
Thread: Huge problem after upgrade: TLS init def ctx failed: -1

  1. #11
    cdmdotnet (Intermediate Member, joined May 2008, 24 posts)

    Hi all.
    I've just cleaned up the instructions a little:
    removing line breaks that shouldn't exist
    replacing general instructions with commands
    adding an additional permission change
    and including two points at which I got errors which meant the fix didn't work properly - the things marked /* ...... */

    1. First stage

    As root: i.e. sudo -i
    tar cf /tmp/zimbra-ssl-bak.tar /opt/zimbra/ssl/
    rm -rf /opt/zimbra/ssl/*
    chown zimbra:zimbra /opt/zimbra/ssl
    chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
    chmod 644 /opt/zimbra/java/jre/lib/security/cacerts
    chown zimbra:zimbra /opt/zimbra/mailboxd/etc/keystore

    As zimbra: i.e. su zimbra
    keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
    keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
    /* Error here about permissions means this fix probably WON'T work */

    As root: i.e. sudo -i
    /opt/zimbra/bin/zmcertmgr createca -new
    /opt/zimbra/bin/zmcertmgr deployca -localonly
    /opt/zimbra/bin/zmcertmgr createcrt self -new
    /* An error here while retrieving the cert from the server: then again, this fix most probably won't work */
    /opt/zimbra/bin/zmcertmgr deploycrt self

    As zimbra: i.e. su zimbra
    zmcontrol stop
    zmcontrol start


    2. Second stage

    As root: i.e. sudo -i
    tar cf /tmp/zimbra-ca-bak.tar /opt/zimbra/conf/ca/
    rm -rf /opt/zimbra/conf/ca/*
    cp /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/conf/ca/ca.key
    cp /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
    ln -f -s ca.pem /opt/zimbra/conf/ca/`openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem`.0
    chmod 644 /opt/zimbra/conf/ca/*

    As zimbra: i.e. su zimbra
    zmcontrol stop
    zmcontrol start
    Last edited by cdmdotnet; 04-16-2009 at 08:29 PM.

  2. #12
    ljrand (Starter Member, joined Jul 2009, 1 post)

    Originally posted by cdmdotnet:
    2. Second stage

    As root: i.e. sudo -i
    tar cf /tmp/zimbra-ca-bak.tar /opt/zimbra/conf/ca/
    rm -rf /opt/zimbra/conf/ca/*
    cp /opt/zimbra/ssl/zimbra/ca/ca.key /opt/zimbra/conf/ca/ca.key
    cp /opt/zimbra/ssl/zimbra/ca/ca.pem /opt/zimbra/conf/ca/ca.pem
    ln -f -s ca.pem /opt/zimbra/conf/ca/`openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem`.0
    chmod 644 /opt/zimbra/conf/ca/*
    Doesn't the last line above leave /opt/zimbra/conf/ca/ca.key world-readable when it should be chmod'ed to only 600?
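
Added example (not part of the thread and not Zimbra's own tooling): a small audit for the concern raised in post #12. It finds PEM private keys that any group or other user can access and sets only those to 600, leaving certificates such as ca.pem at 644. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Audit a CA directory for private keys exposed by a blanket "chmod 644 dir/*".
# Function names are hypothetical; file names with newlines are not handled.

# Print every regular file under $1 that contains a PEM private key and has
# any group/other permission bit set. Symlinks (e.g. the <hash>.0 link) are skipped.
find_exposed_keys() {
    find "$1" -type f | while IFS= read -r f; do
        # Only private keys matter; certificates are meant to be readable.
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        go_bits=$(ls -ld -- "$f" | cut -c5-10)
        [ "$go_bits" = "------" ] || printf '%s\n' "$f"
    done
}

# Restrict each exposed key to its owner (rw-------) and report what changed.
fix_exposed_keys() {
    find_exposed_keys "$1" | while IFS= read -r f; do
        chmod 600 -- "$f" && printf 'tightened %s\n' "$f"
    done
}

# Build a constructed sample directory that mirrors the state left by the
# thread's Second stage: ca.key and ca.pem both at mode 644.
make_sample_ca_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'constructed placeholder, not a real key' \
        '-----END RSA PRIVATE KEY-----' > "$d/ca.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'constructed placeholder, not a real certificate' \
        '-----END CERTIFICATE-----' > "$d/ca.pem"
    chmod 644 "$d"/*
    printf '%s\n' "$d"
}

# Usage: sh audit_keys.sh /opt/zimbra/conf/ca   (lists exposed keys only)
if [ $# -gt 0 ]; then
    find_exposed_keys "$1"
fi
```
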

  3. #13
    jdp459 (Active Member, Georgia, USA, joined Sep 2008, 28 posts)

    Whenever I see 'su zimbra' I wonder if that really should be 'su - zimbra' to get the zimbra environment variables?
    OSS Zimbra 7.2.7 64-bit ... er ... now.

  4. #14
    phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005, 23,201 posts)

    Originally posted by jdp459:
    Whenever I see 'su zimbra' I wonder if that really should be 'su - zimbra' to get the zimbra environment variables?
    It should always be 'su - zimbra'; anything else can cause problems.
    Regards
    Bill

  5. #15
    wizpva (Starter Member, joined Feb 2010, 1 post)

    Problem generating new certificate

    Hello

    Sorry for my poor English, and thanks for your help.

    We use the following release:
    Zimbra opensource release 6.0.4_GA_2038.SLES11_64_20091214184036
    on a SLES11_64 FOSS edition

    We don't have access to the Zimbra admin and need to recreate the certificate.
    We found your post for a 5.0 release. We followed it but ran into problems:

    antispam Running
    antivirus Running
    ldap Running
    logger Running
    mailbox Stopped
    zmmailboxdctl is not running.
    mta Running
    snmp Running
    spell Running
    stats Running

    and zmprov gives:

    [] INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
    [] INFO: Retrying request
    ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)

    Is there somebody who can help us?

    Best regards

  6. #16
    jdp459 (Active Member, Georgia, USA, joined Sep 2008, 28 posts)

    We haven't migrated to 6.x yet, but looking at the message doesn't make me think it is a problem with the certificate at all. I could be wrong.

    a) What makes you believe the cert needs to be regenerated? Is there a log entry with cert errors?
    b) Why don't you have access to the admin GUI? You can reset the admin password from CLI and you can use ssh to forward ports through a firewall if necessary.
    c) I hope you've already tried to restart Zimbra.
    sudo /etc/init.d/zimbra restart

    I haven't run SuSE in years, so that cmd could be off a little.

    Whenever I see Zimbra connection errors, I have to think that it is a /etc/hosts or DNS issue first. Does the Zimbra server have access to itself using the FQN that Zimbra knows as itself?

    To get better help, you'll need to attach the interesting parts from a few logs from /opt/zimbra/log/ and /var/log/zimbra.log.

    Lastly, I think the certificate handling in 6.x changed from what 5.x does. Did you read the wiki article on 6.x and certs? Here's a 5.x wiki article: "Problem with Certificate can cause MTA Failure - Zimbra :: Wiki". Here's a forum thread on 6.x certs: "[SOLVED] Certificate problem with 6.0.5".

    I hope these questions don't send you in the wrong direction for the solution you need. Good luck!

    BTW, your English is fine.
    OSS Zimbra 7.2.7 64-bit ... er ... now.
