ERROR: openssl pkcs...
 
Notifications
Clear all

[Solved] ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):

19 Posts
7 Users
4 Likes
3,882 Views
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

Today me and many colegues from @ZimBrasil Telegram group got this error trying to install Z9 Zextras on Ubuntu 20.04:

** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
80A2D013DE7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 188), Properties (<null>)
80A2D013DE7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
80A2D013DE7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:

This never happened before and I have myself some servers running Z9 Zextras flawlessly. So it got us all by surprise.

Install just brakes right after the "apply" step just when it's going to deploy the certificate.

 

After some digging and hacking I came out with a workaround and that's what I'm sharing with you:

1 - use screen to install Zimbra 9. You'll need two screens to do this. If you are not familiar with screen you may use tmux or just login twice on the server you're going to install it;

2 - on one screen start the installation process as always til you get to to the "apply" moment, right after you set the admin password;

3 - on the second screen edit /opt/zimbra/bin/zmcertmgr file, go to the line 1817, and add the option "-nomac" to the @out array, like this:

      @out = $self->run(
            $self->Openssl, "pkcs12", "-inkey", $keyf,
            "-in",          $crtf,    "-name",  $server,
            "-export",      "-out",   $pkcsf,   "-passout",
            "pass:$kpass",  "-nomac", "2>&1"
        );

4 - go to the line 1878 and do the very same adding "-nomac" to @out array and save the file

5 - get back to the first screen and "apply"...

That way your Z9 Zextras will be installed til Zextras devels fix it in the right way.

 


   
dominix reacted
Quote
mgarbo
(@mgarbo)
Joined: 9 years ago
Posts: 61
 

On latest zimbra patch packages release, synacor has released openssl 3.0.9.

You can't use zimbra 9 build by zextras because it have no support for latest zimbra package build.

Remember that zimbra 9 by zextras build only zimbra core package ( web interface / configuration and so on ) and not zimbra thirdparties packages ( binary like nginx / ldap / openssl etc etc ... ) .

If you want the lasted zimbra 9 you must compile it by yourself or wait zextras build related to last zimbra 9 patch.

Read this topic : https://community.zextras.com/forum/zimbra-ose-9-by-zextras/patch-34-for-zimbra-9-has-been-released-regarding-global-security/


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

Any risks upgrading Z9 Zextras from "apt upgrade"?
Because right now there are many Zimbra packages available do upgrade... 

I'll take a look to the link... tyvm


   
ReplyQuote
(@sequephonic)
Joined: 9 months ago
Posts: 4
 

It's not helped for me.

Installing MTA SSL certificates...failed.

And if do this:

zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr createca -new
** Recreating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Creating CA with existing private key /opt/zimbra/ssl/zimbra/ca/ca.key
zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20230731034855
** Recreating /opt/zimbra/conf/zmssl.cnf
** Generating a server CSR of type 'self' for download
** Using CA cert in '/opt/zimbra/ssl/zimbra/ca/ca.pem'
** Using CA private key in '/opt/zimbra/ssl/zimbra/ca/ca.key'
** Retrieving Commercial CA cert from LDAP... failed
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr with keysize=2048 digest=sha256
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer mail.*****.ru...failed (rc=1)
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr
zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr deploycrt self
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/server/server.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/server/server.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
80327CB3BD7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 192), Properties (<null>)
80327CB3BD7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
80327CB3BD7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:
zimbra@mail:~$

And how now install latest version Zimbra?

I need old style admin panel with all features. In Carbonio CE new minimalistiv admin panel and more changes need do in CLI.


   
ReplyQuote
(@sequephonic)
Joined: 9 months ago
Posts: 4
 

Either wait until they fix it, or install Carbonio and wait for all the other settings that were in the classic one to be added to the new administration panel.


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

FTR this is what I did to upgrade all my Z9 Zextras and it's up and working as expected:

apt update
apt upgrade
/opt/zimbra/libexec/zmfixperms
chown syslog.adm /var/log/zimbra.log
systemctl restart rsyslog.service

reboot

   
ReplyQuote
(@sequephonic)
Joined: 9 months ago
Posts: 4
 

@anahuac In my case, I can only install Carbonio CE withou problems. Glad you got the situation resolved. If I could install from scratch on Ubuntu 18 or 20 zcs-9 I would install it. But this error haunts and editing the script does not help.


   
ReplyQuote
 mrom
(@mrom)
Joined: 9 months ago
Posts: 1
 

Patch your /opt/zimbra/bin/zmcertmgr and add the -nomac param:

   1817         @out = $self->run(
   1818             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1819             "-in",          $crtf,    "-name",  $server,
   1820             "-export",      "-out",   $pkcsf,   "-passout",
   1821             "pass:$kpass", "-nomac", "2>&1"
   1822         );
   1878         @out = $self->run(
   1879             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1880             "-in",          $crtf,    "-name",  $server,
   1881             "-export",      "-out",   $pkcsf,   "-passout",
   1882             "pass:$kpass", "-nomac", "2>&1"
   1883         );

   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

@sequephonic I have done it more than once and so others... so I'll ask you to go through my first post again... step by step. Did you notice you have to fix zmcertmgr in two places?


   
ReplyQuote
(@sequephonic)
Joined: 9 months ago
Posts: 4
 

@anahuac Ohh... Sorry. i was not very attentive at that moment and missed with my eyes that the line number is another second 1878.

Now install done. Thank you very much@anahuac !!!


   
anahuac reacted
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

Last night I needed to renew Let's Encrypt certificate on a Z9 Zextras server and I got the same error above. The fixing is also the same editing zmcertmgr as described on my previous post

So, if you have an updated Z9 you may get in the same problem. Wish it helps.


   
ReplyQuote
(@fosiul)
Joined: 7 months ago
Posts: 1
 

Posted by: @mrom

Patch your /opt/zimbra/bin/zmcertmgr and add the -nomac param:

   1817         @out = $self->run(
   1818             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1819             "-in",          $crtf,    "-name",  $server,
   1820             "-export",      "-out",   $pkcsf,   "-passout",
   1821             "pass:$kpass", "-nomac", "2>&1"
   1822         );
   1878         @out = $self->run(
   1879             $self->Openssl, "pkcs12", "-inkey", $keyf,
   1880             "-in",          $crtf,    "-name",  $server,
   1881             "-export",      "-out",   $pkcsf,   "-passout",
   1882             "pass:$kpass", "-nomac", "2>&1"
   1883         );

 

@mrom 

Thanks, this solution worked for me!!  with bellow configuration

Linux  4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-112-generic x86_64)

Release 9.0.0.ZEXTRAS.20221203.UBUNTU18.64 UBUNTU18_64 FOSS edition.

Thanks for the solution, life saving. 

 


   
anahuac reacted
ReplyQuote
(@trigg3r)
Joined: 5 years ago
Posts: 23
 

Ho questo problema su una installazione Zimbra 9.0.0_ZEXTRAS_20220713 (build 20220705100434)

Solo che il mio file /opt/zimbra/bin/zmcertmgr  non contiene la parola "nomac" :\

 

Ho provato a reinstallare Zimbra: tutto va a buon fine ma il problema rimane.

 

Ho provato a scaricare e reinstallare zextras-theme-ubuntu.tgz e ottendo un errore sul deploy:

su - zimbra -c 'zmskindeploy /opt/zimbra/jetty/webapps/zimbra/skins/zextras/'
ERROR: zclient.IO_ERROR (invoke PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed, server: localhost) (cause: javax.net.ssl.SSLHandshakeException PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed)

 

Sono fermo con il server ... mi potete aiutare??

 

Grazie


   
ReplyQuote
(@anahuac)
Joined: 10 months ago
Posts: 304
Topic starter  

@trigg3r Ok... so you have to ADD that "nopac" part to make it work


   
ReplyQuote
(@trigg3r)
Joined: 5 years ago
Posts: 23
 

Posted by: @anahuac
so you have to ADD that "nopac" part to make it work

 

Thank al lot @anahuac!

 

How can I recognize for sure which line I have to modify?

 


   
ReplyQuote
Page 1 / 2