New Certificate Problems - email DOWN

#1
03-06-2011, 08:17 AM
Intermediate Member
Posts: 15

Based on the error messages that I've been having, it appears that my Zimbra Open Source email server is having problems with expired certificates.

Here are the URLs of the things I've tried:
Unable to determine enabled services from ldap.
Administration Console and CLI Certificate Tools - Zimbra :: Wiki (multi-node)
[SOLVED] SOLVED: Zimbra 6.0.1 stop working if SSL certificate is expired
[SOLVED] SOLVED: Zimbra 6.0.1 stop working if SSL certificate is expired

After creating new certificates on the LDAP server, I copied them to the Mailbox and MTA servers. That hasn't helped either.

Needless to say, right now my email system is so messed up, it's not starting up.

Log files:
LDAP:
zmmtaconfig.log:
Sun Mar 6 10:05:24 2011 Watchdog: skipping service antivirus. Service not yet available for restarts.

Mailbox:
$ zmcontrol start
Host mailbox1.vpn
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

zmmtaconfig.log:
Sun Mar 6 10:08:45 2011 Skipping All Reverse Proxy URLs update.
Sun Mar 6 10:08:45 2011 Skipping getAllReverseProxyURLs ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

MTA:
zmmtaconfig.log:
Sun Mar 6 10:11:22 2011 Skipping Global system configuration update.
Sun Mar 6 10:11:22 2011 gacf ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)

OS & Zimbra versions:
Release 6.0.5_GA_2213.DEBIAN5 DEBIAN5 FOSS edition.
Linux mailbox1 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux

I *really* need help getting this mail system running again!

If there is anything else I forgot to include, please let me know and I'll do my best to get it to you.

Thank You very much for your help!

Harlan...

#2
03-06-2011, 09:36 AM
Zimbra Consultant & Moderator
Posts: 20,314

Try the following first: [SOLVED] possible self signed SSL cert issues.

If that doesn't work, have a look at some of the other solutions: site:zimbra.com +"PKIX path validation failed: " +solved - Yahoo! Search Results
__________________
Regards


Bill

#3
03-06-2011, 11:47 AM
Intermediate Member
Posts: 15

Quote:
Originally Posted by phoenix
Try the following first: [SOLVED] possible self signed SSL cert issues.

If that doesn't work, have a look at some of the other solutions: site:zimbra.com +"PKIX path validation failed: " +solved - Yahoo! Search Results

Hi Bill,
Thanks for the quick reply. Unfortunately, I've read many of the suggested articles, even tried several of them.

I can telnet to my Zimbra LDAP server just fine. The Mailbox server will not start:
$ zmcontrol start
Host mailbox1.vpn
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist.

The only log file after the start command was the zmlogprocess.state file that only contained a single byte: 0

Since the Mailbox server won't start, I'm not even trying to start up the MTA server.

Any other ideas?

Thanks,

Harlan...

#4
03-06-2011, 12:20 PM
Zimbra Consultant & Moderator
Posts: 20,314

Quote:
Originally Posted by harlanb
I can telnet to my Zimbra LDAP server just fine. The Mailbox server will not start:
$ zmcontrol start
Host mailbox1.vpn
Unable to determine enabled services from ldap.
Unable to determine enabled services. Cache is out of date or doesn't exist

The usual reason for this is a DNS problem or an incorrect /etc/hosts file. I can see from the highlighted entry above that your hostname is incorrect. I'd suggest you go to the Split DNS article and just for verification post the output of all the commands in the 'Verify...' section.

What happened on your server to cause this problem? Had you done any update to the operating system, did you restart Zimbra, have the certificates actually expired?
__________________
Regards


Bill

#5
03-06-2011, 07:12 PM
Intermediate Member
Posts: 15

Quote:
Originally Posted by phoenix
The usual reason for this is a DNS problem or an incorrect /etc/hosts file. I can see from the highlighted entry above that your hostname is incorrect. I'd suggest you go to the Split DNS article and just for verification post the output of all the commands in the 'Verify...' section.

What happened on your server to cause this problem? Had you done any update to the operating system, did you restart Zimbra, have the certificates actually expired?

Hi Bill,
Thanks again for your help!

I run my own internal DNS server, which is why I can get away with such a funny looking address.

Here is some DNS information from mailbox1.vpn to ldap1.vpn:

mailbox1:~# dig @ns1.vpn ldap1.vpn

; <<>> DiG 9.5.1-P3 <<>> @ns1.vpn ldap1.vpn
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12631
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ldap1.vpn. IN A

;; ANSWER SECTION:
ldap1.vpn. 1500 IN A 10.8.1.19

;; AUTHORITY SECTION:
vpn. 1500 IN NS ns1.vpn.

;; ADDITIONAL SECTION:
ns1.vpn. 1500 IN A 10.8.1.2

;; Query time: 3 msec
;; SERVER: 10.8.1.2#53(10.8.1.2)
;; WHEN: Sun Mar 6 18:07:49 2011
;; MSG SIZE rcvd: 77

mailbox1:~# cat /etc/hosts
127.0.0.1 localhost
10.8.1.20 mailbox1.vpn mailbox1
10.8.1.19 ldap1.vpn ldap1
10.8.1.21 mailmta1.vpn mailmta1

mailbox1:~# cat /etc/resolv.conf
nameserver 10.8.1.2

mailbox1:~# telnet ldap1.vpn 389
Trying 10.8.1.19...
Connected to ldap1.vpn.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

mailbox1:~# dig ns1.vpn mx

; <<>> DiG 9.5.1-P3 <<>> ns1.vpn mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31136
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.vpn. IN MX

;; AUTHORITY SECTION:
vpn. 1500 IN SOA vpn. admin.bloomenterprises.org. 19771108 7200 3600 604800 1800

;; Query time: 3 msec
;; SERVER: 10.8.1.2#53(10.8.1.2)
;; WHEN: Sun Mar 6 21:11:22 2011
;; MSG SIZE rcvd: 87

mailbox1:~# dig ns1.vpn any

; <<>> DiG 9.5.1-P3 <<>> ns1.vpn any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20804
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.vpn. IN ANY

;; ANSWER SECTION:
ns1.vpn. 1500 IN A 10.8.1.2

;; Query time: 2 msec
;; SERVER: 10.8.1.2#53(10.8.1.2)
;; WHEN: Sun Mar 6 21:11:29 2011
;; MSG SIZE rcvd: 41

If there is anything else I can provide to help get my email systems running, please let me know.

Thanks,

Harlan...

#6
03-06-2011, 07:43 PM
Intermediate Member
Posts: 15

Hi Bill,
I forgot to answer your question about the certificates having actually expired. I don't really know. The errors I was originally looking up pointed to expired certificates. I know I built these systems a little more than a year ago, so I thought it could be plausible that the certificates did expire.

So I started following various posts from the Zimbra forums that I found through Google when searching for the error messages that I found in the log files.

Right now, I probably have the systems fairly hosed up. I really do need to be able to recover all of the emails. Even if that means starting up a new system; I've been wanting to upgrade anyways. But in any case, I need Zimbra running, with the emails, in the very near future.

Thanks,

Harlan...
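
Post #1 shows a PKIX "signature check failed" error after new certificates were copied between nodes, and post #6 leaves open whether the old ones had expired. As an added example (not part of the original posts and not Zimbra's own tooling), this script separates those two cases with openssl; the function names and the throwaway demo CAs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell an expired certificate apart from
# one that is not signed by the CA the client host trusts.

# cert_status CERT CAFILE [WINDOW_SECONDS] -> unreadable | expired | untrusted | ok
cert_status() {
    cert=$1; ca=$2; window=${3:-0}
    # A missing or unparseable file must not be reported as "expired"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 1; }
    # -checkend N exits non-zero when the cert expires within N seconds (0 = now)
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Chain and signature check against the CA file this host actually trusts
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 0
    fi
    echo ok
}

# Constructed demo material: two throwaway CAs with the same subject, and a
# server cert signed by the newer one (a CA regenerated on one node only).
make_demo() {
    d=$1
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
            -keyout "$d/ca-$n.key" -out "$d/ca-$n.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap1.vpn" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca-new.pem" -CAkey "$d/ca-new.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# Demo: the same server cert judged from a host that still trusts the old CA
# and from one that has the new CA installed.
demo=$(mktemp -d) && make_demo "$demo"
echo "host trusting old CA: $(cert_status "$demo/srv.pem" "$demo/ca-old.pem")"
echo "host trusting new CA: $(cert_status "$demo/srv.pem" "$demo/ca-new.pem")"
rm -rf "$demo"
```

On a real deployment, pass the server certificate and the CA file that the failing node trusts; those paths are not given in the thread.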

#7
03-06-2011, 08:08 PM
Intermediate Member
Posts: 15

Something else I forgot to answer.

After setting up the multi-node configuration, everything ran just fine for several months. Then I noticed that Zimbra would just lock up, occasionally Linux would lock up, but that was far less frequent. Normally the "lock up" would be the Mailbox server just stopping to respond, but the programs would seem to still be running. I would have to reboot the server because I could not get the "zmcontrol stop" command to work at all. The lock up seemed to be happening a couple times a week. The lock ups started happening when I switched from a single combined Zimbra node to a multi-node configuration. I'm planning on switching back to a single node configuration; the performance just isn't what I was expecting, and I don't have very many users.

This is the behavior that set it all off yesterday.

Thanks...

#8
03-09-2011, 08:20 PM
Intermediate Member
Posts: 15

Does anyone have any ideas on how I can get this running, even if it is just to get the data off?

Thanks,

Harlan...

#9
03-10-2011, 12:15 PM
Intermediate Member
Posts: 15

This thread is abandoned and no longer relevant.

There are no answers here either. Good Luck.