Unable to install Commercial SSL Certificate Zimbra Admin Console

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by fosiul@gmail.com »

Hi
When i am installing Commercial signed certificate from Zimbra Admin Console, its giving me bellow error,

Message: Your certificate was not installed due to the error : system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/869bc9ac-0c4b-4b09-9888-87519a8fe75b/chain_06ff1de5-a13f-4cdb-9576-26757e4be6cf /opt/zimbra/data/tmp/869bc9ac-0c4b-4b09-9888-87519a8fe75b/crt_06ff1de5-a13f-4cdb-9576-26757e4be6cf with {RemoteManager: mail.xxxxx.co.uk->zimbra@mail.xxxxx.co.uk:22} Error code: ZaCertWizard.prototype.installCallback Method: AjxException.UNKNOWN_ERROR Details:system failure: exception executing command: zmcertmgr verifycrtchain /opt/zimbra/data/tmp/869bc9ac-0c4b-4b09-9888-87519a8fe75b/chain_06ff1de5-a13f-4cdb-9576-26757e4be6cf /opt/zimbra/data/tmp/869bc9ac-0c4b-4b09-9888-87519a8fe75b/crt_06ff1de5-a13f-4cdb-9576-26757e4be6cf with {RemoteManager: mail.xxxxx.co.uk->zimbra@mail.xxxxx.co.uk:22}

Do i need to setup a password for Zimbra user ?

Any help will be really appreicate

Thanks
mafiabusiness
Advanced member
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:28 am

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by mafiabusiness »

Hey,

so I had same / similar issue, and the way i resolved it was to

0. log in to thawte and revoke the ssl I had just made
1. open the terminal, ditching zimbra admin
2. create the SSL Request via the terminal
3. upload that to thawte
4. get the ssl from them
5. install, like a motorcycle ride in sunshine in Florida with a nice pillion… ;-)

Miguel
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by fosiul@gmail.com »

mafiabusiness wrote:Hey,

so I had same / similar issue, and the way i resolved it was to

0. log in to thawte and revoke the ssl I had just made
1. open the terminal, ditching zimbra admin
2. create the SSL Request via the terminal
3. upload that to thawte
4. get the ssl from them
5. install, like a motorcycle ride in sunshine in Florida with a nice pillion… ;-)

Miguel
hi There is a probelm
I already signed the CSR with my SSL provider , and I have all the certificate.. if i now follow your instruction i will have to spent another £80 ....

Please help me with my current situation .
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by fosiul@gmail.com »

Ok , if i do this , i see it gives me OK


zimbra@mail:/tmp/key$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/key/commercial.crt /tmp/key/ca_chain.crt
** Verifying '/tmp/key/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/key/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/key/commercial.crt' against '/tmp/key/ca_chain.crt'
Valid certificate chain: /tmp/key/commercial.crt: OK


now I have one question,
now if do bellow, will it replace all SSL certificate with existing self signed certificate ? for all the services ?

opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/key/commercial.crt /tmp/key/ca_chain.crt

Please let me know
Thanks
mafiabusiness
Advanced member
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:28 am

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by mafiabusiness »

Hi pal,

I spoke to Thawte and they were happy to revoke the SSL I had paid for, and generate a new one for me.
I spoke to Thawte support for a long time about this issue I had, and at the end, the problem was this:

1. I generated the CSR using Zimbra GUI.
2. I uploaded that to Thawte.
3. I had nothing but problems installing it.

To resolve that, after hours with Thawte, I:

1. revoked the SSL with Thawte
2. I generated a new CSR using Terminal

[root@mail commercial]# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=country/ST=county/L=city/O=companyname/OU=department /CN=fqdnservername"
** Generating a server csr for download comm -new -keysize 2048 -subject /C=country/ST=county/L=city/O=companyname/OU=department /CN=fqdnservername
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20140807081641
** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
[root@mail commercial]#

3. I uploaded that csr to Thawte
4. they made me a new SSL
5. I downloaded that + their new root.ca + ther indermediate.ca
6. I created a new file called my_ssl.ca, opened it up, and copied and pasted the intermediate.ca and thawtessl.ca there. (one after the other, no returns, no spaces, nothing)
7. Then I ran the verify command you have up there
8. I then ran the deploy command:

(note that the two .crt files are what mine were called, so you need to change them to be what you have them called)

[root@mail thawte]# /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt ca_chain.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@mail thawte]#

The SSL Certificate is now installed, but not active.
Restart Zimbra for the new SSL certificate to be up and active.

Miguel
fosiul@gmail.com
Posts: 21
Joined: Sun Sep 02, 2018 5:03 pm

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by fosiul@gmail.com »

mafiabusiness wrote:Hi pal,


The SSL Certificate is now installed, but not active.
Restart Zimbra for the new SSL certificate to be up and active.

Miguel
Thanks, Miguel, my problem solved,
i am now able to do this from command line,
Thanks
mafiabusiness
Advanced member
Advanced member
Posts: 53
Joined: Sat Sep 13, 2014 3:28 am

Re: Unable to install Commercial SSL Certificate Zimbra Admin Console

Post by mafiabusiness »

whop whop!
lovely news.

now you know.
next time - command line straight away.
forget Zimbra GUI.

Weird that it does not work.

:-(

Miguel
Post Reply