Results 1 to 6 of 6

Thread: [SOLVED] Zimbra 6 mailboxd and zmmailboxdctl do not start after upgrade (solution)

  1. #1
    Join Date
    Jul 2006
    Location
    Australia, ACT
    Posts
    197
    Rep Power
    9

    Smile [SOLVED] Zimbra 6 mailboxd and zmmailboxdctl do not start after upgrade (solution)

    Short Explanation
    Step 1: Re-create and install self-signed SSL certificates.
    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    Or (if the /opt/zimbra/bin/zmcertmgr viewdeployedcrt indicates that the SSL certificate was not updated) 
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    As zimbra:
    zmcontrol stop && zmcontrol start
    From Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

    How to solve the Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
    If you see this receive this error for the command: /opt/zimbra/bin/zmcertmgr deploycrt self
    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.
    
    Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
    	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    	at java.security.KeyStore.load(KeyStore.java:1185)
    	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:98)
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    	... 3 more
    
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Then the solution is to do this as root:
    Code:
    # mv /opt/zimbra/mailboxd/etc/keystore /root/keystore.old
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    See Ajcody-Notes-SSLCerts - Keystore Password Errors - Server Move Stuff - Zimbra :: Wiki

    Step 2: Re-install your commercial SSL certificates (if any)
    Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
    RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki

    Long Explanation
    Upgraded a Zimbra 5.0.18 SLES10 server last night and everything went well with the install upgrade. And even when the Zimbra service started no errors were reported and all services appeared to start OK.

    However, when trying to access Zimbra Admin UI or Zimbra Web UI, no response. Running
    Code:
    zmcontrol status
    shows that the mailbox process is not running at all!

    Check the /var/log/zimbra.log and there are no errors about mailbox but a lot of email being deferred as the mailbox server is not available.

    The only errors are reported in /opt/zimbra/log/zmmailboxd.out
    Code:
    Zimbra server reserving server socket port=110 bindaddr=null ssl=false
    Zimbra server reserving server socket port=995 bindaddr=null ssl=true
    Fatal error. exception while binding to ports.
    Java.net.BindException: cannot assign requested address
    The above error message are misleading and from searching the forums can indicate any number of problems (see references below) from DNS to networking etc.

    In my case, what worked was to replace the commercial SSL certificate which were valid and installed correctly (working in ZCS 5) with new self-signed certificate. And then to re-install the commercial SSL certificate again. Thinking about this again, you can probably just skip the self-signed SSL install and just re-install the commercial SSL. Will try that next time.

    It is important to note that the commercial SSL certificate had NOT expired and was working fine in Zimbra 5.

    Steps are below:
    1. Make sure you have a backup of the commercial certificate, csr etc and root certificate as these are just about to be deleted!

    As root:
    Code:
    cp -r /opt/zimbra/ssl/zimbra/commercial ~/ssl-backup
    2. Reset the certificates with a self-signed certificate, Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr deploycrt self
    As zimbra:
    Code:
    zmcontrol stop && zmcontrol start
    3. Re-install your commercial SSL certificates
    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /root/ssl-backup/commercial.crt  /root/ssl-backup/commercial_ca.crt
    As zimbra:
    Code:
    zmmailboxdctl stop
    zmmailboxdctl start
    Now check Zimbra status with zmcontrol status and via Web Mail

    Other methods to install SSL certificates:
    Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
    RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki


    Some other possible solutions:
    https://www.zimbra.com/forums/admini...t-running.html
    http://www.zimbra.com/forums/install...-ssl-cert.html
    http://www.zimbra.com/forums/adminis...mplemente.html
    http://www.zimbra.com/forums/install...nate-port.html
    http://www.zimbra.com/forums/adminis...mmailboxd.html
    Last edited by greenrenault; 02-20-2011 at 07:46 PM. Reason: Add solution for the Keystore was tampered with, or password was incorrect

    http://agilemail.com.au

    Your Australian Zimbra experts
    Sales, consulting, installation, support

  2. #2
    Join Date
    Jul 2007
    Location
    Fiji
    Posts
    38
    Rep Power
    8

    Default

    one error the log shows:

    Zimbra server reserving server socket port=995 bindaddr=null ssl=true
    </pre>and then dies... this how I suspected it has nothing to do with port 995 being already used but more with SSL

  3. #3
    Join Date
    Jul 2006
    Location
    Australia, ACT
    Posts
    197
    Rep Power
    9

    Smile Thanks

    Thanks and correct. Updated the error message.

    http://agilemail.com.au

    Your Australian Zimbra experts
    Sales, consulting, installation, support

  4. #4
    Join Date
    Nov 2006
    Location
    Canada
    Posts
    69
    Rep Power
    9

    Default

    When I tried to follow those instructions I got errors about it trying to create the 'jetty.pkcs12' file when generating a self-assigned SSL certificate.

    I ended up manually re-installing my commercial SSL Certificate using zmcertmgr. Hopefully this will help others.

    Installing a IPSCA Commercial Certificate - Zimbra :: Wiki

  5. #5
    Join Date
    Apr 2011
    Posts
    3
    Rep Power
    4

    Default Exactly what I needed, Zimbra 7.1.3

    Thanks GreenRenault! this is exactly what we encountered when migrating from a CentOS 5.7 box running 7.1.3 to CentOS 6.0 running 7.1.3.

    Very big help!

  6. #6
    Join Date
    Apr 2012
    Posts
    1
    Rep Power
    3

    Default

    Quote Originally Posted by greenrenault View Post
    Short Explanation
    Step 1: Re-create and install self-signed SSL certificates.
    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    Or (if the /opt/zimbra/bin/zmcertmgr viewdeployedcrt indicates that the SSL certificate was not updated) 
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /opt/zimbra/bin/zmcertmgr deploycrt self
    
    As zimbra:
    zmcontrol stop && zmcontrol start
    From Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

    How to solve the Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
    If you see this receive this error for the command: /opt/zimbra/bin/zmcertmgr deploycrt self
    Code:
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.
    
    Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
    	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
    	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
    	at java.security.KeyStore.load(KeyStore.java:1185)
    	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:98)
    Caused by: java.security.UnrecoverableKeyException: Password verification failed
    	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
    	... 3 more
    
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Then the solution is to do this as root:
    Code:
    # mv /opt/zimbra/mailboxd/etc/keystore /root/keystore.old
    # /opt/zimbra/bin/zmcertmgr deploycrt self
    See Ajcody-Notes-SSLCerts - Keystore Password Errors - Server Move Stuff - Zimbra :: Wiki

    Step 2: Re-install your commercial SSL certificates (if any)
    Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
    RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki

    Long Explanation
    Upgraded a Zimbra 5.0.18 SLES10 server last night and everything went well with the install upgrade. And even when the Zimbra service started no errors were reported and all services appeared to start OK.

    However, when trying to access Zimbra Admin UI or Zimbra Web UI, no response. Running
    Code:
    zmcontrol status
    shows that the mailbox process is not running at all!

    Check the /var/log/zimbra.log and there are no errors about mailbox but a lot of email being deferred as the mailbox server is not available.

    The only errors are reported in /opt/zimbra/log/zmmailboxd.out
    Code:
    Zimbra server reserving server socket port=110 bindaddr=null ssl=false
    Zimbra server reserving server socket port=995 bindaddr=null ssl=true
    Fatal error. exception while binding to ports.
    Java.net.BindException: cannot assign requested address
    The above error message are misleading and from searching the forums can indicate any number of problems (see references below) from DNS to networking etc.

    In my case, what worked was to replace the commercial SSL certificate which were valid and installed correctly (working in ZCS 5) with new self-signed certificate. And then to re-install the commercial SSL certificate again. Thinking about this again, you can probably just skip the self-signed SSL install and just re-install the commercial SSL. Will try that next time.

    It is important to note that the commercial SSL certificate had NOT expired and was working fine in Zimbra 5.

    Steps are below:
    1. Make sure you have a backup of the commercial certificate, csr etc and root certificate as these are just about to be deleted!

    As root:
    Code:
    cp -r /opt/zimbra/ssl/zimbra/commercial ~/ssl-backup
    2. Reset the certificates with a self-signed certificate, Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca
    /opt/zimbra/bin/zmcertmgr deploycrt self
    As zimbra:
    Code:
    zmcontrol stop && zmcontrol start
    3. Re-install your commercial SSL certificates
    As root:
    Code:
    /opt/zimbra/bin/zmcertmgr deploycrt comm /root/ssl-backup/commercial.crt  /root/ssl-backup/commercial_ca.crt
    As zimbra:
    Code:
    zmmailboxdctl stop
    zmmailboxdctl start
    Now check Zimbra status with zmcontrol status and via Web Mail

    Other methods to install SSL certificates:
    Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
    RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki


    Some other possible solutions:
    https://www.zimbra.com/forums/admini...t-running.html
    http://www.zimbra.com/forums/install...-ssl-cert.html
    http://www.zimbra.com/forums/adminis...mplemente.html
    http://www.zimbra.com/forums/install...nate-port.html
    http://www.zimbra.com/forums/adminis...mmailboxd.html
    I have same problem, but this not solved in my case :

    [zimbra@mx1 ssl-beneran]$ keytool -list -keystore /opt/zimbra/jetty/etc/keystore -storepass `zmlocalconfig -m nokey -s mailboxd_keystore_password`

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    jetty, Apr 9, 2012, keyEntry,
    Certificate fingerprint (MD5): 84:8D:01:A8:27:8B:CA:43:A2:85:82:E60:86:EF:11
    [zimbra@mx1 ssl-beneran]$ zmmailboxdctl stop
    Stopping mailboxd...mailboxd is not running.
    [zimbra@mx1 ssl-beneran]$ zmmailboxdctl start
    Starting mailboxd...done.
    [zimbra@mx1 ssl-beneran]$ zmmailboxdctl status
    mailboxd is not running.
    CompilerOracle: exclude com/zimbra/cs/session/SessionMap putAndPrune
    CompilerOracle: exclude com/zimbra/cs/mailbox/MailItem delete
    0 INFO [main] log - Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
    Zimbra server reserving server socket port=110 bindaddr=null ssl=false
    Zimbra server reserving server socket port=995 bindaddr=null ssl=true
    Fatal error: exception while binding to ports
    java.net.SocketException: Unbound server sockets not implemented
    at javax.net.ServerSocketFactory.createServerSocket(S erverSocketFactory.java:80)
    at com.zimbra.common.util.NetUtil.newBoundServerSocke t(NetUtil.java:97)
    at com.zimbra.common.util.NetUtil.bindServerSocket(Ne tUtil.java:165)
    at com.zimbra.common.util.NetUtil.bindSslTcpServerSoc ket(NetUtil.java:56)
    at com.zimbra.common.handlers.PrivilegedHandler.openP orts(PrivilegedHandler.java:93)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.mortbay.xml.XmlConfiguration.call(XmlConfigura tion.java:534)
    at org.mortbay.xml.XmlConfiguration.configure(XmlConf iguration.java:244)
    at org.mortbay.xml.XmlConfiguration.configure(XmlConf iguration.java:206)
    at org.mortbay.xml.XmlConfiguration.main(XmlConfigura tion.java:968)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.mortbay.start.Main.invokeMain(Main.java:183)
    at org.mortbay.start.Main.start(Main.java:497)
    at org.mortbay.start.Main.main(Main.java:115)

Similar Threads

  1. Replies: 5
    Last Post: 01-16-2009, 06:13 PM
  2. Mailboxd fails to start
    By sfoe in forum Installation
    Replies: 4
    Last Post: 10-26-2008, 02:28 AM
  3. [SOLVED] 5.0 RC1 - mailboxd won't start after a reboot
    By staufj22 in forum Installation
    Replies: 17
    Last Post: 10-22-2007, 09:26 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •