ERROR: openssl x509 -hash failed(1): unable to load certificate

Hello.

I wanted to install a Let's Encrypt certificate on a Zimbra mail server.
I went through
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

The command /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem gives me the output below:

zimbra@zimbra:~/ssl/letsencrypt$ /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
** Verifying ‘cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
Certificate ‘cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ match.
** Verifying ‘cert.pem’ against ‘chain.pem’
Valid certificate chain: cert.pem: OK
** Copying ‘cert.pem’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’
** Copying ‘chain.pem’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt’
** Appending ca chain ‘chain.pem’ to ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’
** Importing cert ‘/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt’ as ‘zcs-user-commercial_ca’ into cacerts ‘/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts’
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key ‘zimbraSSLCertificate’ via zmprov modifyServer zimbra.isteam.pl…ok
** Saving config key ‘zimbraSSLPrivateKey’ via zmprov modifyServer zimbra.isteam.pl…ok
** Installing imapd certificate ‘/opt/zimbra/conf/imapd.crt’ and key ‘/opt/zimbra/conf/imapd.key’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’ to ‘/opt/zimbra/conf/imapd.crt’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ to ‘/opt/zimbra/conf/imapd.key’
** Creating file ‘/opt/zimbra/ssl/zimbra/jetty.pkcs12’
** Creating keystore ‘/opt/zimbra/conf/imapd.keystore’
** Installing ldap certificate ‘/opt/zimbra/conf/slapd.crt’ and key ‘/opt/zimbra/conf/slapd.key’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’ to ‘/opt/zimbra/conf/slapd.crt’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ to ‘/opt/zimbra/conf/slapd.key’
** Creating file ‘/opt/zimbra/ssl/zimbra/jetty.pkcs12’
** Creating keystore ‘/opt/zimbra/mailboxd/etc/keystore’
** Installing mta certificate ‘/opt/zimbra/conf/smtpd.crt’ and key ‘/opt/zimbra/conf/smtpd.key’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’ to ‘/opt/zimbra/conf/smtpd.crt’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ to ‘/opt/zimbra/conf/smtpd.key’
** Installing proxy certificate ‘/opt/zimbra/conf/nginx.crt’ and key ‘/opt/zimbra/conf/nginx.key’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.crt’ to ‘/opt/zimbra/conf/nginx.crt’
** Copying ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ to ‘/opt/zimbra/conf/nginx.key’
** NOTE: restart services to use the new certificates.
** Cleaning up 6 files from ‘/opt/zimbra/conf/ca’
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/b46ce07a.0
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying ‘/opt/zimbra/ssl/zimbra/ca/ca.key’ to ‘/opt/zimbra/conf/ca/ca.key’
** Copying ‘/opt/zimbra/ssl/zimbra/ca/ca.pem’ to ‘/opt/zimbra/conf/ca/ca.pem’
** Creating CA hash symlink ‘b46ce07a.0’ -> ‘ca.pem’
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink ‘4f06f81d.0’ -> ‘commercial_ca_1.crt’
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
ERROR: openssl x509 -hash failed(1):
unable to load certificate
139859327575704:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1200:
139859327575704:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509_CERT_AUX
139859327575704:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

Can you help me with that?

Thank you.

Sounds like you may have missed the Build the proper Intermediate CA plus Root CA step.

What’s this show:

openssl crl2pkcs7 -nocrl -certfile ~/ssl/letsencrypt/chain.pem | openssl pkcs7 -noout -print_certs

Hello _az.

Thank you for the response.

zimbra@zimbra:~$ openssl crl2pkcs7 -nocrl -certfile ~/ssl/letsencrypt/chain.pem | openssl pkcs7 -noout -print_certs
subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

subject=/O=Digital Signature Trust Co./CN=DST Root CA X3
issuer=/O=Digital Signature Trust Co./CN=DST Root CA X3

One of the steps is called: Build the proper Intermediate CA plus Root CA.
In this step I have to download the root CA certificate from:
https://www.identrust.com/certificates/trustid/root-download-x3.html
and merge it with the chain.pem certificate, because chain.pem is generated without the root CA.
I did as described.
Perhaps something is wrong in this step?

That looks correct. The issue must be somewhere else.

I’ve fixed it.
I didn’t properly copy priv.key as the commercial.key needed by Zimbra.

Thank you for the help.

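The deploy log in this thread shows each CA certificate from chain.pem being written to its own file and hashed, with `openssl x509 -hash` failing on the second one. The script below is an added example, not part of the original thread or of Zimbra's tooling: it runs that same per-certificate check on a PEM bundle before deployment. The function name `check_bundle` is hypothetical, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight check for a PEM bundle such as chain.pem.
# Splits the bundle into one file per certificate block and runs
# "openssl x509 -hash" on each, so a block that does not parse as X.509
# is identified by its position in the bundle.

# check_bundle FILE
# Prints one line per block; the return status is the number of bad blocks
# (or 1 if the file contains no certificate block at all).
check_bundle() {
    bundle=$1
    workdir=$(mktemp -d) || return 255
    # Write each BEGIN/END CERTIFICATE block to $workdir/cert_N.pem.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert_" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
    bad=0
    i=1
    while [ -f "$workdir/cert_$i.pem" ]; do
        if cert_hash=$(openssl x509 -noout -hash -in "$workdir/cert_$i.pem" 2>/dev/null); then
            subject=$(openssl x509 -noout -subject -in "$workdir/cert_$i.pem")
            echo "block $i: OK hash=$cert_hash $subject"
        else
            echo "block $i: FAILED to load as an X.509 certificate"
            bad=$((bad + 1))
        fi
        i=$((i + 1))
    done
    if [ "$i" -eq 1 ]; then
        echo "no certificate blocks found in $bundle"
        bad=1
    fi
    rm -rf "$workdir"
    return "$bad"
}

# Stand-alone use: sh check_bundle.sh chain.pem
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

A non-zero status means at least one block in the bundle would not load, and the printed block number says which one to re-download or re-paste.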