Root CA certificate has expired: Difference between revisions


Latest revision as of 02:30, 2 June 2020

Root CA certificate has expired

KB 24097. Last updated on 2020-06-02





Problem

Servers in the ZCS environment are unable to talk to the LDAP server: the LDAP client cannot validate the server's certificate chain, so the STARTTLS handshake fails (OpenSSL error 14090086 is "certificate verify failed").

The following error is returned when checking the LDAP status:

zmcontrol status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL

OR

ldap status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL

How to verify if the Root CA or any intermediate CA has expired

su - zimbra
cd /opt/zimbra/ssl/zimbra/commercial/
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK

Reading the output: the key and certificate still match, so the private key is not the problem. "error 10" is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED. Depth 3 is the AddTrust External CA Root itself and depth 2 is the USERTrust RSA Certification Authority certificate that was cross-signed by AddTrust; both expired on 30 May 2020, so any chain that still ends in AddTrust fails validation even though the server certificate itself is valid.

Description

1. commercial.key is your private key, used to generate the Certificate Signing Request (CSR).

2. commercial_ca.crt is the certificate chain, created by bundling the intermediate and root CA certificates.

3. commercial.crt is the SSL certificate issued to your server.

Solution

This issue has cropped up because the Sectigo (Comodo) root certificate named AddTrust External CA Root expired on May 30, 2020. Its successor root, the COMODO RSA Certification Authority, is valid until 2038. To fix the issue, download the new root, rebuild the CA chain without the AddTrust certificate and re-deploy the SSL certificate. Make sure the root you download is the self-signed certificate whose subject matches the issuer of your intermediate: if your intermediate was issued by the USERTrust RSA Certification Authority, as in the verifycrt output above, use that self-signed root instead, which is also valid until 2038.

The new COMODO RSA Certification Authority root can be downloaded from the Sectigo (Comodo) support knowledge base: https://support.comodo.com/index.php?/Knowledgebase/Article/View/969/108/root-comodo-rsa-certification-authority-sha-2

Steps to re-deploy the certificates

1. Download and save the root CA (e.g. /tmp/ca.crt).

2. Download any intermediate CAs from your provider to a temporary file (e.g. /tmp/ca_intermediary.crt). Check that this bundle no longer contains the expired cross-signed USERTrust certificate issued by AddTrust; older bundles from the provider did include it.

3. Combine the intermediate and root CAs into a single chain file, intermediate first and root last:

cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt

4. Move the old certificates aside and recreate the directory structure (run these steps as the zimbra user, as above):

mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old
mkdir /opt/zimbra/ssl/zimbra/
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
chmod 750 /opt/zimbra/ssl/zimbra
chmod 750 /opt/zimbra/ssl/zimbra/*

5. Place the issued server certificate at /tmp/commercial.crt. Use the certificate file as issued by your provider: the previously deployed /opt/zimbra/ssl/zimbra.old/commercial/commercial.crt has the old CA chain appended to it (see the "Appending CA chain" line in the deploycrt output below), so if you copy that file, keep only its first certificate block.

6. Verify your commercial certificate against the private key and the new chain.

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
**Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK

Do not continue until this reports OK; deploycrt repeats the same verification before installing anything.

7. Deploy your commercial certificate.

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
**Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Appending CA chain /tmp/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
**Saving server config key zimbraSSLCertificate…done.
**Saving server config key zimbraSSLPrivateKey…done.
**Installing mta certificate and key…done.
**Installing slapd certificate and key…done.
**Installing proxy certificate and key…done.
**Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
**Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
**Installing CA to /opt/zimbra/conf/ca…done.

8. To finish, verify the certificate was deployed, then restart the Zimbra services (zmcontrol restart) so that slapd, the MTA, the proxy and the mailbox store load the new chain.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt
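The verifycrt output in the verification section above, and the chain file assembled in step 3, can both be inspected outside zmcertmgr with the openssl command line. The script below is an added example written for this article; it is not part of the Zimbra KB or of zmcertmgr. It splits a PEM bundle such as commercial_ca.crt or /tmp/ca_chain.crt into its individual certificates, reports each one's expiry with a warning threshold (default 30 days, so an expiring root is caught before it breaks LDAP again), checks that each certificate's issuer is the subject of the next one, and checks that the last certificate is self-signed, which is how a downloaded root that does not match your intermediate, or a bundle that is missing its root, shows up. The function names, the 30-day default and the make_test_chain fixture (a constructed throwaway root and a one-day leaf generated with openssl so the script runs offline; the CN values are made up) are all assumptions of this example.

```shell
#!/bin/sh
# Added example for this article (not Zimbra KB or zmcertmgr code).
# Inspect a PEM bundle: expiry of every certificate and issuer->subject links.
# Assumes the openssl CLI, awk and mktemp are available (standard on a ZCS host).

# Split a PEM bundle into $2/cert-01.pem, cert-02.pem, ... in file order and
# print the number of certificates found.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# Print one line per certificate: STATUS notAfter subject.
# STATUS is EXPIRED, EXPIRING (within $2 seconds, default 30 days) or OK.
# Return 1 if any certificate is expired, 2 if any is only expiring, else 0.
report_chain() {
  bundle="$1"; warn_secs="${2:-2592000}"
  tmpd=$(mktemp -d); rc=0
  n=$(split_pem_bundle "$bundle" "$tmpd")
  i=1
  while [ "$i" -le "$n" ]; do
    f=$(printf '%s/cert-%02d.pem' "$tmpd" "$i")
    not_after=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    subject=$(openssl x509 -in "$f" -noout -subject)
    if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
      status=EXPIRED; rc=1            # what verifycrt reports as "error 10"
    elif ! openssl x509 -in "$f" -noout -checkend "$warn_secs" >/dev/null; then
      status=EXPIRING
      if [ "$rc" -eq 0 ]; then rc=2; fi
    else
      status=OK
    fi
    printf '%-8s notAfter=%s  %s\n' "$status" "$not_after" "$subject"
    i=$((i + 1))
  done
  rm -rf "$tmpd"
  return "$rc"
}

# Check that each certificate's issuer is the subject of the next one (leaf,
# intermediates, root) and that the last certificate is self-signed.
# Print the first problem found; return 1 on a broken chain, else 0.
check_chain_links() {
  bundle="$1"; tmpd=$(mktemp -d); rc=0
  n=$(split_pem_bundle "$bundle" "$tmpd")
  i=1
  while [ "$i" -le "$n" ]; do
    cur=$(printf '%s/cert-%02d.pem' "$tmpd" "$i")
    # strip the "issuer=" / "subject=" prefix so the two fields compare directly
    issuer=$(openssl x509 -in "$cur" -noout -issuer | sed 's/^[a-z]*= *//')
    if [ "$i" -lt "$n" ]; then
      nxt=$(printf '%s/cert-%02d.pem' "$tmpd" "$((i + 1))")
      subject=$(openssl x509 -in "$nxt" -noout -subject | sed 's/^[a-z]*= *//')
      if [ "$issuer" != "$subject" ]; then
        printf 'broken link: cert %d issuer [%s] is not cert %d subject [%s]\n' \
          "$i" "$issuer" "$((i + 1))" "$subject"
        rc=1; break
      fi
    else
      subject=$(openssl x509 -in "$cur" -noout -subject | sed 's/^[a-z]*= *//')
      if [ "$issuer" != "$subject" ]; then
        printf 'last certificate [%s] is not self-signed: the root is missing\n' "$subject"
        rc=1
      fi
    fi
    i=$((i + 1))
  done
  rm -rf "$tmpd"
  return "$rc"
}

# Constructed fixture (an assumption, not a real CA): a throwaway root valid
# for 10 years and a leaf it signs that is valid for only 1 day, so the
# expiry warning has something to report. Writes leaf.pem, root.pem, chain.pem.
make_test_chain() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=Example Test Root' \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/CN=mail.example.test' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; return 1; }
  if [ -n "${1:-}" ]; then
    overall=0
    report_chain "$1" || overall=$?
    check_chain_links "$1" || overall=1
    return "$overall"
  fi
  # No argument: run against the fixture. The leaf expires within 1 day, so
  # with a 7-day threshold it is reported as EXPIRING (status 2).
  d=$(mktemp -d)
  make_test_chain "$d"
  report_chain "$d/chain.pem" 604800 || true
  check_chain_links "$d/chain.pem"
  rm -rf "$d"
}

main "$@"
```

Run it as sh chain-check.sh /tmp/ca_chain.crt (the script name is an assumption) before the verifycrt step; a non-zero exit status means the chain is not worth handing to zmcertmgr yet. With no argument it runs against the constructed fixture, where the leaf is reported as EXPIRING. After the deployment is finished, openssl s_client -connect ldaphost:389 -starttls ldap -CAfile /tmp/ca_chain.crt (OpenSSL 1.1.1 or later; ldaphost is a placeholder) confirms from another node that STARTTLS to the LDAP server now validates end to end.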

A quick fix till the root CA is installed

As a temporary workaround until the certificates are re-deployed, STARTTLS can be disabled on the LDAP servers. Be aware of what this trades away: with STARTTLS off, LDAP traffic between the ZCS servers, including the bind credentials, crosses the network in cleartext on port 389, so only use it on a trusted network, for the shortest possible time, and revert it as soon as the new chain is deployed.

Execute the commands below on the LDAP servers:

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol restart

Once the certificates are re-deployed, enable TLS on the LDAP servers again:

zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1
zmcontrol restart
Submitted by: Samrat Sarkar
Verified Against: ZCS 8.8.x, 9.0
Date Created: 2020-06-01
Article ID: https://wiki.zimbra.com/index.php?title=Root_CA_certificate_has_expired
Date Modified: 2020-06-02


