Upgrading to Zimbra Collaboration 8.6.0 from 8.5.0 : Error: Unable to create a successful TLS connection to the ldap masters

sub1
Posts: 5
Joined: Mon Dec 22, 2014 4:37 am

Postby sub1 » Mon Dec 22, 2014 5:02 am

Hello,



I'm trying to upgrade Zimbra 8.5.0 to latest 8.6.0 on CentOS 6.5. System is up to date. I'm using a commercial cert for mailbox and it is valid.


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# ./install.sh

Operations logged to /tmp/install.log.22738
Checking for existing installation...
    zimbra-ldap...FOUND zimbra-ldap-8.5.0_GA_3042
    zimbra-logger...FOUND zimbra-logger-8.5.0_GA_3042
    zimbra-mta...FOUND zimbra-mta-8.5.0_GA_3042
    zimbra-dnscache...FOUND zimbra-dnscache-8.5.0_GA_3042
    zimbra-snmp...FOUND zimbra-snmp-8.5.0_GA_3042
    zimbra-store...FOUND zimbra-store-8.5.0_GA_3042
    zimbra-apache...FOUND zimbra-apache-8.5.0_GA_3042
    zimbra-spell...FOUND zimbra-spell-8.5.0_GA_3042
    zimbra-convertd...NOT FOUND
    zimbra-memcached...FOUND zimbra-memcached-8.5.0_GA_3042
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-core...FOUND zimbra-core-8.5.0_GA_3042
ZCS upgrade from 8.5.0 to 8.6.0 will be performed.
Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
       Fix cert configuration prior to upgrading.


I tried to debug a little:


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# bin/zmValidateLdap.pl -l --vmajor 8 --vminor 5
ERROR: Unable to connect via startTLS to master: ldap://zimbra.domain.intra:389


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap | grep tls
ldap_common_require_tls = 0
ldap_starttls_required = true
ldap_starttls_supported = 1


[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# /opt/zimbra/bin/zmlocalconfig | grep ldap_master
ldap_master_url = ldap://zimbra.domain.intra:389


Can anyone help me solve this problem?


Regards



jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Mon Dec 22, 2014 10:45 am

Hi sub1,

I saw this error before, let me take a look into my notes and chat with the rest of the team.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
dslauter
Posts: 6
Joined: Sat Sep 13, 2014 3:36 am

Postby dslauter » Mon Dec 22, 2014 2:31 pm

I also have the same issue on Ubuntu 14.04, let me know if you need anything.
dlbewley
Advanced member
Posts: 82
Joined: Fri Sep 12, 2014 10:15 pm

Postby dlbewley » Mon Dec 22, 2014 10:30 pm

Is this a multi-server install? What's the CN on the cert? Is your zmlocalconfig `ldap_url` different from `ldap_master_url`?



See if this is relevant https://bugzilla.zimbra.com/show_bug.cgi?id=95420
sub1
Posts: 5
Joined: Mon Dec 22, 2014 4:37 am

Postby sub1 » Tue Dec 23, 2014 3:35 am

Hi,



In my case, it's a mono-server installation.



[root@ZIMBRA zcs-8.6.0_GA_1153.RHEL6_64.20141215151155]# "/opt/zimbra/bin/zmlocalconfig" | grep ldap | grep url
ldap_bind_url =
ldap_master_url = ldap://zimbra.domain.intra:389
ldap_url = ldap://zimbra.domain.intra:389



CN on cert is "*.domain.com" and my server is named "zimbra.domain.intra"





Concerning bug id 95420, if I replace in "bin/zmValidateLdap.pl"

$mesgp = $ldapp->start_tls(
    verify => 'require',               # certificate verification enforced
    capath => "/opt/zimbra/conf/ca",
);

by

$mesgp = $ldapp->start_tls(
    verify => 'none',                  # certificate verification disabled
    capath => "/opt/zimbra/conf/ca",
);



Validation is OK.



It seems that I can no longer have a commercial cert with a DN not matching the hostname. This configuration was valid before 8.6.

Any ideas on the best way to solve this issue?



Regards.
adilm
Posts: 4
Joined: Tue Dec 23, 2014 9:28 am

Postby adilm » Tue Dec 23, 2014 9:32 am

I have the same issue upgrading from 8.5.1 to 8.6.0. Mono server install. Exactly the same output in validation commands.
t.goetten
Posts: 19
Joined: Fri Sep 12, 2014 11:22 pm

Postby t.goetten » Thu Dec 25, 2014 4:44 am

I have (supposedly) the same issue too.

- commercial certificate (not expired!)
- Zimbra 8.5.1_GA_3056 (build 20141103151510)
- single server

Validating ldap configuration
Error: Unable to create a successful TLS connection to the ldap masters.
Fix cert configuration prior to upgrading.



Any suggestions?
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Thu Dec 25, 2014 5:28 am

Hi guys,


I'm taking a deeper look with the rest of the Zimbra Team. Could you please launch this command as root:


root@zimbra-sn-u14-01:/home/oper# /opt/zimbra/bin/zmcertmgr viewdeployedcrt

And tell us whether the hostname of your single server is included in the CN (I guess not, because in the CN you have the FQDN), or whether the hostname of your single server is at least included in the SubjectAltName?


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
t.goetten
Posts: 19
Joined: Fri Sep 12, 2014 11:22 pm

Postby t.goetten » Thu Dec 25, 2014 5:52 am

Hi Jorge,



Thanks for looking into our issue. Your assumption is right. Running zmcertmgr reveals that the hostname is NOT included. Both CN and SubjectAltName carry the official FQDN and are identical.



Do you need the output?



Best regards

Thomas
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Thu Dec 25, 2014 6:00 am

Hi t.goetten,

No, no, that is enough.

Some SSL certificates can be updated if they are still valid. Could you please try to regenerate the SSL again with the next command, using your country, etc. Please pay special attention to the CN and the subjectaltnames:


/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=GB/ST=London/L=London/O=Zimbra/OU=Zimbra IT/CN=FQDN" -subjectAltNames "FQDN,HOSTNAME"

And then reissue the SSL, apply to Zimbra, launch the viewdeployedcrt command again, and if you have the hostname in the subjectaltnames correctly, then try to upgrade again.


We are looking into this problem.


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
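
Added example, not part of any post above and not Zimbra code: a shell check for the mismatch the thread identifies, comparing the host in `ldap_master_url` with the names in a certificate so that `verify => 'require'` can stay in place. The sample certificate text is constructed, the function names are hypothetical, and treating CN and DNS SAN entries alike is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate cover the host
# named in ldap_master_url? CN and DNS SANs are treated alike (assumption).

# Constructed sample of `openssl x509 -noout -text` output, modelled on the
# thread: wildcard cert for *.domain.com, server named zimbra.domain.intra.
SAMPLE_CERT_TEXT='        Subject: C=GB, O=Example, CN=*.domain.com
            X509v3 Subject Alternative Name:
                DNS:*.domain.com, DNS:domain.com'

# Host part of an LDAP URL such as ldap://zimbra.domain.intra:389
ldap_url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[:/].*$||' |
        tr '[:upper:]' '[:lower:]'
}

# Subject CN plus every DNS SAN, one per line, lower-cased.
cert_names() {
    printf '%s\n' "$1" | sed -n -e '/Subject:/p' -e '/DNS:/p' | tr ',' '\n' |
        sed -n -e 's/^.*DNS:[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
               -e 's/^.*CN[[:space:]]*=[[:space:]]*\([^[:space:]/]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Succeeds if hostname $1 matches certificate name $2. A wildcard is honoured
# only as the whole left-most label and stands for exactly one label.
name_matches() {
    host=$1; name=$2
    case $name in
        \*.*)
            suffix=${name#\*}
            case $host in
                *"$suffix") left=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case $left in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
        *) [ "$host" = "$name" ] ;;
    esac
}

# Prints "OK <name>" for the first covering name, otherwise "MISMATCH <host>".
check_ldap_cert() {
    h=$(ldap_url_host "$1")
    while IFS= read -r n; do
        if name_matches "$h" "$n"; then echo "OK $n"; return 0; fi
    done <<EOF
$(cert_names "$2")
EOF
    echo "MISMATCH $h"; return 1
}
```

On a server, pass the real values, for example `check_ldap_cert "$LDAP_MASTER_URL" "$(openssl x509 -noout -text -in CERT.pem)"`, where `CERT.pem` is a placeholder for the deployed certificate file.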
