#1
05-03-2009, 04:07 AM
Special Member
Posts: 134
Domain disappeared

Hello, all. We are brand new to Zimbra and like what we see but are having a bear of a time getting it right (about to start our seventh installation). It did look like all was right until we changed the certificates used from the default, self generated certs to a cert issued by our internal PKI. We did this using the export CSR / import cert functionality of the administration web interface. The first thing we noticed was our external LDAP authentication broke unless we turned off SSL. After rebooting the zimbra vserver a couple of times, we suddenly noticed that the one secondary domain we created disappeared!

We have an admittedly moderately complex environment. We have a main server running everything (except Anti-SPAM on the MTA) and another Zimbra server functioning as the Internet MTA in the DMZ. These are both running as vservers on CentOS 5.3 using kernel 2.6.28.7 and vserver 2.3.x. We have enabled loopback remapping and disabled Single IP Special Casing. We are using CentOS Directory Server 8.0 as the main ldap directory but have not replaced the provided openldap directory for Zimbra as we were concerned with forward compatibility. Instead, we simply use external authentication and a combined GAL. We are running Zimbra GA16.

The logs seem infuriatingly clean but we do notice there are several stacktraces in /opt/zimbra/log.

A packet trace of the failed LDAP communication surprised us in that it showed the LDAP server rejecting the Zimbra certificate and not the other way around. We do not yet know why (in fact the CA cert was copied from the one used by the LDAP server) and were surprised that Zimbra was furnishing its cert. I would have expected it would be requesting the LDAP server cert simply to encrypt traffic.

Unfortunately, I don't have time to troubleshoot this as we are behind on this project. I am about to destroy and rebuild the entire set up as I do know there were some errors we made along the way (a typo in the reverse lookup for the main zimbra server, a missing MX record for the secondary domain, and installing a second logger on the Internet MTA). Not tracking this down may jump up to bite us later!

I thought I would flag it to the list in case anyone has seen anything similar. I find losing a domain and its resources rather disconcerting!

Thanks - so far very impressed if we could just get it working - John
__________________
www.spiritualoutreach.com
Making Christianity intelligible to secular society
#2
05-03-2009, 05:08 AM
Special Member
Posts: 134
Possible cause

We are not sure if this is the case as we are moving a little too quickly for comfort and heavy diagnostics, but we wonder if we mistakenly issued the new certificate with a role of WebServer rather than MailServer since we were expecting to use the self generated certs for the internal Zimbra functions and wanted to use this recognized cert simply for the web interface. We see the same cert is used all over the place. I'm not sure but I think WebServer certs only can function as servers whereas MailServer certs can function as both servers and clients.

I don't know if that would have broken some internal communication which then caused the secondary domain to disappear. That seems like a far stretch but we've not been to Zimbra training yet and do not understand the internals very well.
__________________
www.spiritualoutreach.com
Making Christianity intelligible to secular society
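One way to test the hypothesis raised in post #2, as an added example that is not part of the original thread: the roles a certificate may play in TLS are carried in its Extended Key Usage extension, and `openssl x509 -purpose` reports whether a certificate is acceptable as a TLS client, a TLS server, or both. The script assumes, as the poster suspects, that the CA's "WebServer" template issues `serverAuth` only; the certificates, the CN and the function names `make_cert`, `cert_can` and `report` are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: create two throwaway self-signed certificates, one limited
# to serverAuth and one with serverAuth + clientAuth, then ask OpenSSL which
# TLS roles each certificate is acceptable for.

# make_cert <output.pem> <extendedKeyUsage value>
make_cert() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed.example.invalid
[ext]
extendedKeyUsage = $2
EOF
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$1" 2>/dev/null || rc=1
    rm -rf "$dir"
    return $rc
}

# cert_can <cert.pem> <client|server>
# Exit status 0 if OpenSSL accepts the certificate for that TLS role.
cert_can() {
    openssl x509 -in "$1" -noout -purpose | grep -q "^SSL $2 : Yes"
}

# report <cert.pem>: one-line summary of both roles
report() {
    c=no; s=no
    cert_can "$1" client && c=yes
    cert_can "$1" server && s=yes
    echo "client=$c server=$s"
}

work=$(mktemp -d)
make_cert "$work/web.pem" serverAuth
make_cert "$work/mail.pem" "serverAuth, clientAuth"
echo "serverAuth only:         $(report "$work/web.pem")"
echo "serverAuth + clientAuth: $(report "$work/mail.pem")"
rm -rf "$work"
```

Running `cert_can <installed-cert.pem> client` against the certificate actually imported on the Zimbra host shows whether it can be presented as a client certificate, which is the direction of the rejection seen in the packet trace from post #1.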