ZIMBRA SSL RENEWAL
BASE YEAR: 2022
Supplier: LANIWAY
Files received:
STAR.*.ca-bundle
STAR.*.crt
STAR.*.csr
STAR.*.key
STAR.*.pem
STAR.*.pfx
Procedure:
# cd /opt/zimbra/ssl/zimbra/commercial
Place the files STAR.*.crt, STAR.*.key and STAR.*.ca-bundle in this directory;
Rename the files as follows:
# mv STAR.*.crt commercial.crt
# mv STAR.*.key commercial.key
# mv STAR.*.ca-bundle commercial_ca.crt
This year in particular, validation of the commercial_ca.crt file failed because the bundle did not contain the root CA certificate.
The solution was found by searching for the reported error on the Zimbra forums, which led to the knowledge base of SECTIGO (the certificate issuer) at
https://sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO
We downloaded the item below:
Root Certificates:
[Download] SHA-2 Root : USERTrust RSA Certification Authority
The downloaded certificate (a PEM block, not reproduced here) must be inserted at the beginning of the file commercial_ca.crt.
Change the owner/group and the permission level of the files:
# chown zimbra. commercial*
# chmod +x commercial*
(chmod +x only adds the execute bits; it does not remove read access from group or others on commercial.key.)
Switch to the zimbra user:
# su - zimbra
Go to the base directory:
$ cd /opt/zimbra/ssl/zimbra/commercial
Validate the generated files:
$ zmcertmgr verifycrt comm commercial.key commercial.crt
(OUTPUT)
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
Deploy the certificate:
$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
(OUTPUT)
** Fixing newlines in 'commercial.crt'
** Fixing newlines in 'commercial_ca.crt'
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
** Copying 'commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
'commercial.crt' and '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are identical (not copied) at /opt/zimbra/bin/zmcertmgr line 1264.
** Copying 'commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
'commercial_ca.crt' and '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are identical (not copied) at /opt/zimbra/bin/zmcertmgr line 1264.
** Appending ca chain 'commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer pirilampo.*...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer pirilampo.*...ok
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/0bbd18b2.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '0bbd18b2.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '062cdee6.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '16744f0c.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '5ad8a5d6.0' -> 'commercial_ca_3.crt'
Restart the Zimbra services:
$ zmcontrol restart
After the services restart, the browser should show the updated certificate.
ERROR: after the Zimbra 9 update (some packages)
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
ERROR: openssl pkcs12 export to '/opt/zimbra/ssl/zimbra/jetty.pkcs12' failed(1):
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
00F4CABA487F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (PKCS12KDF : 192), Properties (<null>)
00F4CABA487F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:147:
00F4CABA487F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:220:
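The export error above is raised by OpenSSL 3 when the PKCS12KDF algorithm (the KDF behind the PKCS#12 integrity MAC) cannot be fetched from the loaded providers; the FIPS provider, for instance, does not implement it. The following added script, not part of the original runbook, reproduces the jetty.pkcs12 export step outside Zimbra with a throwaway self-signed certificate so the failure can be isolated; the function names, paths and password are hypothetical, and the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original runbook: the jetty.pkcs12 export
# step done by hand, with the -nomac fallback the error text suggests.
# Constructed self-signed cert; hypothetical names; needs the openssl CLI.

# pkcs12kdf_listed: 0 if the loaded OpenSSL providers expose PKCS12KDF,
# 1 otherwise. 'openssl list -kdf-algorithms' exists in OpenSSL 3.x only;
# on older builds the command fails and this simply returns 1.
pkcs12kdf_listed() {
  openssl list -kdf-algorithms 2>/dev/null | grep -qi 'PKCS12KDF'
}

# export_pkcs12 KEY CERT OUT: mirror what zmcertmgr does for jetty.pkcs12.
# Tries the normal export first and only on failure retries with -nomac.
# Prints "mac" or "nomac" on success so the caller knows which one it got:
# a -nomac keystore carries no integrity MAC, so losing that tamper check
# must be a deliberate decision, not a silent default.
export_pkcs12() {
  if openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
       -name jetty -passout pass:changeit 2>/dev/null; then
    echo mac; return 0
  fi
  if openssl pkcs12 -export -nomac -inkey "$1" -in "$2" -out "$3" \
       -name jetty -passout pass:changeit 2>/dev/null; then
    echo nomac; return 0
  fi
  return 1
}

# pkcs12_readable FILE: confirms the keystore opens with the password
# (and, when a MAC is present, that the MAC verifies).
pkcs12_readable() {
  openssl pkcs12 -in "$1" -passin pass:changeit -noout -nodes >/dev/null 2>&1
}

# make_selfsigned DIR: one throwaway key/cert pair (constructed input).
make_selfsigned() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/commercial.key" -out "$1/commercial.crt" -days 2 \
    -subj "/CN=mail.example.test" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d); make_selfsigned "$w"
  pkcs12kdf_listed && echo "PKCS12KDF available" || echo "PKCS12KDF not listed"
  echo "export mode: $(export_pkcs12 "$w/commercial.key" "$w/commercial.crt" "$w/jetty.pkcs12")"
  rm -rf "$w"
fi
```

If the demo reports "nomac" on the Zimbra host, the OpenSSL provider configuration, not the certificate files, is what the update changed.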