Thread: [SOLVED] possible self signed SSL cert issues.

  1. #1

    First, a little background. This server has been up and running for almost 9 months now without any issues. It hosts 4 mail domains, all of which worked fine until 2 days ago, when both the web interface and Zimbra client connections went down.

    Ubuntu 8.04 LTS x64 hosted on VMWare VSphere 4.0


    Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition.



    I'm receiving the below errors when trying to start Zimbra. From my research on these forums, it appears to be an SSL cert issue (I'm just using self signed certs on this box)

    zimbra@mail:/root$ zmcontrol start
    Host mail.domain1.com
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
    zimbra logger service is not enabled! failed.


    Starting convertd...Done.
    Starting mailbox...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting snmp...Done.
    Starting spell...Done.
    Starting mta...Done.
    Starting stats...Done.


    Other posts have suggested trying to recreate the self-signed certs, but that also gives me errors. (found here)
    http://www.zimbra.com/forums/users/1...es-ldap-3.html

    When I run 'zmcertmgr createcrt -new -days 365' I get the following output

    root@mail:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101110102726
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101110102726
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.


    slapd is also running (and the only ldap process running)
    zimbra 22116 29672 0 10:22 pts/2 00:00:00 grep slapd




    Here is my /etc/hosts file. The last entry is for my BackupPC box (not related).
    Code:
    127.0.0.1 localhost.localdomain localhost
    172.21.1.75 mail.domain1.com mail
    172.21.1.75 mail.domain2.com mail
    172.21.1.75 mail.domain3.com mail
    172.21.1.75 mail.domain4.com mail
    172.21.1.76 backup.domain1.com backup

    Obviously I'm missing something here... did my cert expire out of the blue and hose my install, or what? I honestly haven't had to touch this install much at all until now, and I didn't do anything prior to it going down. I appreciate any direction.

  2. #2
    phoenix, Zimbra Consultant & Moderator

  3. #3

    I also checked the permissions and ran the reset script to make sure that wasn't an issue.

    Code:
    chown -R zimbra:zimbra /opt/zimbra
    /opt/zimbra/libexec/zmfixperms -verbose

    Thanks, I hadn't checked Yahoo, but I'm seeing a lot of the same threads I've already read. One suggested to run this code.
    Code:
    zmprov gs `zmhostname` | grep zimbraServiceEnabled
    Here is the output
    zimbra@mail:/root$ zmprov gs `zmhostname` | grep zimbraServiceEnabled
    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)


    What can't it connect to, LDAP?

  4. #4
    phoenix, Zimbra Consultant & Moderator

    Quote: Originally posted by pclyne
    I also checked the permissions and ran the reset script to make sure that wasn't an issue.

    Code:
    chown -R zimbra:zimbra /opt/zimbra
    /opt/zimbra/libexec/zmfixperms -verbose

    Thanks, I hadn't checked Yahoo, but I'm seeing a lot of the same threads I've already read. One suggested to run this code.
    Code:
    zmprov gs `zmhostname` | grep zimbraServiceEnabled
    Here is the output
    zimbra@mail:/root$ zmprov gs `zmhostname` | grep zimbraServiceEnabled
    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)


    What can't it connect to, LDAP?

    Probably because your certificate is expired, although the 'connection refused' usually implies the service isn't running, is it? There are two threads in the link I gave you earlier that are marked as 'Solved', did either of those apply to your problem?
    Regards


    Bill



  5. #5

    LDAP is running... and split DNS has been running since implementation (and still looks set up right to me)


    zimbra@mail:/root$ ldap status
    slapd running pid: 6034



    zimbra@mail:/root$ ps auxww | grep zimbra | grep slapd
    zimbra 6034 0.0 1.5 268640 48392 ? Ssl 09:59 0:00 /opt/zimbra/openldap/sbin/slapd -l LOCAL0 -4 -u zimbra -h ldap://mail.domain1.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
    zimbra 20748 0.0 0.0 5168 832 pts/2 S+ 11:12 0:00 grep slapd


    I can even connect to it using telnet...

    zimbra@mail:/root$ telnet mail.domain1.com 389
    Trying 172.21.1.75...
    Connected to mail.domain1.com.
    Escape character is '^]'.


    Would any Ubuntu updates cause a failure like this? A colleague was on this box last week and may have installed some, but probably didn't reboot (which I did when the box went down)

  6. #6

    I found the below code snippet in a forum post linked from another person having the exact same problem as I had.

    Code:
    /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
    Maybe this should be added to an FAQ or something on the Wiki page?
    Last edited by pclyne; 11-12-2010 at 11:07 AM.
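
Added example, not part of the original thread: the `timestamp check failed` error in post #1 comes from Java's certificate validity-period check, so it is worth reading the dates on the PEM files involved before regenerating or importing anything. The sketch below assumes the `openssl` CLI is installed; the `cert_status` and `cert_report` helpers and the 30-day warning window are illustrative names and values, and `/opt/zimbra/conf/ca/ca.pem` is the path taken from the keytool command above.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# cert_status FILE [WARN_DAYS]
#   prints OK, EXPIRING, EXPIRED or UNREADABLE for the first certificate in FILE
#   returns 0 while the certificate is still valid, 1 if expired, 2 if unreadable
cert_status() {
    file=$1
    warn_days=${2:-30}          # illustrative default warning window

    # Missing file or not a PEM X.509 certificate.
    if ! openssl x509 -noout -enddate -in "$file" >/dev/null 2>&1; then
        echo UNREADABLE
        return 2
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds;
    # N=0 therefore means "already expired".
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo EXPIRED
        return 1
    fi
    if ! openssl x509 -noout -checkend $((warn_days * 86400)) -in "$file" >/dev/null 2>&1; then
        echo EXPIRING
        return 0
    fi
    echo OK
}

# cert_report FILE...: one line per file with status and the validity window.
cert_report() {
    for f in "$@"; do
        status=$(cert_status "$f") || true
        dates=$(openssl x509 -noout -dates -in "$f" 2>/dev/null | tr '\n' ' ')
        printf '%s: %s %s\n' "$f" "$status" "$dates"
    done
}

# Usage: sh certcheck.sh /opt/zimbra/conf/ca/ca.pem
if [ "$#" -gt 0 ]; then
    cert_report "$@"
fi
```

`-checkend` only looks at notAfter; a wrong system clock or a not-yet-valid certificate shows up in the notBefore date that `cert_report` prints.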
