После установки коммерческого сертификата, появилась ошибка.

alexey_g, 10/02/2015 - 14:13
 Добрый день.

Установил коммерческий сертификат и теперь при попытке запуска какой либо утилиты, получаю ошибку:

zimbra@mail:/$ zmprov
ERROR: zclient.IO_ERROR (invoke sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, server: localhost) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

Сталкивался кто-нибудь с таким?
 
Форумы »

Комментарии

aleksa106
11/02/2015 - 14:49
Лучше расскажите как ставили... Вам подскажут что пропустили.
Ставили из Админки или консоли?
CSR генерили в Zimbre или на стороне?
Вот "простынка" по установке:

Single-Node Commercial Certificate

We need to take care and ask for the Certificate authority for the Root and Intermediate Keys, we will need it soon.

We will use at least 2048-bit key, is the minimum for all Certificate Authorities: 1. Begin by generating a Certificate Signing Request (CSR).

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=CA/L=Sunnyvale/O=Yahoo/OU=Zimbra Collaboration Suite" -subjectAltNames host.example.com

2. Next, submit the CSR to the SSL provider and get a commercial certificate in PEM format. Save the new certificate to a temporary file (e.g. /tmp/commercial.crt).

3. Now, download and save the root Certificate Authority (CA) from your provider to a temporary file. (e.g. /tmp/ca.crt)

4. Download any intermediary CAs from your provider to a temporary file. (e.g. /tmp/ca_intermediary.crt)

5. Combine root and intermediary CAs into a temporary file.

cat /tmp/ca_intermediary.crt /tmp/ca.crt > /tmp/ca_chain.crt

6. Verify your commercial certificate.

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
**Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmp/commercial.crt: OK

7. Deploy your commercial certificate.

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
Verifying /tmp/commercial.crt against
/opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key
(/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: /tmpt/commercial.crt: OK
Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
Appending ca chain /tmp/ca_chain.crt to
/opt/zimbra/ssl/zimbra/commercial/commercial.crt
Saving server config key zimbraSSLCeretificate…done.
Saving server config key zimbraSSLPrivateKey…done.
Installing mta certificate and key…done.
Installing slapd certificate and key…done.
Installing proxy certificate and key…done.
Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
Creating keystore file /opt/zimbra/mailbox/etc/keystore…done.
Installing CA to /opt/zimbra/conf/ca…done.

8. To finish, verify the certificate was deployed.



alexey_g
18/02/2015 - 14:42
 Все решилось само собой. Заказчик решил сменить сертификат, поставил через web-интерфейс. Заработало.
aleksa106
20/02/2015 - 14:00
Повезло... :-)
Раньше при установке из Web, не работало...
Добавить комментарий