I recently had to recreate the SSL certificate of a Zimbra server and surprisingly it was not as easy as the documentation looked like, so I’d like to document how it is done and make comments on some difficulties that might come up.
So this is how it is done (on a Ubuntu Server running Zimbra Network edition 6.0.16 GA):
- SSH into the server, login as root
- Switch to the zimbra-user using
su - zimbra
- Then run the following commands:
sudo /opt/zimbra/bin/zmcertmgr createca -new sudo /opt/zimbra/bin/zmcertmgr deployca sudo /opt/zimbra/bin/zmcertmgr deploycrt self
- Restart Zimbra. To do so, as user zimbra, issue these commands (no sudo here):
/opt/zimbra/bin/zmcontrol stop /opt/zimbra/bin/zmcontrol start
So the difficulties I had and some remarks:
- sudo kept asking me for a password when I typed in
sudo zmcertmgr createca -new
Seems I am not the only one with this problem. The zmcertmgr command is white-listed in /etc/sudoers so you should normally not be asked for a password. Run the following command to edit /etc/sudoers (do not edit it in any other way!)
visudo
So make sure in this file the following line is included:
%zimbra ALL=NOPASSWD:/opt/zimbra/bin/zmcertmgr
The % at the beginning seems to belong there. Note that the zimbra wiki has typo (zm
vertmgr) in this line.
But although I had this line in there, sudo kept asking me for the password. So what finally worked was invoking zmcertmgr with the complete path (as done above).
Update: It seems I had a typo in here myself. Make sure it is “zmcertmgr” and not “zmzertmgr” 😉
Thanks to the comment by erolha! - In the Zimbra Release notes, the last command for updating the certificate is
sudo zmcertmgr deploycrt self -new
I got this error:
Can't deploy cert for -new. Unknown service.
Without -new (and the complete path), it went through well.
- No zimbra documentation I found mentions that a restart of zimbra is required, but without a restart, the old certificate was still used when opening the webmailer or the admin interface via https.
I hope I could help some of you that run into one of these problems.