  #1 (permalink)  
Old 11-10-2010, 08:25 AM
Junior Member
 
Posts: 5
[SOLVED] possible self signed SSL cert issues.

First, a little background. This server has been up and running for almost 9 months now without any issues. It hosts 4 mail domains, all of which worked fine until 2 days ago, when both the web interface and Zimbra client connections went down.

Ubuntu 8.04 LTS x64 hosted on VMware vSphere 4.0


Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition.



I'm receiving the below errors when trying to start Zimbra. From my research on these forums, it appears to be an SSL cert issue (I'm just using self-signed certs on this box).

zimbra@mail:/root$ zmcontrol start
Host mail.domain1.com
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
zimbra logger service is not enabled! failed.


Starting convertd...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.


Other posts have suggested trying to recreate the self-signed certs, but that also gives me errors. (found here)
http://www.zimbra.com/forums/users/1...es-ldap-3.html

When I run 'zmcertmgr createcrt -new -days 365' I get the following output:

root@mail:~# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101110102726
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101110102726
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.


slapd is also running (and the only ldap process running)
zimbra 22116 29672 0 10:22 pts/2 00:00:00 grep slapd




Here is my /etc/hosts file. The last entry is for my BackupPC box (not related).
Code:
127.0.0.1 localhost.localdomain localhost
172.21.1.75 mail.domain1.com mail
172.21.1.75 mail.domain2.com mail
172.21.1.75 mail.domain3.com mail
172.21.1.75 mail.domain4.com mail
172.21.1.76 backup.domain1.com backup

Obviously I'm missing something here... did my cert expire out of the blue and hose my install, or what? I honestly haven't had to touch this install much at all until now, and I didn't do anything prior to it going down. I appreciate any direction.
  #2 (permalink)  
Old 11-10-2010, 08:36 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Try the following: site:zimbra.com "Saving server config key zimbraSSLPrivateKey...failed." - Yahoo! Search Results
__________________
Regards


Bill
  #3 (permalink)  
Old 11-10-2010, 08:41 AM
Junior Member
 
Posts: 5

I also checked the permissions and ran the reset script to make sure that wasn't an issue.

Code:
chown -R zimbra:zimbra /opt/zimbra
/opt/zimbra/libexec/zmfixperms -verbose

Thanks, I hadn't checked Yahoo, but I'm seeing a lot of the same threads I've already read. One suggested to run this code.
Code:
zmprov gs `zmhostname` | grep zimbraServiceEnabled
Here is the output
zimbra@mail:/root$ zmprov gs `zmhostname` | grep zimbraServiceEnabled
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)


What can't it connect to, LDAP?
  #4 (permalink)  
Old 11-10-2010, 08:53 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by pclyne
I also checked the permissions and ran the reset script to make sure that wasn't an issue.

Code:
chown -R zimbra:zimbra /opt/zimbra
/opt/zimbra/libexec/zmfixperms -verbose

Thanks, I hadn't checked Yahoo, but I'm seeing a lot of the same threads I've already read. One suggested to run this code.
Code:
zmprov gs `zmhostname` | grep zimbraServiceEnabled
Here is the output
zimbra@mail:/root$ zmprov gs `zmhostname` | grep zimbraServiceEnabled
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)


What can't it connect to, LDAP?
Probably because your certificate is expired, although the 'connection refused' usually implies the service isn't running, is it? There are two threads in the link I gave you earlier that are marked as 'Solved'; did either of those apply to your problem?
__________________
Regards


Bill
  #5 (permalink)  
Old 11-10-2010, 09:05 AM
Junior Member
 
Posts: 5

LDAP is running... and split DNS has been running since implementation (and still looks set up right to me).


zimbra@mail:/root$ ldap status
slapd running pid: 6034



zimbra@mail:/root$ ps auxww | grep zimbra | grep slapd
zimbra 6034 0.0 1.5 268640 48392 ? Ssl 09:59 0:00 /opt/zimbra/openldap/sbin/slapd -l LOCAL0 -4 -u zimbra -h ldap://mail.domain1.com:389 ldapi:/// -F /opt/zimbra/data/ldap/config
zimbra 20748 0.0 0.0 5168 832 pts/2 S+ 11:12 0:00 grep slapd


I can even connect to it using telnet...

zimbra@mail:/root$ telnet mail.domain1.com 389
Trying 172.21.1.75...
Connected to mail.domain1.com.
Escape character is '^]'.


Would any Ubuntu updates cause a failure like this? A colleague was on this box last week and may have installed some, but probably didn't reboot (which I did when the box went down).
  #6 (permalink)  
Old 11-12-2010, 09:26 AM
Junior Member
 
Posts: 5

I found the below code snippet in a forum post linked from another person having the exact same problem as I had.

Code:
/opt/zimbra/java/bin/keytool -import -alias root -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/conf/ca/ca.pem
Maybe this should be added to an FAQ or something on the Wiki page?

Last edited by pclyne; 11-12-2010 at 10:07 AM..
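
The "timestamp check failed" error in post #1 is a certificate validity-date failure, so the following added example (not part of the thread, and not Zimbra's own tooling) classifies a certificate from the notAfter line that `openssl x509 -enddate` prints and shows its SHA-256 fingerprint before anything is imported into a trust store. The function names and the sample date are constructed for illustration, and GNU `date -d` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a certificate's
# notAfter date has passed, which is what a PKIX timestamp check compares
# against the system clock.

# cert_status "<notAfter=... line>" [now_epoch] [warn_days]
# Prints EXPIRED, EXPIRING (inside the warning window) or OK.
cert_status() {
    end=${1#notAfter=}                 # strip openssl's "notAfter=" prefix
    now=${2:-$(date -u +%s)}           # default: current time, UTC
    warn=${3:-30}                      # default warning window in days
    end_epoch=$(date -u -d "$end" +%s) || { echo UNPARSEABLE; return 2; }
    left=$(( end_epoch - now ))        # compare in seconds, not whole days
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( warn * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_pem FILE: show subject, fingerprint and expiry status of a PEM cert
# so it can be verified before it is added to a keystore.
check_pem() {
    line=$(openssl x509 -in "$1" -noout -enddate) || return 2
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256
    echo "$1: $line -> $(cert_status "$line")"
}

# Constructed sample (not taken from the thread): a certificate that ran
# out two days before the clock value supplied as "now".
cert_status "notAfter=Nov  8 15:25:00 2010 GMT" \
    "$(date -u -d '2010-11-10 00:00:00 UTC' +%s)"

# Any PEM files given on the command line are checked for real.
for f in "$@"; do check_pem "$f"; done
```

Passing `/opt/zimbra/conf/ca/ca.pem` as an argument checks the CA file named in post #6 before it is imported into the Java `cacerts` store.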