
Thread: New Certificate Problems - email DOWN

  1. #1

    New Certificate Problems - email DOWN

    Based on the error messages that I've been having, it appears that my Zimbra Open Source email server is having problems with expired certificates.

    Here are the URLs of the things I've tried:
    http://www.zimbra.com/forums/adminis...es-ldap-2.html
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki (multi-node)
    http://www.zimbra.com/forums/adminis...e-expired.html
    http://www.zimbra.com/forums/adminis...e-expired.html

    After creating new certificates on the LDAP server, I copied them to the Mailbox and MTA servers. That hasn't helped either.

    Needless to say, right now my email system is so messed up, it's not starting up.

    Log files:
    LDAP:
    zmmtaconfig.log:
    Sun Mar 6 10:05:24 2011 Watchdog: skipping service antivirus. Service not yet available for restarts.

    Mailbox:
    $ zmcontrol start
    Host mailbox1.vpn
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.

    zmmtaconfig.log:
    Sun Mar 6 10:08:45 2011 Skipping All Reverse Proxy URLs update.
    Sun Mar 6 10:08:45 2011 Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

    MTA:
    zmmtaconfig.log:
    Sun Mar 6 10:11:22 2011 Skipping Global system configuration update.
    Sun Mar 6 10:11:22 2011 gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

    OS & Zimbra versions:
    Release 6.0.5_GA_2213.DEBIAN5 DEBIAN5 FOSS edition.
    Linux mailbox1 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux

    I *really* need help getting this mail system running again!

    If there is anything else I forgot to include, please let me know and I'll do my best to get it to you.

    Thank You very much for your help!

    Harlan...

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Try the following first: http://www.zimbra.com/forums/adminis...rt-issues.html

    If that doesn't work, have a look at some of the other solutions: site:zimbra.com +"PKIX path validation failed: " +solved - Yahoo! Search Results
    Regards

    Bill

  3. #3

    Quote Originally Posted by phoenix:
    Try the following first: http://www.zimbra.com/forums/adminis...rt-issues.html

    If that doesn't work, have a look at some of the other solutions: site:zimbra.com +"PKIX path validation failed: " +solved - Yahoo! Search Results
    Hi Bill,
    Thanks for the quick reply. Unfortunately, I've read many of the suggested articles, even tried several of them.

    I can telnet to my Zimbra LDAP server just fine. The Mailbox server will not start:
    $ zmcontrol start
    Host mailbox1.vpn
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.

    The only log file after the start command was the zmlogprocess.state file that only contained a single byte: 0

    Since the Mailbox server won't start, I'm not even trying to start up the MTA server.

    Any other ideas?

    Thanks,

    Harlan...

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by harlanb:
    I can telnet to my Zimbra LDAP server just fine. The Mailbox server will not start:
    $ zmcontrol start
    Host mailbox1.vpn
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist
    The usual reason for this is a DNS problem or an incorrect /etc/hosts file. I can see from the highlighted entry above that your hostname is incorrect. I'd suggest you go to the Split DNS article and just for verification post the output of all the commands in the 'Verify...' section.

    What happened on your server to cause this problem? Had you done any update to the operating system, did you restart Zimbra, have the certificates actually expired?
    Regards

    Bill

  5. #5

    Quote Originally Posted by phoenix:
    The usual reason for this is a DNS problem or an incorrect /etc/hosts file. I can see from the highlighted entry above that your hostname is incorrect. I'd suggest you go to the Split DNS article and just for verification post the output of all the commands in the 'Verify...' section.

    What happened on your server to cause this problem? Had you done any update to the operating system, did you restart Zimbra, have the certificates actually expired?
    Hi Bill,
    Thanks again for your help!

    I run my own internal DNS server, which is why I can get away with such a funny looking address.

    Here is some DNS information from mailbox1.vpn to ldap1.vpn:

    mailbox1:~# dig @ns1.vpn ldap1.vpn

    ; <<>> DiG 9.5.1-P3 <<>> @ns1.vpn ldap1.vpn
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12631
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;ldap1.vpn. IN A

    ;; ANSWER SECTION:
    ldap1.vpn. 1500 IN A 10.8.1.19

    ;; AUTHORITY SECTION:
    vpn. 1500 IN NS ns1.vpn.

    ;; ADDITIONAL SECTION:
    ns1.vpn. 1500 IN A 10.8.1.2

    ;; Query time: 3 msec
    ;; SERVER: 10.8.1.2#53(10.8.1.2)
    ;; WHEN: Sun Mar 6 18:07:49 2011
    ;; MSG SIZE rcvd: 77

    mailbox1:~# cat /etc/hosts
    127.0.0.1 localhost
    10.8.1.20 mailbox1.vpn mailbox1
    10.8.1.19 ldap1.vpn ldap1
    10.8.1.21 mailmta1.vpn mailmta1

    mailbox1:~# cat /etc/resolv.conf
    nameserver 10.8.1.2

    mailbox1:~# telnet ldap1.vpn 389
    Trying 10.8.1.19...
    Connected to ldap1.vpn.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.

    mailbox1:~# dig ns1.vpn mx

    ; <<>> DiG 9.5.1-P3 <<>> ns1.vpn mx
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31136
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;ns1.vpn. IN MX

    ;; AUTHORITY SECTION:
    vpn. 1500 IN SOA vpn. admin.bloomenterprises.org. 19771108 7200 3600 604800 1800

    ;; Query time: 3 msec
    ;; SERVER: 10.8.1.2#53(10.8.1.2)
    ;; WHEN: Sun Mar 6 21:11:22 2011
    ;; MSG SIZE rcvd: 87

    mailbox1:~# dig ns1.vpn any

    ; <<>> DiG 9.5.1-P3 <<>> ns1.vpn any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20804
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;ns1.vpn. IN ANY

    ;; ANSWER SECTION:
    ns1.vpn. 1500 IN A 10.8.1.2

    ;; Query time: 2 msec
    ;; SERVER: 10.8.1.2#53(10.8.1.2)
    ;; WHEN: Sun Mar 6 21:11:29 2011
    ;; MSG SIZE rcvd: 41

    If there is anything else I can provide to help get my email systems running, please let me know.

    Thanks,

    Harlan...

  6. #6

    Hi Bill,
    I forgot to answer your question about the certificates having actually expired. I don't really know. The errors I was originally looking up pointed to expired certificates. I know I built these systems a little more than a year ago, so I thought it could be plausible that the certificates did expire.

    So I started following various posts from the Zimbra forums that I found through Google when searching for the error messages that I found in the log files.

    Right now, I probably have the systems fairly hosed up. I really do need to be able to recover all of the emails. Even if that means starting up a new system; I've been wanting to upgrade anyways. But in any case, I need Zimbra running, with the emails, in the very near future.

    Thanks,

    Harlan...

  7. #7

    Something else I forgot to answer.

    After setting up the multi-node configuration, everything ran just fine for several months. Then I noticed that Zimbra would just lock up; occasionally Linux would lock up, but that was far less frequent. Normally the "lock up" would be the Mailbox server simply ceasing to respond, but the programs would seem to still be running. I would have to reboot the server because I could not get the "zmcontrol stop" command to work at all. The lock up seemed to be happening a couple of times a week. The lock ups started happening when I switched from a single combined Zimbra node to a multi-node configuration. I'm planning on switching back to a single node configuration; the performance just isn't what I was expecting, and I don't have very many users.

    This is the behavior that set it all off yesterday.

    Thanks...

  8. #8

    Does anyone have any ideas on how I can get this running, even if it is just to get the data off?

    Thanks,

    Harlan...

  9. #9

    This thread is abandoned and no longer relevant.

    There are no answers here either. Good Luck.

  10. #10

    I know this is an old thread but maybe this can help someone else.
    Quickest way to bypass SSL cert issues, just to get the server up and running:

    zmlocalconfig -e ldap_starttls_required=false
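The "PKIX path validation failed: signature check failed" lines in the first post and the ldap_starttls_required=false workaround above are two sides of the same problem: the Java client on the mailbox and MTA hosts cannot verify the LDAP server's certificate against the CA in its own trust store, which is the symptom of a CA regenerated on the LDAP host whose new certificate never reached the other nodes, and the workaround only stops insisting on a TLS-protected LDAP session instead of repairing that trust. The Ruby script below is an added example, not from the thread or from Zimbra; it reproduces the failure offline with constructed in-memory certificates (the CA name zimbra-test-ca is invented, the host name ldap1.vpn is taken from the thread) so the cause can be confirmed as a stale trust store rather than guessed at.

```ruby
require 'openssl'

# Constructed test material only; nothing here comes from the thread's servers.
# Builds a certificate for cn, self-signed unless an issuer cert and key are given.
def make_cert(cn, issuer: nil, issuer_key: nil, ca: false, not_after: Time.now + 86_400)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62) + 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What the mailbox server's TLS client effectively does when it opens the LDAP
# connection: build a path from the server certificate to a root it trusts.
# Returns :ok, or OpenSSL's verify error string when path validation fails.
def verify_with_trust_store(leaf, root)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf) ? :ok : store.error_string
end

# The thread's situation: the Zimbra CA was regenerated on the LDAP host (same
# subject, new key) and ldap1.vpn's certificate reissued under it, while the
# mailbox host still trusts the old root; also checks a genuinely expired cert.
def reproduce
  old_root, _ = make_cert('zimbra-test-ca', ca: true)
  new_root, new_key = make_cert('zimbra-test-ca', ca: true)
  leaf, _ = make_cert('ldap1.vpn', issuer: new_root, issuer_key: new_key)
  stale, _ = make_cert('ldap1.vpn', issuer: new_root, issuer_key: new_key, not_after: Time.now - 60)
  {
    new_root: verify_with_trust_store(leaf, new_root),  # => :ok
    old_root: verify_with_trust_store(leaf, old_root),  # => "certificate signature failure"
    expired: verify_with_trust_store(stale, new_root)   # => "certificate has expired"
  }
end

puts reproduce.inspect
```

A signature failure against the old root and :ok against the new one means the client trust store, not the LDAP server's certificate, is what needs updating; an expiry error would instead confirm the original poster's first suspicion.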
