- 1 SSL Certificate Errors
- 1.1 Keystore tampered or unreadable
- 1.2 Saving keys failed
- 1.3 Verifying comm certs works, deploying doesn't
- 1.4 Keystore not found
- 1.5 Extra files in ca dir causing errors
- 1.6 Unable to get issuer certificate
- 1.7 Certificate is not yet valid
- 1.8 Unable to load certificate
- 1.9 Can't find private key
- 1.10 Proxy displays old cert
- 1.11 Ldap replica sync errors
SSL Certificate Errors
Keystore tampered or unreadable
When starting mailboxd, you see one of the following:
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
Starting mailboxd...
WARN: failed to read keystore file java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
The error says that the keystore is corrupted. Move /opt/zimbra/ssl/zimbra/jetty.pkcs12 and /opt/zimbra/mailboxd/etc/keystore out of the way and redeploy the cert (there's usually no need to recreate it; redeploying is enough):
mv /opt/zimbra/ssl/zimbra/jetty.pkcs12 /tmp/jetty.pkcs12
mv /opt/zimbra/mailboxd/etc/keystore /tmp/keystore
/opt/zimbra/bin/zmcertmgr deploycrt self
If simply redeploying doesn't work, recreate it following the instructions in Administration Console and CLI Certificate Tools.
Saving keys failed
On deploying certs:
# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
This is mostly because LDAP is not accessible (is it running?) or because /opt/zimbra/conf/localconfig.xml isn't readable. Check file permissions, connectivity to LDAP, etc.
Verifying comm certs works, deploying doesn't
On deploying commercial certs, 'verify cert' works, but deploying doesn't.
XXXXX ERROR: failed to create jetty.pkcs12 No certificate matches private key
Ensure there's a newline at the end of each cert. If there isn't, the end of one cert and the beginning of the next end up concatenated on the same line, causing this error. If that isn't the cause, check for other similar formatting errors in the certs, such as an extra space at the end of each line.
Keystore not found
java.io.FileNotFoundException: /opt/zimbra/jetty-distribution-9.1.5.v20140505/etc/keystore (No such file or directory)
There's no keystore present. Redeploy the certs, and all should be good. Only if redeploying doesn't work, recreate the certs.
Extra files in ca dir causing errors
The server has 'ca.key ca.pem commercial_ca_1.pem commercial_ca_2.pem commercial_ca.pem' in /opt/zimbra/conf/ca. There shouldn't be any other file in /opt/zimbra/conf/ca: only store the commercial CA and key here. If you need a backup, store it in another directory. We've seen issues where multiple seemingly harmless files in this directory have caused problems, particularly with postfix. See also: http://wiki.zimbra.com/wiki/Error_%28MTA%29:_Unable_to_set_STARTTLS
Unable to get issuer certificate
[root@shanx certbundle]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key commercial.crt /tmp/ca_chain.crt
Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: commercial.crt: C = IN, ST = Delhi, L = New Delhi, O = Shashank Intermediate CA One, OU = Intermediate CAs, CN = Shashank Intermediate CA One, emailAddress = firstname.lastname@example.org
error 2 at 2 depth lookup:unable to get issuer certificate
An intermediate certificate is missing. Check the chain and ensure every cert is present, one after the other, when you do this step:
cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt
'ca_intermediary' should contain ALL the intermediate certs in the correct order: the issuer of one should be the subject of the next one.
Digicert has explained this quite well: https://www.digicert.com/ssl.htm
Certificate is not yet valid
error 9 at 0 depth lookup:certificate is not yet valid
This is probably a timing issue: 'certificate is not yet valid' means the certificate's validity period starts in the future, not now. Check the start date and time of the validity period against the time on the server, the time the certificate was issued, NTP, etc.
Unable to load certificate
Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
unable to load certificate
140362235303592:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
XXXXX ERROR: Unmatching certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) pair.
XXXXX ERROR: provided cert isn't valid.
zmcertmgr expected a certificate but got something else. Check whether the file is indeed a certificate, its permissions, etc., and whether it is in PEM format. Some CAs deliver the cert as a .der, some in other odd formats. You'll have to check what it is and convert it to a properly readable .pem cert. Good explanation of the different formats here: http://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file
Can't find private key
** Verifying /tmp/wts.cer against /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: Can't find private key /opt/zimbra/ssl/zimbra/commercial/commercial.key
XXXXX ERROR: provided cert isn't valid.
- Check whether there's a formatting error in the cert, i.e. newlines, extra spaces at the end of each line, etc.
- The key isn't valid. Way too many customers generate a CSR, send it, get a commercial certificate, and then for some reason generate a new CSR again and again. Each time, the old key is backed up in /opt/zimbra/ssl/zimbra.<date>. Check each /opt/zimbra/ssl/zimbra.<date> folder and verify the cert against each key; one of them should match.
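The formatting faults described in 1.3, 1.8 and 1.9 (certs run together without a newline, trailing spaces, a DER file handed over instead of PEM) can be caught before running zmcertmgr. The checker below is an added example, not part of the Zimbra wiki or of zmcertmgr; the bundle it lints is constructed, with placeholder base64 bodies rather than real certificates.

```python
import base64
import re

# Matches one PEM block; the \1 back-reference makes the END label match BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def lint_pem_bundle(data: bytes) -> list:
    """Return the formatting problems found in a PEM bundle (empty = clean)."""
    if not data.lstrip().startswith(b"-----BEGIN "):
        # DER starts with the ASN.1 SEQUENCE tag 0x30, never with "-----BEGIN";
        # OpenSSL reports this as "PEM routines ... no start line" (section 1.8).
        return ["no PEM start line: input is not PEM (DER or wrong file?)"]
    text = data.decode("ascii", errors="replace")
    problems = []
    for no, line in enumerate(text.split("\n"), 1):
        line = line.rstrip("\r")
        if "-----END " in line and "-----BEGIN " in line:
            problems.append(f"line {no}: END and next BEGIN fused (missing newline, 1.3)")
        if line != line.rstrip(" \t"):
            problems.append(f"line {no}: trailing whitespace (1.9)")
    if not text.endswith("\n"):
        problems.append("bundle does not end with a newline (1.3)")
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{label} block has a corrupt base64 body")
    return problems


def normalize_pem_bundle(data: bytes) -> bytes:
    """Rebuild the bundle: one block per cert, 64-char lines, final newline.
    Raises ValueError if a body is not valid base64 (not fixable here)."""
    out = []
    for label, body in PEM_BLOCK.findall(data.decode("ascii", errors="replace")):
        raw = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(raw).decode("ascii")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n")
    return "".join(out).encode("ascii")


# Constructed sample, not real certificates: two blocks whose bodies are base64
# of placeholder text, fused on one line (1.3) with a trailing space (1.9).
_FAKE1 = base64.b64encode(b"placeholder cert one, not a real certificate").decode()
_FAKE2 = base64.b64encode(b"placeholder cert two, not a real certificate").decode()
SAMPLE_BAD = (f"-----BEGIN CERTIFICATE-----\n{_FAKE1}\n-----END CERTIFICATE-----"
              f"-----BEGIN CERTIFICATE-----\n{_FAKE2} \n-----END CERTIFICATE-----").encode()
```

Run lint_pem_bundle() on the bundle you are about to pass to zmcertmgr; if it only reports whitespace or fused-line problems, normalize_pem_bundle() rewrites it into a form OpenSSL will read, while a DER file or a corrupt body still needs converting or re-downloading.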
Proxy displays old cert
A new certificate has been installed on a proxy server, but logging into the webpage still shows the old one.
- First do the obvious clear-the-browser-cache steps.
- Check 'nginx.crt'. Sometimes, even after deploying the new cert, it doesn't get copied there. Copying it manually should fix it.
Ldap replica sync errors
This happens nearly all the time because the CA of the replica LDAP isn't the same as the CA of the master. To fix this:
- Run the following on the master ldap:
/opt/zimbra/bin/zmcertmgr deploycrt self -allserver
- If that doesn't work:
1. Copy the CA from the master to the replica
rsync -Pa /opt/zimbra/ssl/zimbra/ca/ email@example.com:/opt/zimbra/ssl/zimbra/ca/
2. Deploy this CA on the replica
3. Recreate and redeploy the self-signed cert on replica
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self