Zimbra - Forums > Zimbra Collaboration Suite > Administrators

After installing certificate, Zimbra (slapd) can't start

#1
01-30-2009, 03:13 AM
Member
Posts: 12

Hya guys,

In the process of setting up a Zimbra test pilot, we tried to install an official certificate.
After doing this and doing zmcontrol start, Zimbra fails to start up.

It gives the following error:

----------------------------------------------------------------------
[zimbra@office ~]$ zmcontrol start
Host XXXX.digitalus.nl
Starting ldap...Done.
FAILED
Failed to start slapd. Attempting debug start to determine error.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:356
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:358
main: TLS init def ctx failed: -1
-----------------------------------------------------------------------

The SSL certificates test was OK:
------------------------------------------------------------------------
[root@office ssl]# /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial.key /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying /opt/zimbra/ssl/zimbra/commercial/commercial.crt against /opt/zimbra/ssl/zimbra/commercial.key
Certificate (/opt/zimbra/ssl/zimbra/commercial/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial.key) match.
Valid Certificate: /opt/zimbra/ssl/zimbra/commercial/commercial.crt: OK
-------------------------------------------------------------------------

Could anyone tell me what's causing this? Solutions on this forum did not help.
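
The `fopen:No such file or directory` lines in the first post mean the TLS library could not open a file that slapd was configured to use. As an added example (not from the thread or from Zimbra's tooling), this shell function reads the standard OpenLDAP TLS directives from a slapd.conf whose location you pass in and flags each referenced path that is missing or unreadable; the sample config built in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report which paths named by the TLS
# directives of a slapd.conf cannot be opened. Run it as the account slapd
# runs under so the readability test reflects that account's permissions.

# check_slapd_tls CONF: prints one line per TLS path and returns the number
# of paths that are missing or unreadable (0 means slapd can open them all).
check_slapd_tls() {
    conf=$1
    bad=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 255; }
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            TLSCertificateFile|TLSCertificateKeyFile|TLSCACertificateFile) want=-f ;;
            TLSCACertificatePath) want=-d ;;
            *) continue ;;                 # comments and non-TLS directives
        esac
        path=${path#\"}; path=${path%\"}   # drop optional quotes
        if ! test "$want" "$path"; then
            echo "MISSING    $directive $path"; bad=$((bad + 1))
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $directive $path"; bad=$((bad + 1))
        else
            echo "ok         $directive $path"
        fi
    done < "$conf"
    return "$bad"
}

# Constructed sample: a certificate that exists and a key path that does not,
# which is the condition behind "fopen:No such file or directory".
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/slapd.crt"
    printf '%s\n' "# constructed sample" \
        "TLSCertificateFile $d/slapd.crt" \
        "TLSCertificateKeyFile $d/slapd.key" > "$d/slapd.conf"
    rc=0; check_slapd_tls "$d/slapd.conf" || rc=$?
    rm -rf "$d"
    echo "$rc"
}

demo
```

Paths containing spaces are not handled; the function assumes one directive and one path per line.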

#2
01-30-2009, 03:25 AM
Moderator
Posts: 5,806

Welcome to the forums

Some of these may help :-

Cannot install a Commercial Certificate in Zimbra 5.0 - Zimbra :: Wiki
Problem with Certificate can cause MTA Failure - Zimbra :: Wiki
Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
Installing a Thawte SSL Certificate on ZCS 5.0.x - Zimbra :: Wiki
Installing a Network Solutions Certificate on ZCS 5.0.x - Zimbra :: Wiki
Installing a GoDaddy Commercial Certificate - Zimbra :: Wiki

It would help if you let us know which certificate provider and
Code:
su - zimbra
zmcontrol -v
__________________
SplatNIX IT Services :: Innovation through Collaboration™


http://www.messagefortress.com

#3
01-30-2009, 03:34 AM
Member
Posts: 12

Thanks for the quick reply, we are using:

Release 5.0.12_GA_2789.RHEL5_20090126051426 CentOS5

And installed a RapidSSL (so not the QuickSSL) certificate (Equifax/Geotrust I believe).

#4
01-30-2009, 03:43 AM
Moderator
Posts: 5,806

[SOLVED] GeoTrust Rapid SSL Invalid Certificate Chain

#5
01-30-2009, 04:03 AM
Member
Posts: 12

I tried the root certificate you told me to use:

[zimbra@office ssl]$ sudo zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Verifying commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: commercial.crt: OK
** Copying commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

But slapd refuses to start ....

#6
01-30-2009, 04:12 AM
Moderator
Posts: 701

I think I've had similar problems; slapd was giving a certificate-related error for me, so I followed the info here Recreating a Self-Signed SSL Certificate - Zimbra :: Wiki (I think) and removed the certs and replaced them with self-signed ones. That allowed everything to start up OK and from there you can try to get the real cert back on. It's not a fix, but if you need to get the server up then it should help.

#7
01-30-2009, 04:30 AM
Member
Posts: 12

Thanks for all the help but this ain't gonna work. Even after recreating a self-signed request slapd spits out the same error.

Because there is no data yet on this server, it's possible for us to reinstall the server.
Maybe that's the best "solution" ....

#8
01-30-2009, 04:35 AM
Moderator
Posts: 5,806

Yes you can re-install over the top of the server. It will save your old config first, and then re-apply once installed. It would be worth taking a backup first though.

#9
01-30-2009, 06:54 AM
Member
Posts: 12

Reinstalled the stuff, all is up. But I have to admit that getting SSL up and running is a really hard job in Zimbra. I did all steps (web):
- create a CSR for commercial certificate
- send CSR to Geotrust
- received certificate
- in webmin: install commercial certificate
- upload both certificate and root ca
- *** Error ***

#10
01-30-2009, 07:19 AM
Member
Posts: 12

Guys, thanks for all the help! We have it working .... The web function didn't work at first, but trying to do it the CLI way, it worked suddenly. Thanks again for the help