  #1 (permalink)  
Old 07-01-2008, 10:22 PM
Senior Member
 
Posts: 65
Default [SOLVED] 5.0.7 Upgrade Failure - when hostname of server does not match cert

I attempted to upgrade ZCS 5.0.6NE to 5.0.7 tonight and everything was going normally like all the other installs, but then I started getting a massive amount of these errors.


ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLPeerUnverifiedException hostname of the server 'notthereal.servername' does not match the hostname in the server's certificate.)

It tried to continue and finish the install.

When I tried starting the server up, I got this error:

Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Unable to determine enabled services from ldap.

and then everything started up but I cannot connect.

I have called support and also submitted a case via email.

  #2 (permalink)  
Old 07-02-2008, 12:19 AM
Moderator
 
Posts: 6,236
Default

Handled by support - he'll update the thread later with details after some sleep.
  #3 (permalink)  
Old 07-02-2008, 07:38 AM
Senior Member
 
Posts: 65
Default

Thanks very much to mmorse and network support person Jason Bryan; I'm back up and running with 5.0.7. Jason filed a very detailed bug description and I think that best explains everything. Thanks!

Bug 29600


Hurstel
  #4 (permalink)  
Old 07-02-2008, 03:11 PM
Active Member
 
Posts: 36
Default

Would we be safe from this bug if the host name does not match, but the web access url is listed as an alt name in the cert?
  #5 (permalink)  
Old 07-02-2008, 04:42 PM
Intermediate Member
 
Posts: 23
Default

About the possible fix in the bug report...

I have a name mismatch cert on my test server, and the install didn't complete for me until I ran zmlocalconfig -e zimbra_require_interprocess_security=0.

That is, it appears to me that zmlocalconfig -e ssl_allow_untrusted_certs=TRUE does not allow for name mismatches. (I tried that first, without success).

--Chris
  #6 (permalink)  
Old 07-02-2008, 05:15 PM
Moderator
 
Posts: 1,531
Default

Will this fail on a wildcard cert? (*.domain.com)
  #7 (permalink)  
Old 07-02-2008, 05:41 PM
Zimbra Employee
 
Posts: 112
Smile Upgrade Failure answers!

janderson,

This would work fine as long as the server hostname (not necessarily the name you access the server from via http, imap, pop, etc) is either listed as the primary hostname or the SubjectAltName of the certificate.

cjstone,

You're correct. ssl_allow_untrusted_certs=TRUE is NOT a good workaround. We're working on correcting some code to allow that setting to work in 5.0.8.

bdial,

Wildcard certificates will work correctly.
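The rule described in post #7, as an added example that is not part of any post and is not Zimbra's code: a pre-upgrade check that the server's own hostname (not the web access URL) is covered by the certificate's primary name or a SubjectAltName. The wildcard handling (whole leftmost label only, covering exactly one label) is an assumption based on common TLS matching rules, and all names below are constructed.

```python
"""Pre-upgrade check: is the server hostname covered by its certificate?"""


def name_matches(cert_name, hostname):
    """Compare one certificate name with the server hostname."""
    p = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in hostname:
        return False
    if p[0] == "*":
        # Assumed rule: "*" must be the entire leftmost label and is
        # followed by at least two labels, so "*.com" matches nothing.
        return len(p) >= 3 and p[1:] == h[1:]
    # A "*" in any other position is compared literally and never matches.
    return p == h


def covering_names(hostname, common_name, alt_names):
    """Return the certificate names (CN first, then SANs) covering hostname."""
    candidates = [common_name] + list(alt_names)
    return [n for n in candidates if n and name_matches(n, hostname)]


def check(hostname, common_name, alt_names):
    """Produce a one-line verdict to review before starting the upgrade."""
    hits = covering_names(hostname, common_name, alt_names)
    if hits:
        return "OK: %s is covered by %s" % (hostname, ", ".join(hits))
    return "MISMATCH: %s is not CN=%s or any of SANs %s" % (
        hostname, common_name, list(alt_names))


if __name__ == "__main__":
    # Constructed cases. In practice the CN and SAN values are read from
    # the output of `openssl x509 -noout -text` for the server certificate.
    server = "mail01.example.com"
    cases = [
        ("webmail.example.com", []),                      # web URL only
        ("webmail.example.com", ["mail01.example.com"]),  # hostname as SAN
        ("*.example.com", []),                            # wildcard cert
    ]
    for cn, sans in cases:
        print(check(server, cn, sans))
    # A wildcard covers one label only, so a deeper hostname is a mismatch.
    print(check("mail01.int.example.com", "*.example.com", []))
```
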
  #8 (permalink)  
Old 07-02-2008, 06:56 PM
Senior Member
 
Posts: 61
Default

Should you maybe point to this thread from the following announcement thread?
5.0.7 NE Released!

I've scheduled downtime on Friday to upgrade from 4.5.9, is there any chance (a safe) 5.0.8 will be out by then? There look to be some useful calendar fixes in 5.0.7.
  #9 (permalink)  
Old 07-03-2008, 06:11 AM
Active Member
 
Posts: 36
Default

tonster, thanks for clearing that up!
  #10 (permalink)  
Old 07-04-2008, 02:03 AM
Project Contributor
 
Posts: 116
Default

Same problem here when upgrading from 5.0.5 to 5.0.7.
Fortunately, I've not found problems reverting to 5.0.5, but I prefer to wait until 5.0.8 arrives instead of trying to upgrade again applying workarounds.