SSL Problem - No common encryption algorithm
-
- Posts: 13
- Joined: Fri Sep 12, 2014 10:00 pm
SSL Problem - No common encryption algorithm
I've been unsuccessfully trying to get a real SSL certificate to work with Zimbra and decided to go back to a self-signed certificate set, however I've apparently broken something so that even the self-signed cert will no longer work.
zmcreatecert
zmcertinstall mailbox
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
zmtlsctl mixed
tomcat restart
These commands complete without error and show what I would expect them to show. I tried deleting the tomcat keystore file and letting it be recreated.
Firefox displays the following message when trying to connect to port 7071. "Firefox and xxx.xxx.com cannot communicate securely because they have no common encryption algorithms."
Ideas?
SSL Problem - No common encryption algorithm
Try recreating the CA before the cert creation and install:
zmcreateca
Out of curiosity, what happened with the commercial cert install?
-
- Posts: 13
- Joined: Fri Sep 12, 2014 10:00 pm
SSL Problem - No common encryption algorithm
Still doesn't work. zmcreateca creates a ca and puts it in '/opt/zimbra/ssl/ssl/ca/ca.key'. zmcreatecert fails the first time after running zmcreateca, but it seems to run without errors if I immediately run it again.
Here's what happens when I run zmcreatecert the first time.
[zimbra@z1 ~]$ zmcreatecert
expr: non-numeric argument
/opt/zimbra/bin/zmcreatecert: line 58: [: -lt: unary operator expected
** Importing CA
keytool error: java.lang.Exception: Certificate not imported, alias already exists
** Creating keystore
** Creating server cert request
Generating a 1024 bit RSA private key
...................++++++
........++++++
writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
-----
** Signing cert request
Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
unable to load number from /opt/zimbra/ssl/ssl/ca/ca.srl
error while loading serial number
4182:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=z1.sfo2.smrn.com
Getting CA Private Key
unable to load serial number from /opt/zimbra/ssl/ssl/ca/ca.srl
4183:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
I got similar results when trying to install the real certificate.
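The first-run output in the post above prints "Signature ok" even though openssl could not read the CA serial file. The following is an added example, not part of the original thread: a pre-flight check of the serial file plus a scan of the tool output for failure lines. The function names are hypothetical, and the serial-file format (one line with an even number of hex digits, as used by openssl's -CAserial option) is stated as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Classify a CA serial file. Assumption: one line holding an even number of
# hex digits, the format openssl's -CAserial option reads and writes.
# Prints: ok | missing | empty | not-hex | odd-length
check_serial_file() {
    [ -f "$1" ] || { echo missing; return 0; }
    serial=$(head -n 1 "$1" | tr -d '\r')
    [ -n "$serial" ] || { echo empty; return 0; }
    case "$serial" in
        *[!0-9A-Fa-f]*) echo not-hex; return 0 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || { echo odd-length; return 0; }
    echo ok
}

# Count output lines (stdin) that report a failure, so a run that ends with
# "Signature ok" is not mistaken for a clean one.
count_failures() {
    grep -c -E 'unable to load|error while loading|keytool error:|:error:' || true
}

# Sample input: lines copied from the zmcreatecert output quoted in the post.
sample_output() {
    cat <<'EOF'
** Signing cert request
unable to load number from /opt/zimbra/ssl/ssl/ca/ca.srl
error while loading serial number
4182:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Signature ok
keytool error: java.lang.Exception: Certificate not imported, alias already exists
EOF
}

# Demo on a constructed empty serial file in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/ca.srl"
echo "ca.srl state: $(check_serial_file "$demo_dir/ca.srl")"
echo "failure lines in sample: $(sample_output | count_failures)"
rm -rf "$demo_dir"
```

On a real host the check would be pointed at /opt/zimbra/ssl/ssl/ca/ca.srl after zmcreateca and before zmcreatecert, and the scan fed the captured output of zmcreatecert.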
SSL Problem - No common encryption algorithm
Ok, let's clean up the certs and start again:
as root:
rm -rf /opt/zimbra/ssl
mkdir /opt/zimbra/ssl
chown zimbra:zimbra /opt/zimbra/ssl
su - zimbra
(all one line here: )
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
(again, all one line: )
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
zmcreateca
zmcreatecert
zmcertinstall mailbox
zmcertinstall mta ...
SSL Problem - No common encryption algorithm
[quote user="Daryl Jones"]I've been unsuccessfully trying to get a real SSL certificate to work with Zimbra and decided to go back to a self-signed certificate set, however I've apparently broken something so that even the self-signed cert will no longer work.
....
Ideas?[/QUOTE]
I have a real cert successfully set up from instantSSL. I just edited the main.cf file in postfix. There are 2 lines that point to your ssl files. That doesn't make the cert work with webmail over https (which I'm not using) and the zimbra admin still gets a warning (which I can live with), but pop clients won't see any issues that way.
-
- Posts: 13
- Joined: Fri Sep 12, 2014 10:00 pm
SSL Problem - No common encryption algorithm
Thanks for the info on deleting the items from the keystore. I will try this on my test machine later today.
How do I deal with an intermediate certificate when using zmcertinstall?
Thanks for the tip on manually configuring postfix main.cf. I came to the same conclusion and was able to successfully make postfix smtpd work with the real certificate by doing what you suggested. Unfortunately, this doesn't address the problem with POP3 or IMAP since postfix doesn't handle these services.
SSL Problem - No common encryption algorithm
For intermediate certs, you'll have to install them by hand:
su - zimbra
keytool -import -alias <alias> -trustcacerts -file <file> -storepass zimbra
-
- Posts: 5
- Joined: Fri Sep 12, 2014 10:03 pm
SSL Problem - No common encryption algorithm
su - zimbra
(all one line here: )
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
(again, all one line: )
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
zmcreateca
zmcreatecert
zmcertinstall mailbox
zmcertinstall mta ...[/QUOTE]
I have this same issue and as I am following these instructions it asks for a password. Did this happen during install?
Thank You,
Michael
SSL Problem - No common encryption algorithm
At what point does it ask for a password? As which user are you running the commands? Which build are you running?
-
- Posts: 5
- Joined: Fri Sep 12, 2014 10:03 pm
SSL Problem - No common encryption algorithm
[quote user="marcmac"]At what point does it ask for a password? As which user are you running the commands? Which build are you running?[/QUOTE]
I am Running M3_436
as Zimbra user I get:
keytool -delete -alias my_ca -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
Enter keystore password:
I get the same for the next command:
[root@mail ~]# su zimbra
[zimbra@mail root]$ keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -keypass zimbra
Enter keystore password: