Zimbra Gandi SSL Certificate Installation

The old Comodo intermediate/root certificates expired at the end of May 2020, so while your Gandi SSL certificate itself is not expired, your certificate chain will be broken.

Zimbra will continue to run, but the Admin Console will show all services as down, and tools like zmcontrol will fail. Zimbra will not restart.

zimbra@mail2:~$ zmcontrol status
Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
Cannot determine services - exiting

This post will show you how to recover from the above and install Gandi SSL certificates with the new Sectigo certs that have replaced the expired Comodo certs.

Before we start in earnest, let’s make two localconfig changes so Zimbra can at least restart if it needs to (we’ll reverse these later):

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

Let’s get started…

First, you can/should read about the new chains of trust and replacement certificates from Sectigo here at this link.

Second, we need to collect four certificates.  Let’s save all of the certificates to /tmp/ssl-2020 as the “zimbra” user.

  1. Your server’s existing (or your new) Gandi SSL certificate.
    1. Download this from Gandi, or if you are just replacing the expired Comodo certificates, this is the certificate at the top of the file /opt/zimbra/ssl/zimbra/commercial/commercial.crt.
  2. The Gandi Intermediate certificate.
    1. Download this from your Gandi Control Panel, save it as GandiStandardSSLCA2-1.crt in /tmp/ssl-2020.
  3. The two Sectigo certificates: The USERTrust (root) certificate and the SectigoRSA (intermediate) certificate.
    1. Links for these two certificates’ home pages at crt.sh can be found on the Sectigo link, but you can also use this link for the root certificate (USERTrust), and this link for the intermediate certificate (Comodo RSA).  On the latter two pages, look for the “SHA-256(Certificate)” entry in the left-hand column, and then click on the long identifier key just to the right to download each of the actual certificates from censys.io.

Once you have saved all four certificates, you can run as the “zimbra” user:

cat /tmp/ssl-2020/USERTrust-Root.crt /tmp/ssl-2020/SectigoRSA-Intermediate.crt /tmp/ssl-2020/GandiStandardSSLCA2-1.crt > /tmp/ssl-2020/commercial_ca.crt

The above command will create the bundle of root and intermediate certificates.  If you read the Sectigo article, what we need to do is to create the file /tmp/ssl-2020/commercial_ca.crt to represent Trust Chain Path B, but without the End Entity [Leaf Certificate]:
— USERTrust RSA Certification Authority (Root CA) [Root]
— Sectigo RSA DV/OV/EV Secure Server CA [Intermediate 1]
— GandiStandardSSLCA2-1.pem [Gandi Intermediate]
— End Entity [Leaf Certificate] << == This is your Gandi SSL certificate, the single commercial.crt file!


Next, let’s verify the certificates:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/ssl-2020/commercial.crt /tmp/ssl-2020/commercial_ca.crt

If the verification fails, and you are just replacing the expired Comodo intermediates, please be sure that the file /tmp/ssl-2020/commercial.crt contains just the very top certificate from the file /opt/zimbra/ssl/zimbra/commercial/commercial.crt, or that you downloaded it fresh from Gandi!
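
When verification fails, it helps to see which file is at fault. The following shell functions are an added example, not part of the original post: they flag a leaf file that still carries extra certificates, any certificate that is expired (or, going slightly beyond the post, expiring within a chosen number of seconds), and a leaf that does not chain to the bundle. The function names are hypothetical, the openssl CLI is assumed to be on the PATH, and make_demo_chain only builds constructed throwaway certificates for trying the check.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes the openssl CLI is installed.

# split_bundle BUNDLE OUTDIR: write each PEM certificate to OUTDIR/cert-N.pem
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }' "$1"
}

# check_bundle LEAF BUNDLE [SECONDS]: return 0 only if LEAF holds exactly one
# certificate, nothing expires within SECONDS (default 0 = already expired),
# and LEAF verifies against the certificates in BUNDLE.
check_bundle() {
  leaf=$1; bundle=$2; window=${3:-0}; rc=0
  tmp=$(mktemp -d) || return 2
  split_bundle "$bundle" "$tmp"
  # The leaf file must not drag the old chain along with it
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$leaf" 2>/dev/null || true)
  [ "${n:-0}" -eq 1 ] || { echo "LEAF     $leaf holds ${n:-0} certificates, expected 1"; rc=1; }
  for c in "$leaf" "$tmp"/cert-*.pem; do
    [ -f "$c" ] || { echo "MISSING  $c"; rc=1; continue; }
    info=$(openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' ')
    # -checkend N exits non-zero if the certificate expires within N seconds
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
      echo "OK       $info"
    else
      echo "EXPIRING $info"; rc=1
    fi
  done
  # Chain check using only the bundle as the trust store
  openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1 ||
    { echo "CHAIN    $leaf does not verify against $bundle"; rc=1; }
  rm -rf "$tmp"
  return "$rc"
}

# make_demo_chain DIR: constructed throwaway root and leaf for trying the check
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Root" \
    -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}
```

With the files from this post, the call would be check_bundle /tmp/ssl-2020/commercial.crt /tmp/ssl-2020/commercial_ca.crt, run after sourcing the functions as the “zimbra” user.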

Assuming the verification works, let’s deploy the certificates now:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/ssl-2020/commercial.crt /tmp/ssl-2020/commercial_ca.crt

Assuming the deployment worked OK, let’s put back the two localconfig variables to how they were (and should be):

zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_starttls_supported=1

And then finally, we need to restart Zimbra and make sure that it restarted OK:

zmcontrol restart && sleep 10 && zmcontrol status

You should be all good now!

Hope that helps,
L. Mark Stone
Mission Critical Email LLC
1 June 2020
