Deploying SSL certificates to zimbra after expiry

You got your new SSL cert, deployed it on all servers but forgot about the zimbra server and now zmcontrol is refusing to do anything.


Create intermediate certificate file

Since I prefer the CLI for deploying certs, and since zimbra might not even be running at this point, I will show you how to deploy the certificates via the command line. You can read more about the zimbra CLI commands on the zimbra wiki.

First get all intermediate certificates into one file. In the case of Sectigo (formerly Comodo), this is how you concatenate all bundle files into a single file:

cat AddTrustExternalCARoot.crt USERTrustRSAAddTrustCA.crt SectigoRSADomainValidationSecureServerCA.crt > /tmp/ca_bundle.crt

Now place your SSL certificate in /tmp as well, or in some other directory the zimbra user can read.

Deploy new certificate

First check that everything is valid. This assumes that your SSL certificate is in /tmp/STAR_example_at.crt:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/STAR_example_at.crt /tmp/ca_bundle.crt

This should produce something like this:

Valid certificate chain: /tmp/STAR_example_at.crt: OK

Now you can deploy the certificate:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/STAR_example_at.crt /tmp/ca_bundle.crt

Fixing LDAP SSL error

Now, with your new certificate in place, you can start zimbra again, but instead of starting, zimbra gives you the stinky finger in the form of an SSL error:

zimbra@example:~$ zmcontrol status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

You could reboot here and it should fix the error, but if you want to be sure that everything starts and works with the new cert, you can disable SSL for LDAP, start zimbra, and then re-enable SSL for LDAP:

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

Now you can start zimbra with zmcontrol as usual. If everything works, re-enable SSL for LDAP and reboot:

zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1