ZCS Network Install: Was working, now possibly broken due to SSL?

[pilot006]

Hi,

We're in the process of trialing ZCS as a replacement for our 5000 user exchange environment. The install was functioning without an issue, and some work was done yesterday to enable SSL. The certificate looked to be invalid and nothing further was done. This morning our pilot group complained that all Zimbra-based services (POP3, IMAP, Web, XMPP) no longer work. I restarted the server and the zimbra service, and the services still do not work. I checked the logs and I'm seeing errors related to LDAP and SSL:

Sat Aug 8 15:07:40 2009 Skipping getAllMtaAuthURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Sat Aug 8 15:07:43 2009 Skipping Configuration for server zimbra.golub.com update.
Sat Aug 8 15:07:43 2009 gs:zimbra.golub.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Sat Aug 8 15:07:43 2009 Sleeping...Key lookup failed.
Sat Aug 8 15:07:52 2009 Skipping Global system configuration update.
Sat Aug 8 15:07:52 2009 gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Sat Aug 8 15:07:56 2009 Skipping All Reverse Proxy URLs update.
Sat Aug 8 15:07:56 2009 Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Sat Aug 8 15:08:00 2009 Skipping All Reverse Proxy Backends update.
Sat Aug 8 15:08:00 2009 Skipping getAllReverseProxyBackends ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)


I've tried searching for similar issues but haven't found a direct resolution. Again, this install was working great until some SSL handling changes were attempted yesterday. Is it possible even though the certificate wasn't valid, certain modules are attempting to use SSL and it's not working?

[cspiess]

Installed Zimbra 6.0.1 NE on RHEL 5 and restored our system/accounts from another server (Zimbra 6.0.1 on Mac OS X 10.4); went great. Tried to install a certificate from GoDaddy.com; which I have done about 7-8 times before on previous versions (always 5.0+) including Mac server (6.0), and never had a problem like this.

Lots of great help in the forums; since godaddy now requires 2048 bit keys in csr, I used

Code:

/opt/zimbra/bin/zmcertmgr createcsr comm -keysize 2048 -new "/C=Country/ST=State/L=City/O=XXX/OU=XXX/CN=xxx.xxx.com" -subjectAltNames "xxx.xxx.com"

From here I proceeded to use the admin consule to install the godaddy tomcat cert as follows:

Certificate: xxx.xxx.com.crt
Root: gd_bundle.crt
First Intermediate: gd_cross_intermediate.crt
Second Intermediate: gd_intermediate.crt

I know the wiki and others have used different chaining here, but this is what I found to work numerous version ago and has worked until now. The strange thing is that all seems to work, certificates install and it isn't until I do zmcontrol stop/start that I get

Code:

Host xxx.xxx.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.

which renders zimbra useless. I even tried to recreate a self-signed certificate but without the ldap running parts fail and I can't get Zimbra running again unless I uninstall/reinstall.

This is the only other post with my exact error (signature check failed):

Code:

noviimail zimbramon[5443]: 5443:info: zmmtaconfig: gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

I have looked at numerous posts on godaddy/SSL; ldap failed to start, PKIX path building, and some other things. Nothing has worked as of yet, but am open to thoughts, ideas, and suggestions.

[cspiess]

Here is what worked for me:

Using RHEL 5, Zimbra 6.0.1 NE, Godaddy Cert

Generate CSR with 2048 bit key, run the following as root

prompt# /opt/zimbra/bin/zmcertmgr createcsr comm -keysize 2048 -new "/C=Country/ST=State/L=City/O=XXX/OU=XXX/CN=xxx.xxx.com" -subjectAltNames "xxx.xxx.com"

The CSR can be found here

/opt/zimbra/ssl/zimbra/commercial/commercial.csr

Get certificate from Godaddy; download the one for tomcat. You will also need to download gd-class2-root.crt from Godaddy's site (https://certs.godaddy.com/anonymous/repository.seam). When you donwload the tomcat certificate, you get a .zip file with four files

xxx.xxx.com.crt
gd_intermediate.crt
gd_cross_intermediate.crt
gd_bundle.crt

You will need xxx.xxx.com.crt, gd_bundle.crt, and gd-class2-root.crt.

Use the Zimbra admin console to install the commercially signed certificates.

Signed Certificate: xxx.xxx.com.crt
Root Certificate: gd-class2-root.crt
Intermediate Certificate: gd_bundle.crt

Now here is the kicker (at least for 6.0.1), when you restart Zimbra, the ldap server will fail to start

zimbra$ zmstatus start

Host xxx.xxx.com
Starting ldap...Done.
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.

You will get an error message in /var/log/zimbra.log

Oct 20 04:08:13 test zimbramon[30888]: 30888:info: zmmtaconfig: gs:xxx.xxx.com ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target)

To remedy this, run the following as root

prompt# /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

Zimbra should now start with the certificate installed.

[Waffles]

WOW. Just spent many hours working on this.


cspiess's instructions did everything I need except for ONE step that seemed to be necessary for me.

he had:

To remedy this, run the following as root

Code:

prompt# /opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/commercial_ca.pem

Zimbra should now start with the certificate installed.

Before I could do the KEYTOOL -IMPORT I had to delete the root alias first:

Code:

/opt/zimbra/java/bin/keytool -delete -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit