WingBlog

Manufacturing Intelligence, Networking, Security & Some Unrelated Stuff

David McKay

How to Renew A Godaddy SSL Certificate on Zimbra 7 and 6

Tuesday, 08 February 2011 Posted by David McKay Category Stuff 0 comment

UPDATED:  2012-02-06 CORRECTION-CORRECTION-CORRECTION!!   Major oops in this blog from last year, my apologies if it caused anyone problems!  Turns out the Zimbra gui SSL upload is STILL not working for SSL Certificates and returns the same error:   

Your certificate was not installed due to the error : system failure: IOException while handling uploaded certificate

So, I revisited my own tutorial and found a couple of errors - corrected version is next:

***NOTES:  Anywhere you see , you need to change it to match what your server or certificate name actually is, or this won't work.  This procedure was done against the following Centos/Zimbra server version (found using "zmcontrol -v"): Release 6.0.8_GA_2661.RHEL5_20100820021155 CentOS5 NETWORK edition.  UPDATE:  Procedure worked for using release 7.1.3_GA_3346.RHEL5_20110928134522 CentOS5 NETWORK edition.

EPIC FAIL (this is the "normal" way that hasn't worked for me, regardlesss of the version of Zimbra):

  1. Logged into the Zimbra Administration console and clicked on Tools>Certificates>mail.myserver.org (lower left side of your screen).  
  2. Once the certificate appears (sometimes takes awhile), click on Install Certificate at the top of the window.
  3. Select the target server (I only have one server, but multiple domains)
  4. hit next
  5. Select the option for "Install the commercially signed certificate". 
  6. Hit next
  7. For the Certificate file:  Browse to the location where you downloaded ".crt" and select the file
  8. For the Root CA file:  Browse to the location where you downloaded "gd-class2-root.crt" and select the file
  9. For the Intermediate CA file:  Browse to the location where you downloaded "gd_bundle.crt" and select the file
  10. Click Next
  11. Click Install

Now for you, this may have worked.  HOWEVER, for me, it did not.  

Try Number 2 (worked).  

  1. Soooooo, fire up your favorite SSH Client (I use SecureCRT from VanDyke), and log into your zimbra server via ssh AS root.  At this point DO NOT "su zimbra", as you need to be working as root, not as the zimbra administrator.
  2. Make a directory to hold the certs you are about to upload manually:  mkdir /opt/zimbra/ssl/zimbra/backup and then mkdir /opt/zimbra/ssl/zimbra/backup/newcerts
  3. Download the godaddy ssl files, which should be yourdomain.crt and gd_bundle.crt (replace the word "yourdomain" with yours....). 
  4. Since this is a renewal, you won't need anyting but yourdomain.crt, but from reference purposes, you can download the root ca from HERE.  
  5. Upload yourdomain.crt to/opt/zimbra/ssl/zimbra/backup/newcerts (how to do this is beyond the scope of this little blog, so google a solution if you don't have one - I use an SFTP tool called SecureFX)
  6. Change to the directory you just made:  cd /opt/zimbra/ssl/zimbra/backup/newcerts
  7. rename yourdomain.crt to commercial_ca.crt
  8. now you verify the certificate using zimbra's tools with this very long command:  /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial_ca.crt
  9. This should return something like the following:   ** Verifying ./.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.keyCertificate (./mail.f6f.org.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.Valid Certificate: ./.crt: OK
  10. If it doesn't, I recommend you call Zimbra for help  ;-)
  11. Deploy your newly verified certificate:  /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial_ca.crt
  12. The output should look something like this: ** Verifying ./commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.keyCertificate (./commercial_ca.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.Valid Certificate: ./commercial_ca.crt: OK[root@mail newcerts]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./commercial_ca.crt** Verifying ./commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.keyCertificate (./commercial_ca.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.Valid Certificate: ./commercial_ca.crt: OK[root@mail newcerts]# /opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial_ca.crt** Verifying ./commercial_ca.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.keyCertificate (./commercial_ca.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.Valid Certificate: ./commercial_ca.crt: OK** Copying ./commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt** Saving server config key zimbraSSLCertificate...done.** Saving server config key zimbraSSLPrivateKey...done.** Installing mta certificate and key...done.** Installing slapd certificate and key...done.** Installing proxy certificate and key...done.** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.** Installing CA to /opt/zimbra/conf/ca...done.
  13. Ok, now restart zimbra with: su zimbra
  14. zmcontrol restart
  15. Done

There you have it, hope that helps somebody besides me!

Tags: zimbra, it stuff, manufacturing intelligence

Related Post

About the author

David McKay
David McKay
Director of Business Development and Emerging Technologies for WingTip, LLC. Past gigs include Director of Sales, Western USA/Canada & Oceania for MDT Software, President- McKay Group, President, Inova, Inc., VP, Sales and Marketing for Touch Controls, and Chief cook and bottle washer for a system integration company (way back when!).
http://wingtipllc.com

Trackback

Trackback URL for this blog entry

Comments

Please login first to submit your comment