Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1  12-19-2010, 07:27 PM  Junior Member (Posts: 8)
[SOLVED] Zimbra Certificates have expired and I'm having difficulty regenerating them

Hi all,

I've posted this in an existing thread, but didn't see the messages show up, so I thought I'd report here (apologies in advance - I know it's probably not considered the "thing to do").

First, the build info:

Code:
[zimbra@rose andy]$ zmcontrol -v


Release 6.0.3_GA_1915.F11_20091118105056 F11 FOSS edition.

[zimbra@rose andy]$
Now, zmcontrol start yields:

Code:
[zimbra@rose andy]$ zmcontrol start
Host xxx.xxx.xxx.xxx
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.
[zimbra@rose andy]$
Now, I've eventually tracked this down to a problem with the certificates having expired yesterday. So I tried regenerating these using the recommended procedure with the following result (errors highlighted in red):

Code:
[root@rose bin]# ./zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@rose bin]# ./zmcertmgr createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220141501
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220141501
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@rose bin]# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# ./zmcertmgr deployca self
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
I'm hoping someone can point me in the right direction to get the certificates regenerated, as my users are beating down my door...

Thanks in advance!

Andy
#2  12-20-2010, 12:06 AM  Zimbra Consultant & Moderator (Posts: 20,313)

Follow the instructions from this wiki article: Administration Console and CLI Certificate Tools - Zimbra :: Wiki - post back with your results.
Regards
Bill

#3  12-20-2010, 01:39 AM  Junior Member (Posts: 8)

Thanks Bill,

The third codebox had the results of this procedure, but I've executed it again just in case I missed something. Results below:
Code:

[root@rose bin]# ./zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@rose bin]# ./zmcertmgr  createcrt -new -days 365
Validation days: 365
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220203916
** Generating a server csr for download self -new -keysize 1024
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220203916
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@rose bin]# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
::service proxy::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
::service mailboxd::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
::service ldap::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
[root@rose bin]#
Thanks Bill!

Andy
#4  12-20-2010, 03:14 AM  Active Member (Posts: 31)

Hi,

Here is my solution for regenerating certs.
Code:
################################################################################################################
# Regenerate SSL Cert
################################################################################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
/opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
nano /opt/zimbra/bin/zmcertmgr

# Find the line
# SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
# and change the O= and OU= values to your company name.
# Then find validation_days=365 and change it to the number of days you want the cert
# to stay valid, e.g. validation_days=3650.
# Save /opt/zimbra/bin/zmcertmgr.

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self

su - zimbra -c 'zmcontrol start'

/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca

su - zimbra -c 'zmupdateauthkeys'
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

################################################################################################################
#5  12-20-2010, 03:44 AM  Junior Member (Posts: 8)

Thanks for that,

Unfortunately I get very similar results with this set of operations:

Code:
[root@rose bin]# su - zimbra -c 'zmcontrol stop'
Host host.domain.com
        Stopping stats...Done.
        Stopping mta...Done.
        Stopping spell...Done.
        Stopping snmp...Done.
        Stopping archiving...Done.
        Stopping antivirus...Done.
        Stopping antispam...Done.
        Stopping imapproxy...Done.
        Stopping memcached...Done.
        Stopping mailbox...Done.
        Stopping logger...Done.
        Stopping ldap...Done.
[root@rose bin]# rm -rf /opt/zimbra/ssl/*
[root@rose bin]# rm -rf /opt/zimbra/ssl/.rnd
[root@rose bin]# /opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
[root@rose bin]# /opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
vi /opt/zimbra/bin/zmcertmgr
[root@rose bin]# ./zmcertmgr createca -new
** Creating directory /opt/zimbra/ssl/zimbra
** Creating directory /opt/zimbra/ssl/zimbra/ca
** Creating directory /opt/zimbra/ssl/zimbra/server
** Creating directory /opt/zimbra/ssl/zimbra/commercial
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
[root@rose bin]# ./zmcertmgr deployca -localonly
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# ./zmcertmgr createcrt self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220224046
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Generating a server csr for download self -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20101220224059
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
[root@rose bin]# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# su - zimbra -c 'zmcontrol start'
Host rose.davison-family.com
        Starting ldap...Done.
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

[root@rose bin]# ./zmcertmgr deploycrt self
** Saving server config key zimbraSSLCertificate...failed.
** Saving server config key zimbraSSLPrivateKey...failed.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# ./zmcertmgr deployca
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Saving global config key zimbraCertAuthorityCertSelfSigned...failed.
** Saving global config key zimbraCertAuthorityKeySelfSigned...failed.
** Copying CA to /opt/zimbra/conf/ca...done.
[root@rose bin]# su - zimbra -c 'zmupdateauthkeys'
ERROR: service.FAILURE (system failure: unable to list all servers) (cause: javax.naming.AuthenticationException [LDAP: error code 49 - Invalid Credentials])
Updating /opt/zimbra/.ssh/authorized_keys

[root@rose bin]# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Dec 20 11:41:07 2010 GMT
notAfter=Dec 17 11:41:07 2020 GMT
subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
SubjectAltName=
::service proxy::
notBefore=Dec 20 11:41:07 2010 GMT
notAfter=Dec 17 11:41:07 2020 GMT
subject= /C=US/ST=N/A/O=My Family/OU=MyFamily/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
SubjectAltName=
::service mailboxd::
notBefore=Dec 20 11:41:07 2010 GMT
notAfter=Dec 17 11:41:07 2020 GMT
subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
SubjectAltName=
::service ldap::
notBefore=Dec 20 11:41:07 2010 GMT
notAfter=Dec 17 11:41:07 2020 GMT
subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
SubjectAltName=
[root@rose bin]#

Last edited by adavison17; 12-20-2010 at 05:57 AM.

#6  12-21-2010, 06:19 AM  Junior Member (Posts: 8)
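The certificates in this thread ran out without anyone noticing until zmcontrol refused to start. The script below is an added example for this thread, not Zimbra code and not posted by any participant: it parses the output of `zmcertmgr viewdeployedcrt` in the format shown in replies #3 and #5 and reports, per service, a certificate that has expired or expires within a warning window, a validity period longer than a policy limit, a subject CN that differs from the hostname you expect, and an empty SubjectAltName. The file name check_zimbra_certs.py, the 30-day warning window and the 398-day limit are assumptions chosen for the example; the embedded sample is constructed from the two outputs posted in the thread.

```python
"""Expiry and sanity check for the output of `zmcertmgr viewdeployedcrt`.

Added example for this thread, not Zimbra code. Parses the per-service
blocks zmcertmgr prints and flags expired or expiring certificates, an
over-long validity period, a CN mismatch and an empty SubjectAltName.
    /opt/zimbra/bin/zmcertmgr viewdeployedcrt | python3 check_zimbra_certs.py
    python3 check_zimbra_certs.py --sample     # run on the embedded sample
"""
import re
import sys
from datetime import datetime, timedelta, timezone

SERVICE_HEADER = re.compile(r"^::service\s+(\S+)::$")
SUBJECT_CN = re.compile(r"/CN=([^/]+)")


def parse_openssl_date(text):
    """'Dec 20 09:39:22 2011 GMT' -> aware UTC datetime. openssl space-pads
    single-digit days ('Dec  7 ...'); splitting on whitespace absorbs that.
    Anything but a trailing GMT/UTC is rejected rather than misread."""
    parts = text.split()
    if len(parts) != 5 or parts[4] not in ("GMT", "UTC"):
        raise ValueError("unrecognised openssl date: %r" % text)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_viewdeployedcrt(text):
    """Return {service: {field: value}}. Shell prompts and any other line
    outside a '::service name::' block are ignored."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SERVICE_HEADER.match(line)
        if header:
            current = certs.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return certs


def assess(certs, now, expected_cn=None, warn_days=30, max_validity_days=398):
    """Return {service: [finding, ...]}; an empty list means no concerns.
    398 days is what browsers accept for publicly trusted certs; for a
    private CA such as Zimbra's it is a policy choice (assumed here)."""
    findings = {}
    for service, fields in sorted(certs.items()):
        notes = []
        try:
            not_before = parse_openssl_date(fields["notBefore"])
            not_after = parse_openssl_date(fields["notAfter"])
        except (KeyError, ValueError) as exc:
            findings[service] = ["cannot determine validity period: %s" % exc]
            continue
        if now >= not_after:
            notes.append("EXPIRED on %s" % fields["notAfter"])
        elif now + timedelta(days=warn_days) >= not_after:
            notes.append("expires in %d day(s)" % (not_after - now).days)
        validity = (not_after - not_before).days
        if validity > max_validity_days:
            notes.append("validity %d days exceeds limit of %d" % (validity, max_validity_days))
        cn = SUBJECT_CN.search(fields.get("subject", ""))
        cn = cn.group(1) if cn else None
        if expected_cn and cn != expected_cn:
            notes.append("subject CN %r does not match expected %r" % (cn, expected_cn))
        if not fields.get("SubjectAltName"):
            notes.append("no SubjectAltName; clients that ignore CN will reject it")
        findings[service] = notes
    return findings


# Constructed sample: the mta block is from reply #3 of the thread, the
# mailboxd block from reply #5 (issued after validation_days was set to 3650).
SAMPLE = """\
[root@rose bin]# ./zmcertmgr viewdeployedcrt
::service mta::
notBefore=Dec 20 09:39:22 2010 GMT
notAfter=Dec 20 09:39:22 2011 GMT
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=host.domain.com
SubjectAltName=
::service mailboxd::
notBefore=Dec 20 11:41:07 2010 GMT
notAfter=Dec 17 11:41:07 2020 GMT
subject= /C=US/ST=N/A/O=My Family/OU=My Family/CN=host.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=My Family/OU=My Family/CN=host.domain.com
SubjectAltName=
"""


def main(argv):
    text = SAMPLE if "--sample" in argv else sys.stdin.read()
    findings = assess(parse_viewdeployedcrt(text), datetime.now(timezone.utc))
    status = 0
    for service, notes in findings.items():
        print("%s: %s" % (service, "; ".join(notes) if notes else "ok"))
        if any(n.startswith(("EXPIRED", "expires in", "cannot")) for n in notes):
            status = 1  # non-zero exit so a cron job or monitor can alert
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from the zimbra user's crontab and alert on a non-zero exit; that would have caught the expiry in this thread weeks ahead. Pass expected_cn when you want the CN checked against the hostname clients actually connect to. Note that every certificate shown in the thread has an empty SubjectAltName, which the check reports because current browsers and mail clients no longer fall back to the CN.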

Does anyone have any ideas on this one? It seems like it's a simple one to fix, but I'll be damned if I can figure out how...

Andy
#7  12-27-2010, 04:00 AM  Junior Member (Posts: 8)
Maybe this won't be fixed...

At the moment I've appeased my users by putting up a new instance of Zimbra, but now I need to pull their user data from the broken installation, without being able to start up the service.

Does anyone have a method of extracting mailboxes from a server that's down and not coming back up?

Thanks,

Andy
#8  12-27-2010, 07:09 AM  Junior Member (Posts: 8)
Fixed at last

OK. For anyone who may have caught onto this thread because of the certificate problem, the solution is to simply re-install the same version of Zimbra over the top of the existing one. This recreates the certificates appropriately and gets everything working (more or less ... a couple of services have stopped unexpectedly, like spam filtering).

Take a backup of your zimbra folder first (just copy it somewhere else on the machine) and then run the install.sh script from the distribution you originally used.

Don't worry about your existing users data - it will all be intact!

Thanks to everyone for their advice to date.

Regards,

Andy
#9  03-01-2011, 06:31 AM  Loyal Member (Posts: 82)
Resolved by changing the following parameters.

################################################################################################################
# Regenerate SSL Cert
################################################################################################################
su - zimbra -c 'zmcontrol stop'
rm -rf /opt/zimbra/ssl/*
rm -rf /opt/zimbra/ssl/.rnd
/opt/zimbra/java/bin/keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
/opt/zimbra/java/bin/keytool -delete -alias jetty -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `su - zimbra -c 'zmlocalconfig -s -m nokey mailboxd_keystore_password'`
vi /opt/zimbra/bin/zmcertmgr

# Find the line
# SUBJECT="/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=${zimbra_server_hostname}"
# and change the O= and OU= values to your company name.
# Then find validation_days=365 and change it to the number of days you want the cert
# to stay valid, e.g. validation_days=3650.
# Save /opt/zimbra/bin/zmcertmgr.

/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca -localonly
/opt/zimbra/bin/zmcertmgr createcrt self -new
/opt/zimbra/bin/zmcertmgr deploycrt self

su - zimbra -c 'zmcontrol start'

/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr deployca

su - zimbra -c 'zmupdateauthkeys'
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

################################################################################################################

NSP online
http://www.nsponline.net

#10  03-11-2011, 03:00 AM  Starter Member (Posts: 1)

Thanks farrukhndm, that worked a treat!

However, how would this work with commercial certificates?

Can you post an alternate version outlining what I need to do _please_

Many thanks