
Thread: [SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure

  1. #21

    Is there a log where the zmcertmgr commands show any progress/errors? As far as I can tell they are doing nothing for me (at least no files are being generated in /opt/zimbra/ssl). The admin GUI for this task is also failing to generate a certificate.

  2. #22

    Run it as "bash -x ~/bin/zmcertmgr" and it will print each line as it executes.

  3. #23

    OK, that got me past that problem (I am running on openSUSE 10.3 and had forgotten to change the get_plat_tag.sh file, so the platform was listed as unknown, which apparently is a problem for this command).
    Unfortunately I am having an issue with the creation of the ca.pem file. It apparently grabs information from LDAP for the CA using the following command:
    Code:
    zmprov -l -- gacf zimbraCertAuthorityCertSelfSigned
    However, since step B was to remove this information from LDAP, this step fails and creates a ca.pem of size 0. This causes the steps after it to fail. Is there something I am missing that is supposed to recreate this information?

  4. #24

    ArcaneMagus,

    In addition to deleting zimbraCertAuthorityCertSelfSigned from LDAP, try also deleting zimbraCertAuthorityKeySelfSigned. Then try zmcertmgr createca again. I had the same problem as you, and that seemed to take care of it for me.

  5. #25

    Thank you!! That solved the problem for me as well; I was about 2 minutes away from restoring the RC2 backup and trying again...

  6. #26
    summary

    Here is a little summary of all steps:

    (a) as root: cd /opt/zimbra/ssl; mkdir bak; mv * bak
    (b) as zimbra:
    (b1) to get the password: zmlocalconfig -s zimbra_ldap_password
    (b2) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
    Code:
    dn: cn=config,cn=zimbra
    changetype: modify
    delete: zimbraCertAuthorityCertSelfSigned
    ^D
    (b3) ldapmodify -x -h fqdn.server.tld -D "uid=zimbra,cn=admins,cn=zimbra" -W
    Code:
    dn: cn=config,cn=zimbra
    changetype: modify
    delete: zimbraCertAuthorityKeySelfSigned
    ^D
    (c) as root: run /opt/zimbra/bin/zmcertmgr createca
    (d) as root: run /opt/zimbra/bin/zmcertmgr deployca
    (e) as root: run /opt/zimbra/bin/zmcertmgr install self -new
    (f) as root: su - zimbra -c "zmcontrol stop"; su - zimbra -c "zmcontrol start"

    ^D is Control-D
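
The procedure in posts #23/#24 and the summary above, as an added example script (not Zimbra's own tooling). It removes both zimbraCertAuthorityCertSelfSigned and zimbraCertAuthorityKeySelfSigned in one ldapmodify run, because removing only the cert attribute leaves the key behind and createca then writes a 0-byte ca.pem, and it refuses to go on to deployca unless the new ca.pem is non-empty and not about to expire. Assumed, not taken from the thread: a Zimbra 5.0 layout under /opt/zimbra, the bind DN uid=zimbra,cn=admins,cn=zimbra on the local host, that openssl and mktemp are on PATH, and the backup directory name bak.TIMESTAMP.

```shell
#!/bin/sh
# Added example, not Zimbra's own code: the CA regeneration procedure from the
# thread, with the checks that were missing. Assumptions: Zimbra 5.0 under
# /opt/zimbra, bind DN uid=zimbra,cn=admins,cn=zimbra, LDAP on this host,
# openssl/mktemp on PATH. Run as root:  sh regen-ca.sh --run

ZIMBRA_HOME=${ZIMBRA_HOME:-/opt/zimbra}
SSL_DIR="$ZIMBRA_HOME/ssl"
CA_PEM="$SSL_DIR/zimbra/ca/ca.pem"
LDAP_BIND_DN="uid=zimbra,cn=admins,cn=zimbra"

# LDIF with two modify records, one per attribute. Two records rather than one
# so that "ldapmodify -c" still removes the other attribute when one of them
# was already deleted by hand (noSuchAttribute would abort a single record).
delete_ca_attrs_ldif() {
    printf '%s\n' \
        'dn: cn=config,cn=zimbra' \
        'changetype: modify' \
        'delete: zimbraCertAuthorityCertSelfSigned' \
        '' \
        'dn: cn=config,cn=zimbra' \
        'changetype: modify' \
        'delete: zimbraCertAuthorityKeySelfSigned'
}

# A usable CA file is non-empty and PEM-framed; a 0-byte ca.pem is exactly the
# symptom of deleting only the cert attribute (post #23).
ca_pem_is_sane() {
    pem=$1
    [ -s "$pem" ] || { echo "ca.pem missing or 0 bytes: $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no PEM certificate in $pem" >&2; return 1; }
}

# openssl exits 1 when the cert expires within the given number of seconds
# (default one day). Kept separate so the file checks run without openssl.
ca_pem_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-86400}"
}

regenerate_self_signed_ca() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    host=${LDAP_HOST:-$(hostname -f)}
    ts=$(date +%Y%m%d%H%M%S)

    # (a) keep the old material; avoids "mv * bak" trying to move bak into itself
    mkdir -p "$SSL_DIR/bak.$ts"
    find "$SSL_DIR" -mindepth 1 -maxdepth 1 ! -name 'bak.*' \
        -exec mv {} "$SSL_DIR/bak.$ts/" \;

    # (b) LDAP password via -y <file> rather than -w on the command line, so it
    # never shows up in ps output; $(...) strips the trailing newline, which
    # ldapmodify -y would otherwise treat as part of the password
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile" && chown zimbra "$pwfile"
    printf '%s' "$(su - zimbra -c 'zmlocalconfig -s -m nokey zimbra_ldap_password')" > "$pwfile"
    delete_ca_attrs_ldif | su - zimbra -c \
        "ldapmodify -c -x -H 'ldap://$host' -D '$LDAP_BIND_DN' -y '$pwfile'"
    rm -f "$pwfile"

    # (c) createca; stop here if it produced the 0-byte ca.pem from post #23
    "$ZIMBRA_HOME/bin/zmcertmgr" createca
    ca_pem_is_sane "$CA_PEM" || return 1
    ca_pem_not_expiring "$CA_PEM" 86400 || { echo "new CA already expiring" >&2; return 1; }

    # (d), (e) publish the CA and issue the server cert from it
    "$ZIMBRA_HOME/bin/zmcertmgr" deployca
    "$ZIMBRA_HOME/bin/zmcertmgr" install self -new

    # (f) Postfix only re-reads the CA/key on restart (post #28)
    su - zimbra -c 'zmcontrol stop'
    su - zimbra -c 'zmcontrol start'
}

if [ "${1:-}" = "--run" ]; then
    regenerate_self_signed_ca
fi
```

The two file checks are the part worth keeping even if you run the zmcertmgr steps by hand: a createca that "succeeds" but leaves ca.pem at 0 bytes is what makes deployca and install fail further down.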

  7. #27

    I could successfully resolve all troubles with receiving mail with the above steps.

    After that I had another problem and had to restore the previous installation (RC1).

    Then I upgraded again to GA and had the same problem with the STARTTLS Connect error. So I followed these steps once again, but it didn't work this time...

    All commands are OK (createca, etc.), no errors.
    Code:
    root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr createca
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Retrieving CA private key from ldap...failed.
    ** Retrieving CA cert from ldap...failed.
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving CA in ldap...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    root@james:/opt/zimbra/ssl# /opt/zimbra/bin/zmcertmgr install self -new
    ** Generating a server csr for download
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230180147
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/server/server.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230180147
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    But everything I see in the log is:
    Code:
    Dec 30 17:39:15 james postfix/smtpd[10154]: connect from mail.gmx.net[213.165.64.20]
    Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Dec 30 17:39:23 james last message repeated 2 times
    Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    Dec 30 17:39:24 james postfix/smtpd[9651]: warning: problem talking to service rewrite: Success
    Dec 30 17:39:24 james postfix/smtpd[10154]: warning: problem talking to service rewrite: Connection reset by peer
    Dec 30 17:39:24 james postfix/master[9432]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 10158 exit status 1
    Dec 30 17:39:24 james postfix/master[9432]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
    Code (/etc/hosts):
    127.0.0.1       localhost.localdomain localhost
    10.0.0.4        james.tobru.ch james
    Does anyone have an idea what else could be wrong?

    Thanks a lot
    Best Regards,
    Tobias
    Last edited by tobru; 12-30-2007 at 10:35 AM. Reason: output of zmcertmgr / hosts

  8. #28

    Here's a silly question, but did you restart Zimbra and/or the entire server? Postfix needs to re-read the key from LDAP.

  9. #29

    Note that I am seeing this problem even with certificates that have not yet expired. I am trying to figure out why right now.

  10. #30

    Here are the circumstances under which this can happen:
    Basically, if the CA cert has expired, certificate verification fails; even if the cert is valid, the MTA can fail.
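
The log excerpt in post #27 and the root cause in post #30, turned into a small diagnostic as an added example (not Zimbra's or Postfix's code). None of those log lines are about SMTP TLS: trivial-rewrite's LDAP client (the ldap:/opt/zimbra/conf/ldap-vad.cf map) could not complete STARTTLS to slapd, the lookup became "fatal", and master throttled the service, so smtpd reports "problem talking to service rewrite". The -11 in the error is OpenLDAP's LDAP_CONNECT_ERROR. The sample log is copied from the post with the "last message repeated" line dropped. Assumed, not stated in the thread: that the CA deployca writes to /opt/zimbra/conf/ca/ca.pem is what the LDAP client trusts, and that the server cert lives at the /opt/zimbra/ssl/zimbra/server/server.crt path zmcertmgr printed.

```shell
#!/bin/sh
# Added example, not Zimbra's or Postfix's code: classify the Postfix log
# lines from the thread and state post #30's rule as a check. Assumptions:
# syslog-style lines as shown; /opt/zimbra/conf/ca/ca.pem is the CA the LDAP
# client trusts; server.crt is where zmcertmgr wrote it.

# Scan a Postfix log. Exit 0 and print one summary line when the LDAP STARTTLS
# failure pattern is present, exit 1 when it is not.
diagnose_postfix_ldap_tls() {
    log=$1
    starttls=$(grep -c 'dict_ldap_connect: Unable to set STARTTLS' "$log" || true)
    [ "$starttls" -gt 0 ] || return 1
    # the LDAP map(s) whose lookup died, e.g. /opt/zimbra/conf/ldap-vad.cf
    maps=$(sed -n 's/.*fatal: ldap:\([^(]*\)(.*table lookup problem.*/\1/p' "$log" \
           | sort -u | tr '\n' ' ')
    throttled=$(grep -c 'bad command startup -- throttling' "$log" || true)
    printf 'ldap-starttls-failure count=%s maps=%s throttled=%s\n' \
        "$starttls" "${maps% }" "$throttled"
}

# Post #30's rule on notAfter timestamps (epoch seconds): the path is rejected
# when the issuer has expired, whatever the leaf's own validity says.
chain_verdict() {  # chain_verdict NOW CA_NOT_AFTER SERVER_NOT_AFTER
    now=$1; ca_exp=$2; srv_exp=$3
    if [ "$ca_exp" -le "$now" ]; then
        echo "ca-expired"        # leaf may still be valid; verification fails anyway
    elif [ "$srv_exp" -le "$now" ]; then
        echo "server-expired"
    else
        echo "ok"
    fi
}

# What the LDAP client effectively does: verify slapd's cert against the
# deployed CA. Run on the Zimbra host; prints both notAfter dates first so an
# expired CA next to a valid server cert is visible at a glance.
verify_slapd_chain() {
    ca=${1:-/opt/zimbra/conf/ca/ca.pem}
    crt=${2:-/opt/zimbra/ssl/zimbra/server/server.crt}
    openssl x509 -in "$ca" -noout -enddate
    openssl x509 -in "$crt" -noout -enddate
    openssl verify -CAfile "$ca" "$crt"
}

# Constructed sample: the thread's lines, minus the "repeated 2 times" entry.
sample_log() {
    cat <<'EOF'
Dec 30 17:39:15 james postfix/smtpd[10154]: connect from mail.gmx.net[213.165.64.20]
Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Dec 30 17:39:23 james postfix/trivial-rewrite[10158]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Dec 30 17:39:24 james postfix/smtpd[10154]: warning: problem talking to service rewrite: Connection reset by peer
Dec 30 17:39:24 james postfix/master[9432]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 10158 exit status 1
Dec 30 17:39:24 james postfix/master[9432]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    diagnose_postfix_ldap_tls "$tmp"; rm -f "$tmp"
fi
```

Run it with --demo to see the summary line for the thread's log; on the affected host, verify_slapd_chain is the quickest way to confirm post #30's case, because "openssl verify" fails on an expired issuer even when the server cert's own notAfter is in the future.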
