After I started my Zimbra server, I got an alert from it telling me that the CA did not match my domain (the certificate's common name was not my mail host name). This is an example alert:
If you want to create a new CA for your Zimbra server, you can follow these steps. First become root and start from an empty /opt/zimbra/ssl directory:
[aoddy@zimbra ~]# su -
[root@zimbra ~]# rm -rf /opt/zimbra/ssl
[root@zimbra ~]# mkdir /opt/zimbra/ssl
[root@zimbra ~]# chown zimbra:zimbra /opt/zimbra/ssl
Change to the zimbra user and remove the old CA and jetty entries from the Java keystores. If the default keystore password (zimbra) is rejected, as it was below, read the real one from local config with zmlocalconfig and repeat the delete with that password:
[root@zimbra ~]# su - zimbra
[zimbra@uranus ~]$ keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[zimbra@uranus ~]$ keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass zimbra
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
[zimbra@uranus ~]$ zmlocalconfig -s -m nokey mailboxd_keystore_password
cz3vJBeRZ
Edit the defaults in /opt/zimbra/conf/zmssl.cnf.in so they match your organisation and, most importantly, your mail host name:
countryName_default = TH
stateOrProvinceName = Bangkok
localityName = Thailand
0.organizationName = Aoddy
organizationalUnitName = Aoddy
commonName = mail.aoddy.com #(eg, your name or your server's hostname)
commonName_default = mail.aoddy.com
Create the new CA:
[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
Deploy the new CA (this imports it into the Java cacerts store and LDAP):
[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving CA in ldap...done.
** Copying CA to /opt/zimbra/conf/ca...done.
Create a certificate signing request for a self-signed server certificate, using the subject that matches your host name:
[root@uranus ~]# /opt/zimbra/bin/zmcertmgr createcsr self -new '/C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com'
** Generating a server csr for download self -new /C=TH/ST=Bangkok/L=Thailand/O=Aoddy/CN=mail.aoddy.com
subj=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.aoddy.com
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226155943
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
Deploy the new certificate. zmcertmgr signs the request with the new CA and installs the result for mailboxd (jetty keystore), the MTA, slapd and the proxy:
[root@uranus ~]# /opt/zimbra/bin/zmcertmgr deploycrt self -new
** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20080226160014
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.
Check the new certificate; the subject CN should now be your mail host name:
[root@uranus ~]# /opt/zimbra/bin/zmcertmgr viewcsr self
subject=/C=TH/ST=Bangkok/L=Thailand/O=Asterluce/CN=mail.asterluce.com
SubjectAltName=
Perfect !! 😀
After the new certificate is in place, you should also export the CA certificate in DER format so you can import it into your web browser:
cd ssl/
ls
cd zimbra
ls
cd ca/
ls
pwd
openssl x509 -in ca.pem -out ca.der -outform DER
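A post-deployment check for the steps above, added here as an example and not part of the original post: it verifies that the installed server certificate chains to the newly deployed CA and that its CN (or a DNS SAN) names the mail host, which is the mismatch that triggered the original alert. The function names, the default Zimbra paths and the throwaway test CA built by make_test_pair are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a deployed Zimbra
# server certificate chains to the new CA and that its subject CN (or a SAN
# entry) matches the mail host name. Paths default to Zimbra's own locations
# but are passed as arguments, so the check also runs on a scratch CA/cert
# pair built by make_test_pair (constructed throwaway files, test use only).

# Usage: check_zimbra_cert HOSTNAME [SERVER_CRT] [CA_PEM]
# Returns 0 when the cert verifies against the CA and names HOSTNAME.
check_zimbra_cert() {
    host="$1"
    crt="${2:-/opt/zimbra/ssl/zimbra/server/server.crt}"
    ca="${3:-/opt/zimbra/ssl/zimbra/ca/ca.pem}"

    # 1. Chain check: the server cert must be signed by the CA just deployed.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "FAIL: $crt does not verify against $ca" >&2; return 1; }

    # 2. Name check: the CN or any DNS SAN must equal the host name. A mismatch
    #    here is what produced the "CA mismatch" alert described in the post.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # -ext needs OpenSSL 1.1.1+; on older builds sans simply stays empty.
    sans=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    if [ "$cn" = "$host" ] || printf '%s\n' "$sans" | grep -qx "$host"; then
        echo "OK: $crt chains to CA and names $host"; return 0
    fi
    echo "FAIL: cert names CN=$cn SAN=[$sans], expected $host" >&2
    return 1
}

# Build a constructed CA + server cert in DIR for HOST (test fixture only).
make_test_pair() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/server.crt" >/dev/null 2>&1
}
```

On a real server run `check_zimbra_cert mail.example.com` as root after `deploycrt`; a non-zero exit means the keystore and CA are out of step and the alert will return.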
Help me!!!
root@mail:~# /opt/zimbra/bin/zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS…done.
** Saving global config key zimbraCertAuthorityCertSelfSigned…failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned…failed.
** Copying CA to /opt/zimbra/conf/ca…done.
Like TLS init def ctx failed: -1 you can see at http://www.zimbra.com/forums/administrators/23369-huge-problem-after-upgrade-tls-init-def-ctx-failed-1-a.html#post112782
Hello
Thanks for your excellent post. Maybe you can help us?
We use Zimbra 6.0 Open Source Edition on SUSE Linux.
We need to generate a new certificate and we followed your procedure even though it was for 5.0.
Everything seems good but we have the following:
mailbox Stopped
zmmailboxdctl is not running.
and zmprov gives:
[] INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
[] INFO: Retrying request
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
Have you any idea?
Thanks
Best regards