Migration tool: migrate Certificates?

  1. #1
    Active Member
    Join Date
    Jun 2012
    Location
    Verona, Italia
    Posts
    12

    Migration tool: migrate Certificates?

    Hello and congratulations to the developers of this project.
    I am going to migrate a physical Zimbra 7.2.2 server on CentOS 5 x86 to a virtual machine running CentOS 6 x86_64, with the same version of Zimbra.
    I have set up the new machine with two LAN cards, one with the same IP but disconnected and the second usable via DHCP. The new machine has the same hostname as the old one. The migration took place and ended successfully. But I have this question: do I have to copy the certificates from the old server to the new one?
    thanks

    Luciano

  2. #2
    Senior Member Known ZeXtras Reseller
    Join Date
    Feb 2013
    Posts
    80
    If the service names are the same, i.e. the CN, then yes, as there is no reason not to take the certificate across. I do not think zxmig will do that for you, though, so there will be some manual work.

  3. #3
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Posts
    2,365
    Hello lucianog!

    As INNOVOT correctly stated, the ZeXtras Migration Tool and ZeXtras Suite will not automatically transfer and install SSL certificates to the new server, so it has to be done manually...

    Have a nice day,
    Cine
    the ZeXtras Team

  4. #4
    Active Member
    Join Date
    Jun 2012
    Location
    Verona, Italia
    Posts
    12
    Ok! Thank you.
    Can I get information on the location of the certificates in the Zimbra administration manual?

    Quote: Originally Posted by Cine
    Hello lucianog!

    As INNOVOT correctly stated, the ZeXtras Migration Tool and ZeXtras Suite will not automatically transfer and install SSL certificates to the new server, so it has to be done manually...

    Have a nice day,
    Cine
    the ZeXtras Team

  5. #5
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    571
    Yes, Luciano, you can take a look at the Zimbra Wiki for SSL certificate management.
    I can suggest the official guide for 32->64 migration:

    4) If the original server was running with commercial certificates, copy those over as well.
    • The tomcat keystore (http, pop, and imap) is /opt/zimbra/tomcat/conf/keystore. (In 5.0.x, the jetty keystore (http, pop, and imap) is /opt/zimbra/mailboxd/etc/keystore.)
    • When transferring the keystore file, be sure to transfer the keystore password to the new system otherwise the mailbox server will not start.
      Run on old system
      Code:
      zmlocalconfig -s mailboxd_keystore_password
      On new system
      Code:
      zmlocalconfig -e mailboxd_keystore_password=thepassword
    • If any root certificates were added to the cacerts keystore, that is /opt/zimbra/java/jre/lib/security/cacerts on linux or /System/Library/Frameworks/JavaVM.framework/Versions/1.5/Home/lib/security/cacerts on Mac OS X, copy cacerts to the new server.
    • The postfix certificates (smtp) are /opt/zimbra/conf/smtpd.crt and smtpd.key. If you are using the certificates for nginx, perdition, or ldap (slapd) they are also in /opt/zimbra/conf/; they should normally be identical to the postfix certificate files.


    Or you can also check this one, where someone preferred to re-create the certificates on the new server:
    I found that I couldn't successfully copy the SSL certs so I simply delete and re-create them on the new server. If commercial certs are used then I guess they will need to be manually re-imported after the migration.
    Code:
    echo "Deleting old SSL certs"
    rm -rf "$zimbraLocation"/ssl
    mkdir "$zimbraLocation"/ssl
    chown zimbra:zimbra "$zimbraLocation"/ssl
    chown zimbra:zimbra "$zimbraLocation"/java/jre/lib/security/cacerts
    chmod 644 "$zimbraLocation"/java/jre/lib/security/cacerts
    su - zimbra -c 'keytool -delete -alias my_ca -keystore '"$zimbraLocation"'/java/jre/lib/security/cacerts -storepass changeit'
    #Next line is ugly hack because I always got an error using keytool
    rm -f "$zimbraLocation"/mailboxd/etc/keystore
    echo "Creating new SSL certs"
    "$zimbraLocation"/bin/zmcertmgr createca -new
    "$zimbraLocation"/bin/zmcertmgr deployca -localonly
    "$zimbraLocation"/bin/zmcertmgr createcrt self -new
    "$zimbraLocation"/bin/zmcertmgr deploycrt self
    Or finally this old guide that I never tried


    D0s0n
    ZeXtras Website # ZeXtras Wiki # ZeXtras Store

    Head of ZeXtras System Administrators
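
The guide quoted in the post above copies the keystore, cacerts and the postfix certificate pair by hand, which leaves open whether the files arrived intact and whether the private key ended up readable by every local user. The shell functions below are an added example, not part of the thread or of Zimbra's tooling; the function names and the "no access for other users" policy are assumptions, and the paths are the ones named in the guide, relative to /opt/zimbra.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Old server:  make_manifest /opt/zimbra > certs.sha256
# New server:  verify_transfer /opt/zimbra certs.sha256

# Files the guide says to copy (jetty keystore path; on releases that use
# the tomcat keystore, list tomcat/conf/keystore instead).
CERT_FILES="mailboxd/etc/keystore
java/jre/lib/security/cacerts
conf/smtpd.crt
conf/smtpd.key"
# Files holding private keys. Assumed policy: no access for "other".
SECRET_FILES="mailboxd/etc/keystore
conf/smtpd.key"

# Print "sha256  relative/path" for each listed file present under root $1.
make_manifest() {
    ( cd "$1" || exit 1
      for f in $CERT_FILES; do
          if [ -f "$f" ]; then sha256sum "$f" || exit 1; fi
      done )
}

# Return 0 if every manifest entry matches under root $1 and no secret
# file has any permission bit set for "other"; return 1 otherwise.
verify_transfer() {
    root=$1; manifest=$2; rc=0
    if ! ( cd "$root" && sha256sum -c - ) < "$manifest" >/dev/null 2>&1; then
        echo "FAIL: checksum mismatch or missing file under $root" >&2
        rc=1
    fi
    for f in $SECRET_FILES; do
        [ -f "$root/$f" ] || continue
        case $(ls -ld "$root/$f") in
            -??????---*) ;;   # rwx bits for "other" are all clear
            *) echo "FAIL: $f is accessible to other users" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

The manifest contains only hashes and paths, so it can travel over any channel; the keystore and smtpd.key themselves should go over an encrypted one.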

  6. #6
    Active Member
    Join Date
    Jun 2012
    Location
    Verona, Italia
    Posts
    12
    Thank you, d0s0n!

    L.

  7. #7
    Active Member
    Join Date
    Jun 2012
    Location
    Verona, Italia
    Posts
    12
    More info ...

    I have now successfully migrated a Zimbra 7.2.2 32-bit server to a 64-bit system, CentOS 6.3. On my network I have about 10 Zimbra Desktop Clients (latest release). After the migration, the ZDC clients always ask for the password. I would like to understand why the ZDC clients ask for the password and therefore no longer synchronize with the new server.
    On one PC, I removed the Zimbra account and then recreated it; this one has synchronized properly. Question: where does ZDC store the certificates? If it is an issue of certificates ....
    Thank you all.

    Luciano.

  8. #8
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    571
    Hi Luciano,

    Your problem is not related to the certificates; it is normal behavior with a migration. It is caused by the change of the IDs during the restore.
    So you have found the only solution for your issue: recreate and resync all ZDC accounts.

    D0s0n



  9. #9
    Active Member
    Join Date
    Jun 2012
    Location
    Verona, Italia
    Posts
    12
    Thanks D0s0n!
    The surgical solution! Eh Eh!

    Bye
    L.

  10. #10
    Active Member
    Join Date
    Dec 2016
    Posts
    6
    Quote: Originally Posted by Cine
    Hello lucianog!

    As INNOVOT correctly stated, the ZeXtras Migration Tool and ZeXtras Suite will not automatically transfer and install SSL certificates to the new server, so it has to be done manually...

    Have a nice day,
    Cine
    the ZeXtras Team
    Hello Cine,

    Just curious if the latest version of the Migration tool will move the SSL Certificates? Also does it move any customized spam assassin rules?

    Thanks,
    Daniel
