[Solved] ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):

19 Posts
7 Users
4 Likes
4,028 Views
(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

Today I and many colleagues from the @ZimBrasil Telegram group got this error trying to install Z9 Zextras on Ubuntu 20.04:

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
80A2D013DE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 188), Properties (<null>)
80A2D013DE7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
80A2D013DE7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:

This never happened before, and I myself have some servers running Z9 Zextras flawlessly. So it took us all by surprise.

The install just breaks right after the "apply" step, just when it's going to deploy the certificate.

After some digging and hacking I came up with a workaround, and that's what I'm sharing with you:

1 - use screen to install Zimbra 9. You'll need two screens to do this. If you are not familiar with screen you may use tmux or just log in twice on the server you're going to install it on;

2 - on one screen start the installation process as always until you get to the "apply" moment, right after you set the admin password;

3 - on the second screen edit the /opt/zimbra/bin/zmcertmgr file, go to line 1817, and add the option "-nomac" to the @out array, like this:

      @out = $self->run(
            $self->Openssl, "pkcs12", "-inkey", $keyf,
            "-in",          $crtf,    "-name",  $server,
            "-export",      "-out",   $pkcsf,   "-passout",
            "pass:$kpass",  "-nomac", "2>&1"
        );

4 - go to line 1878, do the very same, adding "-nomac" to the @out array, and save the file;

5 - get back to the first screen and "apply"...

That way your Z9 Zextras will be installed until the Zextras devs fix it in the right way.

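The workaround above removes the integrity MAC from jetty.pkcs12 unconditionally. The script below is an added example, not code from this thread or from zmcertmgr: it runs the same openssl pkcs12 export that zmcertmgr runs, but takes the -nomac fallback only when openssl reports the PKCS12KDF failure quoted in the first post, logs that the file was written without a MAC, and can afterwards tell whether a given .pkcs12 file still carries a verifiable MAC. It assumes an openssl binary on PATH (override with OPENSSL=/path/to/openssl; zmcertmgr uses its own $self->Openssl, which may be a different build than the system one). The function names and the "mac"/"nomac" result strings are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread or of zmcertmgr.
# Assumptions: openssl on PATH (or in $OPENSSL); key and cert already exist.
set -u
OPENSSL=${OPENSSL:-openssl}

# Return 0 if this openssl can fetch the PKCS#12 key derivation function
# (PKCS12KDF), which is what the MAC step in the error needs.
# "openssl list -kdf-algorithms" exists only in OpenSSL 3.x; OpenSSL 1.1.1
# rejects the option and always has the KDF built in, so report success there.
pkcs12_kdf_available() {
    if "$OPENSSL" list -kdf-algorithms >/dev/null 2>&1; then
        "$OPENSSL" list -kdf-algorithms 2>/dev/null | grep -qi 'PKCS12KDF'
    else
        return 0
    fi
}

# pkcs12_export KEY CERT NAME OUT PASSWORD
# Prints "mac" when the file was written with a MAC (the normal zmcertmgr
# call), "nomac" when the -nomac fallback had to be used, and returns 1 with
# openssl's own error on stderr for any other failure.
pkcs12_export() {
    key=$1 crt=$2 name=$3 out=$4 pass=$5

    # First attempt: the same arguments zmcertmgr passes, MAC included.
    err=$("$OPENSSL" pkcs12 -export -inkey "$key" -in "$crt" -name "$name" \
              -out "$out" -passout "pass:$pass" 2>&1) && { echo mac; return 0; }

    case $err in
        *PKCS12KDF*)
            # The failure mode from the thread: the MAC key derivation is
            # unavailable. Fall back to -nomac and say so, because the result
            # is still encrypted but no longer integrity-protected.
            echo "warning: $err" >&2
            echo "warning: writing $out without an integrity MAC (-nomac)" >&2
            if "$OPENSSL" pkcs12 -export -inkey "$key" -in "$crt" -name "$name" \
                   -out "$out" -passout "pass:$pass" -nomac; then
                echo nomac
                return 0
            fi
            ;;
    esac
    printf '%s\n' "$err" >&2
    return 1
}

# pkcs12_check FILE PASSWORD
# Prints "mac-verified" if the file opens with MAC verification on, "no-mac"
# if it only opens with -nomacver (i.e. it was produced with -nomac or the
# MAC cannot be checked here), and returns 1 if it does not open at all.
pkcs12_check() {
    if "$OPENSSL" pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1; then
        echo mac-verified
    elif "$OPENSSL" pkcs12 -in "$1" -noout -passin "pass:$2" -nomacver >/dev/null 2>&1; then
        echo no-mac
    else
        return 1
    fi
}

# Usage, mirroring the zmcertmgr call in the thread (paths are illustrative):
#   pkcs12_export /opt/zimbra/ssl/zimbra/server/server.key \
#       /opt/zimbra/ssl/zimbra/server/server.crt mail.example.test \
#       /opt/zimbra/ssl/zimbra/jetty.pkcs12 "$keystore_password"
#   pkcs12_check /opt/zimbra/ssl/zimbra/jetty.pkcs12 "$keystore_password"
```

Running pkcs12_check against an existing jetty.pkcs12 after an install or certificate renewal is a quick way to confirm whether a server ended up with a MAC-less keystore from the -nomac edit, which is worth recording so the file can be regenerated once a fixed build is installed.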
mgarbo
(@mgarbo)
Joined: 9 years ago
Posts: 61
 

On the latest Zimbra patch package release, Synacor has released OpenSSL 3.0.9.

You can't use the Zimbra 9 build by Zextras because it has no support for the latest Zimbra package build.

Remember that Zimbra 9 by Zextras builds only the zimbra core package (web interface / configuration and so on) and not the Zimbra third-party packages (binaries like nginx / ldap / openssl etc.).

If you want the latest Zimbra 9 you must compile it by yourself or wait for a Zextras build related to the last Zimbra 9 patch.

Read this topic : https://community.zextras.com/forum/zimbra-ose-9-by-zextras/patch-34-for-zimbra-9-has-been-released-regarding-global-security/

(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

Any risks upgrading Z9 Zextras via "apt upgrade"?
Because right now there are many Zimbra packages available to upgrade...

I'll take a look at the link... tyvm

(@sequephonic)
Joined: 9 months ago
Posts: 4
 

It hasn't helped for me.

Installing MTA SSL certificates...failed.

And if I do this:

zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr createca -new
** Recreating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Creating CA with existing private key /opt/zimbra/ssl/zimbra/ca/ca.key
zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20230731034855
** Recreating /opt/zimbra/conf/zmssl.cnf
** Generating a server CSR of type 'self' for download
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... failed
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.*****.ru...failed (rc=1)
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr deploycrt self
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
80327CB3BD7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 192), Properties (<null>)
80327CB3BD7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
80327CB3BD7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:
zimbra@mail:~$

And how do I now install the latest version of Zimbra?

I need the old-style admin panel with all features. In Carbonio CE there is a new minimalistic admin panel, and more changes need to be done in the CLI.

(@sequephonic)
Joined: 9 months ago
Posts: 4
 

Either wait until they fix it, or install Carbonio and wait for all the other settings that were in the classic one to be added to the new administration panel.

(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

FTR this is what I did to upgrade all my Z9 Zextras, and it's up and working as expected:

apt update
apt upgrade
/opt/zimbra/libexec/zmfixperms
chown syslog.adm /var/log/zimbra.log
systemctl restart rsyslog.service

reboot

(@sequephonic)
Joined: 9 months ago
Posts: 4
 

@anahuac In my case, I can only install Carbonio CE without problems. Glad you got the situation resolved. If I could install zcs-9 from scratch on Ubuntu 18 or 20 I would install it. But this error haunts me, and editing the script does not help.

 mrom
(@mrom)
Joined: 9 months ago
Posts: 1
 

Patch your /opt/zimbra/bin/zmcertmgr and add the -nomac param:

   1817         @out = $self->run(
   1818             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1819             "-in",          $crtf,    "-name",  $server,
   1820             "-export",      "-out",   $pkcsf,   "-passout",
   1821             "pass:$kpass", "-nomac", "2>&1"
   1822         );
   1878         @out = $self->run(
   1879             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1880             "-in",          $crtf,    "-name",  $server,
   1881             "-export",      "-out",   $pkcsf,   "-passout",
   1882             "pass:$kpass", "-nomac", "2>&1"
   1883         );

(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

@sequephonic I have done it more than once, and so have others... so I'll ask you to go through my first post again... step by step. Did you notice you have to fix zmcertmgr in two places?

(@sequephonic)
Joined: 9 months ago
Posts: 4
 

@anahuac Ohh... Sorry. I was not very attentive at that moment and my eyes missed that the second line number is a different one, 1878.

Now the install is done. Thank you very much @anahuac !!!

(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

Last night I needed to renew a Let's Encrypt certificate on a Z9 Zextras server and I got the same error as above. The fix is also the same: editing zmcertmgr as described in my previous post.

So, if you have an updated Z9 you may run into the same problem. Hope it helps.

(@fosiul)
Joined: 8 months ago
Posts: 1
 

Posted by: @mrom

Patch your /opt/zimbra/bin/zmcertmgr and add the -nomac param:

   1817         @out = $self->run(
   1818             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1819             "-in",          $crtf,    "-name",  $server,
   1820             "-export",      "-out",   $pkcsf,   "-passout",
   1821             "pass:$kpass", "-nomac", "2>&1"
   1822         );
   1878         @out = $self->run(
   1879             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1880             "-in",          $crtf,    "-name",  $server,
   1881             "-export",      "-out",   $pkcsf,   "-passout",
   1882             "pass:$kpass", "-nomac", "2>&1"
   1883         );

 

@mrom 

Thanks, this solution worked for me!! With the below configuration:

Linux  4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

Release 9.0.0.ZEXTRAS.20221203.UBUNTU18.64 UBUNTU18_64 FOSS edition.

Thanks for the solution, life saving. 

(@trigg3r)
Joined: 5 years ago
Posts: 23
 

I have this problem on a Zimbra 9.0.0_ZEXTRAS_20220713 installation (build 20220705100434)

Only, my /opt/zimbra/bin/zmcertmgr file does not contain the word "nomac" :\

I tried reinstalling Zimbra: everything completes successfully but the problem remains.

I tried downloading and reinstalling zextras-theme-ubuntu.tgz and I get an error on deploy:

su - zimbra -c 'zmskindeploy /opt/zimbra/jetty/webapps/zimbra/skins/zextras/'
ERROR: zclient.IO_ERROR (invoke PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed)

I'm stuck with the server... can you help me??

Thanks

(@anahuac)
Joined: 10 months ago
Posts: 306
Topic starter  

@trigg3r Ok... so you have to ADD that "nomac" part to make it work

(@trigg3r)
Joined: 5 years ago
Posts: 23
 

Posted by: @anahuac
so you have to ADD that "nomac" part to make it work

Thanks a lot @anahuac!

How can I recognize for sure which line I have to modify?
