
Thread: lost connection after STARTTLS


  1. #1
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    10

    Default lost connection after STARTTLS

    I have been trying to use an IMAP client to connect to Zimbra and send emails, but it is broken and I keep getting this in my logs.

    This is a fresh install of M2 on Fedora Core 3, but I forgot to enable https during the initial setup. This has caused me some problems, one being that I can log in from http and https (undesirable), and this new problem.

    Seems there is a certificate missing or something. Can I create one without doing a reinstall? Or should I reinstall and hopefully fix both problems? If I do reinstall, can I select no to upgrade and then yes to save users and mailboxes?



    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: initializing the server-side TLS engine
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('/opt/zimbra/conf/smtpd.crt','r'):
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:758:
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: cannot load RSA certificate and key data
    Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: connect from digi.spots.ab.ca[209.115.173.9]
    Computer King

    http://www.computerking.ca

    Sales, Service, and Hosting
    Email, Data, and Web Packages
    Ask about web design specials

    Affiliates
    http://www.computerking.ca/pages/lin...affiliates.htm
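
An added example, not part of the original thread: a small Python parser that groups the Postfix smtpd lines from post #1 by process ID and reports which certificate file failed to load, with the OS-level reason taken from the OpenSSL error entries. The function and field names are assumptions made for this illustration; the sample lines are copied from the post above.

```python
import re

# Log lines copied from post #1 of this thread.
SAMPLE_LOG = """\
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: initializing the server-side TLS engine
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('/opt/zimbra/conf/smtpd.crt','r'):
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: warning: TLS library problem: 14794:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:758:
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: cannot load RSA certificate and key data
Nov 28 08:43:56 shoemasters postfix/smtpd[14794]: connect from digi.spots.ab.ca[209.115.173.9]
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CERT_RE = re.compile(r"cannot get certificate from file (?P<path>\S+)")
# OpenSSL error entry as logged: pid:error:CODE:library:function:reason:...
OSSL_RE = re.compile(
    r"TLS library problem: \d+:error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):")


def tls_load_failures(log_text):
    """Return one finding per smtpd process that failed to load its TLS certificate."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a postfix/smtpd line
        f = findings.setdefault(m["pid"], {
            "pid": m["pid"], "cert_path": None, "os_reason": None,
            "openssl_codes": [], "cert_load_failed": False})
        msg = m["msg"]
        cert = CERT_RE.search(msg)
        if cert:
            f["cert_path"] = cert["path"]
        err = OSSL_RE.search(msg)
        if err:
            f["openssl_codes"].append(err["code"])
            # The "system library" entry carries the errno text (the root cause).
            if err["lib"] == "system library" and f["os_reason"] is None:
                f["os_reason"] = err["reason"]
        if "cannot load RSA certificate and key data" in msg:
            f["cert_load_failed"] = True
    # Drop processes that logged nothing about certificate loading.
    return [f for f in findings.values() if f["cert_path"] or f["cert_load_failed"]]


if __name__ == "__main__":
    for finding in tls_load_failures(SAMPLE_LOG):
        print(finding)
```
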

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    Did you try to just recreate the certs?

  3. #3
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    10

    Default

    I recreated the certs; it broke some more things, and now I get this error when trying to start Zimbra using zmcontrol start

    ERROR: service.FAILURE (system failure: getDirectContext) (cause: javax.naming.CommunicationException shoemasters.com:389)

    Also I got some Java errors that according to this post
    http://www.zimbra.com/forums/showthr...ighlight=certs

    are OK, but one error during about line 47 print or something during the command zmtlsctl https


    Kevin, if I do an upgrade using the .install.sh, are my chances pretty good? I.e. I do not want to lose users' emails again; however, it has only been a couple of days.

    Do you think upgrade will fix and my http and https prob or is this an error you have come across before?
    Last edited by rmvg; 11-28-2005 at 05:39 PM.

  4. #4
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    install.sh can do an overinstall. You could try that and just let it reinstall the pkgs but keep the data.

  5. #5
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    10

    Default

    Does that mean click yes or no to upgrade?

  6. #6
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    Yes for upgrade.

  7. #7
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default upgrade installs

    On an upgrade, it attempts to start ldap, and connect to it to verify that your ldap host/passwd/port are correct.

    If ldap isn't starting, the re-install won't work. Let me check on the cert creation error, and post another fix.

  8. #8
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default cert recreation

    The print error in zmcertinstall is complaining that the certificate file can't be found - so let's try recreating your certs.

    Run, as zimbra:
    sh -x bin/zmcreatecert

    and post the output.

  9. #9
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    10

    Default

    [zimbra@shoemasters ~]$ sh -x bin/zmcreatecert
    + CONF=/opt/zimbra/conf
    + TCONF=/opt/zimbra/tomcat/conf
    + B=/opt/zimbra/ssl
    + BASE=/opt/zimbra/ssl/ssl
    + JAVA_HOME=/opt/zimbra/java
    + TOMCAT=/opt/zimbra/tomcat/conf
    + rm -rf /opt/zimbra/ssl/ssl/newCA
    + mkdir -p /opt/zimbra/ssl/ssl/ca
    + mkdir -p /opt/zimbra/ssl/ssl/newCA/newcerts
    + touch /opt/zimbra/ssl/ssl/newCA/index.txt
    + mkdir -p /opt/zimbra/ssl/ssl/cert
    + mkdir -p /opt/zimbra/ssl/ssl/server
    + mkdir -p /opt/zimbra/tomcat/conf
    + getHostInfo
    ++ /opt/zimbra/bin/zmlocalconfig -m nokey zimbra_server_hostname
    + H=shoemasters.com
    + createConf
    + cat /opt/zimbra/conf/zmssl.cnf.in
    + sed -e s/@@HOSTNAME@@/shoemasters.com/
    + createSerial
    + '[' -f /opt/zimbra/ssl/ssl/ca/ca.srl ']'
    ++ cat /opt/zimbra/ssl/ssl/ca/ca.srl
    + SER=06
    ++ expr 06 + 1
    + SER=7
    + '[' 7 -lt 10 ']'
    + SER=07
    + echo 07
    + importCA
    + echo '** Importing CA'
    ** Importing CA
    + echo

    + keytool -import -noprompt -keystore /opt/zimbra/java/jre/lib/security/cacerts -file /opt/zimbra/ssl/ssl/ca/ca.pem -alias my_ca -storepass changeit
    keytool error: java.lang.Exception: Certificate not imported, alias <my_ca> already exists
    + createKeyStore
    + echo '** Creating keystore'
    ** Creating keystore
    + echo

    + rm -f /opt/zimbra/tomcat/conf/keystore
    + keytool -genkey -dname 'CN=shoemasters.com, OU=Zimbra, O=Zimbra, L=NA, S=NA, C=US' -alias tomcat -keyalg RSA -keysize 1024 -keystore /opt/zimbra/tomcat/conf/keystore -storetype JKS -storepass zimbra -keypass zimbra
    + createCertReq
    + echo '** Creating server cert request'
    ** Creating server cert request
    + echo

    + openssl req -new -nodes -out /opt/zimbra/ssl/ssl/server/server.csr -keyout /opt/zimbra/ssl/ssl/server/server.key -newkey rsa:1024 -config /opt/zimbra/ssl/ssl/zmssl.cnf -batch
    Generating a 1024 bit RSA private key
    .++++++
    ............++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/server/server.key'
    -----
    + keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/server/tomcat.csr -keystore /opt/zimbra/tomcat/conf/keystore -storepass zimbra
    + cp /opt/zimbra/ssl/ssl/server/tomcat.csr /tmp/tomcat.csr.9212
    + cat /tmp/tomcat.csr.9212
    + sed -e 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/'
    + signCertReq
    + echo '** Signing cert request'
    ** Signing cert request
    + echo

    + openssl ca -out /opt/zimbra/ssl/ssl/server/server.crt -notext -config /opt/zimbra/ssl/ssl/zmssl.cnf -in /opt/zimbra/ssl/ssl/server/server.csr -keyfile /opt/zimbra/ssl/ssl/ca/ca.key -cert /opt/zimbra/ssl/ssl/ca/ca.pem -batch
    Using configuration from /opt/zimbra/ssl/ssl/zmssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 7 (0x7)
    Validity
    Not Before: Nov 29 10:29:24 2005 GMT
    Not After : Nov 29 10:29:24 2006 GMT
    Subject:
    countryName = US
    stateOrProvinceName = N/A
    organizationName = Zimbra Collaboration Suite
    commonName = shoemasters.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    49:A2:55:5D:6E:53:91:31:70:C6:7C:56:04:6A2:AC:48:6C:1D:F9
    X509v3 Authority Key Identifier:
    DirName:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=shoemasters.com
    serial:00

    Certificate is to be certified until Nov 29 10:29:24 2006 GMT (365 days)

    Write out database with 1 new entries
    Data Base Updated
    unable to write 'random state'
    + openssl x509 -CA /opt/zimbra/ssl/ssl/ca/ca.pem -CAkey /opt/zimbra/ssl/ssl/ca/ca.key -CAserial /opt/zimbra/ssl/ssl/ca/ca.srl -req -in /opt/zimbra/ssl/ssl/server/tomcat.csr -out /opt/zimbra/ssl/ssl/server/tomcat.crt -days 365
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=shoemasters.com
    Getting CA Private Key
    unable to write 'random state'
    + cp /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/conf/slapd.crt
    + cp /opt/zimbra/ssl/ssl/server/server.key /opt/zimbra/conf/slapd.key
    + mkdir -p /opt/zimbra/conf/ca
    + cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
    + cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

  10. #10
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default Follow this thread

    http://www.zimbra.com/forums/showthr...p?threadid=865

    This is the same issue, so let's move the discussion over there - run the zmcertinstall listed in that thread.
