
Thread: Zimbra LDAP replication problem: TLS isn't working.

  1. #1 jdinunci (Intermediate Member)

    Zimbra LDAP replication problem: TLS isn't working.

    Hello, I'm trying to install a second zimbra instance for LDAP replication.

    The ldap master host is c.correo, and the replica is d.correo. After the installation, I see in the replica's zimbra log:

    slap_client_connect: URI=ldap://c.correo.uc.edu.ve:389 Error, ldap_start_tls failed (-11)

    So, it can't connect to the ldap master. I made a manual test without TLS

    ldapsearch -x -H ldap://c.correo -D cn=config -w mypwd -b dc=mydomain 'uid=me'

    and it works. But when I try using TLS

    ldapsearch -x -Z -H ldap://c.correo -D cn=config -w mypwd -b dc=mydomain 'uid=me'

    It answers:

    ldap_start_tls: Connect error (-11)
    ldap_result: Can't contact LDAP server (-1)

    So, it seems that the ldap master host is not answering TLS connections. How can I activate TLS answers in zimbra's openldap?

    Thanks in advance.

  2. #2 quanah (Zimbra Employee)

    add -d -1 to your ldapsearch command. Most likely your master has a different CA than your replica, and so the replica can't verify the master's cert.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3 jdinunci (Intermediate Member)

    Thanks!

    In effect, when I run the search with -d -1 I get

    [...]
    TLS certificate verification: depth: 0, err: 20, subject: /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=c.correo.uc.edu.ve, issuer: /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=c.correo.uc.edu.ve
    TLS certificate verification: Error, unable to get local issuer certificate
    tls_write: want=7, written=7
    0000: 15 03 01 00 02 02 30 ......0
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
    [...]
    If I edit ~zimbra/openldap/etc/openldap/ldap.conf and add

    TLS_REQCERT never

    then ldapsearch -Z ... succeeds.

    The master ldap is an old instance, more than a year old, so its original certificate expired and I had to generate a new one (which I did by hand), but I don't think I changed the CA. These are the md5sums of the certs on the master:

    d1c089d9c6dfaa9077cd357b05c86196 ./conf/ca/ca.pem
    d1c089d9c6dfaa9077cd357b05c86196 ./ssl/zimbra/ca/ca.pem
    and these are the ones in the replica:

    d1c089d9c6dfaa9077cd357b05c86196 ./conf/ca/ca.pem
    d1c089d9c6dfaa9077cd357b05c86196 ./ssl/zimbra/ca/ca.pem
    What can I do to restore the validity of the certificate on c.correo?

  4. #4 quanah (Zimbra Employee)

    It clearly states in your bug log it doesn't know the CA:

    TLS trace: SSL3 alert write:fatal:unknown CA

    What does ls -l /opt/zimbra/conf/ca

    show on the replica and the master?
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5 jdinunci (Intermediate Member)

    On the master:

    lrwxrwxrwx 1 root root 6 Jul 15 09:30 22cd13e9.0 -> ca.pem
    -rw-r--r-- 1 root root 887 Jul 15 09:30 ca.key
    -rw-r--r-- 1 root root 976 Jul 15 09:30 ca.pem
    on the replica:

    -rw-r----- 1 zimbra zimbra 887 Jul 14 09:27 ca.key
    -rw-r----- 1 zimbra zimbra 976 Jul 14 09:27 ca.pem
    lrwxrwxrwx 1 zimbra zimbra 6 Jul 14 09:27 f84c91e9.0 -> ca.pem

  6. #6 quanah (Zimbra Employee)

    Note the difference in generated x509 hash between the master and the replica. Clearly the ca.pem files are different. You need to copy the "ca.pem" from the master to the replica, naming it "master_ca.pem" or similar. Create the same symlink to it as exists on the master. This way the replica will be able to verify the cert provided by the master.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  7. #7 jdinunci (Intermediate Member)

    Thanks!

    After reading your comments I realized that when my cert expired, I only upgraded c.correo:/opt/zimbra/ssl/zimbra/server/server.crt but not c.correo:/opt/zimbra/conf/ca/ca.pem.

    So I did:

    cd /opt/zimbra/conf/ca
    openssl x509 -in ca.pem -days 3650 -out ca.pem -signkey ca.key
    and then copied the certs to d.correo, as you indicated in your last message. Now the replica is working.

    Thanks again.
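The whole thread reduces to one mechanism: OpenLDAP's client library looks the master's issuer up in a CApath directory (/opt/zimbra/conf/ca here) by a link named after the x509 subject hash of the CA certificate, so a replica whose ca.pem is a different CA fails with "unable to get local issuer certificate" / "unknown CA". The script below is an added example, not code from the thread or from Zimbra: it builds throwaway CAs and a server certificate (the names master-ca, other-ca and ldap.example.test are constructed), reproduces the verification failure against the wrong CApath, applies Quanah's fix from #6 (install the master's CA under its hash link), and performs the re-signing from #7 to show that the link name survives renewal while the fingerprint changes. Two points a practitioner should take from it: the hash link name covers only the subject DN, so identical names do not prove identical certificates (compare fingerprints for that), and the TLS_REQCERT never workaround from #3 makes the replica accept any certificate at all, so the fix below keeps verification on.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown CA" failure with
# throwaway certificates, then apply the fix from post #6 (install the
# master's CA under its x509 subject-hash name) and the renewal from post #7.
# All names (master-ca, other-ca, ldap.example.test) are constructed.
set -eu

# Nothing below works without the openssl CLI; leave quietly if it is absent.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: key in $1.key, certificate in $1.pem, CN = $2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/O=Example/CN=$2" >/dev/null 2>&1
}

# Issue a server certificate for hostname $2, signed by CA $1.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/O=Example/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 365 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Link name OpenSSL's CApath lookup expects for CA $1 (22cd13e9.0 in the
# thread). It hashes only the subject DN, so two CA certs with the same
# subject get the same name; use a fingerprint to tell them apart.
hash_link_name() {
    echo "$(openssl x509 -in "$WORK/$1.pem" -noout -subject_hash).0"
}

sha256_fingerprint() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256
}

# Install CA $1 into CApath directory $2 as ca.pem plus its hash symlink,
# mirroring /opt/zimbra/conf/ca on the hosts in the thread.
install_ca() {
    mkdir -p "$WORK/$2"
    cp "$WORK/$1.pem" "$WORK/$2/ca.pem"
    ln -sf ca.pem "$WORK/$2/$(hash_link_name "$1")"
}

# Verify server cert $1 against CApath $2: prints "ok" or "unknown-ca".
verify_with_capath() {
    if openssl verify -CApath "$WORK/$2" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# Re-sign CA $1 with its own key (what post #7 does) into $1-renewed.pem.
renew_ca() {
    openssl x509 -in "$WORK/$1.pem" -signkey "$WORK/$1.key" -days 3650 \
        -out "$WORK/$1-renewed.pem" >/dev/null 2>&1
    cp "$WORK/$1.key" "$WORK/$1-renewed.key"
}

demo() {
    make_ca master master-ca            # the master's real CA
    make_ca other other-ca              # an unrelated CA, as on the replica
    make_server_cert master ldap.example.test
    install_ca master capath-master     # correct: master's CA, hash link
    install_ca other capath-replica     # the replica's mismatched CA dir
    echo "master link:  $(hash_link_name master)"
    echo "replica link: $(hash_link_name other)"
    echo "against master CA:  $(verify_with_capath ldap.example.test capath-master)"
    echo "against replica CA: $(verify_with_capath ldap.example.test capath-replica)"
    renew_ca master
    echo "renewed link: $(hash_link_name master-renewed)"
    echo "old fp: $(sha256_fingerprint master)"
    echo "new fp: $(sha256_fingerprint master-renewed)"
}

demo
```

Run it as `sh unknown_ca_demo.sh`; it needs only the openssl binary and writes everything to a temporary directory that is removed on exit. Mapping it back to the thread: "against replica CA: unknown-ca" is the replica's state in #1 and #3, install_ca is the copy-plus-symlink step from #6, and renew_ca is the command from #7; on Zimbra the files live under /opt/zimbra/conf/ca and ldap.conf points there.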
