Thread: Renewing certificate failed zimbra 6

  1. #1
    Join Date
    Nov 2011
    Posts
    6
    Rep Power
    3

    Hi,
    I've installed Zimbra on RHEL5 and it was working fine for about a year when it failed to start.
    I'm running Zimbra behind an ADSL router with port forwarding enabled on that.
    When I try to start the service it gives the following message.

    [zimbra@mail ~]$ zmcontrol start
    Host mail.mail-server.com
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    [zimbra@mail ~]$

    Some of the threads on the web which discussed similar matters said this is caused by a wrong configuration of split DNS, but since it worked really well for a year that seems to be doubtful here.

    When I checked my certificate expiration using "/opt/zimbra/bin/zmcertmgr viewdeployedcrt" it showed that they are expired.


    I'm using ZCS v6.0.8

    [zimbra@mail ~]$ zmcontrol -v

    Release 6.0.8_GA_2661.RHEL5_20100820051652 RHEL5 FOSS edition.
    [zimbra@mail ~]$

    I used the following link to recreate the Zimbra certificates:
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

    But when I run the 2nd step of "Single-Node Self-Signed Certificate" the command failed with the following output!

    [root@mail zimbra]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111212212528
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111212212528
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    [root@mail zimbra]#



    It tries to retrieve a commercial certificate, but I installed the free version,
    and saving server config key zimbraSSLPrivateKey.... failed??


    Any help regarding the above matter would be highly appreciated.

    Thanks in advance!
    Last edited by phoenix; 12-12-2011 at 08:34 AM.

  2. #2
    Join Date
    Jul 2009
    Posts
    23
    Rep Power
    6

    I am having exactly the same problem.

    Version : Release 6.0.8_GA_2661.RHEL5_64_20100820052503 CentOS5_64 FOSS edition.

    [root@archive ~]# mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old
    [root@archive ~]# /opt/zimbra/bin/zmcertmgr createca -new
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    [root@archive ~]# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@archive ~]# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@archive ~]# /opt/zimbra/bin/zmcertmgr createcrt -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111214161813
    ** Generating a server csr for download self -new -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111214161813
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    [root@archive ~]# /opt/zimbra/bin/zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.

    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.


    The following resources have proven to be useless thus far:-

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    http://www.zimbra.com/forums/adminis...n-error-2.html
    http://www.zimbra.com/forums/adminis...-self-ssl.html
    http://www.zimbra.com/forums/adminis...ices-ldap.html
    http://www.zimbra.com/forums/virtual...rtificate.html
    LDAP - Zimbra :: Wiki

    Can anyone shed light on this problem?

  3. #3
    Join Date
    Apr 2010
    Location
    Cape Town, South Africa
    Posts
    71
    Rep Power
    5

    Hi,

    I've recently had loads of certificate related queries and have learnt quite a substantial amount thanks to awesome NE support. Have you looked at the following link:

    http://www.zimbra.com/forums/adminis...e-expired.html

    Also, please post the output of:

    /opt/zimbra/bin/zmcertmgr viewdeployedcrt

    Thanks.

  4. #4
    Join Date
    Nov 2011
    Posts
    6
    Rep Power
    3

    Hi GWilliams,

    Thank you very much for the prompt reply.
    I've tried what you have said but still with no luck.

    The problem occurs when I regenerate the certificates.
    As I mentioned in my first message, step 1 of regenerating the certificate runs well,
    but on step two (/opt/zimbra/bin/zmcertmgr createcrt -new -days 365)

    it tries to retrieve a Commercial CA cert from LDAP and fails the process. (The output is displayed in my first message.)

    When I go through the whole process of regenerating certificates (regardless of the errors), the output of
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt

    Looks like this

    [root@mail log]# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    ::service mta::
    notBefore=Dec 18 15:13:41 2011 GMT
    notAfter=Dec 17 15:13:41 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service proxy::
    notBefore=Dec 18 15:13:41 2011 GMT
    notAfter=Dec 17 15:13:41 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Dec 18 15:13:41 2011 GMT
    notAfter=Dec 17 15:13:41 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service ldap::
    notBefore=Dec 18 15:13:41 2011 GMT
    notAfter=Dec 17 15:13:41 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    [root@mail log]#


    And when I tried to stop and start Zimbra,


    [zimbra@mail ~]$ zmcontrol stop
    Host mail.mail-server.com
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
    [zimbra@mail ~]$ zmcontrol start
    Host mail.mail-server.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    [zimbra@mail ~]$

    Can anybody help???
    Thanks in advance!!!

  5. #5
    Join Date
    Apr 2010
    Location
    Cape Town, South Africa
    Posts
    71
    Rep Power
    5

    Hi buddhikeg,

    Have you moved your cert folder to an alternate location and tried again?

    As root:
    mkdir -p /root/backup/ssl/zimbra
    mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra
    cd /opt/zimbra/bin/
    zmcertmgr createca -new
    zmcertmgr createcrt -new -days 365
    zmcertmgr deploycrt self
    zmcertmgr deployca
    zmcertmgr viewdeployedcrt

    I really hope this works for you.

    Regards.

  6. #6
    Join Date
    Nov 2011
    Posts
    6
    Rep Power
    3

    Hi GWilliams,

    Thank you for the quick reply again.

    I did that too but the problem still exists!
    I think the problem is it tries to create a commercial CA! The output of what you've said is like this.

    First I moved the cert folder using the following commands:


    mkdir -p /root/backup/ssl/zimbra
    mv /opt/zimbra/ssl/zimbra /root/backup/ssl/zimbra

    Then when I ran the first step the output was like this:

    [root@mail zimbra]# cd /opt/zimbra/bin/
    [root@mail bin]# ./zmcertmgr createca -new
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

    From the above output you can see it creates a folder for COMMERCIAL CA too!
    But like I said before, my Zimbra version is

    [zimbra@mail ~]$ zmcontrol -v


    Release 6.0.8_GA_2661.RHEL5_20100820051652 RHEL5 FOSS edition.

    [zimbra@mail ~]$


    Also, when I ran the other steps the output was like this:

    [root@mail bin]# ./zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219132931
    ** Generating a server csr for download self -new -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219132931
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

    [root@mail bin]# ./zmcertmgr deploycrt self
    ** Saving server config key zimbraSSLCertificate...failed.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.

    [root@mail bin]# ./zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
    ** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.

    ** Copying CA to /opt/zimbra/conf/ca...done.

    [root@mail bin]# ./zmcertmgr viewdeployedcrt
    ::service mta::
    notBefore=Dec 19 07:59:38 2011 GMT
    notAfter=Dec 18 07:59:38 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service proxy::
    notBefore=Dec 19 07:59:38 2011 GMT
    notAfter=Dec 18 07:59:38 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Dec 19 07:59:38 2011 GMT
    notAfter=Dec 18 07:59:38 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    ::service ldap::
    notBefore=Dec 19 07:59:38 2011 GMT
    notAfter=Dec 18 07:59:38 2012 GMT
    subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
    SubjectAltName=
    [root@mail bin]#

    And when I try to stop and start Zimbra at the end it's like this:

    [root@mail bin]# su - zimbra
    [zimbra@mail ~]$ zmcontrol stop
    Host mail.mail-server.com
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping archiving...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping imapproxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
    [zimbra@mail ~]$ zmcontrol start
    Host mail.mail-server.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Unable to determine enabled services. Cache is out of date or doesn't exist.
    [zimbra@mail ~]$

    Thank you again for any help !!!
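
An added example (not part of any post in this thread, and not Zimbra code): a small Python check that parses output in the `zmcertmgr viewdeployedcrt` layout shown above and reports, per service, whether the certificate is expired or close to its `notAfter` date, so a one-year self-signed certificate does not lapse unnoticed again. The function names, the 30-day warning threshold and the stale `ldap` entry in the sample are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the layout zmcertmgr prints in the thread. The mta
# dates are the ones from the post above; the ldap entry is a made-up stale
# certificate to show a service that still carries an old certificate.
SAMPLE = """\
::service mta::
notBefore=Dec 19 07:59:38 2011 GMT
notAfter=Dec 18 07:59:38 2012 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.mail-server.com
SubjectAltName=
::service ldap::
notBefore=Dec  9 10:00:00 2010 GMT
notAfter=Dec  9 10:00:00 2011 GMT
"""

def parse_deployed(text):
    """Return {service: {field: value}} from viewdeployedcrt-style output."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("::service ") and line.endswith("::"):
            current = services.setdefault(line[10:-2].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return services

def _when(value):
    # openssl pads single-digit days with a space ("Dec  9"); collapse it first.
    stamp = " ".join(value.split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def check_expiry(text, now, warn_days=30):
    """Map each service to (status, whole days until notAfter, floored)."""
    report = {}
    for name, fields in parse_deployed(text).items():
        if "notBefore" not in fields or "notAfter" not in fields:
            report[name] = ("UNKNOWN", None)
            continue
        start, end = _when(fields["notBefore"]), _when(fields["notAfter"])
        days = (end - now).days
        if now >= end:
            status = "EXPIRED"
        elif now < start:
            status = "NOT_YET_VALID"
        elif days < warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report[name] = (status, days)
    return report

if __name__ == "__main__":
    for svc, (status, days) in check_expiry(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{svc}: {status} ({days} days)")
```

Run from cron with the real command output piped in place of `SAMPLE`, and alert on any status other than `OK`.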

  7. #7
    Join Date
    Jul 2009
    Posts
    23
    Rep Power
    6

    Even tried this:-
    Split DNS - Zimbra :: Wiki

    But still get this:-
    [root@archive etc]# /opt/zimbra/bin/zmcertmgr createca
    ** Retrieving Commercial CA cert from ldap...failed.

    [root@archive etc]# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
    Validation days: 365
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219165540
    ** Generating a server csr for download self -new -keysize 1024
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20111219165540
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

    Any help??

  8. #8
    Join Date
    Apr 2010
    Location
    Cape Town, South Africa
    Posts
    71
    Rep Power
    5

    Hi guys,

    Just wondering... I've also read somewhere before (can't remember where) that you should move the .rnd file as well... Sorry that I didn't post that previously.

    mv /opt/zimbra/ssl/.rnd /root/backup/ssl/

    Once that is done, please try the re-creation again.

    Thanks,

  9. #9
    Join Date
    Nov 2011
    Posts
    6
    Rep Power
    3

    Hi GWilliams,

    Thank you for the quick reply again,

    I did the whole process again with the .rnd file backed up, but the result is the same.

    What I am still wondering is why does it try to retrieve the Commercial CA cert from LDAP, and why does saving the server config key zimbraSSLcert/privatekey fail??


    Thank you so much for any help!

  10. #10
    Join Date
    Nov 2009
    Posts
    89
    Rep Power
    5

    I am also facing the same issue and any help is highly appreciated and expected.
