Zmcertmgr error no longer runs as root

Return to “Administrators”

Return to “Administrators”

Zmcertmgr error no longer runs as root

Post by amatu » Fri Jul 15, 2016 5:03 pm

From zimbra 8.6 and older, the letsencrypt ssl installation is simple and normal, but in new Zimbra 8.7, the utilities zmcertmgr always notify like that:
zmcertmgr: ERROR: no longer runs as root!
When I verified or deployed. Please check it!!

Re: Zimbra 8.7 and letsencrypt ssl

Post by DualBoot » Fri Jul 15, 2016 7:40 pm

The Guy — DualBoot

PostMaster — WikiMaster — SysAdmin
«Free Your Mind. Think Open Source»
april.org
Zetalliance Member — zetalliance.org

Re: Zimbra 8.7 and letsencrypt ssl

Post by jorgedlcruz » Sat Jul 16, 2016 3:06 am

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by amatu » Sat Jul 16, 2016 10:53 am

Hi jorgedlcruz and DualBoot !

Thanks guys, I will check and confirm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by amatu » Sat Jul 16, 2016 2:51 pm

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by MisterM74 » Sat Jul 16, 2016 3:23 pm

Hello
This also works with multi-domain solution?
* .domain.com

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by v1rtu4l » Sat Jul 16, 2016 7:40 pm

If those certificates expire after 90 days who would you automate the renewal. It is not of much use, if you would need to renew by hand every few months.

Gesendet von meinem SM-N910F mit Tapatalk

Re: [SOLVED] Zimbra 8.7 and letsencrypt ssl

Post by jorgedlcruz » Sat Jul 16, 2016 7:45 pm

./letsencrypt-auto certonly —standalone -d fqdn1 -d fqdn2

./letsencrypt-auto certonly —standalone -d mail.domain.com
./letsencrypt-auto certonly —standalone -d mail2.domain.net
./letsencrypt-auto certonly —standalone -d client3.domain.org

And then use the new SSL SNI, to assing each certificate, to the proper Domain — https://wiki.zimbra.com/wiki/Multiple_SSL_Certificates,_Server_Name_Indication_(SNI)_for_HTTPS

First method is easier, and because you need to renew the SSL each three months will save you time, but all the domains remind exposed when people search for your SSL certificate, the second one is better, as each domain have their own SSL Certificate, but because you want to use Let’s Encrypt you need to renew each one each three months

Start another thread if you want more information, this topic, for one domain, is solved

Источник

Zmcertmgr error no longer runs as root

Post by vettalex » Fri Oct 01, 2021 4:36 pm

# / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
zmcertmgr: ERROR: no longer runs as root!
root @ zimbra:

# su zimbra
zimbra @ zimbra: / root $ / opt / zimbra / bin / zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
** Verifying ‘cert.pem’ against ‘privkey.pem’
ERROR: Can’t read file ‘privkey.pem’
ERROR: Can’t read file ‘cert.pem’

What can I check to correct this error? thank you all for your availability

Re: problem with certificate renewal let’s encrypt

Post by GlooM » Sat Oct 02, 2021 9:08 am

User zimbra cant read files. Check ownership.

Re: problem with certificate renewal let’s encrypt

Post by vettalex » Sat Oct 02, 2021 2:28 pm

Re: problem with certificate renewal let’s encrypt

Post by pattonb » Mon Oct 04, 2021 7:09 am

I had the same issue, I checked the permissions, and they are all zimbra:zimbra

here is the info direct from my console

[code/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/archive/fqdn/cert3.pem /etc/letsencrypt/archive/fqdn/chain3.pem
** Verifying ‘/etc/letsencrypt/archive/fqdn/cert3.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
ERROR: Can’t read file ‘/etc/letsencrypt/archive/fqdn/cert3.pem’][/code]

here are the files, I see there is some crt’s from previous renewals, I don’t see them making any difference. as the link from the /etc/letsencrypt/archive/fqdn/* points to /etc/letsencrypt/archive/fqdn/

[root@gw fqdn]# pwd
/etc/letsencrypt/archive/fqdn
[root@gw fqdn]#
[root@gw fqdn]# ls -l
total 56
-rw-r—r—. 1 zimbra zimbra 2833 Oct 3 02:27 cert3.pem
-rw-r—r—. 1 zimbra zimbra 3054 Jul 5 02:10 chain1.pem
-rw-r—r—. 1 zimbra zimbra 4949 Jul 7 02:07 chain2.pem
-rw-r—r—. 1 zimbra zimbra 5688 Oct 3 23:31 chain3.pem
-rw-r—r—. 1 zimbra zimbra 6582 Jul 5 02:08 fullchain1.pem
-rw-r—r—. 1 zimbra zimbra 6582 Jul 7 02:02 fullchain2.pem
-rw-r—r—. 1 zimbra zimbra 6582 Oct 3 02:27 fullchain3.pem
-rw-r—r—. 1 root root 1939 Oct 3 02:41 isrgrootx1.pem.txt
-rw-r—r—. 1 zimbra zimbra 1704 Oct 3 02:27 privkey3.pem

any ideas ? is it not possible to verify the same way as it was previously ? ( ie. copy the .pem files) to /opt/zimbra/ssl/letsencrypt .
the /etc/letsencrypt/live/fqdn/*.pem files are ln to /etc/letsencrypt/archive/fqdn. I tried both ways, via the /etc/letsencrypt/live/fqdn and /etc/letsencrypt/live/fqdn .. same result.

Re: problem with certificate renewal let’s encrypt

Post by GlooM » Mon Oct 04, 2021 2:10 pm

pattonb wrote:
any ideas ? is it not possible to verify the same way as it was previously ? ( ie. copy the .pem files) to /opt/zimbra/ssl/letsencrypt .
the /etc/letsencrypt/live/fqdn/*.pem files are ln to /etc/letsencrypt/archive/fqdn. I tried both ways, via the /etc/letsencrypt/live/fqdn and /etc/letsencrypt/live/fqdn .. same result.

The problem is that the access rights to the files are present. But the access rights to the folders are not enough. Application cannot open directory hierarchy

You must make sure that the zimbra user can actually read the file. Login to user zimbra and try :

cat /etc/letsencrypt/archive/fqdn/cert3.pem
Will the file output appear to the console? If not, then the verifycrt utility will not be able to read it.

The easiest thing to do is to create a folder in the root.
For example
/CERTS

Then copy certs to it and chmod -R 777 /CERTS. From here the files should be read exactly

Otherwise, the zimbra user will have to additionally add access rights to directories: /etc/letsencrypt/live/ and /etc/letsencrypt/live/fqdn

Re: problem with certificate renewal let’s encrypt

Post by pattonb » Mon Oct 04, 2021 3:42 pm

ok, thanks I will give that a go.
I suspect the previous process, of copying the certs to /opt/zimbra/ssl/letsencrypt ( from the zimbra wiki, which has changed)
before running the zmcertmgr was intended to prevent this issue.

I will update as to the results.

Re: problem with certificate renewal let’s encrypt

Post by GlooM » Mon Oct 04, 2021 4:04 pm

Yes, you are absolutely right!
This is because the user «zimbra» initially has rights to the entire directory hierarchy «/opt/zimbra/ssl/letsencrypt», unlike directories «/etc/letsencrypt/live/fqdn/»

Re: problem with certificate renewal let’s encrypt

Post by pattonb » Mon Oct 04, 2021 6:09 pm

so, I could use the previous wiki process, with the one change being when getting the certs using certbot and applying the
—preferred-chain «ISRG Root X1», when requesting the new certs ? and the

zmproxyctl stop
zmmailboxdctl stop

remains the same in the process ?

Re: problem with certificate renewal let’s encrypt

Post by mfehr » Mon Oct 04, 2021 6:59 pm

The issue is in the old certificate that has expired. Check your .pem files with

openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -noout -print_certs

issuer=C = US, O = Let’s Encrypt, CN = R3

subject=C = US, O = Let’s Encrypt, CN = R3

issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

Источник

Zmcertmgr error no longer runs as root

Post by drzoidberg » Sun Aug 14, 2016 6:05 pm

I have an issue with deployment of SSL certificate. Anyone same problem? When I use GUI deployment, its says some error about RemoteManager port 22

so I followed Single-Node Commercial Certificate recommended steps from https://wiki.zimbra.com/wiki/Administra . cate_Tools

I have three files, GeoTrust Global CA (ROOT CA) .pem which renamed into .crt; IntermediateCA.crt and ServerCert.crt
RootCA and Intermediate is merged into one Chain file.

Verification is OK

]$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying ‘/tmp/commercial.crt’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘/tmp/commercial.crt’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘/tmp/commercial.crt’ against ‘/tmp/ca_chain.crt’
Valid certificate chain: /tmp/commercial.crt: OK

]$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Fixing newlines in ‘/tmp/commercial.crt’
Can’t rename /tmp/commercial.crt to /tmp/commercial.crt.bak: Operation not permitted, skipping file at /opt/zimbra/bin/zmcertmgr line 1225.
** Verifying ‘/tmp/commercial.crt’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘/tmp/commercial.crt’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘/tmp/commercial.crt’ against ‘/tmp/ca_chain.crt’
Valid certificate chain: /tmp/commercial.crt: OK
** Copying ‘/tmp/commercial.crt’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’
** Copying ‘/tmp/ca_chain.crt’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt’
** Appending ca chain ‘/tmp/ca_chain.crt’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’
** Importing cert ‘/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt’ as ‘zcs-user-commercial_ca’ into cacerts ‘/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts’
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key ‘zimbraSSLCertificate’ via zmprov modifyServer mail.domain.tld. ok
** Saving config key ‘zimbraSSLPrivateKey’ via zmprov modifyServer mail.domain.tld. ok
** Installing ldap certificate ‘/opt/zimbra/conf/slapd.crt’ and key ‘/opt/zimbra/conf/slapd.key’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’ to ‘/opt/zimbra/conf/slapd.crt’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ to ‘/opt/zimbra/conf/slapd.key’
** Creating file ‘/opt/zimbra/ssl/zimbra/jetty.pkcs12’
ERROR: openssl pkcs12 export to ‘/opt/zimbra/ssl/zimbra/jetty.pkcs12’ failed(1):
unable to load certificates
140604730992320:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:

Something with Jetty (what is it?) or PEM bad end of file, I check it many times and end files are OK.
I also check empty lines or merged headings, and It is OK

——BEGIN CERTIFICATE——
xxxx
——END CERTIFICATE——
——BEGIN CERTIFICATE——
xxxx
——END CERTIFICATE——

Thank you very much for any help,
Dave

Источник

Zmcertmgr error no longer runs as root

Post by JDunphy » Tue Apr 20, 2021 12:12 am

kdiamond wrote: Thank you for your reply!

Yes, I was looking at both methods. My current DNS provider does not allow for DNS validation. You think it’s wise to switch for another DNS provider (Cloudflare for example), just to have that feature?

Probably not. Cloudflare however is free and you are not changing registrar’s but simply re-delegating the name servers but now you need to learn their interface which might not be optimal for you and there is a learning curve.

Another option is to use another challenge methods such as http, etc if DNS doesn’t work for you with these ACME clients (certbot, acme.sh, etc)

I will also note that you can still make this work with your current DNS provider if you have another domain that is with a DNS provider that has support for DNS updates via an API.

Here is a list of supported DNS hosting providers with acme.sh (see dnsapi directory)

% ls dnsapi/
README.md dns_da.sh dns_exoscale.sh dns_kas.sh dns_neodigit.sh dns_rackspace.sh
dns_1984hosting.sh dns_ddnss.sh dns_freedns.sh dns_kinghost.sh dns_netcup.sh dns_rcode0.sh
dns_acmedns.sh dns_desec.sh dns_gandi_livedns.sh dns_knot.sh dns_netlify.sh dns_regru.sh
dns_acmeproxy.sh dns_df.sh dns_gcloud.sh dns_leaseweb.sh dns_nic.sh dns_scaleway.sh
dns_active24.sh dns_dgon.sh dns_gd.sh dns_lexicon.sh dns_njalla.sh dns_schlundtech.sh
dns_ad.sh dns_dnsimple.sh dns_gdnsdk.sh dns_linode.sh dns_nm.sh dns_selectel.sh
dns_ali.sh dns_do.sh dns_he.sh dns_linode_v4.sh dns_nsd.sh dns_servercow.sh
dns_anx.sh dns_doapi.sh dns_hetzner.sh dns_loopia.sh dns_nsone.sh dns_simply.sh
dns_arvan.sh dns_domeneshop.sh dns_hexonet.sh dns_lua.sh dns_nsupdate.sh dns_tele3.sh
dns_autodns.sh dns_dp.sh dns_hostingde.sh dns_maradns.sh dns_nw.sh dns_transip.sh
dns_aws.sh dns_dpi.sh dns_huaweicloud.sh dns_me.sh dns_one.sh dns_ultra.sh
dns_azure.sh dns_dreamhost.sh dns_infoblox.sh dns_miab.sh dns_online.sh dns_unoeuro.sh
dns_cf.sh dns_duckdns.sh dns_infomaniak.sh dns_misaka.sh dns_openprovider.sh dns_variomedia.sh
dns_clouddns.sh dns_durabledns.sh dns_internetbs.sh dns_myapi.sh dns_openstack.sh dns_vscale.sh
dns_cloudns.sh dns_dyn.sh dns_inwx.sh dns_mydevil.sh dns_opnsense.sh dns_vultr.sh
dns_cn.sh dns_dynu.sh dns_ionos.sh dns_mydnsjp.sh dns_ovh.sh dns_world4you.sh
dns_conoha.sh dns_dynv6.sh dns_ispconfig.sh dns_namecheap.sh dns_pdns.sh dns_yandex.sh
dns_constellix.sh dns_easydns.sh dns_jd.sh dns_namecom.sh dns_pleskxml.sh dns_zilore.sh
dns_cx.sh dns_edgedns.sh dns_joker.sh dns_namesilo.sh dns_pointhq.sh dns_zone.sh
dns_cyon.sh dns_euserv.sh dns_kappernet.sh dns_nederhost.sh dns_rackcorp.sh dns_zonomi.sh

For example, with the acme.sh client (bash script). you would add a resource record (CNAME) that points to this other domain that is with a dns providers like cloudflare. After that, add this option. —challenge-alias . This is listed in the wiki article as we run our own delegated dns servers here without any api and that is how I get around the problem (same as you). I have a domain with cloudflare that isn’t related to our mail servers which I will call someotherdomain.com for this example.

You would have this entry with your current DNS provider for your domain that provides no api to add/remove txt records.

_acme-challenge.mail.example.com. IN CNAME _acme-challenge.someotherdomain.com.
_acme-challenge.mail2.example.com. IN CNAME _acme-challenge.someotherdomain.com.

./acme.sh —issue —dns dns_cf —challenge-alias someotherdomain.com -d mail.example.com -d mail2.example.com

./acme.sh —deploy —deploy-hook zimbra -d mail.example.com

Finally, ACME is the protocol for challenge/verification so acme.sh also supports ZeroSSL (like letsencrypt and free) which will become the default in Aug 2021 for acme.sh. Existing acme.sh installations will continue to use letsencryipt but new installs will default to ZeroSSL (also free) unless a command line switch is provided. I’ll update our instructions once I see the new switch.

Here are a list of other clients that support ACME client implementations:

With any of these, the installation of the letsencrypt certificate with Zimbra will be the same and use the zmcertmgr program that comes with Zimbra.

Источник

Zimbra: Creating a new self-signed SSL certificate

Every other year I spend hours on renewing the ssl certificates on zimbra with the help of hopeless outdated tutorials. A tedious process that I don’t do often enough to remember how I did it. I learned the hard way that it is easier to use the admin console, than using CLI and messing around with concatinating the different certificates.

Hereby the steps that I take:

Please note that this is a walkthrough, dedicated to the
GoGetSSL Sectigo PositiveSSL Wildcard certificate, and may not work for other SSL providers.

Zimbra version: 8.8.15

1. We use the wildcard certificate on several servers, but we generate the CSR always(!) on the zimbra server. So go to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. Choose the generate CSR option (second of the 3 options). Make sure that in the common name field you use the wildcard symbol: e.g.
   *.example.com
   Also check the checkbox that it concerns a wildcard common name
   Fill out the rest of the info according to your situation. At the bottom, there’s option to add other names; remove all of them (if any). Go to next page and download the CSR, finish the wizard.
2. on the GoGetSSL page create the new/renew the SSL certificate with the by Zimbra generated CSR. Finish up the entire process, including the validation. All the way up to that the certificate is issued and files can be downloaded. Choose to download the ‘All files’ zip file. extract on your local system.
3. browse to: https://www.gogetssl.com/wiki/intermediate-certificates/sectigo-intermediate-root-certificates/
   On this page download the file: DV RSA Files > RSA DV Bundle with SHA-1 (TXT file)
4. go back to admin console > Configure > Certificates, click the domain in the list and then in top right corner, choose install certificate. This time you choose the 3rd option: install commercial signed certificate. First screen of the wizard shows the info you entered earlier for the CSR. The info may show up empty. For me this didn’t give me any problems, so I left it. On the next screen: You have to upload 3 certificate files by default, but we need to upload 4, so we need to do Add Intermediate CA for the fourth file.

Choose files as follows:

• Certificate: server certificate from the zip file: e.g. _example.com.crt
• Root CA: RSA DV Bundle with SHA-1 (TXT file), from the link above
• Intermediate CA: USERTrust_RSA_Certification_Authority.crt from zip file
• (Added) Intermediate CA: AAA_Certificate_Services.crt

NOTE: I can’t remember which Intermediate CA I chose first, so if any problems, try switching the last 2 mentioned files around.

Finish the wizard and test by sending and receiving email.

Then I take the certificates and update other servers with these certificates. (e.g. nginx, apache2, etc). Note: you may need to get the commercial.key file for use on other servers. On linux this file is located in: /opt/zimbra/ssl/zimbra/commercial/
If permission denied, you may use root account or do: sudo su — zimbra

I hope this helps for people struggling with the same certificate and zimbra