  #1 (permalink)  
Old 01-30-2008, 09:18 PM
Intermediate Member
 
Posts: 16
Default [SOLVED] ZCS 5.0.1 OS Edition certificate problems - Followed threads, still have pro

Greetings,

I've read the relevant threads on this problem... but none of them work for me.

SSL Certificate Problems - Zimbra :: Wiki
[SOLVED] Expired Cert in 5.0GA can cause mail Delivery failure

I did an upgrade from 4.5.10 to 5.0.0 and then to 5.0.1 some time ago. The upgrades went fine. After running for a few weeks though, I had a certificate expire.

The system in question is running RHEL 4 Update 6 and the RHEL 4 i386 version of ZCS 5.0.1 OS Edition.

Anyway, it appears my mailboxd certificate expired today. I logged into the admin console, looked at the certs, and it said that there were three of them; two of them were still good into 2012 (if I remember correctly) but the one for mailboxd was expired as of today. I tried using the cert install feature of the admin console and checked "reinstall" or "overwrite" or whatever it was. That failed. After the failure, I seemed to have two certs and no cert for mailboxd. After that inbound and outbound mail stopped working.

So, I tried following the instructions at the first URL above... and there were two missing commands... zmcreateca and zmcreatecert are MISSING. There are sections of the document that say they are for up to 4.5 and others that say they are for 5+. I followed them all as much as possible... but with missing commands... it wasn't going to work.

Then I found the second URL mentioned above. All of the instructions worked... and my system was now able to send and receive mail (inbound and outbound worked again)... but I can NO LONGER log in to the admin console AND the web certificate is still expired... so the fix didn't fix anything... and only made the situation worse.

How do I fix this?

While there are lots of instructions, they are basically a jumbled mess... and in many ways non-functional. I've been running Zimbra for over two years and have had to fix expired certs twice before... on pre-5 systems and the instructions worked.

Please help.

I considered deleting my cert dirs and trying to do an install/upgrade of the same version on top of itself but decided that since I have a certain level of functionality, I don't want to make it any worse.

Thanks in advance!

Last edited by dowdle; 02-08-2008 at 09:12 PM.. Reason: To add the word SOLVED
  #2 (permalink)  
Old 01-30-2008, 11:07 PM
Special Member
 
Posts: 120
Default still problems too

Hi,

[I am using selfsigned certs]

I got my zimbra to a point where it delivers and accepts emails again. But some other stuff is still broken.

For example -> spamtraining:

spamtraining.log shows:
which is obvious why - but how to fix it?????

Code:
[] ERROR: java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 13 00:43:01 EST 2007
Exception in thread "main" com.zimbra.common.service.ServiceException: system failure: admin auth failed url=https://mail.myplace2b.net:7071/service/admin/soap/
Code:service.FAILURE
        at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:183)
        at com.zimbra.cs.util.SpamExtract.getAdminAuthToken(SpamExtract.java:434)
        at com.zimbra.cs.util.SpamExtract.main(SpamExtract.java:187)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:150)
        at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:495)
        at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
        at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at com.zimbra.common.soap.SoapHttpTransport.invoke(SoapHttpTransport.java:234)
        at com.zimbra.common.soap.SoapTransport.invoke(SoapTransport.java:295)
        at com.zimbra.common.soap.SoapTransport.invokeWithoutSession(SoapTransport.java:282)
        at com.zimbra.cs.util.SpamExtract.getAdminAuthToken(SpamExtract.java:429)
        ... 1 more
Caused by: java.security.cert.CertificateException: Untrusted Server Certificate Chain
        at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:967)
        ... 22 more
20080130234505 Finished spam/ham cleanup
I would like to throw away all certs and get new ones - as a fresh install would do.

Cheers
Andre
  #3 (permalink)  
Old 01-30-2008, 11:22 PM
Special Member
 
Posts: 120
Default verify certchain

the server tells me:

/opt/zimbra/bin/zmcertmgr verifycrtchain /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/ssl/zimbra/server/server.crt

Valid Certificate Chain: /opt/zimbra/ssl/zimbra/server/server.crt: OK

and the admin gui tells me as well that all certs are ok....

I am confused....

Andre
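
Post #3 reports the on-disk chain verifying while the client in post #2 still rejects what the admin listener presents; one way to tell whether the file on disk and the certificate actually served are the same, unexpired certificate is sketched below. This is an added example, not part of the thread and not Zimbra tooling. It uses only standard openssl subcommands, the function names are hypothetical, and the host in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: compare an on-disk certificate with the one a TLS listener serves.
# Function names are hypothetical; only standard openssl subcommands are used.

# Print the SHA-1 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Return 0 if the PEM certificate in file $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Save the leaf certificate presented by listener $1 (host:port) to file $2.
fetch_served_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2" 2>/dev/null
}

# Classify file $1 as "expired", "expiring" (within $2 days, default 30) or "ok".
cert_status() {
    days=${2:-30}
    if ! cert_valid_for "$1" 0; then echo expired
    elif ! cert_valid_for "$1" $((days * 86400)); then echo expiring
    else echo ok
    fi
}

# Compare disk certificate $1 with listener $2; succeed only if they match.
compare_disk_and_served() {
    tmp=$(mktemp) || return 2
    if ! fetch_served_cert "$2" "$tmp"; then
        rm -f "$tmp"
        echo "cannot fetch certificate from $2"
        return 2
    fi
    disk_fp=$(cert_fingerprint "$1")
    served_fp=$(cert_fingerprint "$tmp")
    echo "disk:   $(cert_status "$1") $disk_fp"
    echo "served: $(cert_status "$tmp") $served_fp"
    rm -f "$tmp"
    [ "$disk_fp" = "$served_fp" ]
}

# Usage (path and port as they appear in the thread; the host is a placeholder):
# compare_disk_and_served /opt/zimbra/ssl/zimbra/server/server.crt mail.example.com:7071
```

A mismatch between the two fingerprints means the listener is not serving the file that was verified on disk.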
  #4 (permalink)  
Old 01-31-2008, 07:58 AM
Intermediate Member
 
Posts: 16
Default Oddly enough... it has healed some

After not messing with it all night... and trying to log in to the admin interface this morning... lo and behold I can get into the Admin Console again. I won't ask why because I'm just happy it is working.

I did though restart the machine at least once, stop and restart the zimbra service as root several times during the various processes to see if the changes worked... so why it works now when it wouldn't last night is a mystery. I did quit my browsers and start them back up again a few times as well... but who knows... maybe I didn't do it in the perfect order... or maybe I should have flushed my browser cache too?!

Anyway, I still have a lot of logs to check through to see what if any pieces are still broken.

The web certificate is still expired so the original problem still remains.

I have one other Zimbra setup completely unrelated to the one I've been writing about that also had the web certificate expire yesterday... and I really don't know where to begin with it. I don't want to break it in the ways I broke this one.

It would be nice to see documentation that explains what is going on and why things are done, so as to better understand the process... instead of just following a recipe.

The first URL mentioned above does do a bit of explanation... but it still feels incredibly like a black box. Perhaps there is documentation out there explaining how Zimbra operates in finer detail so it is understandable by non-developers... and if so I'm sorry I haven't looked hard enough for it yet. Pointers would be appreciated.

I'll be happy to grep logs for anything but given the number of logs and their volumes, I didn't want to just start pasting stuff in here just because it looks like an error message... because it might not be related. Guidance please.

I do want to state just how much I like the Zimbra Collaboration Suite and how I've been using it for two years and have been promoting it by writing about it on my website some and also sending notices to various Linux news sites about Zimbra updates... and a few of them have picked them up. I mention this stuff not to say that I'm owed anything... but just to prove how much I believe in Zimbra as the best darn mail solution that exists.

Unfortunately I haven't needed many of the additional features in the Network Edition (except perhaps for technical support, eh?) and have not really contributed to the company in a financial way.

The only significant problems I've had with Zimbra have been related to certificate expirations. The last couple of times I regen'ed them I attempted / wanted to extend them for 5 years (rather than 1 year) but there are / were bugs where it didn't work without some script (rather than configuration) editing and I was wary of that.

I hope that the next few releases are able to expand and improve on the certificate management features in the Admin Console... so that problems related to certificates become less frequent. As more and more people upgrade to 5.0.1, I can imagine a rash of cert problems until all of this is fleshed out... and I hope it isn't just me.
  #5 (permalink)  
Old 01-31-2008, 11:03 AM
Intermediate Member
 
Posts: 16
Default Ok, let's start over...

I have two servers that are running ZCS 5.0.1 OS Edition. One is RHEL 4 i386 and the other is RHEL 5 i386.

The first one I went through the recommended fixes... and there were problems with those... and they caused trouble... and I'm back to where I was before.

So, reset... do over.

I have two servers that have expired web certificates. When I access the Zimbra Web Client or the Zimbra Admin Console my browser gripes about my self-signed certificate being expired. They both expired yesterday.

When I log in to the Zimbra Admin Console on the one I've screwed with trying to update the cert, I see three:

1) Certificate for Zimbra ldap Service - 2009
2) Certificate for Zimbra mta Service - 2009
3) Certificate for Zimbra proxy Service - 2009

I don't even have the proxy package installed but that's ok. Where is the certificate for the mailboxd (aka Jetty)? It isn't listed.

On the machine I haven't tried to fix yet, I log in to the Admin Console and see three certs:

1) Certificate for Zimbra ldap Service - 2012
2) Certificate for Zimbra mailboxd Service - Jan 31 03:25:37 2008 GMT [expired]
3) Certificate for Zimbra mta Service - 2012

So on that machine there is a mailboxd cert but no proxy... which is good because I'm not running proxy on that one either.

Now the two questions are:

A) How do I get rid of the expired cert (that isn't showing in the admin console) and make a new one without breaking things? - the instructions use commands that are missing

B) How do I delete and update the mailboxd cert (that is showing in the admin console) without breaking things? - same excuse as above

Thanks in advance!
  #6 (permalink)  
Old 02-08-2008, 09:15 PM
Intermediate Member
 
Posts: 16
Default Finally working

I did a good backup and was determined to fix it.

I upgraded both of my 5.0.1 servers to 5.0.2. Upgrade went well but the web certificates were still expired.

I followed the instructions given in the second link mentioned in the first posting of this thread. I paused about 60 seconds between each step... just in case there was some sort of weird timing thing.

It worked. All of my certs are now good for 1 more year. Good, I don't have to worry about this again for another 365 days!

I don't know what fixed it... the upgrade... the pausing... or what.
__________________
RHEL 4/5, CentOS 4/5 - ZCS 5.0.2OS Edition - Run inside an OpenVZ container