
Thread: [SOLVED] Argh Commercial Certificates after a 4.10 > 5.0 FOSS upgrade!


  1. #1


    Ok, I'm at my wits' end, and it looks like there have been a number of issues with this. I can't seem to find any real solution; hopefully someone can help here.

    Before the upgrade everything had been working fine with a 2 year GoDaddy commercial certificate.

    After I did the upgrade, everything looked fine, then I saw these errors in the log file:

    Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Dec 30 13:18:44 webmail last message repeated 2 times
    Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
    Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling


    I found in bugzilla or another message to regenerate a self-signed certificate by doing:
    [root@webmail ssl]# /opt/zimbra/bin/zmcertmgr createca
    ** Creating directory /opt/zimbra/ssl/zimbra
    ** Creating directory /opt/zimbra/ssl/zimbra/ca
    ** Creating directory /opt/zimbra/ssl/zimbra/server
    ** Creating directory /opt/zimbra/ssl/zimbra/commercial
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Retrieving CA private key from ldap...done.
    ** Retrieving CA cert from ldap...done.
    [root@webmail ssl]# /opt/zimbra/bin/zmcertmgr deployca
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Saving CA in ldap...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    [root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install self -new


    This worked fine in getting things working; the SSL web page still had the correct commercial certificate installed, so no errors there. However, while an SSL cert was now installed on the MTA, it was the self-signed one, which pops up a warning box the first time you try to send an email out through a fat mail client. I need it to use the purchased commercial cert.

    So I did the following:
    [root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install com -new

    I looked at what files it was looking for:
    1) Default is /opt/zimbra/ssl/zimbra/server/server.crt for server and /opt/zimbra/ssl/zimbra/commercial/commercial.crt for commercial
    2) Default is "/C=US/ST=N_A/L=N_A/O=Zimbra Collaboration Suite/CN=webmail.intotheoven.com"
    3) Default is 365.
    4) install self is to install the certificates using self signed csr is in /opt/zimbra/ssl/zimbra/server
    5) install comm is to install the certificates using commercially signed certificate in /opt/zimbra/ssl/zimbra/commercial
    6) default is
    7) for verifycrt, by default for self priv_key is /opt/zimbra/ssl/zimbra/server/server.key and the certfile is /opt/zimbra/ssl/zimbra/server/server.crt, for comm priv_key is /opt/zimbra/ssl/zimbra/commercial/commercial.key and the certfile is /opt/zimbra/ssl/zimbra/commercial/commercial.crt


    I found the back-up of those files, copied them into the appropriate directory, then ran the:
    [root@webmail ssl]# /opt/zimbra/bin/zmcertmgr install com -new

    It failed with an error, so I re-ran it with '-x' to see the output, here is where it failed:
    + '[' '!' -f /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt ']'
    + echo 'XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.'
    XXXXX ERROR: /opt/zimbra/mailboxd/webapps/zimbraAdmin/tmp/current.crt does not exist.


    So I copied my .crt to the temp dir and it ran fine:
    [root@webmail commercial]# sh /opt/zimbra/bin/zmcertmgr install comm -new
    ** Installing Certificates from /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20071230130845
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.


    Hopes were set up high here, but then again the same error as above:

    Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Dec 30 13:18:44 webmail last message repeated 2 times
    Dec 30 13:18:44 webmail postfix/trivial-rewrite[12042]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    Dec 30 13:18:45 webmail postfix/master[12029]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 12042 exit status 1
    Dec 30 13:18:45 webmail postfix/master[12029]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling


    This is very irritating, as I cannot send mail through the server on my iPhone with a self-signed cert.

    Any assistance would GREATLY be appreciated!

    Here is the result of a:
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt all
    ::service mta::
    notBefore=Jul 30 20:25:48 2007 GMT
    notAfter=Jul 29 20:25:48 2009 GMT
    subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
    issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    SubjectAltName=
    ::service proxy::
    notBefore=Jul 30 20:25:48 2007 GMT
    notAfter=Jul 29 20:25:48 2009 GMT
    subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
    issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    SubjectAltName=
    ::service mailboxd::
    notBefore=Jul 30 20:25:48 2007 GMT
    notAfter=Jul 29 20:25:48 2009 GMT
    subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
    issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    SubjectAltName=
    ::service ldap::
    notBefore=Jul 30 20:25:48 2007 GMT
    notAfter=Jul 29 20:25:48 2009 GMT
    subject= /O=webmail.intotheoven.com/OU=Domain Validated/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/CN=webmail.intotheoven.com
    issuer= /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    SubjectAltName=


    HELP!
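Before swapping the deployed certificate, the checks worth running on the files listed above (commercial.crt, commercial.key and the CA that the other services trust) are: does the certificate match the private key, does it chain to the CA bundle, and how long is it still valid. The script below is an added example, not part of the thread and not zmcertmgr's code; it builds a throwaway CA and server certificate in a temp directory so it runs offline, and the file names, the `check_cert` helper and the 30-day threshold are assumptions. On a real server you would call `check_cert` with /opt/zimbra/ssl/zimbra/commercial/commercial.crt, commercial.key and the CA file under /opt/zimbra/conf/ca instead of the constructed material.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a commercial certificate.
# Not part of the thread or of zmcertmgr; all paths and names are assumptions.
set -eu

# key_matches_cert CERT KEY -> exit 0 when KEY is the private key for CERT
# (compares the SubjectPublicKeyInfo carried by each file)
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT CAFILE -> exit 0 when CERT chains to a CA in CAFILE
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# valid_for_days CERT DAYS -> exit 0 when CERT will still be valid DAYS from now
valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_summary CERT -> the same fields zmcertmgr viewdeployedcrt prints
cert_summary() {
  openssl x509 -noout -dates -subject -issuer -in "$1"
}

# check_cert CERT KEY CAFILE -> one line per check; exit 1 if any check fails
check_cert() {
  rc=0
  key_matches_cert "$1" "$2" && echo "OK   private key matches certificate" \
    || { echo "FAIL private key does not match certificate"; rc=1; }
  chain_verifies "$1" "$3" && echo "OK   certificate chains to $3" \
    || { echo "FAIL certificate does not verify against $3"; rc=1; }
  valid_for_days "$1" 30 && echo "OK   valid for at least 30 more days" \
    || { echo "FAIL certificate expires within 30 days"; rc=1; }
  return $rc
}

# --- constructed test material (not from the thread) so the script runs offline ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=webmail.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -days 60 -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/server.crt" >/dev/null 2>&1
# an unrelated key and an unrelated CA, to exercise the failure branches
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/otherca.key" -out "$WORK/otherca.pem" >/dev/null 2>&1

cert_summary "$WORK/server.crt"
check_cert "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.pem"
```

A key/certificate mismatch or a certificate that does not verify against the CA file the other services load will not show up in `viewdeployedcrt`, which only prints the certificate's own fields; running `check_cert` against the backup copies before `zmcertmgr install comm` rules both out in a few seconds.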

  2. #2

    Turning off Postfix and TLS -> LDAP

    I think I could get this problem if I knew where to turn off Postfix trying to lookup the address rewrites in LDAP via TLS and back to the anonymous lookups of 4.10.

    I thought it might be related to my certificate being past the one-year mark; well, I just purchased another certificate because I need to get this thing going, and I'm in the exact same boat. I even installed the cert through the web interface.

    Everything starts fine, can access IMAP, HTTPS (web), but I just can't send or receive any e-mail while I'm getting this error:

    Dec 31 15:33:01 webmail postfix/trivial-rewrite[14070]: fatal: ldap:/opt/zimbra/conf/ldap-vmd.cf(0,lock|fold_fix): table lookup problem
    Dec 31 15:33:01 webmail postfix/trivial-rewrite[14071]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Dec 31 15:33:01 webmail last message repeated 2 times
    Dec 31 15:33:01 webmail postfix/trivial-rewrite[14071]: fatal: ldap:/opt/zimbra/conf/ldap-vmd.cf(0,lock|fold_fix): table lookup problem
    Dec 31 15:33:02 webmail postfix/qmgr[7320]: warning: problem talking to service rewrite: Success
    Dec 31 15:33:02 webmail postfix/master[7310]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 14061 exit status 1
    Dec 31 15:33:02 webmail postfix/master[7310]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling


    Seriously, if anyone has any ideas, I would appreciate it.

  3. #3

  4. #4


    Ok, maybe I'm missing something here; I have tried that before, and again just now. It works fine if I'm just self-signing a cert. But as soon as I try to add in a commercial cert (two year), it does the exact same thing again.

    If at that point I do a 'zmcertmgr install self' I can get back up and running, but as soon as I do the commercial, I get the postfix/ldap errors.

  5. #5


    ah, okay. I think you're hitting:
    Bug 23294 - commercial certs fail to install

  6. #6

    Quote Originally Posted by jholder:
        ah, okay. I think you're hitting:
        Bug 23294 - commercial certs fail to install

    Yep, I have referenced that too, same thing. The last entry in there is they have everything working (as do I), except they haven't had a chance to see if the postfix->ldap communication has been fixed.

    I can tell you over here, it's not.

    Any ideas or log entries I can assist with? Everything is running, there is nothing out of the ordinary except this in the zimbra.log

    Dec 31 20:36:53 webmail postfix/trivial-rewrite[30620]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    Dec 31 20:36:53 webmail postfix/trivial-rewrite[30621]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
    Dec 31 20:36:53 webmail last message repeated 2 times
    Dec 31 20:36:53 webmail postfix/trivial-rewrite[30621]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
    Dec 31 20:36:54 webmail postfix/qmgr[26010]: warning: problem talking to service rewrite: Success
    Dec 31 20:36:54 webmail postfix/master[26006]: warning: process /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite pid 30614 exit status 1
    Dec 31 20:36:54 webmail postfix/master[26006]: warning: /opt/zimbra/postfix-2.4.3.3z/libexec/trivial-rewrite: bad command startup -- throttling
