SSL Certificate Deployment Issue on Zimbra 8.7

drzoidberg
Posts: 5
Joined: Fri May 13, 2016 12:06 pm

SSL Certificate Deployment Issue on Zimbra 8.7

Post by drzoidberg »

Hi all,

I have an issue with the deployment of an SSL certificate. Does anyone have the same problem? When I use GUI deployment, it says some error about RemoteManager port 22,

so I followed the Single-Node Commercial Certificate recommended steps from https://wiki.zimbra.com/wiki/Administra ... cate_Tools

I have three files: GeoTrust Global CA (ROOT CA) .pem, which I renamed to .crt; IntermediateCA.crt; and ServerCert.crt.
RootCA and Intermediate are merged into one chain file.

Console output:

Verification is OK

Code:

[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK

Issue:

Code:

[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Fixing newlines in '/tmp/commercial.crt'
Can't rename /tmp/commercial.crt to /tmp/commercial.crt.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1225.
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.domain.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.domain.tld...ok
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
unable to load certificates
140604730992320:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:

Something with Jetty (what is it?) or PEM bad end of file. I checked it many times and the file ends are OK.
I also checked for empty lines and merged headings, and it is OK.

-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

Thank you very much for any help,
Dave
Veidit
Posts: 32
Joined: Fri Sep 12, 2014 10:45 pm
Location: Stockholm, Sweden

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by Veidit »

Have you tried to do it as root?
drzoidberg
Posts: 5
Joined: Fri May 13, 2016 12:06 pm

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by drzoidberg »

Veidit wrote: Have you tried to do it as root?

Code:

[root@mail tmp]# /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
zmcertmgr: ERROR: no longer runs as root!
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by L. Mark Stone »

Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

You may want, as the root user and before trying again to deploy the certs, to run:

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

Then try deploying again.

Keep us posted!

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
drzoidberg
Posts: 5
Joined: Fri May 13, 2016 12:06 pm

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by drzoidberg »

L. Mark Stone wrote: Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

Solved that! Amazing!
What a newbie mistake..., thank you very much for help.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by L. Mark Stone »

drzoidberg wrote:
L. Mark Stone wrote: Looks like the zimbra user account doesn't have sufficient permissions over the crt files in /tmp.

Code:

chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt

Solved that! Amazing!
What a newbie mistake..., thank you very much for help.

Lucky guess, but glad it worked for you!

:roll:

All the best,
Mark
dmcentire-zimbra
Posts: 1
Joined: Sat Apr 02, 2022 5:48 pm

Re: SSL Certificate Deployment Issue on Zimbra 8.7

Post by dmcentire-zimbra »

Hi!

I registered on this site just to add this one post.

I ran into this same error with jetty12 and the chown/chmod commands didn't help my situation. Turns out I found another post on a Zimbra forum that stated that this is a common error on newer systems when the certificate file doesn't have a trailing blank line.

So literally, edit the <certificate.crt> and add a <CR> after the -----END CERTIFICATE----- line.

This fixed it for me and I was able to install the new ssl cert.

Dennis
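
A pre-deployment check for the two causes reported in this thread (file ownership in /tmp and a missing final newline), plus related PEM formatting problems (CRLF endings, fused or unbalanced BEGIN/END lines). This is an added example, not code from any poster or from Zimbra; the `pem_lint` function and its finding names are hypothetical, and it also flags the world-writable mode that `chmod 666` leaves on the staged files.

```shell
#!/bin/sh
# Added example (not from the thread): lint PEM files before zmcertmgr deploycrt.
# Prints one "finding: path" line per problem; returns 0 only when clean.
pem_lint() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }

    # zmcertmgr tries to rename the file to .bak ("Fixing newlines"); in a
    # sticky directory such as /tmp only the file's owner (or root) may do that.
    [ -O "$f" ] || { echo "not-owner: $f"; rc=1; }

    # chmod 666 leaves the staged certificate writable by every local user.
    if [ -n "$(find "$f" -prune -perm -002)" ]; then
        echo "world-writable: $f"; rc=1
    fi

    # $(...) strips a trailing newline, so a non-empty result means the
    # last byte is something else: the final newline is missing.
    if [ -s "$f" ] && [ -n "$(tail -c 1 "$f")" ]; then
        echo "no-trailing-newline: $f"; rc=1
    fi

    # Windows (CRLF) line endings.
    if [ "$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')" -gt 0 ]; then
        echo "crlf: $f"; rc=1
    fi

    # A BEGIN/END marker must be alone on its line; a fused
    # "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" is flagged here.
    marker='-----(BEGIN|END) CERTIFICATE-----'
    if tr -d '\r' < "$f" | grep -E -- "$marker" | grep -Eqvx -- "$marker"; then
        echo "bad-boundary: $f"; rc=1
    fi

    # At least one certificate, and every BEGIN has a matching END.
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || { echo "unbalanced: $f"; rc=1; }

    return $rc
}

# Usage: sh pem_lint.sh /path/to/commercial.crt /path/to/ca_chain.crt
for f in "$@"; do pem_lint "$f" || true; done
```

Staging the files in a directory owned by the zimbra user, with mode 640 instead of 666, avoids both the `not-owner` and `world-writable` findings.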