[SOLVED] zmmailboxd wont start after ssl key import

[stegbth]

hi,

i am running zcs oss 6.0.10 ubuntu8 x86_64.

It worked fine. Now i tried to import a ssl certificate from cacert.

i did it as described here Installing a IPSCA Commercial Certificate - Zimbra :: Wiki
.

Then i tried to restart
zimbra, it did not come up.

no ldap and logger doesn't run and mailboxd dies.
in mailbox.log i get:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.Sun
CertPathBuilderException: unable to find valid certification path to requested target

but now i cant install a new certifikat as zmcertmgr needs zimbra running to import a new cert.

so i tried
zmtlsctl http
but even then mailboxd would bring the above errors.

could this be an dns issue?
as the server is named
zimbra-srv.srv.local
the certificate is set to
*.srv.com ?

best regards
thomas

[phoenix]

The information you've posted implies that your hosts file is incorrect or the certificate is incorrectly named, go to the Split DNS wiki article and check your configuration in the 'Verify...' section of that article. You could also take a look at some of the relevant forum threads: site:zimbra.com +"PKIX path building failed" - Yahoo! Search Results

[stegbth]

hi,

thank you for your answer.

i have a split-DNS setup. it is setup a described in the wiki.

i tried now to revert to a selfsigned certificate. But as zmmailboxd is not runnig it seems even that is not possible.

root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createca -new
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.
root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr deployca -localonly
** Importing CA /opt/zimbra/ssl/zimbra/ca/ca.pem into CACERTS...done.
** Copying CA to /opt/zimbra/conf/ca...done.
root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181408
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt verifycrt self
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181436
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
root@zimbra-utec:~# /opt/zimbra/bin/zmcertmgr createcrt deploycrt self
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105181455
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

i get all the time
Retrieving server config key zimbraSSLCertificate...failed

how can i restart the mailboxd again.
as even after
zmtlsmgr http
it does not startup?

best regards
thomas

[stegbth]

even the recreation of the selfsigned cert does not work as described here:
Recreating a Self-Signed SSL Certificate in ZCS 4.5 & 5.0 - Zimbra :: Wiki

backed up the files, removed the ssl folder.
the create and deploy ca brings no error,
but creating the selfsigned cert gives me

/opt/zimbra/bin/zmcertmgr createcrt self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105182840
** Retrieving server config key zimbraSSLCertificate...failed.
** Retrieving server config key zimbraSSLPrivateKey...failed.
** Generating a server csr for download self -keysize 1024
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20110105182847
** Retrieving Commercial CA cert from ldap...failed.
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...failed.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

i checked if ldap-server is running

zmcontrol status |grep ldap
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
ldap Running
zimbra@zimbra-srv:~$ netstat -lpn |grep 389
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.16.5:389 0.0.0.0:* LISTEN -

zmcontrol -v


Release 6.0.10_GA_2692.UBUNTU8_64 UBUNTU8_64 NETWORK edition.

i am pretty out of luck here ;(

[stegbth]

hi bill,

i think the trouble is located within zmprov.

zmprov is unable give me any output

zmprov -l gaa brings the PKIX path failed
zmprov -l -s zimbra-srv.srv.local gaa
zmprov -l -s intranet.srv.com gaa

also, so i am lost in ssl ?

i tried
openssl s_client -connect intranet.srv.com an postfix brings the correct ssl-certificate (*.srv.com signed from cacert)

how can i recover from the bad ssl?

please help
thomas

[stegbth]

Hello everbody,

i found out my problem:

zimbrahostname=zimbra-srv.srv.local
the certificate is named to *.srv.com

this certificate get prepared for several services (Postfix, Jetty, slapd ??)

zmprov tries to connect to the server with ssl.
As the SSL CommonName does not match the zimbrahostname, the connect would fail.

possible workaround:

1. Create a CA (if not having one)
2. create a new certificate for zimbrahostname (zimbra-srv.srv.local in my case)
3. export cacert, key and certifikate (key without password)
4. copy certificate to /opt/zimbra/conf/slapd.crt
5. copy key to /opt/zimbra/conf/slapd.key
6. ldap stop && ldap start
7. import the certificate of your ca with

/opt/zimbra/java/bin/keytool -import -alias stegbauer-datawork -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /tmp/sd-cacert.pem

zmprov works now as expected.
Currently i dont know what happens on a upgrade, this procedure needs to be redone.
And what is the correct way to have a public certificate, if the zimbra-hostname does not end to a public domain-name.

best regards
thomas