CLI Certificate Tools for Zimbra Server How To


For the few of you who actually run your own organizational mail servers, and the even fewer of those who run Zimbra, here is what to do when you encounter the following error while trying to start Zimbra:

Host mail.domain.tld
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn’t exist.

This is normally caused by the expiry of the certificate that Zimbra uses for LDAP. All you have to do to fix the situation is generate a new, valid certificate using Zimbra's CLI (command line interface) certificate tools.

The following are examples of using the CLI certificate tools for different installation scenarios.

Single-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

 /opt/zimbra/bin/zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days.

 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365

3. Next deploy the certificate.

 /opt/zimbra/bin/zmcertmgr deploycrt self

4. Next deploy the CA.

 /opt/zimbra/bin/zmcertmgr deployca

5. To finish, verify the certificate was deployed to all the services.

 /opt/zimbra/bin/zmcertmgr viewdeployedcrt

Multi-Node Self-Signed Certificate

1. Begin by generating a new Certificate Authority (CA).

 /opt/zimbra/bin/zmcertmgr createca -new

2. Then generate a certificate signed by the CA that expires in 365 days, using either a wildcard subject or subject alternative names.

 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=CA/L=NVA/O=ZCS/OU=ZCS/CN=*.domain.tld"
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"

3. Next, deploy the certificate to all nodes in the deployment.

 /opt/zimbra/bin/zmcertmgr deploycrt self -allserver

4. To finish, verify the certificate was deployed.

 /opt/zimbra/bin/zmcertmgr viewdeployedcrt

Note: viewdeployedcrt only reports the certificate deployed on the local server.

Single-Node Commercial Certificate

1. Begin by generating a Certificate Signing Request (CSR).

 /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com

2. Next, submit the CSR to your SSL provider and obtain a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).

3. Now, download the root Certificate Authority (CA) certificate from your provider and save it to a temporary file (e.g. /tmp/ca.crt).

4. Download any intermediary CA certificates from your provider and save them to a temporary file (e.g. /tmp/ca_intermediary.crt).

5. Combine the root and intermediary CAs into a single temporary file.

 cat /tmp/ca.crt /tmp/ca_intermediary.crt > /tmp/ca_chain.crt

6. Verify your commercial certificate against the private key generated with the CSR and the CA chain.

 /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
 ** Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK

7. Deploy your commercial certificate.

 /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
 ** Verifying /tmp/commercial.crt against
 /opt/zimbra/ssl/zimbra/commercial/commercial.key
 Certificate (/tmp/commercial.crt) and private key
 (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
 Valid Certificate: /tmp/commercial.crt: OK
 ** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 ** Appending ca chain /tmp/ca_chain.crt to
 /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 ** Saving server config key zimbraSSLCertificate...done.
 ** Saving server config key zimbraSSLPrivateKey...done.
 ** Installing mta certificate and key...done.
 ** Installing slapd certificate and key...done.
 ** Installing proxy certificate and key...done.
 ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
 ** Creating keystore file /opt/zimbra/mailbox/etc/keystore...done.
 ** Installing CA to /opt/zimbra/conf/ca...done.

8. To finish, verify the certificate was deployed.

 /opt/zimbra/bin/zmcertmgr viewdeployedcrt
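As an added example (not part of Zimbra's tooling or of this how-to), a small POSIX shell function that performs the same checks as zmcertmgr verifycrt before a deployment, plus the expiry check that would have caught the LDAP start-up error above. It assumes openssl is on the PATH; the file paths in the usage comment are the ones from this how-to.

```shell
#!/bin/sh
# Pre-deployment checks for a Zimbra certificate (added example, not zmcertmgr
# code). Mirrors what `zmcertmgr verifycrt` reports: the private key matches
# the certificate and the certificate chains to the CA bundle. It also warns
# when the certificate expires within DAYS days, which is the condition behind
# the "Unable to determine enabled services from ldap" error.
#
# Usage: check_cert KEY CRT CHAIN [DAYS]
#   check_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key \
#              /tmp/commercial.crt /tmp/ca_chain.crt 30
# Returns 0 when every check passes, 1 otherwise; failures are printed.
check_cert() {
    key=$1; crt=$2; chain=$3; days=${4:-30}
    status=0

    # 1. Key and certificate must belong together: compare the public key
    #    embedded in the certificate with the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: private key $key does not match certificate $crt"
        status=1
    fi

    # 2. Certificate must validate against the supplied CA chain
    #    (root plus any intermediaries, as in /tmp/ca_chain.crt).
    if ! openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $chain"
        status=1
    fi

    # 3. Certificate must not expire within $days days.
    if ! openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $crt expires within $days days ($(openssl x509 -in "$crt" -noout -enddate))"
        status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $crt passes key, chain and expiry checks"
    fi
    return $status
}
```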