certificate_in_possibly_stale_keystore

Zimbra

Introduction

After installing a Let's Encrypt certificate via the beautiful /opt/letsencrypt-zimbra/obtain-and-deploy-letsencrypt-cert.sh, the certificate of the admin console (accessible via port 7071) had not been updated. The keystore is located at /opt/zimbra/mailboxd/etc/keystore.

```
zmcertmgr viewdeployedcrt all
```

```
SubjectAltName=mail.domain.tld
NOTE: possibly stale keystore: /opt/zimbra/mailboxd/etc/keystore
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jul 31 20:31:04 2021 GMT
notAfter=Oct 29 20:31:02 2021 GMT
subject=CN = mail.domain.tld
issuer=C = US, O = Let's Encrypt, CN = R3
```

  1. Find the keystore password in the Zimbra configuration

```
zmlocalconfig -s | grep mailboxd_keystore_password
```

  2. Create a PKCS12 file with the certificate, chain and the private key (as the zimbra user)

```
openssl pkcs12 -export -name jetty -in /opt/zimbra/ssl/zimbra/commercial/commercial.crt -inkey /opt/zimbra/ssl/zimbra/commercial/commercial.key -out jetty.p12
```

  3. cd to /opt/zimbra/mailboxd/etc/

```
cd /opt/zimbra/mailboxd/etc/
```

  4. Copy /tmp/tmp.Jlr8nDRlEp/0000_cert.pem (or the corresponding path created by the certificate generation script) to mailboxd.pem

```
cp /tmp/tmp.Jlr8nDRlEp/0000_cert.pem mailboxd.pem
```

  5. Delete the current certificate from the keystore if the keystore has not been tampered with and is not corrupt; otherwise delete the keystore file (replace passwd with the password found in step 1)

```
keytool -delete -alias jetty -keystore keystore -storepass passwd
```

  6. Import the PKCS12 keystore into the keystore (haha)

```
keytool -importkeystore -destkeystore keystore -srckeystore jetty.p12 -srcstoretype pkcs12
```

Then restart the Zimbra services:

```
zmcontrol restart
```
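
To confirm the result of the steps above, the following added example (not part of the original page) extracts the stale-keystore note from `zmcertmgr viewdeployedcrt all` output and compares the certificate stored under the jetty alias with commercial.crt. It assumes openssl and keytool are on PATH and that the environment variable KS_PASS (a name chosen for this example) holds the keystore password; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl and keytool are on
# PATH and that KS_PASS holds the value of mailboxd_keystore_password.

# Print keystore paths that zmcertmgr flagged as possibly stale (output on stdin).
stale_keystores() {
    sed -n 's/^NOTE: possibly stale keystore: //p'
}

# Reduce an "openssl x509 -fingerprint" line to lowercase hex without colons.
norm_fp() {
    sed -n 's/^.*[Ff]ingerprint=//p' | tr -d ':\r' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | norm_fp
}

# SHA-256 fingerprint of the certificate stored under an alias in a keystore.
# -storepass:env reads the password from KS_PASS, keeping it off the command line.
alias_fp() {
    keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass:env KS_PASS |
        openssl x509 -noout -fingerprint -sha256 | norm_fp
}

# Return 0 only when the keystore alias holds the same certificate as the PEM file.
# An empty fingerprint (unreadable file, wrong password) counts as a mismatch.
keystore_matches() {
    want=$(pem_fp "$2")
    have=$(alias_fp "$1" "$3")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Run the comparison only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    ks=/opt/zimbra/mailboxd/etc/keystore
    crt=/opt/zimbra/ssl/zimbra/commercial/commercial.crt
    if keystore_matches "$ks" "$crt" jetty; then
        echo "OK: alias jetty in $ks matches $crt"
    else
        echo "MISMATCH: alias jetty in $ks differs from $crt" >&2
        exit 1
    fi
fi
```

Run it as the zimbra user with `--check` after the restart; without arguments it only defines the functions.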
certificate_in_possibly_stale_keystore.txt · Last modified: 2021/11/11 12:03 by inc002