Thread: [SOLVED] zmmailboxd wont start after ssl key import

  1. #1
    stegbth is offline Special Member
    Join Date
    Sep 2008
    Posts
    134
    Rep Power
    6

    Default [SOLVED] zmmailboxd wont start after ssl key import

    Hi,

    I am running zcs oss 6.0.10 ubuntu8 x86_64.

    It worked fine. Now I tried to import an SSL certificate from cacert.

    I did it as described here: Installing a IPSCA Commercial Certificate - Zimbra :: Wiki.

    Then I tried to restart zimbra; it did not come up.

    No ldap and logger doesn't run and mailboxd dies.
    In mailbox.log I get:

    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    But now I can't install a new certificate, as zmcertmgr needs zimbra running to import a new cert.

    So I tried
    zmtlsctl http
    but even then mailboxd would bring the above errors.

    Could this be a DNS issue?
    As the server is named
    zimbra-srv.srv.local
    the certificate is set to
    *.srv.com ?

    best regards
    thomas
    thomas
    zmcontrol -v
    1x Release 6.0.10_GA_2692.UBUNTU8_64 NETWORK edition.
    1x Release 6.0.14_GA_2928.UBUNTU8_64 NETWORK edition
    2x Release 7.1.3_GA_3346.UBUNTU10_64 NETWORK edition, Patch 7.1.3_P1
    1x Release 8.0.2.GA.5569.UBUNTU12.64 NETWORK edition

    2x Release 6.0.10_GA_2692.UBUNTU8_64 FOSS edition
    2x Release 7.2.2_GA_2852.UBUNTU10_64 FOSS edition
    1x Release 7.1.4_GA_2555.UBUNTU10_64 FOSS
    1x Release 8.0.3.GA.5664.UBUNTU12.64 FOSS edition

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,504
    Rep Power
    57

    Default

    The information you've posted implies that your hosts file is incorrect or the certificate is incorrectly named; go to the Split DNS wiki article and check your configuration in the 'Verify...' section of that article. You could also take a look at some of the relevant forum threads: site:zimbra.com +"PKIX path building failed" - Yahoo! Search Results
    Regards


    Bill



  3. #3
    stegbth is offline Special Member
    Join Date
    Sep 2008
    Posts
    134
    Rep Power
    6

    Default

    Hi,

    thank you for your answer.

    I have a split-DNS setup. It is set up as described in the wiki.

    I tried now to revert to a self-signed certificate. But as zmmailboxd is not running it seems even that is not possible.

    root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createca -new
    ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
    ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
    ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
    root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr deployca -localonly
    ** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
    ** Copying CA to /opt/zimbra/conf/ca...done.
    root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181408
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt verifycrt self
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181436
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt deploycrt self
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181455
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

    I get all the time
    Retrieving server config key zimbraSSLCertificate...failed

    How can I restart the mailboxd again,
    as even after
    zmtlsmgr http
    it does not start up?

    best regards
    thomas

  4. #4
    stegbth is offline Special Member
    Join Date
    Sep 2008
    Posts
    134
    Rep Power
    6

    Default

    Even the recreation of the self-signed cert does not work as described here:
    Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0 - Zimbra :: Wiki

    Backed up the files, removed the ssl folder.
    The create and deploy ca brings no error,
    but creating the self-signed cert gives me

    /opt/zimbra/bin/zmcertmgr createcrt self -new
    ** Creating /opt/zimbra/conf/zmssl.cnf...done
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105182840
    ** Retrieving server config key zimbraSSLCertificate...failed.
    ** Retrieving server config key zimbraSSLPrivateKey...failed.
    ** Generating a server csr for download self -keysize 1024
    ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105182847
    ** Retrieving Commercial CA cert from ldap...failed.
    ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
    ** Saving server config key zimbraSSLPrivateKey...failed.
    ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

    I checked if ldap-server is running

    zmcontrol status |grep ldap
    Unable to determine enabled services from ldap.
    Enabled services read from cache. Service list may be inaccurate.
    ldap Running
    zimbra@zimbra-srv:~$ netstat -lpn |grep 389
    (Not all processes could be identified, non-owned process info
    will not be shown, you would have to be root to see it all.)
    tcp 0 0 192.168.16.5:389 0.0.0.0:* LISTEN -

    zmcontrol -v
    Release 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 NETWORK edition.

    I am pretty out of luck here ;(

  5. #5
    stegbth is offline Special Member
    Join Date
    Sep 2008
    Posts
    134
    Rep Power
    6

    Default

    Hi Bill,

    I think the trouble is located within zmprov.

    zmprov is unable to give me any output

    zmprov -l gaa brings the PKIX path failed
    zmprov -l -s zimbra-srv.srv.local gaa
    zmprov -l -s intranet.srv.com gaa

    also, so I am lost in SSL?

    I tried
    openssl s_client -connect intranet.srv.com and postfix brings the correct ssl-certificate (*.srv.com signed from cacert)

    How can I recover from the bad SSL?

    please help
    thomas

  6. #6
    stegbth is offline Special Member
    Join Date
    Sep 2008
    Posts
    134
    Rep Power
    6

    Default [SOLVED] zmmailboxd wont start after ssl key import

    Hello everybody,

    I found out my problem:

    zimbrahostname=zimbra-srv.srv.local
    the certificate is named to *.srv.com

    This certificate gets prepared for several services (Postfix, Jetty, slapd ??)

    zmprov tries to connect to the server with SSL.
    As the SSL CommonName does not match the zimbrahostname, the connect would fail.

    Possible workaround:

    1. Create a CA (if not having one)
    2. Create a new certificate for zimbrahostname (zimbra-srv.srv.local in my case)
    3. Export cacert, key and certificate (key without password)
    4. Copy certificate to /opt/zimbra/conf/slapd.crt
    5. Copy key to /opt/zimbra/conf/slapd.key
    6. ldap stop && ldap start
    7. Import the certificate of your CA with
       /opt/zimbra/java/bin/keytool -import -alias stegbauer-datawork -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/sd-cacert.pem

    zmprov works now as expected.
    Currently I don't know what happens on an upgrade, this procedure needs to be redone.
    And what is the correct way to have a public certificate, if the zimbra-hostname does not end to a public domain-name?

    best regards
    thomas
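
The name mismatch identified in the last post can be caught before a certificate is deployed. The script below is an added example, not part of the original thread: it uses the openssl command line to check that a certificate covers a given host name and chains to a given CA. The function names, file names and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment certificate check (demo CA and certs are constructed).

# 0 if the certificate in $1 is valid for host name $2. OpenSSL checks the
# subjectAltName DNS entries, else the CN; "*" only matches one left-most label.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# 0 if the certificate in $2 chains to the CA certificate in $1.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# usage: preflight CA_PEM CERT_PEM HOSTNAME
# returns 0 = safe to deploy, 1 = name mismatch, 2 = chain not trusted
preflight() {
    cert_covers_host "$2" "$3" || return 1
    cert_chains_to "$1" "$2" || return 2
    return 0
}

# usage: make_demo_cert DIR NAME CN
# Creates a throwaway CA in DIR (once) and DIR/NAME.pem signed by it.
make_demo_cert() {
    [ -f "$1/ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Demo with the two names from this thread.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" wildcard '*.srv.com'
make_demo_cert "$demo_dir" internal 'zimbra-srv.srv.local'
for c in wildcard internal; do
    rc=0
    preflight "$demo_dir/ca.pem" "$demo_dir/$c.pem" zimbra-srv.srv.local || rc=$?
    echo "$c.pem as zimbra-srv.srv.local: preflight=$rc"
done
rm -rf "$demo_dir"
```

Against a real server, pass the CA file that was imported into the Java cacerts keystore, the candidate certificate, and the Zimbra host name as the three arguments to preflight.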
