Thread: [SOLVED] After install ssl, ldap can't start

  1. #1

    My system uses Ubuntu 8.04 64-bit LTS + ZCS 6.0.1 GA 1816.

    After installing the SSL cert via the web admin, it said the install was successful. Then
    zmcontrol stop
    and then
    zmcontrol start

    zimbra@mail:~$ zmcontrol start
    Host mail.xxxxxx.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.

    Help me.

  2. #2

    You don't say if the server is working otherwise. Try searching the forum for ldap unable determine services and you'll find that the error message can be benign, or if not in your case, what info you need to post for folks to troubleshoot.

  3. #3

    Quote Originally Posted by ewilen
    You don't say if the server is working otherwise. Try searching the forum for ldap unable determine services and you'll find that the error message can be benign, or if not in your case, what info you need to post for folks to troubleshoot.
    This is a trash reply. Can anybody help me?

  4. #4

    I have the same issue - albeit on a 32-bit CentOS 5.3 install.

    The cert is a GlobalSign wildcard certificate that installs and works just fine in Exim, Apache, lighttpd, Courier-IMAP and Dovecot; I had problems getting it to install at first due to Zimbra not using OpenSSL's own root CA repository.

    Our GlobalSign cert required the GlobalSign root cert to be added to the intermediate cert in order for Zimbra to verify and install it - something which I didn't anticipate, but I'm not averse to going a little out of my way to sort out something simple like a cert trust path.

    Nevertheless, the certificate installed with no issues once I did that, but like you, I'm seeing the exact same issue - which magically goes away when I do a '/opt/zimbra/bin/zmcertmgr deploycrt' and Zimbra generates/installs a new self-signed cert.

    The documentation is horrible - a product geared towards enterprise use should have extensive docs (especially on the SSL parts; we manage/install/support 500+ SSL certs as a GlobalSign partner and like to think we know what we are doing but this issue has us well and truly stumped).

    The closest I can get to finding the problem is:

    zmmtaconfig.log:Sat Oct 3 10:43:38 2009 gs:*******.example.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

    (why oh why don't you echo this to stderr rather than dumping it in a logfile - at least print something to stderr to say, something bad happened, you can see what in /opt/zimbra/log/blahblah.log)

    I suspect this is due to the root/intermediate certificate problem I detailed earlier, but according to the zmcertmgr documentation, if our certificate and associated root/intermediate certs pass a 'verifycrt' and a 'verifycrtchain' like so:

    [root@****** certs]# /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
    ** Verifying commercial.crt against commercial.key
    Certificate (commercial.crt) and private key (commercial.key) match.
    Valid Certificate: commercial.crt: OK

    [root@******* certs]# /opt/zimbra/bin/zmcertmgr verifycrtchain commercial_ca.crt commercial.crt
    Valid Certificate Chain: commercial.crt: OK

    ... why does it not work as expected ?

    Add to that the cavalier attitude of the Zimbra devs towards an officially supported deployment platform of RHEL5 (that of Xen virtualization), and the fact that the issue detailed in Bug 23683 (Use posix mutexes on Linux builds to avoid Xen issues) is still not fixed in Zimbra 6.0.1 NE even though the Bugzilla entry is marked as 'FIXED', and it does not give me any confidence in the quality of the binaries they are throwing out.

    It isn't a pretty sight watching a dual Xeon 3.0GHz machine with 4GB of RAM fall to its knees while the zmlogger process periodically eats 90%+ of CPU time due to this particular issue.

    For one thing, Red Hat ship only *one* copy of OpenLDAP with their distro - it works perfectly with both non-Xen and Xen-enabled kernels; Zimbra's binary packages are specially customized for each distribution of Linux they support and the fact that they couldn't be bothered to investigate and implement the same fixes that OpenLDAP/Red Hat made to their binaries makes me feel that this attitude may be the same across the entire product.

    I'll point out to the Zimbra folks that while I'm running this on CentOS 5.3/i386, I can certainly duplicate both of the above issues on a genuine RHEL 5.3/i386 install also.

    We are currently seven days into a 60-day Network Edition evaluation license and definitely not liking it, because we can't even get the thing installed and working with SSL-only webmail (our one and only 'must have') due to the aforementioned cert problems. We eventually plan to become a Zimbra Hosting Partner, but if *I* don't feel comfortable in the quality of the product, or even using it internally within our own organization, there is no way I am going to ask our customers to make such a leap of faith when we aren't prepared to do it ourselves.

    Sorry to the OP for 'semi-hijacking' this thread with a 'me too!' response but hopefully my response will get someone to look into this as a matter of urgency.

    To any non-Zimbra folks who want to reply with 'you should search the forum for the answer'; I would like to inform you that I have searched for every single combination of SSL/LDAP issues on this forum but cannot find any solution which I have not already tried that does not work - removing .zmcontrol.cache, etc, etc.

    I look forward to a helpful and informative response from a Zimbra staffer.

    Regards,
    Terry Froy
    Spilsby Internet Solutions

  5. #5

    Quote Originally Posted by hoangkk
    My system uses Ubuntu 8.04 64-bit LTS + ZCS 6.0.1 GA 1816.

    After installing the SSL cert via the web admin, it said the install was successful. Then
    zmcontrol stop
    and then
    zmcontrol start

    zimbra@mail:~$ zmcontrol start
    Host mail.xxxxxx.com
    Starting ldap...Done.
    Run "ldap start" by itself, and see what error is reported. Most commonly, the cert provider failed to provide the full CA chain required for validating the cert, including whomever signed their CA.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
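Post #4 shows a commercial cert that passes zmcertmgr's own checks while the Java side still fails with "PKIX path building failed", and post #5 names the usual cause: the CA bundle handed to zmcertmgr does not go all the way up to the self-signed root that signed the provider's CA. The script below is an added example for checking a bundle before deploying it; it is not Zimbra code and is not what zmcertmgr verifycrtchain runs internally. It assumes only that the openssl command-line tool is installed and that the leaf certificate and the CA bundle are ordinary PEM files (the file names are placeholders). It walks the issuer chain from the leaf using nothing but the certificates in the bundle, names the first issuer that is missing, and then runs openssl verify, which rejects the same incomplete bundle for the same reason a Java trust manager does.

```shell
#!/bin/sh
# chain_check.sh - added example, not part of Zimbra or zmcertmgr.
# Checks that a CA bundle (the file you would hand to zmcertmgr as the
# CA chain) contains every issuer from the leaf certificate up to a
# self-signed root. A bundle that stops at the intermediate still lets
# the leaf's signature verify, but no complete path can be built from
# it, which is the condition behind Java's "unable to find valid
# certification path to requested target".
# Assumes the openssl CLI is present; file names are the caller's.

# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_bundle() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$bundle"
}

# Print the subject or issuer DN ($1 = subject|issuer) of certificate $2,
# with the "subject="/"issuer=" prefix stripped so the two compare directly.
dn_of() {
    field=$1
    cert=$2
    openssl x509 -noout "-$field" -in "$cert" | sed "s/^$field= *//"
}

# Walk from the leaf ($1) up the issuer chain using only certificates
# found in the bundle ($2). Prints each hop. Returns 0 once a self-signed
# root is reached, 1 when the next issuer is absent from the bundle.
chain_complete() {
    cur=$1
    bundle=$2
    work=$(mktemp -d) || return 2
    split_bundle "$bundle" "$work"
    depth=0
    status=1
    while [ "$depth" -le 10 ]; do
        subj=$(dn_of subject "$cur")
        issr=$(dn_of issuer "$cur")
        echo "[$depth] $subj"
        if [ "$subj" = "$issr" ]; then
            echo "reached self-signed root"
            status=0
            break
        fi
        next=""
        for c in "$work"/cert*.pem; do
            [ -f "$c" ] || continue
            if [ "$(dn_of subject "$c")" = "$issr" ]; then
                next=$c
                break
            fi
        done
        if [ -z "$next" ]; then
            echo "MISSING from bundle: $issr"
            break
        fi
        cur=$next
        depth=$((depth + 1))
    done
    [ "$depth" -gt 10 ] && echo "chain too deep, giving up"
    rm -rf "$work"
    return $status
}

# Cryptographic counterpart: openssl verify only accepts a chain that
# ends in a trusted self-signed root, so the same incomplete bundle
# fails here with "unable to get issuer certificate".
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone usage: sh chain_check.sh leaf.crt ca_bundle.crt
if [ "$#" -eq 2 ]; then
    chain_complete "$1" "$2"
    if verify_chain "$1" "$2"; then
        echo "openssl verify: OK"
    else
        echo "openssl verify: FAILED"
    fi
fi
```

Run it as `sh chain_check.sh commercial.crt commercial_ca.crt` before `zmcertmgr deploycrt comm commercial.crt commercial_ca.crt`. If the walk stops with a MISSING line, the DN it prints is the certificate the provider left out of the bundle (in post #4 that was the GlobalSign root); append it to the bundle and rerun. The script only checks that the path exists in the file you supply; it says nothing about which roots Zimbra's Java truststore already contains.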

  6. #6

    Quote Originally Posted by liteforce
    Add to that, the cavalier attitude of the Zimbra devs towards an officially supported deployment platform of RHEL5 (that of Xen virtualization) and the fact that the issue as detailed in Bug 23683 – Use posix mutexes on Linux builds to avoid Xen issues
    Actually, this issue has been fixed for ages. That doesn't mean Xen does not have its own issues that make it problematic for use. Your rant against Xen is entirely off topic for this thread. My guess is you are referring to the hack Xen has in place for 32-bit OSes and how it deals with thread local storage.

    Quote Originally Posted by liteforce
    For one thing, Red Hat ship only *one* copy of OpenLDAP with their distro - it works perfectly with both non-Xen and Xen-enabled kernels; Zimbra's binary packages are specially customized for each distribution of Linux they support
    Eh, again, you are incorrect here. We build OpenLDAP with the same options for all of our Linux builds. The only platform we do differently is Mac OS X, because it doesn't support epoll().

    And if you think Red Hat's build of OpenLDAP "works perfectly", you've obviously never used it. As a member of the OpenLDAP development team, I have first-hand experience with the multitude of issues caused by the way the Red Hat packagers have completely bypassed safeguards and hacked OpenLDAP with broken patches.

    Quote Originally Posted by liteforce
    and the fact that they couldn't be bothered to investigate and implement the same fixes that OpenLDAP/Red Hat made to their binaries makes me feel that this attitude may be the same across the entire product.
    I spent quite a bit of time investigating the thread local storage issue. It's clearly a hack in Xen, and it only pertains to 32-bit systems. Again, not a specific issue with what Zimbra does, but with how Red Hat implemented its virtualization product.

    Quote Originally Posted by liteforce
    I'll point out to the Zimbra folks that while I'm running this on CentOS 5.3/i386, I can certainly duplicate both of the above issues on a genuine RHEL 5.3/i386 install also.
    As noted several times now, this is a problem with the way Xen handles 32-bit Linux implementations and thread local storage.

    --Quanah

  8. #8

    I tried many ways, like
    copying the cert files to /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/ as in

    http://www.zimbra.com/forums/install...es-zimbra.html

    or cleaning out the older cert files as in

    http://www.zimbra.com/forums/adminis...ices-ldap.html

    or using the command to deploy the commercial cert,

    but my system status is
    Code:
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Host mail.domain.com
    	antispam                Running
    	antivirus               Running
    	ldap                    Running
    	logger                  Running
    	mailbox                 Running
    	mta                     Running
    	snmp                    Running
    	spell                   Running
    	stats                   Running
    and my system is still down: I can't access it via the web, and can't send or receive email.

    ---------------------------------

    Having gone through many ways to fix this problem, I have now fixed it in an unfamiliar way.
    Last edited by hoangkk; 10-08-2009 at 09:20 AM. Reason: Fix
