Zimbra and Renewing SSL Certificate

netserveng asked
Last Modified: 2017-05-10
We are using StartSSL (StartCom) for the SSL certificate. I was able to use the GUI in Zimbra to generate the CSR and then request the cert from StartCom. I then went back into the certificate wizard on Zimbra and installed the new cert. I can see the new cert with the updated dates, but I am still getting an error on clients: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." Not sure how to continue. Also, I work with Exchange servers, so this Zimbra email server is new to me.

Thanks

Antzs, Infrastructure Services
CERTIFIED EXPERT

Commented:
Can you check if the StartSSL Root Cert is placed correctly in the Trusted Root?
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
What error message are your clients getting? Also, in the Zimbra server logs, what errors does the server show for the cert? That will help us troubleshoot.

Whenever I've installed or renewed certs on Zimbra I have always had more success doing it from the command line. I use the free LetsEncrypt certificates and here are the basic steps.

- generate certificate requests

- Copy files to /opt/zimbra/ssl/letsencrypt

- verify cert
  /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

- make backup of original cert
  cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

- make new cert to zimbra ssl store
  cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

- deploy cert in zimbra
  /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

- Restart Zimbra services
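
Added example, not part of the reply above: two checks with plain `openssl` that are worth running before deploying, showing that a certificate can match its key and still be rejected when its issuing root is absent from the trust store, which is the error in the question. The demo PKI, the file names and the host name `mail.example.test` are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: checks to run on key/cert files before deploying them.
# Every certificate here is constructed throwaway test data.

# KEY CERT: succeeds if the certificate carries this key's public half.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# TRUST_BUNDLE CERT: succeeds if CERT chains to a root in the bundle.
# Intermediates, if any, would be supplied with -untrusted.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# DIR: writes two unrelated roots (root, other) and a leaf signed by "root".
make_demo_pki() {
  local d=$1 r
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/o.cnf" || return 1
  for r in root other; do
    openssl req -config "$d/o.cnf" -extensions ca -x509 -newkey rsa:2048 -nodes \
      -days 2 -subj "/CN=Demo $r" -keyout "$d/$r.key" -out "$d/$r.pem" \
      2>/dev/null || return 1
  done
  openssl req -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$d/privkey.pem" -out "$d/leaf.csr" \
    2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  key_matches_cert "$d/privkey.pem" "$d/cert.pem" && echo "key matches cert"
  chain_trusted "$d/root.pem" "$d/cert.pem" && echo "trusted: issuing root is in the bundle"
  chain_trusted "$d/other.pem" "$d/cert.pem" || echo "untrusted: issuing root is not in the bundle"
  rm -rf "$d"
}
demo
```

Against real files, pass the CA bundle your clients actually trust as the first argument to `chain_trusted`.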

Author

Commented:
Thank you for the info. I did some more research and found out that it's StartCom (startssl) that lost the trust to the root. After chatting with them they did verify that the problem is on their end and could take months for them to get trusted again. Looks like I have to get the cert from another company. Thanks again for the info.

Author

Commented:
Hello Sanga Collins, I'm now looking at going with GoDaddy for the SSL cert and was wondering if you have ever installed a cert from GoDaddy on a Zimbra server? I only deal with Exchange servers, so this is all new to me on Zimbra. When I renewed and installed the cert I got from StartCOM I used the GUI Wizard and it worked great, and I was wondering if I could use it with the GoDaddy cert. I do know the wizard did ask for the 3 cert files which I got from StartCOM and was wondering if I would get the same thing from GoDaddy? Also, what server type would I have to choose for the Zimbra server?

Thanks
Rob
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
StartSSL had lost their trust with Mozilla, Safari and Google among others, and they are working on getting back that trust, so their certificate will say untrusted (not a word), but you get the point. You can still use it until they do what the big three ask of them.
Sanga Collins, Systems Admin
CERTIFIED EXPERT

Commented:
Found the link I saved right away: http://jamesreubenknowles.com/adding-a-godaddy-ssl-certificate-to-zimbra-7-1360

This was for Zimbra 7 but the concept is the same. A lot of people do have issues when using the GUI but it is possible to set up. Once you get more comfortable with Zimbra, you should def explore the command line. It is much more powerful (and dangerous :)

Author

Commented:
Thanks for the help
