Root CA certificate has expired
Problem
LDAP servers are unable to communicate with other servers in the ZCS environment.
We get the below error when checking the LDAP status:
zmcontrol status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL
OR
ldap status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL
How to verify if the Root CA or any intermediate CA has expired
su - zimbra
cd /opt/zimbra/ssl/zimbra/commercial/
[zimbra@mail commercial]$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
ERROR: Unable to validate certificate chain: commercial.crt: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
error 10 at 3 depth lookup:certificate has expired
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 10 at 2 depth lookup:certificate has expired
OK
Description
1. commercial.key is your private key, used to generate the Certificate Signing Request (CSR).
2. commercial_ca.crt is the certificate chain created by bundling the intermediate and root CA certificates.
3. commercial.crt is the SSL certificate issued for the server.
Solution
This issue has cropped up because the Sectigo (Comodo) root certificate named AddTrust External CA Root expired on May 30, 2020. The successor of this root certificate is named the Comodo RSA Certification Authority Root, and will expire in 2038. To fix the issue, download the new Comodo RSA Certification Authority Root and re-deploy the SSL certificate.
The new Comodo RSA Certification Authority Root can be downloaded from here (link).
Steps to re-deploy the certs
1. Download and save the root CA. (e.g. /tmp/ca.crt)
2. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)
3. Combine root and intermediary CAs into a temporary file.
cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt
4. Move the old certs and recreate the necessary folders.
mv /opt/zimbra/ssl/zimbra/ /opt/zimbra/ssl/zimbra.old
mkdir /opt/zimbra/ssl/zimbra/
mkdir -p /opt/zimbra/ssl/zimbra/{ca,commercial,server}
mv /opt/zimbra/ssl/zimbra.old/commercial/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
chmod 750 /opt/zimbra/ssl/zimbra
chmod 750 /opt/zimbra/ssl/zimbra/*
5. Verify your commercial certificate.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
6. Deploy your commercial certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending CA chain /tmp/ca_chain.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailbox/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
7. To finish, verify the certificate was deployed.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
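The zmcertmgr output above reports "certificate has expired" only after the whole chain fails to validate. The script below is an added example (not part of this article and not a Zimbra tool) that does the same two checks with the openssl CLI, which it assumes is installed: it splits a PEM bundle such as commercial_ca.crt or /tmp/ca_chain.crt into its individual certificates, prints each certificate's subject and expiry, counts how many expire within a chosen number of seconds (0 means "already expired"), and then verifies the leaf certificate against the bundle the way step 5 does. It can be run against the old chain to find the expired AddTrust root and against the rebuilt chain before deploying it.

```shell
#!/bin/sh
# Added example: list and check every certificate in a PEM bundle, then
# verify a leaf certificate against that bundle. Assumes the openssl CLI.

# split_bundle BUNDLE OUTDIR: write each PEM certificate in BUNDLE to OUTDIR/cert-N.pem
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
}

# count_expiring BUNDLE SECONDS: report each certificate on stderr and print on
# stdout how many of them expire within SECONDS (0 = already expired now).
count_expiring() {
    bundle="$1"; horizon="${2:-0}"
    tmp=$(mktemp -d)
    split_bundle "$bundle" "$tmp"
    count=0
    for f in "$tmp"/cert-*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject)
        notafter=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        # -checkend exits non-zero when the certificate expires within the horizon
        if openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null; then
            echo "ok        $notafter  $subject" >&2
        else
            echo "EXPIRING  $notafter  $subject" >&2
            count=$((count + 1))
        fi
    done
    rm -rf "$tmp"
    echo "$count"
}

# verify_leaf LEAF BUNDLE: succeed only if LEAF chains up to a certificate in
# BUNDLE, which is the chain check zmcertmgr verifycrt performs.
verify_leaf() {
    openssl verify -CAfile "$2" "$1"
}

# Usage: sh chaincheck.sh BUNDLE [SECONDS] [LEAF]
if [ $# -ge 1 ]; then
    expiring=$(count_expiring "$1" "${2:-0}")
    echo "certificates expiring within ${2:-0}s: $expiring"
    if [ $# -ge 3 ]; then
        verify_leaf "$3" "$1"
    fi
fi
```

A non-zero count on the old commercial_ca.crt with a horizon of 0 confirms the expired root or intermediate; running it on the rebuilt /tmp/ca_chain.crt with a horizon of, say, 30 days (2592000 seconds) gives early warning before the next expiry, and a failing verify_leaf on the new chain means the wrong intermediate was downloaded or the files were concatenated in the wrong order.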
A quick fix until the root CA is installed
Disable TLS on the LDAP server as a workaround until the certificates are re-deployed. Note that while StartTLS is disabled, LDAP traffic between the servers is unencrypted, so re-enable it as soon as the new certificates are in place.
Execute the below commands on the LDAP servers:
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
zmcontrol restart
Once the certificates are re-deployed, enable TLS on the LDAP server again:
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1
zmcontrol restart
Submitted by: Samrat Sarkar