
Thread: Updating certificate

  1. #1

    Updating certificate

    I appear to have messed up my LDAP installation. My certificate expired recently and although I have followed the instructions here, I can't get the system to respond. Here's the output with the failure points in bold. I have been battling this for hours so any help would be much appreciated.

    Code:
    root@mail:~# zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    root@mail:~# zmcertmgr createcrt -new -days 1096
    Validation days: 1096
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111125234313
    ** Generating a server csr for download self -new -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111125234313
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    root@mail:~# zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    root@mail:~# zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    root@mail:~# zmcertmgr viewdeployedcrt
    ::service mta::
    notBefore=Nov 26 04:43:17 2011 GMT
    notAfter=Nov 26 04:43:17 2014 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service proxy::
    notBefore=Nov 26 04:43:17 2011 GMT
    notAfter=Nov 26 04:43:17 2014 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Nov 26 04:43:17 2011 GMT
    notAfter=Nov 26 04:43:17 2014 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service ldap::
    notBefore=Nov 26 04:43:17 2011 GMT
    notAfter=Nov 26 04:43:17 2014 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    root@mail:~# keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
    Certificate already exists in keystore under alias <my_ca>
    Do you still want to add it? [no]:  yes
    Certificate was added to keystore
    root@mail:~# su - zimbra
    zimbra@mail:~$ zmcontrol stop
    start
    Host mail.example.com
            Stopping stats...Done.
            Stopping mta...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping ldap...Done.
    zimbra@mail:~$ zmcontrol start
    Host mail.example.com
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    zimbra@mail:~$
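
The `zmcertmgr viewdeployedcrt` block above is the one place in this thread where the deployed certificate dates are visible per service, and the whole problem started with an expiry nobody noticed. The following is an added example, not code from the thread or from Zimbra: a small Python parser for that output format (the sample text is constructed in the same layout, with the thread's 2011/2014 dates for mta and proxy and a different certificate on ldap so the consistency check has something to flag) that reports expired or soon-to-expire certificates, an empty SubjectAltName, and services that do not all carry the same certificate, which is what a half-failed `deploycrt` leaves behind. Feed it the real output with `zmcertmgr viewdeployedcrt | python3 check_certs.py` style piping if you wrap `parse_deployed_certs(sys.stdin.read())` in a main; the file name is assumed.

```python
"""Parse `zmcertmgr viewdeployedcrt` output and check certificate validity per service."""
from datetime import datetime, timezone

# Constructed sample in the layout zmcertmgr viewdeployedcrt prints. The mta and proxy
# blocks use the dates from the thread; ldap deliberately carries a different cert.
SAMPLE = """\
::service mta::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service proxy::
notBefore=Nov 26 04:43:17 2011 GMT
notAfter=Nov 26 04:43:17 2014 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=
::service ldap::
notBefore=Dec  6 12:00:00 2011 GMT
notAfter=Dec  6 12:00:00 2021 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
SubjectAltName=DNS:mail.example.com
"""


def parse_openssl_time(value):
    """'Nov 26 04:43:17 2011 GMT' (openssl -dates style) -> timezone-aware UTC datetime."""
    fields = value.split()            # also collapses the double space in 'Dec  6'
    if fields[-1] in ("GMT", "UTC"):
        fields = fields[:-1]
    naive = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_deployed_certs(text):
    """Split viewdeployedcrt output into {service: {field: value}}."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("::service ") and line.endswith("::"):
            current = line[len("::service "):-2]
            certs[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            certs[current][key.strip()] = val.strip()
    return certs


def check_certs(certs, now, warn_days=30):
    """Return {service: (status, days_left, notes)}.

    status is 'not_yet_valid', 'expired', 'expiring' (fewer than warn_days left) or 'ok'.
    `now` may be a datetime or a string in the same format as notAfter.
    """
    if isinstance(now, str):
        now = parse_openssl_time(now)
    report = {}
    for service, fields in certs.items():
        not_before = parse_openssl_time(fields["notBefore"])
        not_after = parse_openssl_time(fields["notAfter"])
        days_left = (not_after - now).days
        if now < not_before:
            status = "not_yet_valid"
        elif days_left < 0:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        notes = []
        if not fields.get("SubjectAltName"):
            # Modern clients match the host against the SAN, not the CN.
            notes.append("no SubjectAltName")
        report[service] = (status, days_left, notes)
    return report


def services_share_cert(certs):
    """True when every service carries the same certificate (subject, issuer, validity).

    A mismatch usually means the deploy step failed for some services, as it does
    in this thread when the LDAP writes fail."""
    seen = {(f["subject"], f["issuer"], f["notBefore"], f["notAfter"]) for f in certs.values()}
    return len(seen) == 1


if __name__ == "__main__":
    certs = parse_deployed_certs(SAMPLE)
    for service, (status, days_left, notes) in check_certs(certs, datetime.now(timezone.utc)).items():
        print(f"{service:9s} {status:14s} {days_left:6d} days left {' '.join(notes)}")
    print("all services share one certificate:", services_share_cert(certs))
```

`warn_days` is the lead time you want for renewal; a self-signed renewal like the one in this thread takes minutes, but the LDAP writes it depends on must be working first, which is why the consistency check is worth running right after `deploycrt`.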

  2. #2

    Have a look at this thread http://www.zimbra.com/forums/204759-post4.html
    I successfully renewed self-signed certs some days ago with these steps.

  3. #3

    Still failing

    I tried what you suggested... the output is below, again with the failing lines in bold. I think the root of the problem is the error "LDAP: error code 49 - Invalid Credentials"; I assume that failure to authenticate against LDAP is the cause of everything else. Pretty much anything to do with setting or retrieving certificates in LDAP is failing.

    One thing I found in the posts I was wandering through is the question "Did you change the host name?". The answer is yes, I did, but if there's a configuration file I need to update somewhere I don't know where it is. The DNS is set correctly; there's only a single interface and the entry for the new host name is in DNS and resolves properly.

    Code:
    # sh /tmp/doit
    Host mail.example.com
            Stopping stats...Done.
            Stopping mta...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping ldap...Done.
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111126094850
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Generating a server csr for download self -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111126094856
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    Host mail.example.com
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    ERROR: service.FAILURE (system failure: unable to list all servers) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
    Updating /opt/zimbra/.ssh/authorized_keys
    
    ::service mta::
    notBefore=Nov 26 14:48:59 2011 GMT
    notAfter=Nov 26 14:48:59 2021 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service proxy::
    notBefore=Nov 26 14:48:59 2011 GMT
    notAfter=Nov 26 14:48:59 2021 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Nov 26 14:48:59 2011 GMT
    notAfter=Nov 26 14:48:59 2021 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=
    ::service ldap::
    notBefore=Nov 26 14:48:59 2011 GMT
    notAfter=Nov 26 14:48:59 2021 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.example.com
    SubjectAltName=

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by kdean View Post
    One thing I found in the posts I was wandering through is the question "Did you change the host name?". The answer is yes, I did, but if there's a configuration file I need to update somewhere I don't know where it is. The DNS is set correctly; there's only a single interface and the entry for the new host name is in DNS and resolves properly.
    Just for confirmation, go to the Split DNS wiki article and run all the commands in the 'Verify...' section and post the output here.
    Regards

    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  5. #5

    Split DNS verification

    Except for a search-and-replace on my domain, here's the output:

    Code:
    root@mail:/opt/zimbra/bin# dig example.com mx
    
    ; <<>> DiG 9.4.2-P2.1 <<>> example.com mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32729
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;example.com.                        IN      MX
    
    ;; AUTHORITY SECTION:
    example.com.         2592000 IN      SOA     mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.150.193#53(192.168.150.193)
    ;; WHEN: Tue Dec  6 12:20:31 2011
    ;; MSG SIZE  rcvd: 84
    
    root@mail:/opt/zimbra/bin# dig example.com any
    
    ; <<>> DiG 9.4.2-P2.1 <<>> example.com any
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;example.com.                        IN      ANY
    
    ;; ANSWER SECTION:
    example.com.         2592000 IN      SOA     mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
    example.com.         2592000 IN      NS      mail.example.com.
    
    ;; ADDITIONAL SECTION:
    mail.example.com.    2592000 IN      A       192.168.150.193
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.150.193#53(192.168.150.193)
    ;; WHEN: Tue Dec  6 12:20:46 2011
    ;; MSG SIZE  rcvd: 114
    
    root@mail:/opt/zimbra/bin# host $(hostname)
    mail.example.com has address 192.168.150.193
    mail.example.com mail is handled by 10 mail.example.com.
    
    root@mail:/opt/zimbra/bin# cat /etc/resolv.conf
    search example.com
    nameserver 127.0.0.1
    
    root@mail:/opt/zimbra/bin# cat /etc/hosts
    127.0.0.1       localhost.localdoamin   localhost
    192.168.150.193 mail.example.com     Zimbra mail
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    According to that output you have no MX record for your server and your hosts file should have the line with the LAN IP formatted like this:

    Code:
    192.168.150.193 mail.example.com   mail
    Regards

    Bill

  7. #7

    I fixed the hosts file by removing the spurious entry. However, there is no need for me to have an MX record for my mail server because there is never any mail that will be sent to that domain.

  8. #8

    Here's the Split DNS verification output, with a new resolv.conf pointing to Google's public DNS so that I can resolve everything properly. The problem authenticating against LDAP still exists.

    It seems to me that the authentication problem is likely the root of all the other issues I'm having. Can someone tell me how to diagnose the authentication problem? I have downloaded and installed Softerra LDAP Administrator but logging in as anonymous doesn't show me anything useful.

    Code:
    root@mail:~# dig example.com mx
    
    ; <<>> DiG 9.4.2-P2.1 <<>> example.com mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53424
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;example.com.                        IN      MX
    
    ;; AUTHORITY SECTION:
    example.com.         2592000 IN      SOA     mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec  6 14:56:23 2011
    ;; MSG SIZE  rcvd: 84
    
    root@mail:~# dig example.com any
    
    ; <<>> DiG 9.4.2-P2.1 <<>> example.com any
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60594
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;example.com.                        IN      ANY
    
    ;; ANSWER SECTION:
    example.com.         2592000 IN      SOA     mail.example.com. hostmaster.mail.example.com. 10118 43200 3600 3600000 2592000
    example.com.         2592000 IN      NS      mail.example.com.
    
    ;; ADDITIONAL SECTION:
    mail.example.com.    2592000 IN      A       192.168.150.193
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec  6 14:56:25 2011
    ;; MSG SIZE  rcvd: 114
    
    root@mail:~# host $(hostname)
    mail.example.com has address 192.168.150.193
    mail.example.com mail is handled by 10 mail.example.com.
    
    root@mail:~# cat /etc/resolv.conf
    nameserver 127.0.0.1
    nameserver 8.8.8.8
    
    root@mail:~# cat /etc/hosts
    127.0.0.1       localhost.localdoamin   localhost
    192.168.150.193 mail.example.com mail
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

  9. #9

    I went through localconfig.xml and found the following entries (password masked):

    Code:
      ...
      <key name="zimbra_ldap_userdn">
        <value>uid=zimbra,cn=admins,cn=zimbra</value>
      </key>
      ...
      <key name="zimbra_ldap_password">
        <value>XXXXXXXX</value>
      </key>
      ...
    When I use that user DN and password in Softerra, I get "The supplied credential is invalid". Am I looking at the right entries? If so, why is the password not working? Is there a way to reset the various Zimbra user DNs and passwords?
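
Post #3's "LDAP: error code 49 - Invalid Credentials" and the question in post #9 (are these the right entries, and why does the password not work?) come down to one operation: an LDAP simple bind with `zimbra_ldap_userdn` and `zimbra_ldap_password`, which is exactly what every failing `Saving server config key ...` step does under the hood. Below is an added example, not code from the thread or from Zimbra, that performs that bind with nothing but the Python standard library and decodes the server's answer, so the number 49 can be seen as the `resultCode` of the BindResponse rather than as an opaque message. The `localconfig.xml` excerpt is a constructed sample in the shape quoted above with a placeholder password; on a real server you would read `/opt/zimbra/conf/localconfig.xml` instead, and the host and port (389) are assumptions for a default install.

```python
"""Perform the LDAP simple bind that Zimbra's tools do with zimbra_ldap_userdn /
zimbra_ldap_password and decode the server's BindResponse (RFC 4511)."""
import socket
import xml.etree.ElementTree as ET

# Constructed localconfig.xml excerpt, same shape as the one quoted in the thread.
SAMPLE_LOCALCONFIG = """\
<localconfig>
  <key name="zimbra_ldap_userdn"><value>uid=zimbra,cn=admins,cn=zimbra</value></key>
  <key name="zimbra_ldap_password"><value>PLACEHOLDER_PASSWORD</value></key>
</localconfig>
"""

# LDAP resultCode values that matter when testing a bind.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def localconfig_keys(xml_text, names):
    """Return {name: value} for the requested <key name="..."> entries."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.findtext("value", default="")
            for k in root.findall("key") if k.get("name") in names}


# --- minimal BER encoder / decoder ------------------------------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER for non-negative values (extra byte keeps the sign bit clear)."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


# --- the two messages of a simple bind --------------------------------------
def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }"""
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def parse_bind_response(data):
    """Decode [APPLICATION 1] BindResponse -> (resultCode, name, diagnosticMessage)."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)            # messageID, not needed here
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp, 0)        # ENUMERATED resultCode
    _, _, pos = read_tlv(resp, pos)         # matchedDN
    _, diag, _ = read_tlv(resp, pos)        # diagnosticMessage
    code = int.from_bytes(code, "big")
    return code, RESULT_NAMES.get(code, "other"), diag.decode("utf-8", "replace")


def simple_bind(host, port, dn, password, timeout=5.0):
    """One plaintext LDAP bind. Run it on the server against localhost so the
    password never crosses the network unencrypted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))


if __name__ == "__main__":
    creds = localconfig_keys(SAMPLE_LOCALCONFIG,
                             {"zimbra_ldap_userdn", "zimbra_ldap_password"})
    code, name, diag = simple_bind("localhost", 389,
                                   creds["zimbra_ldap_userdn"], creds["zimbra_ldap_password"])
    print("bind as %s -> resultCode %d (%s) %s" % (creds["zimbra_ldap_userdn"], code, name, diag))
```

A 49 from this check means the directory does not accept the password stored in localconfig, which is the state the thread describes; a 0 here while `zmcertmgr` still fails would point at something other than the credentials. `ldapsearch -x -D "<dn>" -W -b "" -s base` gives the same answer if the OpenLDAP client tools are installed; the hand-rolled version is here only to make the wire format visible.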

  10. #10

    Using the Softerra LDAP client, I connect to the LDAP server with anonymous credentials. When I do so, I see the attached. In particular, as you can see in the bottom left of the image, there are no subnodes of the root. Furthermore, neither of the two objects have child nodes.

    As far as I can tell from the slapd.conf file, anonymous read-only access is enabled, so I should be able to see all of my mailbox users, should I not?

    At some point during my wild gyrations to get everything fixed before posting here, I think I ran zmldapinit. Would that have wiped out my users?

    This is a development environment only, so it's not a big deal if so, but how can I get my system back to the point where I can actually use it?

    [Attached image: Softerra LDAP browser view of the directory root]
