Thread: ZCS Network Install: Was working, now possibly broken due to SSL?

  1. #1
    pilot006, Starter Member

    ZCS Network Install: Was working, now possibly broken due to SSL?

    Hi,

    We're in the process of trialing ZCS as a replacement for our 5000-user Exchange environment. The install was functioning without an issue, and some work was done yesterday to enable SSL. The certificate looked to be invalid and nothing further was done. This morning our pilot group complained that all Zimbra-based services (POP3, IMAP, Web, XMPP) no longer work. I restarted the server and the zimbra service, and the services still do not work. I checked the logs and I'm seeing errors related to LDAP and SSL:

    Sat Aug 8 15:07:40 2009 Skipping getAllMtaAuthURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Sat Aug 8 15:07:43 2009 Skipping Configuration for server zimbra.golub.com update.
    Sat Aug 8 15:07:43 2009 gs:zimbra.golub.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Sat Aug 8 15:07:43 2009 Sleeping...Key lookup failed.
    Sat Aug 8 15:07:52 2009 Skipping Global system configuration update.
    Sat Aug 8 15:07:52 2009 gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Sat Aug 8 15:07:56 2009 Skipping All Reverse Proxy URLs update.
    Sat Aug 8 15:07:56 2009 Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Sat Aug 8 15:08:00 2009 Skipping All Reverse Proxy Backends update.
    Sat Aug 8 15:08:00 2009 Skipping getAllReverseProxyBackends ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

    I've tried searching for similar issues but haven't found a direct resolution. Again, this install was working great until some SSL handling changes were attempted yesterday. Is it possible that, even though the certificate wasn't valid, certain modules are attempting to use SSL and it's not working?

  2. #2
    cspiess, Starter Member

    Installed Zimbra 6.0.1 NE on RHEL 5 and restored our system/accounts from another server (Zimbra 6.0.1 on Mac OS X 10.4); went great. Tried to install a certificate from GoDaddy.com, which I have done about 7-8 times before on previous versions (always 5.0+) including Mac server (6.0), and never had a problem like this.

    Lots of great help in the forums; since GoDaddy now requires 2048-bit keys in the CSR, I used

    Code:
    /opt/zimbra/bin/zmcertmgr createcsr comm -keysize 2048 -new "/C=Country/ST=State/L=City/O=XXX/OU=XXX/CN=xxx.xxx.com" -subjectAltNames "xxx.xxx.com"

    From here I proceeded to use the admin console to install the GoDaddy Tomcat cert as follows:

    Certificate: xxx.xxx.com.crt
    Root: gd_bundle.crt
    First Intermediate: gd_cross_intermediate.crt
    Second Intermediate: gd_intermediate.crt

    I know the wiki and others have used different chaining here, but this is what I found to work numerous versions ago and has worked until now. The strange thing is that all seems to work, certificates install, and it isn't until I do zmcontrol stop/start that I get

    Code:
    Host xxx.xxx.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.

    which renders Zimbra useless. I even tried to recreate a self-signed certificate, but without the LDAP running, parts fail and I can't get Zimbra running again unless I uninstall/reinstall.

    This is the only other post with my exact error (signature check failed):

    Code:
    noviimail zimbramon[5443]: 5443:info: zmmtaconfig: gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

    I have looked at numerous posts on GoDaddy/SSL: ldap failed to start, PKIX path building, and some other things. Nothing has worked as of yet, but I am open to thoughts, ideas, and suggestions.

  3. #3
    cspiess, Starter Member

    RHEL 5/Zimbra 6.0.1/GoDaddy Solved

    Here is what worked for me:

    Using RHEL 5, Zimbra 6.0.1 NE, GoDaddy cert.

    Generate a CSR with a 2048-bit key; run the following as root:

    prompt# /opt/zimbra/bin/zmcertmgr createcsr comm -keysize 2048 -new "/C=Country/ST=State/L=City/O=XXX/OU=XXX/CN=xxx.xxx.com" -subjectAltNames "xxx.xxx.com"

    The CSR can be found here:

    /opt/zimbra/ssl/zimbra/commercial/commercial.csr

    Get the certificate from GoDaddy; download the one for Tomcat. You will also need to download gd-class2-root.crt from GoDaddy's site (https://certs.godaddy.com/anonymous/repository.seam). When you download the Tomcat certificate, you get a .zip file with four files:

    xxx.xxx.com.crt
    gd_intermediate.crt
    gd_cross_intermediate.crt
    gd_bundle.crt

    You will need xxx.xxx.com.crt, gd_bundle.crt, and gd-class2-root.crt.

    Use the Zimbra admin console to install the commercially signed certificates.

    Signed Certificate: xxx.xxx.com.crt
    Root Certificate: gd-class2-root.crt
    Intermediate Certificate: gd_bundle.crt

    Now here is the kicker (at least for 6.0.1): when you restart Zimbra, the LDAP server will fail to start

    zimbra$ zmstatus start
    Host xxx.xxx.com
    Starting ldap...Done.
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.

    You will get an error message in /var/log/zimbra.log:

    Oct 20 04:08:13 test zimbramon[30888]: 30888:info: zmmtaconfig: gs:xxx.xxx.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

    To remedy this, run the following as root:

    prompt# /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

    Zimbra should now start with the certificate installed.

  4. #4
    Waffles, Intermediate Member

    WOW. Just spent many hours working on this.

    cspiess's instructions did everything I need except for ONE step that seemed to be necessary for me.

    He had:
    To remedy this, run the following as root

    Code:
    prompt# /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

    Zimbra should now start with the certificate installed.

    Before I could do the keytool -import I had to delete the root alias first:

    Code:
    /opt/zimbra/java/bin/keytool -delete -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
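The two fixes above come down to one thing: the Java trust store the mailbox server uses (cacerts) must contain the root that actually issued the installed certificate, and keytool will not overwrite an existing alias. This added script (not from the thread or from Zimbra) builds a throwaway test CA with openssl to show the "unable to find valid certification path" condition from post #3 as a chain check you can run before restarting, and wraps the delete-then-import sequence from post #4 into one idempotent function. It assumes openssl is on PATH and keytool only for import_root_ca; the /opt/zimbra paths and the changeit password are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the missing-root PKIX failure
# with a constructed test CA and shows an idempotent keytool root import.
set -e
WORK=$(mktemp -d)

# Constructed PKI: one root CA and one leaf it signs (names are made up).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null

# verify_chain LEAF [CAFILE]: validate LEAF against only CAFILE, or against an
# empty trust store when CAFILE is omitted. Prints ok / missing-root / other.
# "missing-root" is openssl's equivalent of Java's "unable to find valid
# certification path": nothing in the store issued the presented chain.
verify_chain() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -no-CApath -CAfile "$2" "$1" 2>&1 || true)
    else
        out=$(openssl verify -no-CApath -no-CAfile "$1" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        *"unable to get local issuer certificate"*) echo missing-root ;;
        *) echo other ;;
    esac
}

# import_root_ca CAFILE [KEYSTORE] [STOREPASS]: post #4's fix as one step.
# keytool -import refuses to replace an existing alias, so drop any stale
# "root" entry first, then import the CA that issued the installed cert.
import_root_ca() {
    ks=${2:-/opt/zimbra/java/jre/lib/security/cacerts}
    pw=${3:-changeit}
    if keytool -list -alias root -keystore "$ks" -storepass "$pw" >/dev/null 2>&1; then
        keytool -delete -alias root -keystore "$ks" -storepass "$pw"
    fi
    keytool -import -noprompt -alias root -keystore "$ks" -storepass "$pw" -file "$1"
}

echo "no trusted root:      $(verify_chain "$WORK/leaf.crt")"                   # missing-root
echo "issuing root trusted: $(verify_chain "$WORK/leaf.crt" "$WORK/root.crt")"  # ok
```

On a real server, run verify_chain against the installed leaf and the CA file you intend to import (post #3 uses /opt/zimbra/conf/ca/commercial_ca.pem) before calling import_root_ca; an "other" result means the file is not the issuer of that certificate and importing it will not fix the handshake.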
