcertmgr. If they are all in the same directory then great; but if they are not then make sure you provide full pathnames, or copy them to a place where you can use relative pathnames. Don't forget that the zimbra user needs to read and access them. Hopefully with this background you should be able to validate any certificate signed by godaddy, letsencrypt, or any others. You can't hurt your system while you are attempting to validate your certificate. Do that as often as it takes. After that, it's fairly straightforward to deploy a certificate that validated with zmcertmgr, and there are lots of examples of how to do this.

Jim
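Putting the "grep BEGIN" trick from this post (and the BEGIN/END comparison of certificate versus chain file earlier in the thread) into a reusable form: the following added example is mine, not code from the thread or from Zimbra. It classifies each file in a directory by its PEM headers alone, telling a private key, a CSR, a single certificate and a multi-certificate chain apart, and checks whether a chain file actually contains the server certificate, which is what the full chain handed to zmcertmgr is expected to hold. The sample files and their names (server.key, server.csr, server.crt, bundle.crt, fullchain.crt) are constructed with placeholder bodies and are not real keys or certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: the "grep BEGIN" trick
# as a small sorter for the files a CA hands you. The sample files created under
# $SAMPLE are constructed with placeholder bodies; none of them is a real key or cert.
set -eu

# Classify a PEM file by its BEGIN lines only:
#   private-key | csr | certificate | chain:<count> | unknown | unreadable
pem_kind() {
    [ -r "$1" ] || { echo unreadable; return 1; }   # the permission problem from the thread
    keys=$(grep -c -E '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----$' "$1" || true)
    csrs=$(grep -c -x -e '-----BEGIN CERTIFICATE REQUEST-----' "$1" || true)
    certs=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    if   [ "$keys" -gt 0 ]; then echo private-key
    elif [ "$csrs" -gt 0 ]; then echo csr
    elif [ "$certs" -eq 1 ]; then echo certificate
    elif [ "$certs" -gt 1 ]; then echo "chain:$certs"
    else echo unknown
    fi
}

# Does the chain file include the server certificate itself? zmcertmgr is given
# the full chain, i.e. your certificate followed by the intermediates and the root.
chain_contains() {
    leaf=$(cat "$1")
    chain=$(cat "$2")
    case "$chain" in
        *"$leaf"*) echo yes ;;
        *)         echo no; return 1 ;;
    esac
}

# Write one PEM block with a placeholder body (constructed, not real material).
pem_block() {
    printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"
}

SAMPLE=$(mktemp -d)
pem_block 'PRIVATE KEY'         'PLACEHOLDER-KEY'  > "$SAMPLE/server.key"
pem_block 'CERTIFICATE REQUEST' 'PLACEHOLDER-CSR'  > "$SAMPLE/server.csr"
pem_block 'CERTIFICATE'         'PLACEHOLDER-LEAF' > "$SAMPLE/server.crt"
# intermediates-only bundle, the shape of a CA "bundle" file without the server cert
{ pem_block CERTIFICATE PLACEHOLDER-INTERMEDIATE
  pem_block CERTIFICATE PLACEHOLDER-ROOT; } > "$SAMPLE/bundle.crt"
# full chain: the server certificate first, then the bundle
cat "$SAMPLE/server.crt" "$SAMPLE/bundle.crt" > "$SAMPLE/fullchain.crt"

for f in "$SAMPLE"/*; do
    printf '%-14s %s\n' "$(basename "$f")" "$(pem_kind "$f")"
done
echo "fullchain.crt contains server.crt: $(chain_contains "$SAMPLE/server.crt" "$SAMPLE/fullchain.crt")"
echo "bundle.crt contains server.crt:    $(chain_contains "$SAMPLE/server.crt" "$SAMPLE/bundle.crt")"
```

Run it as the zimbra user (su - zimbra) against the real directory: an "unreadable" result is the permission problem described above, and a chain that reports "no" for the server certificate is an intermediates-only bundle of the kind Mark describes, as opposed to the full chain Jim's zmcertmgr commands assume.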