Certificate errors

Revision as of 05:29, 23 September 2014 by Shanxt

Keystore tampered or unreadable

When starting mailboxd, you see errors like the following:

java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
Starting mailboxd...[] WARN: failed to read keystore file
java.io.IOException: Invalid keystore format
       at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)

The error means the keystore is corrupted. Remove /opt/zimbra/ssl/zimbra/jetty.pkcs12 and /opt/zimbra/mailboxd/etc/keystore, then redeploy the cert (there's usually no need to recreate it; just redeploy it):

/opt/zimbra/bin/zmcertmgr deploycrt self

If simply redeploying doesn't work, recreate the cert as per the instructions in Administration Console and CLI Certificate Tools.


Saving keys failed

On deploying certs:

#   /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.

This is mostly because LDAP is not accessible (is it running?) or because /opt/zimbra/conf/zmlocalconfig.xml isn't readable. Check permissions, connectivity with LDAP, etc.


Verifying comm certs works, deploying doesn't

On deploying commercial certs, 'verify cert' works, but deploying doesn't.

XXXXX ERROR: failed to create jetty.pkcs12
No certificate matches private key

Ensure there's a newline at the end of each cert. If there isn't, the end of one cert and the beginning of the next end up concatenated on the same line, causing this error. If it isn't this, check for other similar formatting errors in the certs, like an extra space at the end of each line, etc.


Keystore not found

java.io.FileNotFoundException: /opt/zimbra/jetty-distribution-9.1.5.v20140505/etc/keystore (No such file or directory)

There's no keystore present. Redeploy the certs and all should be good. Recreate the certs only if redeploying doesn't work.


Extra files in ca dir causing errors

The server's /opt/zimbra/conf/ca directory should contain only 'ca.key ca.pem commercial_ca_1.pem commercial_ca_2.pem commercial_ca.pem'. There shouldn't be any other file in /opt/zimbra/conf/ca: store only the commercial CA and key here. If you need a backup, store it in another directory. We've seen multiple seemingly harmless files in this directory cause problems, particularly with postfix. See also: http://wiki.zimbra.com/wiki/Error_%28MTA%29:_Unable_to_set_STARTTLS


Unable to get issuer certificate

[root@shanx certbundle]#  /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt /tmp/ca_chain.crt
Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key

Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: C = IN, ST = Delhi, L = New Delhi, O = Shashank Intermediate CA One, OU = Intermediate CAs, CN = Shashank Intermediate CA One, emailAddress = stewari@zimbra.com
error 2 at 2 depth lookup:unable to get issuer certificate

An intermediate certificate is missing. Check the chain and ensure all of it is present, one cert after the other, when you do this step:

cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt

'ca_intermediary.crt' should contain ALL the intermediate certs in the correct order: the issuer of one should be the subject of the next one.

Digicert has explained this quite well: https://www.digicert.com/ssl.htm


Certificate is not yet valid

error 9 at 0 depth lookup:certificate is not yet valid

This is probably a timing issue. "Certificate is not yet valid" means the certificate's validity period starts in the future, not now. Check the start date and time of the validity period against the time on the server, the time the certificate was issued, NTP, etc.


Unable to load certificate

Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
140362235303592:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.

zmcertmgr expected a certificate but got something else. Check whether the file is indeed a certificate, its permissions, etc., and whether it is in PEM format. Some CAs give the cert as a .der, some in other formats, etc. You'll have to check what it is and convert it to a properly readable .pem cert. A good explanation of the different formats is here: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
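To catch the formatting faults described here and in the "Verifying comm certs works, deploying doesn't" section before zmcertmgr ever sees the file, here is an added check script (example code, not from this wiki page or from zmcertmgr itself); the file paths and the sample bundle it constructs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page or of zmcertmgr itself.
# Sanity-checks a PEM file for the faults described above (certs glued onto
# one line, trailing whitespace / CRLF, missing final newline, or a file that
# is not PEM at all, e.g. DER) before it is passed to "zmcertmgr verifycrt".
# Prints each fault found; exit 0 = clean, 1 = faulty.

check_pem_file() {
    file="$1"
    rc=0
    # Fault 1: the END marker of one cert and the BEGIN of the next share a
    # line, which is exactly what "cat" produces when a cert lacks its newline.
    if grep -q -- '-----END [A-Z ]*-----.*-----BEGIN' "$file"; then
        echo "$file: END and BEGIN markers on the same line (missing newline between certs)"
        rc=1
    fi
    # Fault 2: trailing spaces, tabs or carriage returns (CRLF) on any line.
    lines=$(grep -n '[[:space:]]$' "$file" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "$file: trailing whitespace or CR on line(s): $lines"
        rc=1
    fi
    # Fault 3: no newline after the last line, so the next cat'd cert gets glued on.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo "$file: no newline at end of file"
        rc=1
    fi
    # Fault 4: BEGIN/END markers missing or unbalanced (DER, wrong file, truncated).
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$file: $begins BEGIN / $ends END CERTIFICATE markers; not a PEM certificate, or truncated"
        rc=1
    fi
    return $rc
}

# Demo on a constructed bundle with two certs glued together and no final
# newline (the base64 bodies are placeholders, not real certificates).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPlaceholder' \
    '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' 'MIICconstructedPlaceholder' > "$demo"
printf '%s' '-----END CERTIFICATE-----' >> "$demo"
check_pem_file "$demo" || echo "fix the bundle before running zmcertmgr verifycrt"
rm -f "$demo"
```

Run it on each cert file before the cat step that builds /tmp/ca_chain.crt, and again on the resulting chain file.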


Can't find private key

** Verifying /tmp/wts.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Can't find private key  /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: provided cert isn't valid.


  1. Check if there's a formatting error in the cert, i.e., newlines, extra spaces at the end of each line, etc.
  2. The key isn't valid. Far too many customers generate a CSR, send it and get a commercial certificate, and then for some reason generate a new CSR again and again. Each time, the old key is backed up in /opt/zimbra/ssl/zimbra.<date>. Check each /opt/zimbra/ssl/zimbra.<date> folder and verify the cert against each key. One of them should work.


Proxy displays old cert

A new certificate has been installed on a proxy server, but logging into the webpage still shows the old one.

  • First do the obvious browser-cache-clearing steps.
  • Check 'nginx.crt'. Sometimes, even after deploying the new cert, it doesn't get copied here; manually copying it should fix it.


Ldap replica sync errors

This happens nearly all the time because the CA of the replica LDAP isn't the same as the CA of the master. To fix this:

  • Run the following on the master LDAP:
    /opt/zimbra/bin/zmcertmgr deploycrt self -allserver
  • If that doesn't work:
    1. Copy the CA from the master to the replica.
    2. Deploy this CA on the replica.
    3. Recreate and redeploy the self-signed cert on the replica.