
Thread: Unable to determine enabled services from ldap after ssl certificate install

  1. #1  Unable to determine enabled services from ldap after ssl certificate install

    New install of Zimbra 6.0 on Ubuntu 8.04lts

    Was working fine before adding a commercial ssl certificate.

    First problem: How do I remove the certificate?

    Second problem: Can I use an ssl cert with a different name than the actual hostname?

  2. #2  installing SSL Cert seems to hose ldap

    Ok. So I uninstalled zimbra and have now re-installed. Here is what I did:
    (names changed to protect the innocent)

    1. Install Ubuntu 8.04LTS. Updated/Upgraded.
    Hostname = wmail.mydomain.com
    Added necessary prerequisites

    2. Configured DNS
    Added A record for wmail to mydomain.com (and reverse)
    Added MX record for wmail.mydomain.com

    3. Verified DNS
    Code:
    root@wmail:~# host wmail.mydomain.com
    wmail.mydomain.com has address 172.16.50.1
    Code:
    root@wmail:~# dig mydomain.com mx
    
    ; <<>> DiG 9.4.2-P2.1 <<>> mydomain.com mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38558
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mydomain.com.                 IN      MX
    
    ;; ANSWER SECTION:
    mydomain.com.          3600    IN      MX      300 wmail.mydomain.com.
    
    ;; ADDITIONAL SECTION:
    wmail.mydomain.com.    3600    IN      A       172.16.50.1
    
    ;; Query time: 5 msec
    ;; SERVER: 172.16.10.3#53(172.16.10.3)
    ;; WHEN: Fri Jun  4 13:40:48 2010
    ;; MSG SIZE  rcvd: 109
    4. Install Zimbra - Release 6.0.6_GA_2330.UBUNTU8 UBUNTU8 FOSS edition.
    Took all defaults
    When it asked about the domain name I entered: mydomain.com and it found everything correctly.

    5. Started Zimbra
    Logged into web admin, everything fat/dumb/happy

    Code:
    zimbra@wmail:/root$ zmhostname
    wmail.mydomain.com
    6. Generated CSR
    In web admin interface I generated the CSR for a commercial certificate

    7. Generated Certificate on Godaddy & installed using zmcertmgr
    Code:
    root@wmail:~# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key ./wmail.mydomain.com.crt ./gd_bundle.crt 
    ** Verifying ./wmail.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./wmail.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./wmail.mydomain.com.crt: OK
    root@wmail:~# /opt/zimbra/bin/zmcertmgr deploycrt comm ./wmail.mydomain.com.crt ./gd_bundle.crt 
    ** Verifying ./wmail.mydomain.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
    Certificate (./wmail.mydomain.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
    Valid Certificate: ./wmail.mydomain.com.crt: OK
    ** Copying ./wmail.mydomain.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Appending ca chain ./gd_bundle.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
    ** Saving server config key zimbraSSLCertificate...done.    
    ** Saving server config key zimbraSSLPrivateKey...done.
    ** Installing mta certificate and key...done.
    ** Installing slapd certificate and key...done.
    ** Installing proxy certificate and key...done.
    ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
    ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
    ** Installing CA to /opt/zimbra/conf/ca...done.
    
    root@wmail:~# su zimbra
    
    zimbra@wmail:/root$ zmcontrol stop
    
    Host wmail.mydomain.com
            Stopping stats...Done.
            Stopping mta...Done.
            Stopping spell...Done.
            Stopping snmp...Done.
            Stopping archiving...Done.
            Stopping antivirus...Done.
            Stopping antispam...Done.
            Stopping imapproxy...Done.
            Stopping memcached...Done.
            Stopping mailbox...Done.
            Stopping logger...Done.
            Stopping ldap...Done.
    
    zimbra@wmail:/root$ zmcontrol start
    
    Host wmail.mydomain.com
            Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
            Starting logger...Failed.
    Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
    zimbra logger service is not enabled!  failed.
    
            Starting mailbox...Done.
            Starting antispam...Done.
            Starting antivirus...Done.
            Starting spell...Done.
            Starting mta...Done.
            Starting stats...Done.
    Code:
    root@wmail:~# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
    
    ::service mta::
    notBefore=Jun  4 17:25:29 2010 GMT
    notAfter=Jun  3 20:57:40 2012 GMT
    subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
    issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
    SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
    ::service proxy::
    notBefore=Jun  4 17:25:29 2010 GMT
    notAfter=Jun  3 20:57:40 2012 GMT
    subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
    issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
    SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
    ::service mailboxd::
    notBefore=Jun  4 17:25:29 2010 GMT
    notAfter=Jun  3 20:57:40 2012 GMT
    subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
    issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
    SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com
    ::service ldap::
    notBefore=Jun  4 17:25:29 2010 GMT
    notAfter=Jun  3 20:57:40 2012 GMT
    subject= /O=wmail.mydomain.com/OU=Domain Control Validated/CN=wmail.mydomain.com
    issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
    SubjectAltName= wmail.mydomain.com, www.wmail.mydomain.com

    Obviously I am doing something wrong as this seems to be a fairly straightforward process but I can't figure out what.

    Can anyone help with this?

    /x
    Last edited by xlntech; 06-04-2010 at 12:18 PM.
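The error in post #2 is the Java LDAP client's trust-path check failing: `zmcertmgr verifycrt` only proved that the key matches the certificate and that the certificate validates against the bundle handed to it, while the PKIX error says the client could not build a path from the slapd certificate to an anchor it trusts. The script below is an added example, not code from this thread or from Zimbra; it rebuilds both checks offline with plain openssl on a throwaway CA hierarchy. The hostname `wmail.example.test`, the CA names and the file names are all constructed for the example; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from this thread or from Zimbra. It rebuilds offline,
# with plain openssl, the two checks that matter when a commercial certificate is
# deployed: the key/certificate match that "zmcertmgr verifycrt" reports, and the
# trust-path check that the Java LDAP client in post #2 fails with
# "PKIX path building failed ... unable to find valid certification path".
# Everything is constructed here: a throwaway root CA, an intermediate CA that
# stands in for the vendor bundle, a server certificate for a made-up hostname,
# and an unrelated root CA that plays a trust store lacking the issuing CA.
# Requires openssl 1.1.1 or newer and a writable temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
HOST=wmail.example.test               # hypothetical hostname, not the poster's

quiet() { "$@" >/dev/null 2>&1; }

# Extension profiles for CA certs and for the server (leaf) cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$HOST" "$HOST" > leaf.ext

# Two self-signed roots: the real anchor, and one unrelated to our chain.
for ca in root other; do
    quiet openssl req -newkey rsa:2048 -nodes -keyout "$ca.key" -out "$ca.csr" -subj "/CN=Example $ca CA"
    quiet openssl x509 -req -days 2 -in "$ca.csr" -signkey "$ca.key" -out "$ca.crt" -extfile ca.ext
done

# Intermediate CA issued by the root (what a vendor "bundle" file carries).
quiet openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA"
quiet openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt -extfile ca.ext

# Server certificate issued by the intermediate, with SANs as in post #2.
quiet openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=$HOST"
quiet openssl x509 -req -days 2 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt -extfile leaf.ext

# Check 1 (what verifycrt reports): the private key's public half equals the cert's.
key_matches_cert() {   # $1 = key file, $2 = cert file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Check 2 (what the Java client does): build a path from the server cert to an
# anchor in the trust store, using the bundle as untrusted intermediate material.
chain_verifies() {     # $1 = trust store, $2 = bundle file or "none", $3 = server cert
    if [ "$2" = none ]; then quiet openssl verify -CAfile "$1" "$3"
    else quiet openssl verify -CAfile "$1" -untrusted "$2" "$3"; fi
}

# Check 3: chain plus hostname against the SAN list (post #1's second question).
cert_matches_host() {  # $1 = trust store, $2 = bundle, $3 = server cert, $4 = hostname
    quiet openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3"
}

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
report key_matches_cert leaf.key leaf.crt
report key_matches_cert int.key leaf.crt              # wrong key: FAIL
report chain_verifies root.crt int.crt leaf.crt       # anchor trusted, bundle supplied: ok
report chain_verifies root.crt none leaf.crt          # bundle missing: FAIL (no local issuer)
report chain_verifies other.crt int.crt leaf.crt      # trust store lacks the root: FAIL, the PKIX case
report cert_matches_host root.crt int.crt leaf.crt "www.$HOST"
report cert_matches_host root.crt int.crt leaf.crt mail.example.test   # name not in SAN: FAIL
```

Run it with `sh`; the lines marked FAIL are the expected failures. The third `chain_verifies` case is the shape of the error in post #2: the certificate and bundle are fine on their own, but the client's trust store has no anchor for them, so no path can be built. Note that the workaround reached in post #9 (plain `ldap://` on 389 plus `ssl_allow_untrusted_certs=1`) does not make that check pass; it stops the check from being performed at all, which is the trade-off post #10 points at.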

  3. #3  Uh... Tap Tap Tap... is this thing turned on?

    Has the entire community of Zimbra genii been stumped by this one? If so, is there a prize? (I hope so because otherwise this kind of stinks)

    Have I somehow breached etiquette rules that I'm not aware of? I swear I searched high and low before posting my question. I saw some other people with similar problems that seem to have similar answers (none). Maybe there is a better forum to post this in?

    I can use more smileys/emoticons if that helps.

    /x

    P.S. All said with a smile, absolutely no offense intended to anyone.

  4. #4

    Try generating the CSR via CLI. I just recently wrote up the procedure. In my case I used a UCC cert but you can probably just leave out the extra domain. I.e. no "/CN=$FQDN2"

    http://www.zimbra.com/forums/install...t-renewal.html

  5. #5  CSR via CLI

    This is what I got when I tried that:

    Code:
    root@wmail:~# /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 "/C=cn/ST=st/L=city/O=Org/CN=wmail.domain.com"
    ** Generating a server csr for download comm -new -keysize 2048 /C=cn/ST=st/L=city/O=Org/CN=wmail.domain.com
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20100610110815 
    ** Creating server cert request /opt/zimbra/ssl/zimbra/commercial/commercial.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.

    How do I remove the certificate just so I can get my system to start up again?

  6. #6

    Huh, I'm out of ideas...except maybe checking the permissions of files, or manually moving some of them out of the way. In other words, see if you can do something about /opt/zimbra/ssl/zimbra/commercial/commercial.key and maybe some of the other files mentioned in the output of the successful install example from my thread.

    Also there may be a way to create the files in a location other than the default. It's not well documented but I came across it in one example or another.

    Finally (for now) if you haven't read these links for creating a new self-signed cert, see:

    Administration Console and CLI Certificate Tools - Zimbra :: Wiki
    Administration Console and CLI Certificate Tools - Zimbra :: Wiki

  7. #7

    I completely uninstalled (again) zimbra and re-installed, then did the entire SSL process from the CLI. Everything goes nice/happy until I try to restart the server, then LDAP is hosed.

    It's pretty obvious that the problem has to do with LDAP access. I assume inter-process comm is also using SSL; if that is true, do you know how I can disable that?

  8. #8

  9. #9

    set ewilen_the_man_status=++

    That helped.

    I used zmlocalconfig to set the following:
    Code:
    zmlocalconfig -e ssl_allow_untrusted_certs=1
    (that didn't actually fix it, I had to set ldap to not use ssl also)
    zmlocalconfig -e ldap_master_url=ldap://wmail.inteltech.com:389
    zmlocalconfig -e ldap_url=ldap://wmail.inteltech.com:389
    zmlocalconfig -e ldap_port=389
    I'm a little confused though. I tried setting ldaps according to that bug note and allowing untrusted certs; which only makes sense to me in that they are related; but that didn't help. So then I just set ldap to not use ssl and it worked. However, I tried setting the allow_untrusted back to false(0) and it quits working again. So my confusion: If I am configuring ldap not to use ssl, why does it care about the allow_untrusted setting at all? Or is that why we call it a bug and not a feature?

    Either way I really appreciate you taking the time to help me on this one. I will start tracking your posts and if I can ever help I will.

    /x

  10. #10

    You're welcome, glad to have helped!

    I'm not an expert in this, but your previous note rang a bell.

    About the setting for allow_untrusted, I can only guess that setting it to 1 as you did will make it work for a self-signed cert, and therefore setting it to 0 makes it stop working for you because you're using a self-signed cert. But I don't know exactly why the recommendation to set it to 0 is there. That is, is it specifically needed for Zimbra to start, or is it just there because if you allow untrusted certs, you may be defeating the purpose of using ldaps?

    The support portal has somewhat more detailed info for what to do in a new install to 6.0.6. I.e., don't select ldaps during the install, then after install do
    Code:
    zmlocalconfig -e ldap_url=ldaps://mail.domain.com:636
    zmlocalconfig -e ldap_master_url=ldaps://mail.domain.com:636
    zmlocalconfig -e ldap_port=636
    zmlocalconfig -e ldap_starttls_support=0
    zmlocalconfig -e ssl_allow_untrusted_certs=0

    Possibly the ldap_starttls_support=0 is the missing link. (It's mentioned in comment #13 of the bug, too, but not in a way that makes it clear how it relates to the workaround for 6.0.6.)
