Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0 (Zimbra :: Tech Center; revision by Qubit, 2007-05-29, edit summary: "Install the server certificate files (as zimbra)"; https://wiki.zimbra.com/index.php?title=Recreating_a_Self-Signed_SSL_Certificate_in_ZCS_4.5_%26_5.0&diff=5162)
<hr />
<div>== Self Signed Certificate Instructions ==<br />
<br />
''If you're working with a commercial certificate, do *NOT* use this page - go [[Commercial Certificates|here]] instead''<br />
<br />
* To clean up the SSL certificates and create a new self-signed cert, follow the steps below.<br />
<br />
=== Why recreate my certificates ===<br />
<br />
If you're seeing an error like this when you run zmprov:<br />
<br />
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 08 00:38:45 EDT 2006<br />
ERROR: zclient.IO_ERROR (invoke java.security.cert.CertificateException: Untrusted Server Certificate Chain, server: localhost) <br />
(cause: javax.net.ssl.SSLHandshakeException java.security.cert.CertificateException: Untrusted Server Certificate Chain)<br />
<br />
your certs have expired and need to be recreated.<br />
<br />
===Back up existing certificates===<br />
<br />
* This backs up the default certificates created by zmcreateca and zmcreatecert:<br />
tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/<br />
<br />
* This backs up the server's working certificate files:<br />
cd /opt/zimbra/<br />
tar cf /tmp/zimbra-certs.tar conf/ca/ conf/*.crt conf/*.key conf/*.pem tomcat/conf/keystore java/jre/lib/security/cacerts<br />
<br />
===Delete and re-create SSL Directory (as root)===<br />
su -<br />
rm -rf /opt/zimbra/ssl<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
<br />
===Give the zimbra user write access to the cacerts keystore===<br />
* On Linux, the Java cacerts file is part of the ZCS installation.<br />
chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts<br />
chmod 644 /opt/zimbra/java/jre/lib/security/cacerts<br />
* On Mac OS X, the Java cacerts file is part of the system's Java installation. Either run the "keytool -delete ..." command in the next section as root, or give write access to the zimbra user.<br />
chown zimbra:zimbra /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
chmod u+w /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts<br />
<br />
===Remove the self-signed root certificate from the cacerts keystore (as zimbra)===<br />
* Mac OS X<br />
keytool -delete -alias my_ca -keystore /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts -storepass changeit<br />
* Linux<br />
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit<br />
<br />
===Delete the server cert from the tomcat keystore (as zimbra)===<br />
su - zimbra<br />
keytool -delete -alias tomcat -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra<br />
<br />
===Perform optional configuration===<br />
* If you want to change the duration of the certificate from the default (365 days), modify the "default_days" entry in the file /opt/zimbra/conf/zmssl.cnf.in<br />
<br />
''Workaround: zmssl.cnf.in default_days is ignored. Currently you will need to edit zmcreateca and zmcreatecert:'' Bug is http://bugzilla.zimbra.com/show_bug.cgi?id=12228<br />
<br />
* If you want the common name in the CA certificate to be your hostname rather than 'Zimbra Collaboration Suite' (e.g. because you have several Zimbra servers), edit zmssl.cnf.in as follows. Please note: I probably have unnecessary steps in this section, but this is what I did to get it working for me.<br />
vi /opt/zimbra/conf/zmssl.cnf.in<br />
[change section to appear as below]<br />
0.organizationName = Zimbra<br />
0.organizationName_default = Zimbra<br />
# we can do this but it is not needed normally :-)<br />
#1.organizationName = Second Organization Name (eg, company)<br />
#1.organizationName_default = World Wide Web Pty Ltd<br />
organizationalUnitName = Zimbra<br />
organizationalUnitName_default = Zimbra<br />
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
commonName_max = 64<br />
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work><br />
<br />
===Create the CA certificate (as zimbra)===<br />
zmcreateca<br />
<br />
* (OPTIONAL) If you did the optional step above to make the CA's CN the hostname, the output should look like the following:<br />
...<br />
Signature ok<br />
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname><br />
Getting Private key<br />
unable to write 'random state'<br />
<br />
===Install server ca files===<br />
* After creating the CA, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):<br />
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key<br />
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem<br />
<br />
===Create the server certificate (as zimbra)===<br />
zmcreatecert<br />
<br />
If you wish to have several names on the certificate, supply them as arguments:<br />
<br />
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com<br />
<br />
===Install the server certificate files (as zimbra)===<br />
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt<br />
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key<br />
<br />
* I don't know what the CA cert stored in LDAP is used for, or if it is used at all, but it is *not* updated by the above steps. To update the CA cert (as zimbra):<br />
cat /opt/zimbra/ssl/ssl/ca/ca.key<br />
zmprov -l mcf zimbraCertAuthorityKeySelfSigned "-----BEGIN RSA PRIVATE KEY-----<br />
[paste the contents of ca.key from above - I needed to construct this whole command in a text editor then paste into the CLI]<br />
-----END RSA PRIVATE KEY-----"<br />
<br />
''zmprov -l mcf zimbraCertAuthorityKeySelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.key`"''<br />
<br />
cat /opt/zimbra/ssl/ssl/ca/ca.pem<br />
zmprov -l mcf zimbraCertAuthorityCertSelfSigned "-----BEGIN TRUSTED CERTIFICATE-----<br />
[paste the contents of ca.pem from above - I needed to construct this whole command in a text editor then paste into the CLI]<br />
-----END TRUSTED CERTIFICATE-----"<br />
<br />
''zmprov -l mcf zimbraCertAuthorityCertSelfSigned "`cat /opt/zimbra/ssl/ssl/ca/ca.pem`"''<br />
<br />
* You can now see your updated certs in LDAP and compare them to the contents of /opt/zimbra/ssl/ssl/ca (as zimbra):<br />
zmprov -l gcf zimbraCertAuthorityKeySelfSigned <br />
zmprov -l gcf zimbraCertAuthorityCertSelfSigned<br />
<br />
===Restart zimbra services===<br />
* It may be necessary to restart the Zimbra servers for the changes to take effect (as zimbra).<br />
zmcontrol stop<br />
zmcontrol start<br />
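<br />
A post-recreation check, added here as an example and not part of the Zimbra wiki page or of ZCS itself: it parses the expiry date of the new tomcat.crt (an expired one is what produces the CertificateExpiredException quoted at the top), verifies that the server cert chains to the new ca.pem, and compares ca.pem with the copy stored in LDAP. It assumes the /opt/zimbra/ssl/ssl paths used on this page, openssl and zmprov on PATH, and that `zmprov -l gcf` prints the attribute as `name: value`.<br />
<br />
```python
"""Checks to run (as zimbra) after recreating the self-signed certs. Added
example, not part of the Zimbra wiki or ZCS; assumes the page's paths and
that openssl/zmprov are on PATH when main() runs."""
import re
import subprocess
from datetime import datetime, timezone

CA_PEM = "/opt/zimbra/ssl/ssl/ca/ca.pem"
SERVER_CRT = "/opt/zimbra/ssl/ssl/server/tomcat.crt"

def parse_enddate(enddate_line):
    """Parse 'notAfter=Oct  8 04:38:45 2006 GMT' from `openssl x509 -noout -enddate`."""
    m = re.match(r"notAfter=(.+)$", enddate_line.strip())
    if not m:
        raise ValueError("not an openssl -enddate line: %r" % enddate_line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_remaining(enddate_line, now=None):
    """Days until expiry; negative means already expired, which is what
    produces the CertificateExpiredException quoted above."""
    now = now or datetime.now(timezone.utc)
    return (parse_enddate(enddate_line) - now).days

def pem_body(text):
    """Base64 body only (no BEGIN/END armour, no whitespace), so ca.pem and
    the copy pasted into LDAP compare equal even if line wrapping differs."""
    return "".join(l.strip() for l in text.splitlines()
                   if l.strip() and not l.strip().startswith("-----"))

def ldap_copy_matches(file_pem, gcf_output, attr="zimbraCertAuthorityCertSelfSigned"):
    """Compare ca.pem with what `zmprov -l gcf <attr>` printed. Assumes the
    'attr: value' layout with the value continuing on the following lines."""
    out = gcf_output.lstrip()
    if not out.startswith(attr + ":"):
        return False
    return pem_body(out[len(attr) + 1:]) == pem_body(file_pem)

def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def main():
    left = days_remaining(run(["openssl", "x509", "-noout", "-enddate", "-in", SERVER_CRT]))
    print("server cert days remaining:", left)
    # tomcat.crt must verify against the freshly created CA, not the old one
    print(run(["openssl", "verify", "-CAfile", CA_PEM, SERVER_CRT]).strip())
    with open(CA_PEM) as f:
        ok = ldap_copy_matches(f.read(), run(["zmprov", "-l", "gcf", "zimbraCertAuthorityCertSelfSigned"]))
    print("LDAP copy of CA cert matches ca.pem:", ok)
    return left > 0 and ok

if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```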
<br />
==Other Possible Issues==<br />
<br />
'''Note about 'unable to write random state':'''<br />
<br />
This is a "harmless" warning that openssl has no random number seed file. The [http://www.openssl.org/support/faq.html#USER1 full] [http://www.openssl.org/support/faq.html#USER2 story] is available from openssl.org.<br />
<br />
'''Permission denied (publickey,gssapi-with-mic)'''<br />
<br />
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/ssh/openssh_3.8.html</div>