[SOLVED] ZCS 5.0.1 OS Edition certificate problems - Followed threads, still have pro
I've read the relevant threads on this problem... but none of them work for me.
SSL Certificate Problems - Zimbra :: Wiki
I did an upgrade from 4.5.10 to 5.0.0 and then to 5.0.1 some time ago. The upgrades went fine. After running for a few weeks though, I had a certificate expire.
The system in question is running RHEL 4 Update 6 and the RHEL 4 i386 version of ZCS 5.0.1 OS Edition.
Anyway, it appears my mailboxd certificate expired today. I logged into the admin console, looked at the certs, and it said that there were three of them: two of them were still good into 2012 (if I remember correctly), but the one for mailboxd was expired as of today. I tried using the cert install feature of the admin console and checked "reinstall" or "overwrite" or whatever it was. That failed. After the failure, I seemed to have two certs and no cert for mailboxd. After that, inbound and outbound mail stopped working.
So, I tried following the instructions at the first URL above... and there were two missing commands... zmcreateca and zmcreatecert are MISSING. There are sections of the document that say they are for up to 4.5 and others that say they are for 5+. I followed them all as much as possible... but with missing commands... it wasn't going to work.
Then I found the second URL mentioned above. All of the instructions worked... and my system was now able to send and receive mail (inbound and outbound worked again)... but I can NO LONGER log in to the admin console AND the web certificate is still expired... so the fix didn't fix anything... and only made the situation worse.
How do I fix this?
While there are lots of instructions, they are basically a jumbled mess... and in many ways non-functional. I've been running Zimbra for over two years and have had to fix expired certs twice before... on pre-5 systems and the instructions worked.
I considered deleting my cert dirs and trying to do an install/upgrade of the same version on top of itself but decided that since I have a certain level of functionality, I don't want to make it any worse.
Thanks in advance!
Oddly enough... it has healed some
After not messing with it all night... and trying to log in to the admin interface this morning... lo and behold I can get into the Admin Console again. I won't ask why because I'm just happy it is working. :)
I did though restart the machine at least once, stop and restart the zimbra service as root several times during the various processes to see if the changes worked... so why it works now when it wouldn't last night is a mystery. I did quit my browsers and start them back up again a few times as well... but who knows... maybe I didn't do it in the perfect order... or maybe I should have flushed my browser cache too?!
Anyway, I still have a lot of logs to check through to see what if any pieces are still broken.
The web certificate is still expired so the original problem still remains.
I have one other Zimbra setup completely unrelated to the one I've been writing about that also had the web certificate expire yesterday... and I really don't know where to begin with it. I don't want to break it in the ways I broke this one.
It would be nice to see documentation that explains what is going on and why things are done so as to better understand the process... instead of just following a recipe.
The first URL mentioned above does do a bit of explanation... but it still feels incredibly like a black box. Perhaps there is documentation out there explaining how Zimbra operates in finer detail so it is understandable by non-developers... and if so I'm sorry I haven't looked hard enough for it yet. Pointers would be appreciated.
I'll be happy to grep logs for anything but given the number of logs and their volumes, I didn't want to just start pasting stuff in here just because it looks like an error message... because it might not be related. Guidance please.
I do want to state just how much I like the Zimbra Collaboration Suite and how I've been using it for two years and have been promoting it by writing about it on my website some and also sending notices to various Linux news sites about Zimbra updates... and a few of them have picked them up. I mention this stuff not to say that I'm owed anything... but just to prove how much I believe in Zimbra as the best darn mail solution that exists.
Unfortunately I haven't needed many of the additional features in the Network Edition (except perhaps for technical support, eh?) and have not really contributed to the company in a financial way.
The only significant problems I've had with Zimbra have been related to certificate expirations. The last couple of times I regen'ed them I attempted / wanted to extend them for 5 years (rather than 1 year) but there are / were bugs where it didn't work without some script (rather than configuration) editing and I was wary of that.
I hope that the next few releases are able to expand and improve on the certificate management features in the Admin Console... and that problems related to certificates become less frequent. As more and more people upgrade to 5.0.1, I can imagine a rash of cert problems until all of this is fleshed out... and I hope it isn't just me.