I recently requested an update to our Let's Encrypt certificates, changing the `key_type` to `ecdsa` on the elliptic curve `secp384r1`, which is generally regarded as more secure these days. The certificates were issued fine, but as soon as I tried to deploy them in Zimbra the process failed: zmcertmgr was unable to verify that the private key matched the certificate.
```
[[email protected] tmp]# su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/privkey1.pem /tmp/cert16.pem /tmp/zimbra_chain1.pem"
** Verifying '/tmp/cert1.pem' against '/tmp/privkey1.pem'
139741916038976:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:469:
ERROR: Certificate '/tmp/cert1.pem' and private key '/tmp/privkey1.pem' do not match.
```
To make sure I did not have a broken system, I force-renewed the certificate again with the `key_type` set back to `rsa`. This time the certificates validated and deployed.
To fix this issue, run this script:

```sh
#!/bin/sh
# Patch zmcertmgr so that it compares the public keys of the private key and
# the certificate instead of RSA moduli; the modulus comparison fails on EC keys.
zmcertmgr=/opt/zimbra/bin/zmcertmgr
# keep a backup of the original script
cp $zmcertmgr $zmcertmgr.bak
# "openssl rsa -noout -modulus"  -> "openssl pkey -pubout"        for the key
# "openssl x509 -noout -modulus" -> "openssl x509 -noout -pubkey" for the cert
sed -i -e 's/$self->run("$ssl rsa -noout -modulus -in '$keyf'/$self->run("$ssl pkey -pubout -in '$keyf'/g' \
       -e 's/$self->run("$ssl x509 -noout -modulus -in '$crtf'/$self->run("$ssl x509 -noout -pubkey -in '$crtf'/g' $zmcertmgr
```
With the change in place the certificates verify correctly.
```
[[email protected] tmp]# su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/privkey1.pem /tmp/cert1.pem /tmp/zimbra_chain1.pem"
** Verifying '/tmp/cert1.pem' against '/tmp/privkey1.pem'
Certificate '/tmp/cert1.pem' and private key '/tmp/privkey1.pem' match.
** Verifying '/tmp/cert1.pem' against '/tmp/zimbra_chain1.pem'
Valid certificate chain: /tmp/cert16.pem: OK
```
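The check that the patched zmcertmgr performs, written out as a stand-alone script so the difference between the two comparisons can be seen. This is an added example, not code from the post or from Zimbra's zmcertmgr; it assumes an `openssl` binary in PATH, and the key pairs and certificate names it uses are constructed at run time.

```shell
#!/bin/sh
# Added example, not code from the post or from Zimbra's zmcertmgr: the key/cert
# comparison the patched zmcertmgr performs, as a stand-alone check. Assumes an
# "openssl" binary in PATH; all key material below is constructed at run time.

# Legacy check (what the unpatched zmcertmgr does): compare RSA moduli.
# Returns 0 on match, 1 on mismatch or when the key is not an RSA key.
legacy_modulus_check() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$key_mod" = "$crt_mod" ]
}

# Patched check: compare the PEM-encoded public keys, which works for RSA,
# ECDSA and any other key type openssl understands. Returns 0 on match,
# 1 on mismatch, 2 when a file cannot be parsed.
verify_keypair() {
    key_pub=$(openssl pkey -pubout -in "$1" 2>/dev/null) \
        || { echo "ERROR: cannot read private key '$1'" >&2; return 2; }
    crt_pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) \
        || { echo "ERROR: cannot read certificate '$2'" >&2; return 2; }
    if [ "$key_pub" = "$crt_pub" ]; then
        echo "Certificate '$2' and private key '$1' match."
        return 0
    fi
    echo "ERROR: Certificate '$2' and private key '$1' do not match." >&2
    return 1
}

# Constructed test material: a secp384r1 key and a 2048-bit RSA key, each with
# a self-signed certificate (hypothetical CNs, valid for one day).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl ecparam -name secp384r1 -genkey -noout -out "$workdir/ec.key" 2>/dev/null
openssl req -new -x509 -key "$workdir/ec.key" -subj "/CN=ec.example.test" -days 1 \
    -out "$workdir/ec.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/rsa.key" 2>/dev/null
openssl req -new -x509 -key "$workdir/rsa.key" -subj "/CN=rsa.example.test" -days 1 \
    -out "$workdir/rsa.crt" 2>/dev/null

# Demonstration: the modulus check cannot handle the EC pair at all, while the
# public-key check accepts both matching pairs and rejects a mixed pair.
legacy_modulus_check "$workdir/ec.key" "$workdir/ec.crt" || echo "legacy modulus check fails on the EC pair"
verify_keypair "$workdir/ec.key"  "$workdir/ec.crt"
verify_keypair "$workdir/rsa.key" "$workdir/rsa.crt"
verify_keypair "$workdir/ec.key"  "$workdir/rsa.crt" || true
```

The public-key comparison is strictly more general than the modulus comparison: for an RSA pair both agree, and for an EC pair only the public-key form produces a result, which is why the sed patch above keeps zmcertmgr working for both key types.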
A further error is possible after the change: the LDAP daemon does not start. The following settings stop Zimbra from requiring StartTLS on its internal LDAP connections:

```
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
```