[SOLVED] Zimbra 6 mailboxd and zmmailboxdctl do not start after upgrade (solution)

[greenrenault]

Short Explanation
Step 1: Re-create and install self-signed SSL certificates.
As root:

Code:

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr deploycrt self

Or (if the /opt/zimbra/bin/zmcertmgr viewdeployedcrt indicates that the SSL certificate was not updated) 
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self

As zimbra:
zmcontrol stop && zmcontrol start

From Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

How to solve the Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
If you see this receive this error for the command: /opt/zimbra/bin/zmcertmgr deploycrt self

Code:

# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.

Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
	at java.security.KeyStore.load(KeyStore.java:1185)
	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:98)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
	... 3 more

** Installing CA to /opt/zimbra/conf/ca...done.

Then the solution is to do this as root:

Code:

# mv /opt/zimbra/mailboxd/etc/keystore /root/keystore.old
# /opt/zimbra/bin/zmcertmgr deploycrt self

See Ajcody-Notes-SSLCerts - Keystore Password Errors - Server Move Stuff - Zimbra :: Wiki

Step 2: Re-install your commercial SSL certificates (if any)
Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki

Long Explanation
Upgraded a Zimbra 5.0.18 SLES10 server last night and everything went well with the install upgrade. And even when the Zimbra service started no errors were reported and all services appeared to start OK.

However, when trying to access Zimbra Admin UI or Zimbra Web UI, no response. Running

Code:

zmcontrol status

shows that the mailbox process is not running at all!

Check the /var/log/zimbra.log and there are no errors about mailbox but a lot of email being deferred as the mailbox server is not available.

The only errors are reported in /opt/zimbra/log/zmmailboxd.out

Code:

Zimbra server reserving server socket port=110 bindaddr=null ssl=false
Zimbra server reserving server socket port=995 bindaddr=null ssl=true
Fatal error. exception while binding to ports.
Java.net.BindException: cannot assign requested address

The above error message are misleading and from searching the forums can indicate any number of problems (see references below) from DNS to networking etc.

In my case, what worked was to replace the commercial SSL certificate which were valid and installed correctly (working in ZCS 5) with new self-signed certificate. And then to re-install the commercial SSL certificate again. Thinking about this again, you can probably just skip the self-signed SSL install and just re-install the commercial SSL. Will try that next time.

It is important to note that the commercial SSL certificate had NOT expired and was working fine in Zimbra 5.

Steps are below:
1. Make sure you have a backup of the commercial certificate, csr etc and root certificate as these are just about to be deleted!

As root:

Code:

cp -r /opt/zimbra/ssl/zimbra/commercial ~/ssl-backup

2. Reset the certificates with a self-signed certificate, Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

As root:

Code:

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr deploycrt self

As zimbra:

Code:

zmcontrol stop && zmcontrol start

3. Re-install your commercial SSL certificates
As root:

Code:

/opt/zimbra/bin/zmcertmgr deploycrt comm /root/ssl-backup/commercial.crt  /root/ssl-backup/commercial_ca.crt

As zimbra:

Code:

zmmailboxdctl stop
zmmailboxdctl start

Now check Zimbra status with zmcontrol status and via Web Mail

Other methods to install SSL certificates:
Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki


Some other possible solutions:
https://www.zimbra.com/forums/admini...t-running.html
[SOLVED] No mail after Zimbra 5.0.1 and a new SSL Cert
[SOLVED] Trouble upgrading from 4.5.6 to 5.0.5: Unbound server sockets not implemente
[SOLVED] Problem with httpd on alternate port
http://www.zimbra.com/forums/adminis...mmailboxd.html

[Franck]

one error the log shows:

Zimbra server reserving server socket port=995 bindaddr=null ssl=true
</pre>and then dies... this how I suspected it has nothing to do with port 995 being already used but more with SSL

[greenrenault]

Thanks and correct. Updated the error message.

[fizi]

When I tried to follow those instructions I got errors about it trying to create the 'jetty.pkcs12' file when generating a self-assigned SSL certificate.

I ended up manually re-installing my commercial SSL Certificate using zmcertmgr. Hopefully this will help others.

Installing a IPSCA Commercial Certificate - Zimbra :: Wiki

[ZaphodBB]

Thanks GreenRenault! this is exactly what we encountered when migrating from a CentOS 5.7 box running 7.1.3 to CentOS 6.0 running 7.1.3.

Very big help!

[ituwidi]

Short Explanation
Step 1: Re-create and install self-signed SSL certificates.
As root:

Code:

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr deploycrt self

Or (if the /opt/zimbra/bin/zmcertmgr viewdeployedcrt indicates that the SSL certificate was not updated) 
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self

As zimbra:
zmcontrol stop && zmcontrol start

From Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

How to solve the Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
If you see this receive this error for the command: /opt/zimbra/bin/zmcertmgr deploycrt self

Code:

# /opt/zimbra/bin/zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...failed.

Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
	at java.security.KeyStore.load(KeyStore.java:1185)
	at com.zimbra.cert.MyPKCS12Import.main(MyPKCS12Import.java:98)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
	... 3 more

** Installing CA to /opt/zimbra/conf/ca...done.

Then the solution is to do this as root:

Code:

# mv /opt/zimbra/mailboxd/etc/keystore /root/keystore.old
# /opt/zimbra/bin/zmcertmgr deploycrt self

See Ajcody-Notes-SSLCerts - Keystore Password Errors - Server Move Stuff - Zimbra :: Wiki

Step 2: Re-install your commercial SSL certificates (if any)
Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki

Long Explanation
Upgraded a Zimbra 5.0.18 SLES10 server last night and everything went well with the install upgrade. And even when the Zimbra service started no errors were reported and all services appeared to start OK.

However, when trying to access Zimbra Admin UI or Zimbra Web UI, no response. Running

Code:

zmcontrol status

shows that the mailbox process is not running at all!

Check the /var/log/zimbra.log and there are no errors about mailbox but a lot of email being deferred as the mailbox server is not available.

The only errors are reported in /opt/zimbra/log/zmmailboxd.out

Code:

Zimbra server reserving server socket port=110 bindaddr=null ssl=false
Zimbra server reserving server socket port=995 bindaddr=null ssl=true
Fatal error. exception while binding to ports.
Java.net.BindException: cannot assign requested address

The above error message are misleading and from searching the forums can indicate any number of problems (see references below) from DNS to networking etc.

In my case, what worked was to replace the commercial SSL certificate which were valid and installed correctly (working in ZCS 5) with new self-signed certificate. And then to re-install the commercial SSL certificate again. Thinking about this again, you can probably just skip the self-signed SSL install and just re-install the commercial SSL. Will try that next time.

It is important to note that the commercial SSL certificate had NOT expired and was working fine in Zimbra 5.

Steps are below:
1. Make sure you have a backup of the commercial certificate, csr etc and root certificate as these are just about to be deleted!

As root:

Code:

cp -r /opt/zimbra/ssl/zimbra/commercial ~/ssl-backup

2. Reset the certificates with a self-signed certificate, Problem with Certificate can cause MTA Failure - Zimbra :: Wiki

As root:

Code:

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr deploycrt self

As zimbra:

Code:

zmcontrol stop && zmcontrol start

3. Re-install your commercial SSL certificates
As root:

Code:

/opt/zimbra/bin/zmcertmgr deploycrt comm /root/ssl-backup/commercial.crt  /root/ssl-backup/commercial_ca.crt

As zimbra:

Code:

zmmailboxdctl stop
zmmailboxdctl start

Now check Zimbra status with zmcontrol status and via Web Mail

Other methods to install SSL certificates:
Geotrust SSL certificate, Installing a GeoTrust Commercial Certificate - Zimbra :: Wiki
RapidSSL SSL certificate, 5.x Commercial Certificates Guide - Zimbra :: Wiki


Some other possible solutions:
https://www.zimbra.com/forums/admini...t-running.html
[SOLVED] No mail after Zimbra 5.0.1 and a new SSL Cert
[SOLVED] Trouble upgrading from 4.5.6 to 5.0.5: Unbound server sockets not implemente
[SOLVED] Problem with httpd on alternate port
http://www.zimbra.com/forums/adminis...mmailboxd.html

I have same problem, but this not solved in my case :

[zimbra@mx1 ssl-beneran]$ keytool -list -keystore /opt/zimbra/jetty/etc/keystore -storepass `zmlocalconfig -m nokey -s mailboxd_keystore_password`

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

jetty, Apr 9, 2012, keyEntry,
Certificate fingerprint (MD5): 84:8D:01:A8:27:8B:CA:43:A2:85:82:E60:86:EF:11

[zimbra@mx1 ssl-beneran]$ zmmailboxdctl stop
Stopping mailboxd...mailboxd is not running.
[zimbra@mx1 ssl-beneran]$ zmmailboxdctl start
Starting mailboxd...done.
[zimbra@mx1 ssl-beneran]$ zmmailboxdctl status
mailboxd is not running.

CompilerOracle: exclude com/zimbra/cs/session/SessionMap putAndPrune
CompilerOracle: exclude com/zimbra/cs/mailbox/MailItem delete
0 INFO [main] log - Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
Zimbra server reserving server socket port=110 bindaddr=null ssl=false
Zimbra server reserving server socket port=995 bindaddr=null ssl=true
Fatal error: exception while binding to ports
java.net.SocketException: Unbound server sockets not implemented
at javax.net.ServerSocketFactory.createServerSocket(S erverSocketFactory.java:80)
at com.zimbra.common.util.NetUtil.newBoundServerSocke t(NetUtil.java:97)
at com.zimbra.common.util.NetUtil.bindServerSocket(Ne tUtil.java:165)
at com.zimbra.common.util.NetUtil.bindSslTcpServerSoc ket(NetUtil.java:56)
at com.zimbra.common.handlers.PrivilegedHandler.openP orts(PrivilegedHandler.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.mortbay.xml.XmlConfiguration.call(XmlConfigura tion.java:534)
at org.mortbay.xml.XmlConfiguration.configure(XmlConf iguration.java:244)
at org.mortbay.xml.XmlConfiguration.configure(XmlConf iguration.java:206)
at org.mortbay.xml.XmlConfiguration.main(XmlConfigura tion.java:968)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.mortbay.start.Main.invokeMain(Main.java:183)
at org.mortbay.start.Main.start(Main.java:497)
at org.mortbay.start.Main.main(Main.java:115)