Zimbra Upgrade (Take Two)

Ok going from 6.0.2 -> 6.0.5 NE on RHEL 4.x (Yes I know that the next major version won’t support 4.x) and I was hoping for a nice smooth upgrade, the previous SSL Comercial cert problems now showing as fixed in the bugtracker, however at the end of the process and I’m getting the same “Expired Cert” warning messages from email clients and the like….

So as root

cd /opt/zimbra/ssl/zimbra
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.6.0.2/commercial/commercial.crt commercial.6.0.2/commercial/commercial_ca.crt

Restart the services using ZMProv and all is good.

Zimbra upgrade

Note: I originally posted this on a different website, but have since re-purposed that site, and having had this post help me out twice I figure it was worth keeping ;-)

Update: Bug 41683 is now showing as fixed in 6.0.4

So last night was the chosen time to upgrade the Zimbra install at work, all offices were shut, most people shouldn’t be working and if they were then an hour without email shouldn’t be too much to have to cope with.

With offices in San Francsico and also Dubai the time when server changes that impact everyone can be made is from midnight Friday through to 05:00 on Sunday morning (Dubai has Friday and Saturday as its weekend)

All seemed to go fine with the upgrade until I checked the installed certificate, this had reverted to an earlier, now expired cert.  Using the admin interface to attempt a reinstall with newer server certificate failed with:

Invalid Request
Message: invalid request: missing required attribute: server Error code: service.INVALID_REQUEST Method: GetCertRequest Details:soap:Sender

So a quick hunt around the support forums, a bit of googling later and with no obvious answer found (and an impending deadline) it was time to log a support ticket.

Shortly the landline rang and it was time to give over access of the mail server to Zimbra support to have a look and fix the problem. 10 Minutes later and all was sorted.  It was a known bug (42216 / 41683) which is due to be fixed in 6.0.4

However the interim solution is to redeploy the commercial cert.
cd /opt/zimbra/ssl/zimbra/commercial
/opt/zimbra/bin/zmcertmgr verifycrt comm ./commercial.key ./commercial.crt ./commercial_ca.crt

Then if all looks good:
/opt/zimbra/bin/zmcertmgr deploycrt comm ./commercial.crt ./commercial_ca.crt

And you’re back up and running with the correctly installed commercial certificate.

Hopefully this is useful to someone, will probably need this again for the 6.0.3 upgrade