
Thread: Adding new mailstore to cluster fails miserably.

  1. #1
    i2ambler is offline Special Member

    Adding new mailstore to cluster fails miserably.

    I'm trying to add a new mailbox server to my existing cluster. Running the install worked fine, I was able to put in the LDAP master to get config information, all that jazz worked. Once the system began to enable zimlets, it failed. It also failed to initialize Documents. Now it says it cannot get any info from LDAP.

    Looks like a certificate error, from the logs:

    Wed Jul 13 12:09:15 2011 done.
    Wed Jul 13 12:09:15 2011 *** Running as zimbra user: /opt/zimbra/bin/zmsshkeygen
    Generating public/private dsa key pair.
    Your identification has been saved in /opt/zimbra/.ssh/zimbra_identity.
    Your public key has been saved in /opt/zimbra/.ssh/zimbra_identity.pub.
    The key fingerprint is:
    f9:58:e0:5c:8a:a3:22:45:b3:7c:99:b4:18:e0:65:a0 zmstore-3.pharmacy.com
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Wed Jul 13 12:09:17 2011 *** Running as zimbra user: /opt/zimbra/bin/zmupdateauthkeys
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Updating /opt/zimbra/.ssh/authorized_keys


    Not sure what to do from here. I've tried to manually update keys using zmcertmgr, but it fails with the same error. I just need to use a self-signed cert on this system; there isn't anything special going on.

  2. #2
    i2ambler is offline Special Member

    Does anyone have any ideas on this? The rest of the systems are working fine, but this one added mailbox server won't install/start up due to this cert error. I don't want to start doing a bunch of crap that may break my existing production environment... Honestly, adding a new server should not be such a difficult task.

  3. #3
    r.palou is offline Starter Member

    Did you solve the issue? Any suggestions?

  4. #4
    i2ambler is offline Special Member

    Here is what support helped me with:

    This is an issue with the certs not being trusted by Java on the new server. Do you have commercial or self-signed certs installed on the other boxes? You can manually copy one over to the new server and import it.

    If they are commercial, you'll want to look for:
    /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    copy it over, and import it with:
    /opt/zimbra/bin/zmcertmgr addcacert <ssl crt> on the new server.

    If it is self-signed, then:
    /opt/zimbra/bin/zmcertmgr addcacert
    on the crt found here on the ldap server:
    /opt/zimbra/ssl/zimbra/server/server.crt

    Restart all services and try again.

    You may also need to run zmupdateauthkeys

  5. #5
    r.palou is offline Starter Member

    Thanks, any more ideas?

    Recap:
    - Self-signed cert
    - copied (from master LDAP box) /opt/zimbra/ssl/zimbra/server/server.crt to new box
    - on new box: /opt/zimbra/bin/zmcertmgr addcacert ./server.crt
    ** Importing certificate ./server.crt to CACERTS as zcs-user-server...done.
    ** NOTE: mailboxd must be restarted in order to use the imported certificate.
    - shutdown and restart new box
    - on new box (as zimbra user): zmupdateauthkeys
    ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed)
    Updating /opt/zimbra/.ssh/authorized_keys
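
One condition that produces a signature failure during path validation is a trusted CA that carries the expected name but a different key from the one that signed the server certificate. The script below is an added example, not part of the thread and not Zimbra code: it builds two constructed throwaway CAs with identical subjects (all file names and subjects are hypothetical, and the `openssl` CLI is assumed) and shows how to test which one actually verifies a server certificate before importing anything.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway certificates, hypothetical file names.
# Requires the openssl CLI. Nothing here touches a Zimbra install.

# signed_by CA_FILE CERT_FILE: succeed only if CERT_FILE verifies against CA_FILE.
# The output is matched for ": OK" because old openssl builds exit 0 on failure.
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# fingerprint CERT_FILE: SHA-256 fingerprint, for comparing a copied file
# against the original on the source host.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_ca DIR NAME: self-signed CA whose subject is the same on every "host".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Demo/CN=Demo Cluster CA" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# demo: prints one result per line.
demo() {
    local d; d=$(mktemp -d) || return 1
    make_ca "$d" master_ca      # CA generated on the first host
    make_ca "$d" newhost_ca     # CA generated independently on the new host
    # Server certificate issued by the first host's CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$d/ldap.key" -out "$d/ldap.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/ldap.csr" -days 1 -CA "$d/master_ca.crt" \
        -CAkey "$d/master_ca.key" -CAcreateserial -out "$d/ldap.crt" >/dev/null 2>&1
    signed_by "$d/master_ca.crt"  "$d/ldap.crt" && echo "master_ca: trusted"  || echo "master_ca: rejected"
    signed_by "$d/newhost_ca.crt" "$d/ldap.crt" && echo "newhost_ca: trusted" || echo "newhost_ca: rejected"
    [ "$(fingerprint "$d/master_ca.crt")" = "$(fingerprint "$d/newhost_ca.crt")" ] \
        && echo "fingerprints: same" || echo "fingerprints: differ"
    rm -rf "$d"
}

demo
```

Both CAs show the same subject when inspected, so only the verification result and the fingerprints tell them apart.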

  6. #6
    phoenix is online now Zimbra Consultant & Moderator
