I think I've done something dumb

BradC
Advanced member
Posts: 75
Joined: Tue May 03, 2016 1:39 am

I think I've done something dumb

Postby BradC » Thu Jul 25, 2019 1:42 pm

When I first installed Zimbra as a trial back in 2011, I set the server up with the domain name zimbra.vm.home. Not my brightest move. It was on my home vm network and I wasn't planning to keep it around, so it kinda made sense at the time. When I decided to actually buy a NE license and put it into service, I put some port forwards in place and set up the external domain names as additional domains in the server. It has been ticking along merrily ever since.

About 6 or 7 years ago I set up a proper self signed certificate for the external domains, and added "zimbra.vm.home" as an additional name on the cert, so everything was just peachy. Worked inside the network and out.

That is until tonight, when I decided to come up to the 21st century and install a "LetsEncrypt" certificate on the server with the external domain name (can't add private names to an LE cert).

Suddenly I'm confronted with:


Host zimbra.vm.home
   Starting ldap...Done.
Unable to start TLS: hostname verification failed when connecting to ldap master.

No issues. I'm a fastidious "backeruper". So restore the original self-signed cert and we are back in business while I go away and have a think about the best way to tackle this one. I'm not in any rush at all as all of the client machines (and mobiles) have the CA installed.

From what I see, I have 2 options.
A) Rename the server and make the main public domain the server domain. I don't know how well that will go, but I can run plenty of tests on a cloned VM and try it out.
B) Disable TLS internal to the server and make all the services work unencrypted. Probably not ideal.

Does anyone have any other ideas?

To keep the pedants happy:
zimbra@zimbra:~$ zmcontrol -v
Release 8.8.12.GA.3794.UBUNTU14.64 UBUNTU14_64 NETWORK edition, Patch 8.8.12_P1 proxy.

It's actually 8.8.12_P4, but for some reason I can't be bothered to figure out, it doesn't report it (all components have the right revisions). I'm planning the 8.8.15 upgrade so that's the least of my worries. It's a single VM with 13 users and about 60G of mail, so it's not difficult to try different things (or restore snapshots).
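The error in the post is the hostname-verification step of the TLS handshake the services perform when they connect to the LDAP master: the name they dial (the server's own hostname, zimbra.vm.home) has to match one of the certificate's subject alternative names, and a Let's Encrypt certificate carrying only the public name cannot satisfy that. Trusting the issuing CA (the cacerts import mentioned later in the thread) is a separate check and does not help here. The following added example, which is not code from the thread or from Zimbra, implements the RFC 6125 DNS-name matching rule and runs it against constructed name lists standing in for the two certificates; `mail.example.com` is a placeholder for the real public name, and the modelling of what `zimbra_require_interprocess_security=0` does is an assumption stated in the code.

```python
"""Hostname verification as applied to a Zimbra LDAP TLS connection.

Added example, not code from the forum thread or from Zimbra. It reproduces
the check behind "hostname verification failed when connecting to ldap
master": the name the services dial the LDAP master with must match a
subject alternative name (SAN) on the certificate the master presents.
"""

# Constructed SAN lists mirroring the two certificates in the thread.
# "mail.example.com" is a placeholder for the real public domain name.
LEGACY_SELF_SIGNED_SANS = ("mail.example.com", "zimbra.vm.home")
LETSENCRYPT_SANS = ("mail.example.com",)  # a public CA will not issue for .home
INTERNAL_HOSTNAME = "zimbra.vm.home"     # the name the server calls itself


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as
    the entire left-most label, must leave at least two fixed labels
    ('*.home' is rejected) and matches exactly one label, so '*.vm.home'
    covers 'zimbra.vm.home' but not 'a.b.vm.home'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label: label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName on the certificate matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def diagnose(hostname: str, san_dns_names) -> str:
    """Explain a failed match the way an admin would want it."""
    if cert_covers_hostname(san_dns_names, hostname):
        return f"OK: {hostname} is covered by {list(san_dns_names)}"
    return (f"hostname verification failed: {hostname} is not among "
            f"{list(san_dns_names)}; either add it as a SAN or rename the "
            f"server to a name the certificate carries")


def check_ldap_tls(hostname: str, san_dns_names,
                   require_interprocess_security: bool = True):
    """Model of the decision a service makes when dialling the LDAP master.

    Assumption made for this example: with zimbra_require_interprocess_security
    set to 0 the services fall back to an unencrypted LDAP connection, so no
    certificate is presented and nothing is verified. That removes the error
    by removing the protection. Returns (status, detail) with status one of
    "ok", "failed", "skipped".
    """
    if not require_interprocess_security:
        return ("skipped", "interprocess TLS disabled: LDAP traffic is "
                           "neither encrypted nor authenticated")
    if cert_covers_hostname(san_dns_names, hostname):
        return ("ok", f"{hostname} matches a SAN")
    return ("failed", diagnose(hostname, san_dns_names))


if __name__ == "__main__":
    print("old self-signed cert:", check_ldap_tls(INTERNAL_HOSTNAME, LEGACY_SELF_SIGNED_SANS))
    print("Let's Encrypt cert:  ", check_ldap_tls(INTERNAL_HOSTNAME, LETSENCRYPT_SANS))
    print("TLS disabled:        ", check_ldap_tls(INTERNAL_HOSTNAME, LETSENCRYPT_SANS, False))
    # Option A from the post: a server whose hostname is the public name.
    print("renamed server:      ", check_ldap_tls("mail.example.com", LETSENCRYPT_SANS))
```

The three outcomes map onto the thread: the old certificate passes because the internal name is a SAN, the Let's Encrypt certificate fails on the internal name but passes once the server is named after the public domain (option A), and disabling interprocess security (option B) makes the check disappear along with the encryption.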


ccelis5215
Outstanding Member
Posts: 612
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: I think I've done something dumb

Postby ccelis5215 » Thu Jul 25, 2019 2:58 pm

Hi,

As you are in Ubuntu 14.04, just wait for 8.8.15 GA in 18.04 to migrate to a new server.

Of course, follow Mark's security advice: https://forums.zimbra.org/viewtopic.php?f=15&t=66672

ccelis
DualBoot
Elite member
Posts: 1308
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: I think I've done something dumb

Postby DualBoot » Thu Jul 25, 2019 3:18 pm

Hello,

Did you disable the TLS connection in your localconfig? (zmlocalconfig)

Regards,
iway
Outstanding Member
Posts: 425
Joined: Fri Sep 12, 2014 11:31 pm

Re: I think I've done something dumb

Postby iway » Thu Jul 25, 2019 8:37 pm

You need to set zimbra_require_interprocess_security=0 to get it working again with that cert-hostname mismatch.
BradC
Advanced member
Posts: 75
Joined: Tue May 03, 2016 1:39 am

Re: I think I've done something dumb

Postby BradC » Fri Jul 26, 2019 1:51 am

DualBoot wrote: Did you disable the TLS connection in your localconfig? (zmlocalconfig)

iway wrote: You need to set zimbra_require_interprocess_security=0 to get it working again with that cert-hostname mismatch.


No. I thought about it but wondered if that was likely to cause any issues in long-term support (i.e. is it going to be a problem 4 versions down the track when I've long forgotten I did it?).

Actually, now you mention it, when I did the first 8.6 -> 8.8 trial upgrade I encountered a similar issue. I solved that by importing my self-signed CA into the Java cacerts store. I have a script that runs on server boot that checks if the certificate is in the store and, if not, imports it. I might try having a closer look at that also.

ccelis5215 wrote:As you are in Ubuntu 14.04, just wait for 8.8.15 GA in 18.04 to migrate to a new server.


That sounds a bit like the shotgun approach. I might reserve that for the absolute last resort if I can't find a solution before 8.8.15_P1 is released.

In the meantime, I might have a crack at changing the server name using a cloned backup and see if that works.

Thanks for the ideas.
