Upgrade from 5.09 to 5.13 failed with LDAP TLS error on valid self signed cert

[cdmdotnet]

Hi

I install zimbra 5.09 approximately in September last year.
It's worked well until i today decided to upgrade to 5.0.13.

I'm getting what appears to be a common SSL cert issue, although i'm doing a straight upgrade ont he same unchanged machine with a valid SSL cert.
IE ip and host names haven't changed and SSL cert is still valid for 6 months

I've tried following the "recreate a self signed" guide and ran into a number of issues, either permission errors when trying to backup and delete the exiting certs ( folder not existing and java saying permission not allowed )

however I'm not sure i should be trying to re-create a cert when it's valid as that would suggest to me the error is not really the cert.

the log has a lot of repeated error as below
************************
Mon Feb 16 14:17:58 2009 Operations logged to /tmp/zmsetup.02162009-141758.log
Mon Feb 16 14:17:58 2009 Getting installed packages
Mon Feb 16 14:18:01 2009 Getting local config zimbra_server_hostname
Mon Feb 16 14:18:02 2009 Getting local config ldap_url
Mon Feb 16 14:18:04 2009 zimbra_server_hostname contained in ldap_url checking ldap status
Mon Feb 16 14:18:04 2009 Checking ldap status.
Mon Feb 16 14:18:05 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status
Mon Feb 16 14:18:08 2009 Starting ldap...
Mon Feb 16 14:18:08 2009 *** Running as zimbra user: /opt/zimbra/sleepycat/bin/db_recover -h /opt/zimbra/openldap-data
Mon Feb 16 14:18:10 2009 *** Running as zimbra user: /opt/zimbra/libexec/zmldapapplyldif
IO::Socket::INET: connect: Connection refused at /opt/zimbra/libexec/zmldapapplyldif line 145.
Mon Feb 16 14:20:28 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status
Mon Feb 16 14:20:29 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap start
Failed to start slapd. Attempting debug start to determine error.
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:356
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:358
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
main: TLS init def ctx failed: -1


Mon Feb 16 14:44:37 2009 failed with exit code 256.
Mon Feb 16 14:46:17 2009 checking isEnabled zimbra-store
Mon Feb 16 14:46:17 2009 zimbra-store not in enabled cache
Mon Feb 16 14:46:17 2009 enabled packages
Mon Feb 16 14:46:17 2009 zimbra_server_hostname contained in ldap_url checking ldap status
Mon Feb 16 14:46:17 2009 Checking ldap status.
Mon Feb 16 14:46:18 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status
Mon Feb 16 14:46:19 2009 Starting ldap...
Mon Feb 16 14:46:19 2009 *** Running as zimbra user: /opt/zimbra/sleepycat/bin/db_recover -h /opt/zimbra/openldap-data
Mon Feb 16 14:46:19 2009 *** Running as zimbra user: /opt/zimbra/libexec/zmldapapplyldif
IO::Socket::INET: connect: Connection refused at /opt/zimbra/libexec/zmldapapplyldif line 145.
Mon Feb 16 14:48:33 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status
Mon Feb 16 14:48:34 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap start
Failed to start slapd. Attempting debug start to determine error.
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:356
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:358
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
main: TLS init def ctx failed: -1
***************************





Any help would be greatly appriciated

[jwilke]

Try making a backup of your /opt/zimbra/ssl/ and /opt/zimbra/conf/ca folders,

cleaning them out, and then following

Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

to recreate your self signed certs.

Regards



Jeroen

[cdmdotnet]

Hi jwilke

Thanks for the advise

Luckily I'm running zimbra in a VM machine so i restored the virtual drive.
I tried the details you mentioned below on the restored system and again during installation it started to produce tls errors
I ran the same commands while the install was still going ( had only produced one error at this time ) and then things started to work correctly until i got the the "starting mysql "step at which point the install made no more progress with an hour
I stopped the install and am now trying again to get this upgrade installed correctly.
This time I've run the commands just after the core package installed so as to avoid that first ldap starting issue.
i'm now again at the starting mysql stage




********************************
Thu Feb 26 11:55:06 2009 Getting installed packages
Thu Feb 26 11:55:09 2009 Getting local config zimbra_server_hostname
Thu Feb 26 11:55:11 2009 Getting local config ldap_url
Thu Feb 26 11:55:13 2009 zimbra_server_hostname contained in ldap_url checking ldap status
Thu Feb 26 11:55:13 2009 Checking ldap status.
Thu Feb 26 11:55:13 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status
Thu Feb 26 11:55:14 2009 Starting ldap...
Thu Feb 26 11:55:14 2009 *** Running as zimbra user: /opt/zimbra/sleepycat/bin/db_recover -h /opt/zimbra/openldap-data
Thu Feb 26 11:55:16 2009 *** Running as zimbra user: /opt/zimbra/libexec/zmldapapplyldif
Thu Feb 26 11:55:59 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status slapd running pid: 14412
Thu Feb 26 11:56:00 2009 done.
Thu Feb 26 11:56:00 2009 Getting installed services from ldap
Thu Feb 26 11:56:07 2009 checking isEnabled zimbra-core
Thu Feb 26 11:56:07 2009 zimbra-core not in enabled cache
Thu Feb 26 11:56:07 2009 enabled packages
Thu Feb 26 11:56:07 2009 zimbra_server_hostname contained in ldap_url checking ldap status
Thu Feb 26 11:56:07 2009 Checking ldap status.
Thu Feb 26 11:56:07 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status slapd running pid: 14412
Thu Feb 26 11:56:10 2009 slapd already running.
Thu Feb 26 11:56:10 2009 Getting enabled services from ldap
Thu Feb 26 11:56:25 2009 Marking zimbra-apache as installed. Services for zimbra-apache will be enabled.
Thu Feb 26 11:56:27 2009 Setting defaults...
Thu Feb 26 11:56:27 2009 Setting local config zimbra_java_home to /opt/zimbra/java
Thu Feb 26 11:56:27 2009 *** Running as zimbra user: /opt/zimbra/bin/zmlocalconfig -f -e zimbra_java_home='/opt/zimbra/java' 2> /dev/null
Thu Feb 26 11:56:29 2009 checking isEnabled zimbra-cluster
Thu Feb 26 11:56:29 2009 zimbra-cluster not in enabled cache
Thu Feb 26 11:56:29 2009 enabled packages zimbra-logger zimbra-store zimbra-mta zimbra-core zimbra-apache zimbra-proxy zimbra-snmp zimbra-spell zimbra-ldap
Thu Feb 26 11:56:29 2009 zimbra_server_hostname contained in ldap_url checking ldap status
Thu Feb 26 11:56:29 2009 Checking ldap status.
Thu Feb 26 11:56:29 2009 *** Running as zimbra user: /opt/zimbra/bin/ldap status slapd running pid: 14412
Thu Feb 26 11:56:32 2009 slapd already running.
Thu Feb 26 11:56:32 2009 Getting enabled services from ldap
Thu Feb 26 11:56:42 2009 Marking zimbra-apache as installed. Services for zimbra-apache will be enabled.
Thu Feb 26 11:56:44 2009 checking isEnabled zimbra-store
Thu Feb 26 11:56:44 2009 zimbra-store is enabled
Thu Feb 26 11:56:46 2009 checking isEnabled zimbra-ldap
Thu Feb 26 11:56:46 2009 zimbra-ldap is enabled
Thu Feb 26 11:56:48 2009 checking isEnabled zimbra-ldap
Thu Feb 26 11:56:48 2009 zimbra-ldap is enabled
Thu Feb 26 11:56:48 2009 checking isEnabled zimbra-store
Thu Feb 26 11:56:48 2009 zimbra-store is enabled
Thu Feb 26 11:56:48 2009 checking isEnabled zimbra-mta
Thu Feb 26 11:56:48 2009 zimbra-mta is enabled
Thu Feb 26 11:56:49 2009 done.
Thu Feb 26 11:56:49 2009 Upgrading from 5.0.9_GA_2533 to 5.0.13_GA_2791
Thu Feb 26 11:56:53 2009 Stopping zimbra services
Thu Feb 26 11:57:06 2009 Verifying /opt/zimbra/conf/my.cnf
Thu Feb 26 11:57:07 2009 Starting mysql
********************************

[cdmdotnet]

Ok After several months of trying this I've made no progress. My install of zimbra cannot be upgraded. I'll thanks everyone who has told me to regenerate the SSL certs.

I've tried both the instructions in posts Problem with Certificate can cause MTA Failure - Zimbra :: Wiki and Huge problem after upgrade: TLS init def ctx failed: -1

without success.
I've regenerated the SSL certs before upgrading - this just fail as if i didn't regenerate the certs so this methods the worse one although it's the one i keep getting told to do.
I've regenerated the SSL certs after a failed upgrade - even worse since all the settings are now wrong from the failed upgrade so everything just blows up.
The only one that even remotely works in regenerating the SSL certs WHILE the upgrade is taking place, however this results in mysql failing to start during the upgrade ( see above where it's stalls then just quits with an error about root user not being able to start mysql with password - generate mysql error ) - although this sounds like the worse thing i should be doing as i'm sure only some of the settings are getting set.

So, Can anyone provide anymore insight ? Should I keep going down this path of regenerating the SSL certs while upgrade is in progress? Somehow I maybe need to freeze the install process before any settings are being set so I can re-generate the certs so nothing gets missed being set. maybe check the mysql password? make sure zimbra sets it correctly on the new install?

any ideas?

[cdmdotnet]

One last curious thing I've noticed hunting down the version number in the web console says the installed version in 5.0.6, however dpkg reports 5.0.9 the install works and runs well, should I be assuming that a previous failed upgrade from 5.0.6 to 5.0.9 has buggered future upgrades?

[cdmdotnet]

I could really do with some help now, two months of trying everything and I'm still stuck without much help.

Because the help menu said my version was 5.06 ( even though dpkg said I had 5.09 installed ) I ran dpkg to install all the 5.06 packages ( refreshing the database ) restored the /opt/zimbra folder ( everything ran as per usual.

Then tried an upgrade from 5.06 to 5.07 and again the same errors are happening, LDAP fails to start with a "TLS init def ctx failed : -1" error IE the certs are still wrong.

As I've said before : updating the certs before the upgrade doesn't fix this. Infact it doesn't do anything for me. updating the certs while the install is running results in a mess of an install because mysql fails to start - and i doubt i'm fast enough to update the certs while the install is actually happening without missing any settings.

Can this be fixed or do I have a poked install of zimbra and just give up?