  #11 (permalink)  
Old 01-30-2009, 10:07 PM
Active Member
 
Posts: 30
Default

Well, I'm having precisely the same problem as gerwin. The only difference is that my server is not a new/fresh install that I can just rebuild like he did.
Reply With Quote
  #12 (permalink)  
Old 01-30-2009, 11:10 PM
Active Member
 
Posts: 30
Default

Well, I got my server to start again.

I spent several hours trying to work around this, and I literally made ZERO progress during that time -- the most frustrating time I've ever wasted!

My solution:
I perform full backups every day, so I took the one from midnight this morning and duplicated it so I could have a working copy. I deleted everything that was data (data, index, log, openldap-data, store), and then copied what was left on top of /opt/zimbra/*. I ran `zmfixperms` and then `install.sh -s` just to make sure everything was current (I upgraded from 5.0.11 to 5.0.12 yesterday), and then I was able to start zimbra. I know these aren't exactly the right steps, but based on what I have learned so far it was the best I could do and it worked for me.

While I am relieved that I got it running again, I'm still quite angry that I had to go through all of this just to install a RapidSSL certificate. By the way, I did get the certificate installed via CLI initially and all was working fine. But once zimbra was stopped and restarted, this is what happened.

I will still watch this thread, hoping someone can give some insight on what I just went through.

Last edited by MaffooClock; 01-30-2009 at 11:24 PM..
Reply With Quote
  #13 (permalink)  
Old 03-04-2009, 03:29 PM
Active Member
 
Posts: 30
Default This is still a problem

I decided to try this again. This time I verified that everything was perfect -- I have the correct certificate file, the correct root CA, the correct key. I checked everything over and over with zmcertmgr and it all checked out perfectly.

Then, I used zmcertmgr to install the certificate and the CA certificate, and it was successful. Restarting Zimbra causes certain death.

Code:
zimbra@Zimbra:~/bin$ zmcontrol start
Host zimbra.divergentsystems.net
        Starting ldap...Done.
FAILED
Failed to start slapd.  Attempting debug start to determine error.
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:356
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:358
main: TLS init def ctx failed: -1

I've spent days reading all the documentation and troubleshooting tips. Absolutely nothing works. I upgraded to v5.0.13 a couple of weeks ago, and all was working well.

When I issue `/opt/zimbra/bin/zmcertmgr viewdeployedcrt`:
Code:
::service mta::
notBefore=Jan 30 17:52:00 2009 GMT
notAfter=Jan 31 17:52:00 2010 GMT
subject= /C=US/O=zimbra.divergentsystems.net/OU=GT28814049/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=zimbra.divergentsystems.net
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName=
::service proxy::
notBefore=Jan 30 17:52:00 2009 GMT
notAfter=Jan 31 17:52:00 2010 GMT
subject= /C=US/O=zimbra.divergentsystems.net/OU=GT28814049/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=zimbra.divergentsystems.net
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName=
::service mailboxd::
notBefore=Jan 30 17:52:00 2009 GMT
notAfter=Jan 31 17:52:00 2010 GMT
subject= /C=US/O=zimbra.divergentsystems.net/OU=GT28814049/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=zimbra.divergentsystems.net
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName=
::service ldap::
notBefore=Jan 30 17:52:00 2009 GMT
notAfter=Jan 31 17:52:00 2010 GMT
subject= /C=US/O=zimbra.divergentsystems.net/OU=GT28814049/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=zimbra.divergentsystems.net
issuer= /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
SubjectAltName=

So what's wrong? Why won't slapd start? Why does a perfectly good certificate totally trash my Zimbra instance? Am I on my own planet, here?

Last edited by MaffooClock; 03-04-2009 at 03:46 PM..
Reply With Quote
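
The slapd debug output above reports two distinct conditions: a file with no PEM start line, and a configured path that does not exist. The script below is an added example for checking both directly on the files slapd is pointed at; it is not part of the original thread or of Zimbra's tooling, `pem_state` and `check_tls_files` are hypothetical helper names, and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: classify each file handed to slapd as TLS material.
# Paths are passed as arguments; no Zimbra path is assumed here.

# pem_state FILE -> prints one of:
#   missing | unreadable | empty | der | no-start-line | unterminated | ok:<LABEL>
pem_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }      # the fopen "No such file" case
    [ -r "$f" ] || { echo unreadable; return 1; }   # not readable by the account running this check
    [ -s "$f" ] || { echo empty; return 1; }
    # First PEM boundary line, tolerating a trailing CR from Windows editors.
    begin=$(grep -a -m1 -E '^-----BEGIN [A-Z0-9 ]+-----' "$f" | tr -d '\r')
    if [ -z "$begin" ]; then
        # A DER-encoded file starts with an ASN.1 SEQUENCE tag (0x30).
        first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
        [ "$first" = 30 ] && { echo der; return 1; }
        echo no-start-line; return 1                 # the PEM_read_bio case
    fi
    label=${begin#-----BEGIN }; label=${label%-----}
    # A BEGIN line without its matching END line means a truncated paste.
    grep -a -q -E "^-----END $label-----" "$f" || { echo unterminated; return 1; }
    echo "ok:$label"
}

# check_tls_files FILE... -> one line per file; non-zero exit if any is unusable.
check_tls_files() {
    rc=0
    for f in "$@"; do
        state=$(pem_state "$f") || rc=1
        printf '%-14s %s\n' "$state" "$f"
    done
    return $rc
}
```

Run it as the account that starts slapd, passing the certificate, key and CA files named in the slapd TLS configuration.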
  #14 (permalink)  
Old 03-06-2009, 10:06 AM
Active Member
 
Posts: 30
Default

I guess I am on my own planet... so let me try a different approach.

If no one has a solution they'd like to share, that's cool. I'm happy to figure this out on my own. That being said, can anyone give pointers on how to troubleshoot Zimbra's OpenLDAP? I mean, what do I need to check and what do things look like when they are working normally?

Last edited by MaffooClock; 03-06-2009 at 10:11 AM..
Reply With Quote
  #15 (permalink)  
Old 03-12-2009, 08:06 PM
Active Member
 
Posts: 30
Default

Well, I must say that I'm rather surprised that no one has any sort of input on this problem.

I bought a certificate from GoDaddy (could not install via Web UI, of course, but CLI worked fine).

I'm abandoning this thread.
Reply With Quote
  #16 (permalink)  
Old 03-14-2009, 05:30 AM
Moderator
 
Posts: 927
Default

MaffooClock, thanks for your input on this. I'm sorry the thread was not more active and that a good resolution was not reached.

I'll be rebuilding my home server this weekend and plan to get a certificate on it again (I had it running with a cert from StartCom, which worked but broke the server after a platform migration; it's been running self-cert ever since).

I may go the GoDaddy route; their SSL certs are cheap enough (compared to VeriSign!). I'll take care during the install and look for bugs/problems. I've never managed a smooth certificate installation so I'm hoping that this time is the first!
Reply With Quote