Forums
Zimbra OSE
Zimbra OSE - How to...
ERROR: openssl pkcs...
 
Notifications
Clear all

[Solved] ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):

 
Page 2 / 2
Zimbra OSE - How to & Setup
Last Post by niceandclean 2 months ago
20 Posts
9 Users
4 Reactions
5,002 Views
RSS
 anahuac
(@anahuac)
Joined: 1 year ago
Posts: 310
Topic starter 10/18/2023 16:35  

@trigg3r roll up a bit... there are many messages showing the right lines you have to change.. please read the previous posts.


   
ReplyQuote
 trigg3r
(@trigg3r)
Joined: 5 years ago
Posts: 25
10/18/2023 16:50  

Hai solved with this: https://github.com/Zimbra/zm-core-utils/pull/137

 

adding "-propquery", "-fips"  (not "-nomac")

 

thank you!


   
anahuac reacted
ReplyQuote
 Nico35
(@nico35)
Joined: 1 year ago
Posts: 2
04/18/2024 14:10  

hi,

i have a similar problem but my error is different. I try to distribute a commercial certificate. if I do the check the result is OK.

i I already tried changing the properties in "-nomac" or "-propquery", "-fips" 

 

[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK
[zimbra@mail ~]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Fixing newlines in '/tmp/ca_chain.crt'
Can't rename /tmp/ca_chain.crt to /tmp/ca_chain.crt.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1239.
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/ca_chain.crt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/ca_chain.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer mail.xxx.it...ERROR: account.INVALID_ATTR_VALUE (invalid attr value: invalid attr value - unable to modify attributes: ldap host=mail.xxx.it:389: zimbraSSLCertificate: value #0 invalid per syntax) (cause: com.zimbra.cs.ldap.LdapException$LdapInvalidAttrValueException invalid attr value - unable to modify attributes: ldap host=mail.xxx.it:389: zimbraSSLCertificate: value #0 invalid per syntax)
failed (rc=2)
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
No cert in -in file '/opt/zimbra/conf/imapd.crt' matches private key
8003D8AF467F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:405:
8003D8AF467F0000:error:05800074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:405:
This post was modified 3 months ago 2 times by Nico35

   
ReplyQuote
 Nico35
(@nico35)
Joined: 1 year ago
Posts: 2
04/18/2024 15:37  

I resolved the commercial certificate was not in the format required by zimbra


   
ReplyQuote
 niceandclean
(@niceandclean)
Joined: 2 months ago
Posts: 1
06/08/2024 00:31  

Although  it seems like is a solved topic, I want to share my experience with this error.

My zimbra installation was 9.0.0_ZEXTRAS_20221203 on Rocky Linux 8.8, so when I was renewing  the SSL Certificate  by zmcertmgr I got the following:

command: /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_bundle.crt

ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
0061F3F3637F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 192), Properties (<null>)
0061F3F3637F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
0061F3F3637F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:

After some search I didn't find a solution that works for me, fortunately I had a prototype server with same configuration to play a little, I downloaded  and installed the release 9.0.0_ZEXTRAS_20231104.RHEL8_64_20231124123142  after upgrade  I  issued the same command to install the new certificate, this time it worked like a charm. and after restart  zimbra I finally got my server working.

 


   
ReplyQuote
Page 2 / 2
Forum Jump:
  Previous Topic
Next Topic