  #1 (permalink)  
Old 07-13-2011, 09:23 AM
Special Member
 
Posts: 160
Adding new mailstore to cluster fails miserably.

I'm trying to add a new mailbox server to my existing cluster. Running the install worked fine, I was able to put in the LDAP master to get config information, all that jazz worked. Once the system began to enable zimlets, it failed. It also failed to initialize Documents. Now it says it cannot get any info from LDAP.

Looks like a certificate error, from the logs:

Wed Jul 13 12:09:15 2011 done.
Wed Jul 13 12:09:15 2011 *** Running as zimbra user: /opt/zimbra/bin/zmsshkeygen
Generating public/private dsa key pair.
Your identification has been saved in /opt/zimbra/.ssh/zimbra_identity.
Your public key has been saved in /opt/zimbra/.ssh/zimbra_identity.pub.
The key fingerprint is:
f9:58:e0:5c:8a:a3:22:45:b3:7c:99:b4:18:e0:65:a0 zmstore-3.pharmacy.com
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Wed Jul 13 12:09:17 2011 *** Running as zimbra user: /opt/zimbra/bin/zmupdateauthkeys
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Updating /opt/zimbra/.ssh/authorized_keys


Not sure what to do from here. I've tried to manually update keys using zmcertmgr, but it fails with the same error. I just need to use a self-signed cert on this system - there isn't anything special going on.
  #2 (permalink)  
Old 07-14-2011, 06:54 AM
Special Member
 
Posts: 160

Does anyone have any ideas on this? The rest of the systems are working fine, but this one added mailbox server won't install/start up due to this cert error. I don't want to start doing a bunch of crap that may break my existing production environment... Honestly, adding a new server should not be such a difficult task.
  #3 (permalink)  
Old 02-01-2012, 09:55 AM
Starter Member
 
Posts: 2

Did you solve the issue? Any suggestions?
  #4 (permalink)  
Old 02-01-2012, 10:08 AM
Special Member
 
Posts: 160

Here is what support helped me with:

This is an issue with the certs not being trusted by Java on the new server. Do you have commercial or self-signed certs installed on the other boxes? You can manually copy one over to the new server and import it.

If they are commercial, you'll want to look for:
/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
copy it over, and import it with:
/opt/zimbra/bin/zmcertmgr addcacert <ssl crt> on the new server.

If it is self-signed, then:
/opt/zimbra/bin/zmcertmgr addcacert
on the crt found here on the ldap server:
/opt/zimbra/ssl/zimbra/server/server.crt

Restart all services and try again.

You may also need to run zmupdateauthkeys
  #5 (permalink)  
Old 02-01-2012, 10:45 AM
Starter Member
 
Posts: 2

Thanks, any more ideas?

Recap:
- Self-signed cert
- copied (from Master LDAP Box) /opt/zimbra/ssl/zimbra/server/server.crt to new box
- on new box: /opt/zimbra/bin/zmcertmgr addcacert ./server.crt
** Importing certificate ./server.crt to CACERTS as zcs-user-server...done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
- shutdown and restart new box
- on new box (as zimbra user): zmupdateauthkeys
ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
Updating /opt/zimbra/.ssh/authorized_keys
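
An added example, not part of the thread and not Zimbra tooling: before importing a certificate with zmcertmgr addcacert as described in posts #4 and #5, this check tells whether the candidate CA file is really the issuer of the certificate that fails validation. It assumes that "signature check failed" means a CA with the right issuer name but a different key is being trusted; the function names, file names and the throwaway certificates are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The file names and the throwaway PKI
# built by make_demo_pki are constructed for illustration.

# dn FIELD FILE: print the issuer or subject DN of a PEM certificate.
dn() {
    openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# diagnose CA_FILE CERT_FILE: print ok, name-mismatch or signature-mismatch.
diagnose() {
    if [ "$(dn issuer "$2")" != "$(dn subject "$1")" ]; then
        echo name-mismatch       # CA_FILE is not the issuer named in the cert
    elif openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo ok                  # issuer name matches and the signature verifies
    else
        echo signature-mismatch  # name matches, verification fails (e.g. other CA key)
    fi
}

# mkca PREFIX CN: self-signed CA certificate with a fresh key.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# make_demo_pki DIR: ca1 and ca2 share one DN but have different keys, other
# is unrelated, and server.crt is signed by ca1.
make_demo_pki() {
    mkca "$1/ca1" "Demo CA"; mkca "$1/ca2" "Demo CA"; mkca "$1/other" "Other CA"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca1.crt" -CAkey "$1/ca1.key" \
        -set_serial 1 -days 1 -out "$1/server.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for ca in ca1 ca2 other; do
    printf '%s.crt: %s\n' "$ca" "$(diagnose "$demo/$ca.crt" "$demo/server.crt")"
done
rm -rf "$demo"
```

A result of ok means importing that CA file should let the certificate validate; either mismatch means the file being imported is not the one that signed the failing certificate.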
  #6 (permalink)  
Old 02-03-2012, 12:22 PM
Zimbra Consultant & Moderator
 
Posts: 20,314

A forum search produces these results: site:zimbra.com +"PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed" - Yahoo! Search Results
__________________
Regards


Bill